LSoft ListServ < 16.5-2018a - Cross-Site Scripting

Exploit Title: LSoft ListServ 2. http://127.0.0.1/scripts/wa.exe?OK= References: 1. http://www.lsoft.com/manuals/16.5/LISTSERV16.5-2018aWhatsNew.pdf 2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15501...

WordPress Plugin UserPro 4.9.32 - Cross-Site Scripting

Exploit Title: UserPro https://github.com/cosenary/Instagram-PHP-API/blob/master/example/success.phpL36 Proof-of-Concept: https://domain.tld/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&errordescription=...

Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal

Nimble Streamer 3.0.2-2 to 3.5.4-9 - Path Traversal Exploit Author: MAYASEVEN Source at "https://mayaseven.com/nimble-directory-traversal-in-nimble-streamer-version-3-0-2-2-to-3-5-4-9/" Published on 08/04/2019 Vendor Homepage at "https://wmspanel.com/nimble" Affected Version 3.0.2-2 to 3.5.4-9...

LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'LibreOffice Macro Python Code Execution', 'Description' = %q LibreOffice comes bundled with sample macros written in Python and allows the abilit...

Nagios XI 5.6.5 - Remote Code Execution / Root Privilege Escalation

?php / A vulnerability exists in Nagios XI = 5.6.5 allowing an attacker to leverage an RCE to escalate privileges to root. The exploit requires access to the server as the 'nagios' user, or CCM access via the web interface with perissions to manage plugins. The getprofile.sh script, invoked by...

Cisco UCS Director, Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities

Multiple critical vulnerabilities in Cisco UCS Director, Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data Discovered by Pedro Ribeiro [email protected] from Agile Information Security...

Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)

Exploit Title: File disclosure in Pulse Secure SSL VPN metasploit Google Dork: inurl:/dana-na/ filetype:cgi Date: 8/20/2019 Exploit Author: 0xDezzy Justin Wagner, Alyssa Herrera Vendor Homepage: https://pulsesecure.net Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before...

WordPress Plugin Add Mime Types 2.2.1 - Cross-Site Request Forgery

Exploit Title: CSRF vulnerabilities in WP Add Mime Types Plugin...

QEMU - Denial of Service

include include include include include include include include include include include include include include include include include define diex do \ perrorx; \ exitEXITFAILURE; \ while0; // Constans define SRCADDR "10.0.2.15" define DSTADDR "10.0.2.2" define INTERFACE "ens3" define ETHHDRLEN ...

YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection

Exploit Title: YouPHPTube 7.3 SQL Injection Google Dork: / Date: 19.08.2019 Exploit Author: Fabian Mosch, r-tec IT Security GmbH Vendor Homepage: https://www.youphptube.com/ Software Link: https://github.com/YouPHPTube/YouPHPTube Version: 7.3 Tested on: Linux/Windows CVE : CVE-2019-14430 The...

Kimai 2 - Persistent Cross-Site Scripting

Exploit Title: Kimai 2- persistent cross-site scripting XSS Date: 07/15/2019 Exploit Author: osamaalaa Vendor Homepage: link Software Link: https://github.com/kevinpapst/kimai2 Fixed on Github : https://github.com/kevinpapst/kimai2/pull/962 Version: 2 1-Normal user will try to add timesheet from...

RAR Password Recovery 1.80 - 'User Name and Registration Code' Denial of Service

Exploit Title: RAR Password Recovery v1.80 Denial of Service Exploit Date: 16.08.2019 Vendor Homepage:https://www.top-password.com/ Software Link: https://www.top-password.com/download/RARPRSetup.exe Exploit Author: Achilles Tested Version: v1.80 Tested on: Windows 7 x64 Windows XP SP3 1.- Run...

Neo Billing 3.5 - Persistent Cross-Site Scripting

Exploit Title: Neo Billing 3.5 - Stored Cross Site Scripting Vulnerability Date: 18.8.2019. Exploit Author: n1x MS-WEB Vendor Homepage: https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547 Version: 3.5 CWE : CWE-79 CVE: CVE-2020-23518 Description Neo Billing os a...

Webmin 1.920 - Remote Code Execution

!/bin/sh CVE-2019-15107 Webmin Unauhenticated Remote Command Execution based on Metasploit module https://www.exploit-db.com/exploits/47230 Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html Alternative advisory spanish:...

Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure

Exploit Title: Fortinet FortiOS Leak file - Reading login/passwords in clear text. Google Dork: intext:"Please Login" inurl:"/remote/login" Date: 17/08/2019 Exploit Author: Carlos E. Vieira Vendor Homepage: https://www.fortinet.com/ Software Link:...

Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)

Exploit Title: Fortinet FortiOS Leak file - Reading login/passwords in clear text. Google Dork: intext:"Please Login" inurl:"/remote/login" Date: 17/08/2019 Exploit Author: Carlos E. Vieira Vendor Homepage: https://www.fortinet.com/ Software Link:...

GetGo Download Manager 6.2.2.3300 - Denial of Service

Exploit Title : GetGo Download Manager 6.2.2.3300 - Denial of Service Date: 2019-08-15 Author - Malav Vyas Vulnerable Software: GetGo Download Manager 6.2.2.3300 Vendor Home Page: www.getgosoft.com Software Link: http://www.getgosoft.com/getgodm/ Tested On: Windows 7 64Bit, Windows 10 64Bit Attac...

Integria IMS 5.0.86 - Arbitrary File Upload

Exploit Title: Integria IMS 5.0.86 - Arbitrary File Upload Date: 2019-08-16 Exploit Author: Greg.Priest Vendor Homepage: https://integriaims.com/ Software Link: https://sourceforge.net/projects/integria/files/5.0.86/ Version: Integria IMS 5.0.86 Tested on: Windows CVE : N/A...

Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion

Exploit Title: Joomla! component comjsjobs 1.2.6 - Arbitrary File Deletion Dork: inurl:"index.php?option=comjsjobs" Date: 2019-08-16 Exploit Author: qw3rTyTy Vendor Homepage: https://www.joomsky.com/ Software Link: https://www.joomsky.com/5/download/1 Version: 1.2.6 Tested on: Debian/nginx/joomla...

Web Wiz Forums 12.01 - 'PF' SQL Injection

Exploit Title: Web Wiz Forums 12.01 - 'PF' SQL Injection Date: 2019-09-16 Exploit Author: n1x MS-WEB Vendor Homepage: https://www.webwiz.net/web-wiz-forums/forum-downloads.htm Version: 12.01 Tested on Windows Vulnerable parameter: PF memberprofile.asp GET Request GET /memberprofile.asp?PF=10'...

EyesOfNetwork 5.1 - Authenticated Remote Command Execution

Exploit Title: EyesOfNetwork 5.1 - Authenticated Remote Command Execution Google Dork: N/A Date: 2019-08-14 Exploit Author: Nassim Asrir Vendor Homepage: https://www.eyesofnetwork.com/ Software Link: https://www.eyesofnetwork.com/?pageid=48&lang=fr Version: 5.1 "; while$read = fread$handle,100 ec...

Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- 2728.1fa8: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handling. This...

Adobe Acrobat Reader DC for Windows - Heap-Based Memory Corruption due to Malformed TTF Font

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- 4c84.1e3c: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handling. This...

Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- 3fb8.2ac4: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handling. This...

Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- 36ec.3210: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handling. This...

Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- 4970.179c: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handling. This...

Microsoft Font Subsetting - DLL Returning a Dangling Pointer via MergeFontPackage

-----===== Background =====----- The Microsoft Font Subsetting DLL fontsub.dll is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows G...

Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities

The msctf subsystem is part of the Text Services Framework, The TSF manages things like input methods, keyboard layouts, text processing and so on. There are two main components, the ctfmon server and the msctf client. The ctfmon service creates an ALPC port in a well known location, to which...

Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- 50a8.4100: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handling. This...

Microsoft Font Subsetting - DLL Heap Corruption in MakeFormat12MergedGlyphList

-----===== Background =====----- The Microsoft Font Subsetting DLL fontsub.dll is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows G...

Adobe Acrobat Reader DC for Windows - Static Buffer Overflow due to Malformed Font Stream

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- 188c.47fc: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handling. This...

Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in WriteTableFromStructure

-----===== Background =====----- The Microsoft Font Subsetting DLL fontsub.dll is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows G...

Microsoft Font Subsetting - DLL Heap Corruption in FixSbitSubTables

-----===== Background =====----- The Microsoft Font Subsetting DLL fontsub.dll is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows G...

Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream

We have observed the following crash in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- ======================================= VERIFIER STOP 00000007: pid 0x2C1C: Heap block already freed. 0C441000 : Heap handle for the heap owning the...

Microsoft Font Subsetting - DLL Heap Corruption in ReadAllocFormat12CharGlyphMapList

-----===== Background =====----- The Microsoft Font Subsetting DLL fontsub.dll is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows G...

Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in FixSbitSubTableFormat1

-----===== Background =====----- The Microsoft Font Subsetting DLL fontsub.dll is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows G...

Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in GetGlyphIdx

-----===== Background =====----- The Microsoft Font Subsetting DLL fontsub.dll is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows G...

Adobe Acrobat Reader DC for Windows - Use-After-Free due to Malformed JP2 Stream

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- 2040.5034: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handling. This...

Adobe Acrobat CoolType (AFDKO) - Call from Uninitialized Memory due to Empty FDArray in Type 1 Fonts

-----===== Background =====----- AFDKO Adobe Font Development Kit for OpenType is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType to some...

Microsoft Font Subsetting - DLL Double Free in MergeFormat12Cmap / MakeFormat12MergedGlyphList

-----===== Background =====----- The Microsoft Font Subsetting DLL fontsub.dll is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows G...

Adobe Acrobat CoolType (AFDKO) - Memory Corruption in the Handling of Type 1 Font load/store Operators

-----===== Background =====----- AFDKO Adobe Font Development Kit for OpenType is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType to some...

NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String

There is an info leak when decoding the SGBigUTF8String class using SGBigUTF8String initWithCoder:. This class initializes the string using SGBigUTF8String initWithUTF8DataNullTerminated: even though there is no guarantee the bytes provided to the decoder are null terminated. It should use...

Microsoft Font Subsetting - DLL Heap Corruption in ReadTableIntoStructure

-----===== Background =====----- The Microsoft Font Subsetting DLL fontsub.dll is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows G...

Adobe Acrobat Reader DC for Windows - Heap-Based Out-of-Bounds read due to Malformed JP2 Stream

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- 180c.327c: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handling. This...

Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection

Exploit Title: Joomla! component comjsjobs - 'customfields.php' SQL Injection Dork: inurl:"index.php?option=comjsjobs" Date: 13.08.19 Exploit Author: qw3rTyTy Vendor Homepage: https://www.joomsky.com/ Software Link: https://www.joomsky.com/5/download/1 Version: 1.2.5 Tested on: Debian/nginx/jooml...

D-Link DIR-600M - Authentication Bypass (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'CVE-2019-13101 D-Link DIR-600M Incorrect Access Control', 'Description' = %q This module attempts to find D-Link router DIR-600M which is...

Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion

/ Author : Abdelhamid Naceri Discovered On : 13/08/2019 Description : An Elevation Of Privileges Exist when the microsoft AppXSvc Deployment Service Cannot Properly Handle The Folder Junction lead to an arbitrary file deletion from a low integrity user . Still Unpatched On 13/08/2019 Here Is A De...

ManageEngine opManager 12.3.150 - Authenticated Code Execution

!/usr/bin/env python3 Exploit Title: ManageEngine opManager Authenticated Code Execution Google Dork: N/A Date: 08/13/2019 Exploit Author: @kindredsec Vendor Homepage: https://www.manageengine.com/ Software Link: https://www.manageengine.com/network-monitoring/download.html Version: 12.3.150 Test...

Microsoft Windows PowerShell - Unsanitized Filename Command Execution

''' + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt + ISR: Apparition Security Vendor www.microsoft.com Product Windows PowerShell Windows PowerShell...

SugarCRM Enterprise 9.0.0 - Cross-Site Scripting

Exploit Title: 0Day UnauthenticatedXSS SugarCRM Enterprise Google Dork: N/A Date: 11.08.2019 Exploit Author: Ilca Lucian Florin Vendor Homepage: https://www.sugarcrm.com Version: 9.0.0 Tested on: Windows 7 / Internet Explorer 11 / Google Chrome 76 CVE : 2019-14974 The application fails to sanitiz...