CVE-2020-12850

The following vulnerability applies only to the Pydio Cells Enterprise OVF version 2.0.4. Prior versions of the Pydio Cells Enterprise OVF such as version 2.0.3 have a looser policy restriction allowing the “pydio” user to execute any privileged command using sudo. In version 2.0.4 of the...

CVE-2020-12850

Affected product: Pydio Cells Enterprise OVF 2.0.4 (and related 2.0.x releases). The Red Hat/ENISA and CoreLabs advisories describe a set of vulnerabilities in the Pydio Cells 2.0.4 appliance that enable remote code execution, privilege escalation, and arbitrary file operations through multiple v...

Updated sudo packages fix security vulnerability

Updated sudo packages fix security vulnerabilities: It was found that sudo always allowed commands to be run with unknown user or group ids if the sudo configuration allowed it for example via the "ALL" alias. This could allow sudo to impersonate non-existent account and depending on how...

MGASA-2020-0246 Updated sudo packages fix security vulnerability

Updated sudo packages fix security vulnerabilities: It was found that sudo always allowed commands to be run with unknown user or group ids if the sudo configuration allowed it for example via the "ALL" alias. This could allow sudo to impersonate non-existent account and depending on how...

Impost3r - A Linux Password Thief

Impost3r is a tool that aim to steal many kinds of linux passwordsincluding ssh,su,sudo written by C. Attackers can use Impost3r to make a trap to steal the legal user's passwords XD This tool is limited to security research and teaching, and the user bears all legal and related responsibilities...

QuickBox Pro 2.1.8 CVE-2020-13448 - Remote Code Execution

CVE-2020-13448 QuickBox Pro versions 2.1.8 and below suffer from an authenticated remote code execution vulnerability. Exploit Title: QuickBox Pro 2.1.8 - Authenticated Remote Code Execution Date: 2020-05-26 Exploit Author: s1gh Vendor Homepage: https://quickbox.io/ Vulnerability Details:...

QuickBox Pro 2.1.8 Remote Code Execution

Exploit Title: QuickBox Pro 2.1.8 - Authenticated Remote Code Execution Date: 2020-05-26 Exploit Author: s1gh Vendor Homepage: https://quickbox.io/ Vulnerability Details: https://s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/ Version: = 2.1.8 Description: An authenticated low-privileged user...

CVE-2020-13695

In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/.db or /etc/shadow file...

CVE-2020-13695

In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/.db or /etc/shadow file...

Default credentials

In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/.db or /etc/shadow file...

CVE-2020-13695

CVE-2020-13695 affects QuickBox Community Edition up to 2.5.5 and QuickBox Pro up to 2.1.8. The local www-data user has passwordless sudo privileges to run grep as root, enabling an attacker to read sensitive files such as /root/*.db and /etc/shadow. This results in potential exposure of confiden...

CVE-2020-13695

In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/.db or /etc/shadow file...

CVE-2020-13694

In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the mysql -e option...

Design/Logic Flaw

In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the mysql -e option...

CVE-2020-13694

Technical details for CVE-2020-13694 are not provided in the connected documents; the available sources lack affected product/version/impact specifics beyond the initial description. Monitor for updates.

CVE-2020-13694

In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the mysql -e option...

QuickBox Pro 2.1.8 - Authenticated Remote Code Execution Exploit

Exploit for php platform in category web applications Exploit Title: QuickBox Pro 2.1.8 - Authenticated Remote Code Execution Exploit Author: s1gh Vendor Homepage: https://quickbox.io/ Vulnerability Details: https://s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/ Version: = 2.1.8 Description: ...

QuickBox Pro 2.1.8 - Authenticated Remote Code Execution

Exploit Title: QuickBox Pro 2.1.8 - Authenticated Remote Code Execution Date: 2020-05-26 Exploit Author: s1gh Vendor Homepage: https://quickbox.io/ Vulnerability Details: https://s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/ Version: = 2.1.8 Description: An authenticated low-privileged user...

NewStart CGSL CORE 5.04 / MAIN 5.04 : sudo Vulnerability (NS-SA-2020-0025)

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has sudo packages installed that are affected by a vulnerability: - In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. pwfeedback is ...

CVE-2020-11069

In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to...