250 matches found
Croogo 3.0.2 - Remote Code Execution (Authenticated) Vulnerability
Exploit Title: Croogo 3.0.2 - Remote Code Execution Authenticated Exploit Author: Deha Berkin Bir Vendor Homepage: https://croogo.org/ Software Link: https://downloads.croogo.org/v3.0.2.zip Version: 3.0.2 Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3 == Tutorial $command"; ? ...
TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)
Exploit Title: TextPattern CMS 4.8.7 - Remote Command Execution RCE Authenticated Date: 2021/09/06 Exploit Author: Mert Daş [email protected] Software Link: https://textpattern.com/filedownload/113/textpattern-4.8.7.zip Software web: https://textpattern.com/ Tested on: Server: Xampp First of...
CVE-2021-39459
Remote code execution in the modules component in Yakamara Media Redaxo CMS version 5.12.1 allows an authenticated CMS user to execute code on the hosting system via a module containing malicious PHP code...
TextPattern CMS 4.8.7 Remote Command Execution
Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution Authenticated Date : 2021/09/06 Exploit Author : Mert Daş [email protected] Software Link : https://textpattern.com/filedownload/113/textpattern-4.8.7.zip Software web : https://textpattern.com/ Tested on: Server : Xampp First ...
Unspecified Vulnerability in Nagios
Nagios is a set of open source and free network monitoring tools from the American company Nagios. A security vulnerability exists in Nagios Fusion version 4.1.8 and earlier, which can be exploited by an attacker to escalate privileges to Nagios by installing a malicious component containing PHP...
CVE-2020-19364
OpenEMR 5.0.1 allows an authenticated attacker to upload and execute malicious PHP scripts through /controller.php...
CVE-2020-19364
OpenEMR 5.0.1 allows an authenticated attacker to upload and execute malicious PHP scripts through /controller.php...
Design/Logic Flaw
In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username & password. After that, when attacker logs in to the application, attacker's code will be run. As a result of this vulnerability, authenticated user can run command on the server...
Unrestricted File Upload
concrete5/concrete5 allows unrestricted file uploads. An attacker is able to upload a malicious PHP file with a file extension such as .phar, which would cause the server to execute PHP codes within the file under the context of the server...
Baldr Botnet Panel Shell Upload Exploit
This module exploits an arbitrary file upload vulnerability within the Baldr stealer malware control panel when uploading victim log files which are uploaded as ZIP files. Attackers can turn this vulnerability into an RCE by first registering a new bot to the panel and then uploading a ZIP file...
CVE-2020-5844
index.php?sec=godmode/extensions&sec2=extensions/filesrepo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742FIXPERL2020...
CVE-2020-5844
index.php?sec=godmode/extensions&sec2=extensions/filesrepo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742FIXPERL2020...
CVE-2020-5844
Pandora FMS v7.0 NG (specifically v7.0NG.742_FIX_PERL2020) is affected by CVE-2020-5844. The vulnerability resides at index.php?sec=godmode/extensions&sec2=extensions/files_repo, where authenticated administrators can upload arbitrary PHP scripts and trigger execution by base64-decoding the file ...
Path traversal
A remote code execution RCE vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users'photoppreview' delete photo feature, allowing bypass of .htaccess protection...
CVE-2019-14467
The Social Photo Gallery plugin 1.0 for WordPress allows Remote Code Execution by creating an album and attaching a malicious PHP file in the cover photo album, because the file extension is not checked...
Code injection
In YouPHPTube 7.4, the file install/checkConfiguration.php has no access control, which leads to everyone being able to edit the configuration file, and insert malicious PHP code...
CVE-2019-16124
In YouPHPTube 7.4, the file install/checkConfiguration.php has no access control, which leads to everyone being able to edit the configuration file, and insert malicious PHP code...
CVE-2019-3960
Unrestricted upload of file with dangerous type in WallacePOS 1.4.3 allows a remote, authenticated attacker to execute arbitrary code by uploading a malicious PHP file...
Rare Steganography Hack Can Compromise Fully Patched Websites
An unusual steganographic technique that an attacker can use to implant a malicious webshell on unsuspecting websites has been spotted in Latin America. According to research from Trustwave shared exclusively with Threatpost, a forensic investigation showed that an adversary is implanting PHP cod...
CVE-2019-9642
An issue was discovered in proxy.php in pydio-core in Pydio through 8.2.2. Through an unauthenticated request, it possible to evaluate malicious PHP code by placing it on the fourth line of a .php file, as demonstrated by a PoC.php created by the guest account, with execution via a...