9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.905 High
EPSS
Percentile
98.4%
This week’s new features and improvements start with two new exploit modules leveraging CVE-2023-34960 Chamilo versions 1.11.18 and below and CVE-2023-26469 in Jorani 1.0.0. Like CVE-2023-34960, I too, feel attacked by PowerPoint sometimes.
We also have several improvements, including additions to fetch payloads, PostgreSQL authentication, and documentation.
Authors: Randorisec and h00die-gr3y
Type: Exploit
Pull request: #18233 contributed by h00die-gr3y
Path: exploits/linux/http/chamilo_unauth_rce_cve_2023_34960
AttackerKB reference: CVE-2023-34960
Description: This adds an exploit module that leverages an unauthenticated remote command execution vulnerability Chamilo versions 1.11.18 and below. This vulnerability is identified as CVE-2023-34960. Due to a functionality called Chamilo Rapid
to easily convert PowerPoint slides to courses on Chamilo, it is possible for an unauthenticated remote attacker to execute arbitrary commands at OS level using a malicious SOAP request at the vulnerable endpoint /main/webservices/additional_webservices.php
.
Author: RIOUX Guilhem (jrjgjk)
Type: Exploit
Pull request: #18123 contributed by Guilhem7
Path: exploits/multi/php/jorani_path_trav
AttackerKB reference: CVE-2023-26469
Description: This PR adds a module that chains together a log poisoning LFI redirection bypass and a path traversal vulnerability to obtain unauthenticated RCE.
FETCH_SRVHOST
option will be set to LHOST
when LHOST
is set and FETCH_SRVHOST
is not, meaning there is now one less option users need to set when using a payload with a reverse stager. The second improvement is that the default command for the Windows HTTP payload has been changed to CERTUTIL which will offer better compatibility with older versions of Windows than the previous CURL command. The HTTPS and TFTP payloads will still default to CURL.exploit/multi/http/subrion_cms_file_upload_rce
module.documentation/modules/exploit/windows/http/smartermail_rce
.multi/http/adobe_coldfusion_rce_cve_2023_26360
when the target ColdFusion server is deployed with a Development profile.forge_ticket
module when the SPN datastore option was left blank. The module now fails due to bad-config and gives a detailed error message.scanner/mysql/mysql_authbypass_hashdump
module and adds documentation for the module.LHOST
as an interface name, for example with set LHOST eth0
. Previously, a non-deterministic IP would be resolved from the adapter name if the adapter had multiple IPv4/IPv6 addresses registered. Now the lowest ordinal IPv4 addresses is preferenced first, followed by any IPv6 addresses.You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.905 High
EPSS
Percentile
98.4%