309 matches found
HTTPS Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an x64 payload from an HTTPS server. Connect back to attacker and spawn a command shell Module Options msf > use payload/cmd/linux/https/x64/shell_reverse_tcp msf payload(shell_reverse_tcp) > show actions ...actions... msf payload(shell_reverse_tcp) > set ACTION msf payload(shell_reverse_tcp) > show...
HTTPS Fetch, Linux x64 Pingback, Bind TCP Inline
Fetch and execute an x64 payload from an HTTPS server. Accept a connection from attacker and report UUID (Linux x64) Module Options msf > use payload/cmd/linux/https/x64/pingback_bind_tcp msf payload(pingback_bind_tcp) > show actions ...actions... msf payload(pingback_bind_tcp) > set ACTION msf...
HTTPS Fetch, Linux x64 Pingback, Reverse TCP Inline
Fetch and execute an x64 payload from an HTTPS server. Connect back to attacker and report UUID (Linux x64) Module Options msf > use payload/cmd/linux/https/x64/pingback_reverse_tcp msf payload(pingback_reverse_tcp) > show actions ...actions... msf payload(pingback_reverse_tcp) > set ACTION msf...
HTTP Fetch, Reverse SCTP Stager
Fetch and execute an x64 payload from an HTTP server. Connect back to the attacker Module Options msf > use payload/cmd/linux/http/x64/meterpreter/reverse_sctp msf payload(reverse_sctp) > show actions ...actions... msf payload(reverse_sctp) > set ACTION msf payload(reverse_sctp) > show options ...show and set...
Design/Logic Flaw
An issue was discovered in KaiOS 3.0. The pre-installed Communications application exposes a Web Activity that returns the user's call log without origin or permission checks. An attacker can inject a JavaScript payload that runs in a browser or app without user interaction or consent. This allow...
CVE-2023-27108
An issue was discovered in KaiOS 3.0. The pre-installed Communications application exposes a Web Activity that returns the user's call log without origin or permission checks. An attacker can inject a JavaScript payload that runs in a browser or app without user interaction or consent. This allow...
Joomla! v4.2.8 - Unauthenticated information disclosure
#!/usr/bin/env ruby Exploit Title: Joomla! v4.2.8 - Unauthenticated information disclosure Exploit author: noraj (Alexandre ZANNI) for ACCEIS https://www.acceis.fr Author website: https://pwn.by/noraj/ Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752 Date: 2023-03-24 Vendor Homepage:...
Gallery Blocks with Lightbox < 3.0.8 - Subscriber+ Arbitrary Options Update
The plugin has an AJAX endpoint that can be accessed by any authenticated users, such as subscriber. The callback function allows numerous actions, the most serious one being reading and updating the WordPress options which could be used to enable registration with a default administrator user...
SUSE CVE-2018-14350
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/message.c has a stack-based buffer overflow for a FETCH response with a long INTERNALDATE field...
WPCode < 2.0.7 - Contributor+ WPCode Library Auth Key Update/Deletion
The plugin does not have adequate privilege checks in place for several AJAX actions, only checking the nonce. This may allow any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication, such as updating and deleting the auth key. As a contributo...
GSD-2023-1000604 ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value
ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v6.0.16 by commit...
User Verification < 1.0.94 - Authentication Bypass
The plugin was affected by an Auth Bypass security vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrative role on the website...
Link Preload XSS bypass
Description Link preloads still do not effectively confirm whether the requested link is external. This is a bypass of the fix for CVE-2022-4414. Root Cause The getPayloadURL function was adapted after the disclosure to use the browser's built-in URL parser to properly check for a valid URL. This is a...
Cross site request forgery (csrf)
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch(). fetch() requests with Content-Type's essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could...
CVE-2022-41919 Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch(). fetch() requests with Content-Type's essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could...
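The CSRF class described in the Fastify entry above hinges on one rule from the Fetch standard: a cross-origin fetch() skips the CORS preflight when the Content-Type's essence (type/subtype, parameters stripped) is one of the three safelisted values, so a JSON-only route that still parses such a body is reachable from any web page. The snippet below is an added example, not Fastify's own code or the exact header used in the advisory: it implements essence extraction, the safelist test, and a loose "mentions application/json" check beside a strict essence comparison, then lists which constructed headers are no-preflight requests that each check would still accept as JSON.

```javascript
// Added example (not Fastify's code). Demonstrates why a route that "only
// accepts application/json" must compare the Content-Type *essence* rather
// than search the header for a substring.
//
// Fetch standard: a cross-origin fetch() sends no CORS preflight when the
// Content-Type essence is one of these three "CORS-safelisted" values.
const CORS_SAFELISTED = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Essence = type/subtype, lower-cased, with all parameters removed.
function contentTypeEssence(header) {
  if (typeof header !== "string") return "";
  return header.split(";")[0].trim().toLowerCase();
}

// True when a browser would send the request without a preflight.
function skipsPreflight(header) {
  return CORS_SAFELISTED.has(contentTypeEssence(header));
}

// Anti-pattern: accepts any header that merely *contains* the JSON type.
function looseAcceptsJson(header) {
  return typeof header === "string" &&
    header.toLowerCase().includes("application/json");
}

// Correct check: the essence itself must be application/json.
function strictAcceptsJson(header) {
  return contentTypeEssence(header) === "application/json";
}

// Constructed sample headers (not taken from the advisory). The fourth one
// has a safelisted essence; the text after ";" is a malformed parameter
// that browsers ignore, so it goes out without a preflight.
const SAMPLES = [
  "application/json",
  "application/json; charset=utf-8",
  "text/plain",
  "text/plain; application/json",
  "application/x-www-form-urlencoded",
];

// A header is a CSRF vector against a JSON-only route when the browser
// sends it without preflight AND the server still treats it as JSON.
function csrfVectors(acceptsJson, samples = SAMPLES) {
  return samples.filter((h) => skipsPreflight(h) && acceptsJson(h));
}

function classify(header) {
  return {
    header,
    essence: contentTypeEssence(header),
    noPreflight: skipsPreflight(header),
    looseJson: looseAcceptsJson(header),
    strictJson: strictAcceptsJson(header),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const h of SAMPLES) console.log(classify(h));
  console.log("loose parser, no-preflight JSON bodies:", csrfVectors(looseAcceptsJson));
  console.log("strict parser, no-preflight JSON bodies:", csrfVectors(strictAcceptsJson));
}
```

Run it with `node` to see the table; only the loose check accepts a safelisted header as JSON. The strict check is necessary but not sufficient on its own: routes that change state should also verify an Origin header or a CSRF token, since the same-origin policy never blocks the request from being sent, only (after preflight) from being read.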
CVE-2022-45411
Cross-Site Tracing occurs when a server echoes a request back via the TRACE method, allowing an XSS attack to access authorization headers and cookies inaccessible to JavaScript, such as cookies protected by HttpOnly. To mitigate this attack, browsers placed limits on fetch and XMLHttpReques...
Blog2Social < 6.9.10 - Subscriber+ SQLi
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers. PoC: Run the script below in the web browser console while being logged in as a subscriber and on the Blog2Social...
Visual Portfolio < 2.19.0 - Contributor+ CSS Injection
The plugin does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts. The postid is the ID of a saved layout. As a contributor, get a REST nonce via...
[SECURITY] Fedora 36 Update: meg-0.2.4-6.fc36
Fetch many paths for many hosts without killing the hosts...