3100 matches found
containerd Image Volume Insecure Handling Exploit
containerd: Insecure handling of image volumes. containerd's cri plugin handles image volumes containing path traversals insecurely. This can be used to copy arbitrary host directories to a container-mounted path. OCI images contain a JSON config file described in...
Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call
The plugin does not have authorisation and CSRF checks in the wptadminupdatenoticeoption AJAX action available to both unauthenticated and authenticated users, and does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or o...
iRZ Mobile Router Cross Site Request Forgery / Remote Code Execution
Exploit Title: iRZ Mobile Router - CSRF to RCE Google Dork: intitle:"iRZ Mobile Router" Date: 2022-03-18 Exploit Author: Stephen Chavez & Robert Willis Vendor Homepage: https://en.irz.ru/ Software Link: https://github.com/SakuraSamuraii/ez-iRZ Version: Routers through 2022-03-16 Tested on: RU21,...
ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover
Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover Date: 18/03/2022 Exploit Author: Devansh Bordia Vendor Homepage: https://icehrm.com/ Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS Version: 31.0.0.OS Tested on: Windows 10 1. About -...
Xlight FTP 3.9.3.2 Buffer Overflow
Exploit Title: Xlight FTP v3.9.3.2 - Buffer Overflow SEH Egghunter + ROP Exploit Author: Hejap Zairy Date: 13.07.2022 Software Link: http://www.xlightftpd.com/download/setup.exe Tested Version: v3.9.3.22022-1-5 Tested on: Windows 10 64bit 1.- Run python code : 0day-HejapZairy.py 2.- Open...
CVE-2022-0941 Stored XSS due to Unrestricted File Upload in star7th/showdoc
Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to v2.10.4...
Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update
The plugin does not have proper authorisation when managing appointments, allowing any customer to update others' booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. 1. Make a booking to become customer ...
Ninja Forms File Uploads Extension < 3.3.1 - Unauthenticated Arbitrary File Upload
The plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the /includes/ajax/controllers/uploads.php file, which can be bypassed, making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code...
Exploit for Improper Initialization in Linux Linux_Kernel
CVE-2022-0847 A simple reproduction of CVE-2022-0847 Orig...
Title Experiments Free < 9.0.1 - Unauthenticated SQLi
The plugin does not sanitise and escape the id parameter before using it in a SQL statement via the wpextitles AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection. curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=wpextitles&id=1 AND SELECT 3...
Attendance and Payroll System v1.0 - Remote Code Execution Exploit
Exploit Title: Attendance and Payroll System v1.0 - Remote Code Execution RCE Exploit Author: pr0z Vendor Homepage: https://www.sourcecodester.com Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip Version: v1.0 Tested on: Linux, MySQL, Apache import...
Private Internet Access 3.3 Unquoted Service Path
Exploit Title: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path Date: 04/03/2022 Exploit Author: Saud Alenazi Vendor Homepage: https://www.privateinternetaccess.com Software Link: https://www.privateinternetaccess.com/download Version: 3.3.0.100 Tested: Windows 10 x64 Contact:...
Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)
Exploit Title: Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE) Google Dork: N/A Date: 03/03/2022 Exploit Author: Carlos E. Vieira Vendor Homepage: https://spring.io/ Software Link: https://spring.io/projects/spring-cloud-gateway Version: This vulnerability affects Spring Cloud Gateway 3.0.7...
Conference Scheduler < 2.4.3 - Reflected Cross-Site Scripting
The plugin does not sanitize and escape the tab parameter before outputting it back in an admin page, leading to Reflected Cross-Site Scripting. https://example.com/wp-admin/edit.php?posttype=confworkshop&page=confscheduleroptions&tab="...
Sermon Browser <= 0.45.22 - Arbitrary File Upload via CSRF
The plugin does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones. function submitRequest var xhr = new XMLHttpRequest; xhr.open"POST",...
Multilist Subscribe for Sendy <= 1.6.1 - Subscriber+ Arbitrary Options Update
The plugin is using an outdated version of the Freemius library 1.2.2.9, which is known to be affected by a security issue allowing any authenticated user, such as a subscriber, to set arbitrary blog options. As any authenticated user: Enable new user registrations:...
WAGO 750-8212 PFC200 G2 2ETH RS - Privilege Escalation
Exploit Title: WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation Date: 02/16/2022 Exploit Author: Momen Eldawakhly Cyber Guy at Cypro AB Vendor Homepage: https://www.wago.com Version: Firmware version 03.05.1017 Tested on: PopOS! Linux ======================================== = The ordinary us...
Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection
The plugin does not validate and escape the calendar parameter before using it in a SQL statement via the abcbookinggetSingleCalendar AJAX action available to both unauthenticated and authenticated users, leading to an unauthenticated SQL injection. 1. Install the vulnerable plugin...
Advanced Contact form 7 DB < 1.8.7 - Subscriber+ Arbitrary File Deletion
The plugin has neither authorisation nor CSRF checks in the acf7dbeditscrfiledelete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPre...
Patreon WordPress < 1.8.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the field "Custom Patreon Page name", which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Put the following payload in the "Custom Patreon Page name" setting of the plugin and...