1091 matches found

Packet Storm
added 2017/09/25 12:0 a.m. | 210 views

Supervisor XML-RPC Authenticated Remote Code Execution

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Supervisor XML-RPC Authenticated Remote Code Execution", 'Description' = %q This module exploits a vulnerability in the Supervisor process control...

CVSS 9 | AI score 0.5 | EPSS 0.93832
Exploits 10

Prion
added 2017/09/21 8:29 p.m. | 8 views

Sql injection

SQL Injection vulnerability in mobiquo/lib/classTTForum.php in the Tapatalk plugin before 4.5.8 for MyBB allows an unauthenticated remote attacker to inject arbitrary SQL commands via an XML-RPC encoded document sent as part of the user registration process...

CVSS 7.5 | AI score 9.8 | EPSS 0.01398
Exploits 1 | References 2 | Affected Software 1

Cvelist
added 2017/09/21 7:0 p.m. | 14 views

CVE-2017-14652

SQL Injection vulnerability in mobiquo/lib/classTTForum.php in the Tapatalk plugin before 4.5.8 for MyBB allows an unauthenticated remote attacker to inject arbitrary SQL commands via an XML-RPC encoded document sent as part of the user registration process...

AI score 10 | EPSS 0.01398
Exploits 1 | References 2

Prion
added 2017/09/20 8:29 p.m. | 15 views

Design/Logic Flaw

An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. If a login attempt is made in the XML-RPC interface with an XML message containing an empty member element, the wgagent crashes, logging out any user with a session opened in the UI. By continuously executing the failed login...

CVSS 7.8 | AI score 7.5 | EPSS 0.00826
Exploits 1 | References 2 | Affected Software 1

OSV
added 2017/09/20 8:29 p.m. | 1 view

CVE-2017-14616

An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. If a login attempt is made in the XML-RPC interface with an XML message containing an empty member element, the wgagent crashes, logging out any user with a session opened in the UI. By continuously executing the failed login...

CVSS 7.5 | AI score 5.8
Exploits 0 | References 2

Prion
added 2017/09/20 8:29 p.m. | 12 views

Design/Logic Flaw

An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. When a failed login attempt is made to the login endpoint of the XML-RPC interface, if JavaScript code, properly encoded to be consumed by XML parsers, is embedded as value of the user element, the code will be rendered in the...

CVSS 4.3 | AI score 6.2 | EPSS 0.00356
Exploits 1 | References 3 | Affected Software 1

NVD
added 2017/09/20 8:29 p.m. | 10 views

CVE-2017-14616

An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. If a login attempt is made in the XML-RPC interface with an XML message containing an empty member element, the wgagent crashes, logging out any user with a session opened in the UI. By continuously executing the failed login...

CVSS 7.8 | AI score 7.5 | EPSS 0.00826
Exploits 1 | References 2

CVE
added 2017/09/20 8:0 p.m. | 53 views

CVE-2017-14616

WatchGuard Fireware before 12.0 is affected by CVE-2017-14616. The issue occurs in the XML-RPC login flow: sending an XML message with an empty member element causes the wgagent to crash, logging out any active UI session and, with repeated failed logins, making UI management unusable. Affected p...

CVSS 7.8 | AI score 7.5 | EPSS 0.00826
Exploits 1 | References 2 | Affected Software 1

CVE
added 2017/09/20 8:0 p.m. | 50 views

CVE-2017-14615

CVE-2017-14615 affects WatchGuard Fireware pre-12.0. An XML-RPC login endpoint issue allows JavaScript embedded in the user element to be rendered in the Web UI (Traffic Monitor: Events/All), causing a stored-XSS effect where subsequent events are hidden until a restart. Affected product: WatchGu...

CVSS 6.1 | AI score 6.5 | EPSS 0.00356
Exploits 1 | References 3 | Affected Software 1

Cvelist
added 2017/09/20 8:0 p.m. | 13 views

CVE-2017-14616

An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. If a login attempt is made in the XML-RPC interface with an XML message containing an empty member element, the wgagent crashes, logging out any user with a session opened in the UI. By continuously executing the failed login...

AI score 7.5 | EPSS 0.00826
Exploits 1 | References 2

Cvelist
added 2017/09/20 8:0 p.m. | 27 views

CVE-2017-14615

An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. When a failed login attempt is made to the login endpoint of the XML-RPC interface, if JavaScript code, properly encoded to be consumed by XML parsers, is embedded as value of the user element, the code will be rendered in the...

AI score 6.5 | EPSS 0.00356
Exploits 1 | References 3

Packet Storm
added 2017/09/19 12:0 a.m. | 77 views

Watchguard Firebox / XTM XML-RPC Empty Member Denial Of Service

Watchguard's Firebox and XTM are a series of enterprise grade network security appliances providing advanced security services like next generation firewall, intrusion prevention, malware detection and blockage and others. Two vulnerabilities were discovered affecting the XML-RPC interface of the...

CVSS 5 | AI score 5.4 | EPSS 0.11383
Exploits 2

Tenable Nessus
added 2017/09/18 12:0 a.m. | 44 views

GLSA-201709-06 : Supervisor: command injection vulnerability

The remote host is affected by the vulnerability described in GLSA-201709-06 (Supervisor: command injection vulnerability). A vulnerability in Supervisor was discovered in which an authenticated client could send malicious XML-RPC requests and supervisord will run them as shell commands with process...

CVSS 9 | AI score 8.4 | EPSS 0.93832
Exploits 10 | References 2

Gentoo Linux
added 2017/09/17 12:0 a.m. | 61 views

Supervisor: command injection vulnerability

Background: Supervisor is a client/server system that allows its users to monitor and control a number of processes on UNIX-like operating systems. Description: A vulnerability in Supervisor was discovered in which an authenticated client could send malicious XML-RPC requests and supervisord will r...

CVSS 9 | AI score 9 | EPSS 0.93832
Exploits 10

Metasploit
added 2017/08/30 2:10 a.m. | 56 views

Supervisor XML-RPC Authenticated Remote Code Execution

This module exploits a vulnerability in the Supervisor process control software, where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how...

CVSS 8.8 | AI score 0.7 | EPSS 0.93832
Exploits 10

CNVD
added 2017/08/29 12:0 a.m. | 1 view

Red Hat Satellite Directory Traversal Vulnerability

Red Hat Satellite is a suite of system management platforms from Red Hat, Inc. that can be used to extend Linux infrastructures and provide system management functions such as administration, configuration, and monitoring. A directory traversal vulnerability exists in the XMLRPC interface in Red...

CVSS 6.5 | AI score 6.7 | EPSS 0.00684
Exploits 0 | References 1

Prion
added 2017/08/23 2:29 p.m. | 23 views

Cross site request forgery (csrf)

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups...

CVSS 9 | AI score 8.4 | EPSS 0.93832
Exploits 10 | References 12 | Affected Software 4

NVD
added 2017/08/23 2:29 p.m. | 21 views

CVE-2017-11610

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups...

CVSS 9 | AI score 8.6 | EPSS 0.93832
Exploits 10 | References 12

UbuntuCve
added 2017/08/23 2:29 p.m. | 42 views

CVE-2017-11610

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups...

CVSS 9 | AI score 7.3 | EPSS 0.93832
Exploits 10 | References 2

OSV
added 2017/08/23 2:29 p.m. | 37 views

PYSEC-2017-41

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups...

CVSS 9 | AI score 7.6 | EPSS 0.93832
Exploits 10 | References 13