47904 matches found
Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition
/ The Siemens R3964 line discipline code in drivers/tty/nr3964.c has a few races around its ioctl handler; for example, the handler for R3964ENABLESIGNALS just allocates and deletes elements in a linked list with zero locking. This code is reachable by an unprivileged user if the line discipline ...
Ross Video DashBoard 8.5.1 - Insecure Permissions
Ross Video DashBoard 8.5.1 Insecure Permissions Vendor: Ross Video Ltd. Product web page: https://www.rossvideo.com Affected version: 8.5.1 Summary: DashBoard is a free and open platform from Ross Video for facility control and monitoring that enables users to quickly build unique, tailored Custo...
systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit
As documented at , for any action, a polkit policy can specify separate levels of required authentication based on whether a client is: - in an active session on a local console - in an inactive session on a local console - or neither This is expressed in the policy using the elements "allowany",...
UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting
Exploit Title: UliCMS - 2019.2 , 2019.1 - Multiple Cross-Site Scripting Google Dork: intext:"by UliCMS" Exploit Author: Kağan EĞLENCE Vendor Homepage: https://en.ulicms.de/ Version: 2019.2 , 2019.1 CVE : CVE-2019-11398 Vulnerability 1 Url :...
74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User)
Exploit Title: 74CMS v5.0.1 has a CSRF vulnerability to add a new admin user Date: 2019-04-14 Exploit Author: ax8 Vendor Homepage: https://github.com/Li-Siyuan Software Link: http://www.74cms.com/download/index.html Version: v5.0.1 CVE : CVE-2019-11374 74CMS v5.0.1 has a CSRF vulnerability to add...
LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)
!/usr/bin/python Exploit Title: LabF nfsAxe 3.7 Ping Client - Buffer Overflow Vanilla Date: 20-04-2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: http://www.labf.com/nfsaxe Version: 3.7 Software Link : http://www.labf.com/download/nfsaxe.exe Contact: [email protected]...
ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "ManageEngine Applications Manager %q This module exploits sqli and command injection vulnerability in the ManageEngine AM 14 and prior versions. I...
Msvod 10 - Cross-Site Request Forgery (Change User Information)
Exploit Title: Msvod v10 has a CSRF vulnerability to change user information Date: 2019-04-14 Exploit Author: ax8 Vendor Homepage: https://github.com/Li-Siyuan Software Link: https://www.msvodx.com/ Version: v10 CVE : CVE-2019-11375 Msvod v10 has a CSRF vulnerability to change user information vi...
Ease Audio Converter 5.30 - '.mp4' Denial of Service (PoC)
Exploit Title: Ease Audio Converter 5.30 Audio Cutter Dos Exploit Date: 19.04.19 Vendor Homepage:http://www.audiotool.net/download.htm Software Link: http://www.audiotool.net/download/audioconverter.exe Exploit Author: Achilles Tested Version: 5.30 Tested on: Windows 7 x64 Sp1 1.- Run the python...
QNAP myQNAPcloud Connect 1.3.4.0317 - 'Username/Password' Denial of Service
!/usr/bin/python Exploit Title: QNAP myQNAPcloud Connect "Username/Password" DOS Date: 19/04/2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: https://www.qnap.com Version: 1.3.4.0317 and below are vulnerable Software Link: https://www.qnap.com/en/utilities/essentials Contact...
Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-Memory in Invalid Table Size Denial of Service (PoC)
var arr1 = 0,1; function ObjCreatemake this.make = make; var obj1 = new ObjCreate; function main arr1.reducef3; Object.getOwnPropertyDescriptorsArray99.joinobj1.make; function f3 obj1"make" = RegExpArray60000.join"CCC";...
WordPress Plugin Contact Form Builder 1.0.67 - Cross-Site Request Forgery / Local File Inclusion
Exploit Title: Contact Form Builder CSRF → LFI Date: 2019-03-17 Exploit Author: Panagiotis Vagenas Vendor Homepage: http://web-dorado.com/ Software Link: https://wordpress.org/plugins/contact-form-builder Version: 1.0.67 Tested on: WordPress 5.1.1 Description ----------- Plugin implements the...
Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Atlassian Confluence Widget Connector Macro Velocity Template Injection", 'Description' = %q Widget Connector Macro is part of Atlassian Confluen...
SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SystemTap MODPROBEOPTIONS Privilege Escalation', 'Description' = %q This module attempts to gain root privileges by exploiting a vulnerability in...
Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection
Exploit Title: XXE in Oracle Business Intelligence and XML Publisher Date: 16.04.19 Exploit Author: @vah13 Vendor Homepage: http://oracle.com Software Link: https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Tested...
Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal
Exploit Title: Directory traversal in Oracle Business Intelligence Date: 16.04.19 Exploit Author: @vah13 Vendor Homepage: http://oracle.com Software Link: https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Tested on...
Evernote 7.9 - Code Execution via Path Traversal
Exploit Title: Code execution via path traversal Date: 17-04-2019 Exploit Author: Dhiraj Mishra Vendor Homepage: http://evernote.com/ Software Link: https://evernote.com/download Version: 7.9 Tested on: macOS Mojave v10.14.4 CVE: CVE-2019-10038 References:...
ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "ManageEngine Applications Manager 11.0 %q This module exploits sql and command injection vulnerability in the ManageEngine AM 14 and prior version...
LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'LibreOffice Macro Code Execution', 'Description' = %q LibreOffice comes bundled with sample macros written in Python and allows the ability to bi...
Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference (PoC)
Exploit Title: Netwide Assembler NASM 2.14rc15 NULL Pointer Dereference PoC Date: 2018-09-05 Exploit Author: Fakhri Zulkifli Vendor Homepage: https://www.nasm.us/ Software Link: https://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D Version: 2.14rc15 and earlier Tested on: 2.14rc15 CVE :...
MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow
!/usr/bin/python Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "RETR" commandPOP3 Date: 16/04/2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: https://www.tabslab.com/ Version: 2.51 Software Link: N.A Contact: [email protected] Twitter: @telspacesyste...
Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID
A heap corruption was observed in Oracle Java Runtime Environment version 8u202 latest at the time of this writing while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following or similar crash: --- cut --- $ bin/java -cp . DisplaySfntFont test.ttf Iteratio...
DHCP Server 2.5.2 - Denial of Service (PoC)
Exploit Title: DHCP Server 2.5.2 - Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-04-16 Vendor Homepage: http://www.dhcpserver.de/cms/ Software Link: http://www.dhcpserver.de/cms/wp-content/plugins/download-attachments Tested Version: 2.5.2 Tested on: Windows 7 x32...
ASUS HG100 - Denial of Service
Exploit Title:ASUS HG100 devices denial of serviceDOS via IPv4 packets/SlowHTTPDOS Date: 2019-04-14 Exploit Author: YinT Wang; Vendor Homepage: www.asus.com Version: Hardware version: HG100 、Firmware version: 1.05.12 Tested on: Currnet 1.05.12 CVE : CVE-2018-11492 1. Description The attack at sam...
Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4
A heap corruption was observed in Oracle Java Runtime Environment version 8u202 latest at the time of this writing while fuzz-testing the processing of TrueType, implemented in a proprietary t2k library. It manifests itself in the form of the following or similar crash: --- cut --- $ bin/java -cp...
PCHelpWare V2 1.0.0.5 - 'SC' Denial of Service (PoC)
-- coding: utf-8 -- Exploit Title: PCHelpWareV2 1.0.0.5 - 'SC' Denial of Service PoC Date: 15/04/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.uvnc.com/home.html Software Link: http://www.uvnc.eu/download/pchw2/PCHelpWareV2.msi Version: 1.0.0.5 Tested on: Windows 10 Proof of Concept...
PCHelpWare V2 1.0.0.5 - 'Group' Denial of Service (PoC)
-- coding: utf-8 -- Exploit Title: PCHelpWareV2 1.0.0.5 - 'Group' Denial of Service PoC Date: 15/04/2019 Author: Alejandra Sánchez Vendor Homepage: https://www.uvnc.com/home.html Software Link: http://www.uvnc.eu/download/pchw2/PCHelpWareV2.msi Version: 1.0.0.5 Tested on: Windows 10 Proof of...
Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation
Windows: LUAFV Delayed Virtualization Cache Manager Poisoning EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The LUAFV driver can confuse the cache and memory manager to replace the...
Microsoft Windows 10 1809 - LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation
Windows: LUAFV LuafvCopyShortName Arbitrary Short Name EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The LUAFV driver bypasses security checks to copy short names during file...
Microsoft Windows 10 1809 - LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation
Windows: LUAFV Delayed Virtualization MAXIMUMACCESS DesiredAccess EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The LUAFV driver reuses the file’s create request DesiredAccess paramete...
Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) - Privilege Escalation
Exploit Title: Zoho ManageEngine ADManager Plus 6.6 Build 6659 Privilege Escalation Date: 15th April 2019 Exploit Author: Digital Interruption Vendor Homepage: https://www.manageengine.co.uk/ Version: 6.6 Build 6658 Tested on: Windows Server 2012 R2 CVE : CVE-2018-19374 Due to weak permissions...
AdminExpress 1.2.5 - 'Folder Path' Denial of Service (PoC)
-- coding: utf-8 -- !/usr/bin/python Exploit Title: AdminExpress 1.2.5 - Denial of Service PoC Date: 2019-04-12 Exploit Author: Mücahit İsmail Aktaş Software Link: https://admin-express.en.softonic.com/ Version: 1.2.5.485 Tested on: Windows XP Professional SP2 Description: 1 Click the "System...
Zyxel ZyWall 310 / ZyWall 110 / USG1900 / ATP500 / USG40 - Login Page Cross-Site Scripting
Exploit Title: Reflected XSS on Zyxel login pages Date: 10 Apr 2019 Exploit Author: Aaron Bishop Vendor Homepage: https://www.zyxel.com/us/en/ Version: V4.31 Tested on: ZyWall 310, ZyWall 110, USG1900, ATP500, USG40 - weblogin.cgi, webauthrelogin.cgi CVE : 2019-9955 1. Description ==============...
Joomla! Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion
Exploit Title: Joomla Core 1.5.0 through 3.9.4 - Directory Traversal && Authenticated Arbitrary File Deletion Date: 2019-March-13 Exploit Author: Haboob Team Web Site: haboob.sa Email: [email protected] Software Link: https://www.joomla.org/ Versions: Joomla 1.5.0 through Joomla 3.9.4 CVE :...
Microsoft Windows 10 1809 / 1709 - CSRSS SxSSrv Cached Manifest Privilege Escalation
Windows: CSRSS SxSSrv Cached Manifest EoP Platform: Windows 10 1809, 1709 Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary and others Summary: The SxS manifest cache in CSRSS uses a weak key allowing an attacker to fill a cache entry for a syste...
Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation
Windows: LUAFV Delayed Virtualization Cross Process Handle Duplication EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The LUAFV driver doesn’t take into account a virtualized handle bei...
Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass
Windows: LUAFV NtSetCachedSigningLevel Device Guard Bypass Platform: Windows 10 1809 not tested earlier. Note I’ve not tested this on Windows 10 SMode. Class: Security Feature Bypass Summary: The NtSetCachedSigningLevel system call can be tricked by the operation of LUAFV to apply a cached...
Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation
Windows: LUAFV PostLuafvPostReadWrite SECTIONOBJECTPOINTERS Race Condition EoP Platform: Windows 10 1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User boundary Summary: The LUAFV driver has a race condition in the LuafvPostReadWrite...
MailCarrier 2.51 - POP3 'TOP' SEH Buffer Overflow
!/usr/bin/python Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "TOP" commandPOP3 Date: 14/04/2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: https://www.tabslab.com/ Version: 2.51 Software Link: N.A Contact: [email protected] Twitter: @telspacesystem...
Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework linux/armle/meterpreter/bindtcp - segfault linux/armle/meterpreter/reversetcp - segfault linux/armle/meterpreterreversehttp - works linux/armle/meterpreterreversehttps -...
UltraVNC Viewer 1.2.2.4 - 'VNC Server' Denial of Service (PoC)
Exploit Title: UltraVNC Viewer 1.2.2.4 - Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-04-14 Vendor Homepage: https://www.uvnc.com/ Software Link: https://www.uvnc.com/downloads/ultravnc/126-download-ultravnc-1224.html Tested Version: 1.2.2.4 Tested on: Windows 7 x64...
UltraVNC Launcher 1.2.2.4 - 'Path' Denial of Service (PoC)
Exploit Title: UltraVNC Launcher 1.2.2.4 - Denial of Service PoC Discovery by: Victor Mondragón Discovery Date: 2019-04-14 Vendor Homepage: https://www.uvnc.com/ Software Link: https://www.uvnc.com/downloads/ultravnc/126-download-ultravnc-1224.html Tested Version: 1.2.2.4 Tested on: Windows 7 x64...
MailCarrier 2.51 - POP3 'USER' Buffer Overflow
!/usr/bin/python Exploit Title: MailCarrier 2.51 - Remote Buffer Overflow in "USER" commandPOP3 Date: 14/04/2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: https://www.tabslab.com/ Version: 2.51 Software Link: N.A Contact: [email protected] Twitter: @telspacesystems...
MailCarrier 2.51 - POP3 'LIST' SEH Buffer Overflow
!/usr/bin/python Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "LIST" commandPOP3 Date: 14/04/2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: https://www.tabslab.com/ Version: 2.51 Software Link: N.A Contact: [email protected] Twitter: @telspacesyste...
RemoteMouse 3.008 - Arbitrary Remote Command Execution
Exploit Title: Remote Mouse 3.008 - Failure to Authenticate Date: 2019-09-04 Exploit Author: 0rphon Software Link: https://www.remotemouse.net/ Version: 3.008 Tested on: Windows 10 Remote Mouse 3.008 fails to check for authenication and will execute any command any machine gives it This script po...
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "CuteNews 2.1.2 - 'avatar' Remote Code Execution", 'Description' = %q This module exploits a command execution vulnerability in CuteNews prior to...
MailCarrier 2.51 - 'RCPT TO' Buffer Overflow
!/usr/bin/python Exploit Title: MailCarrier 2.51 'RCPT TO' - Buffer Overflow Remote Date: 12/04/2019 Exploit Author: Dino Covotsos - Telspace Systems Vendor Homepage: https://www.tabslab.com/ Version: 2.51 Software Link: N.A Contact: [email protected] Twitter: @telspacesystems Greets to the...
DirectAdmin 1.561 - Multiple Vulnerabilities
Title: DirectAdmin Multiple Vulnerabilities to Takeover the Server = v1.561 Date: 12.04.2019 Author: InfinitumIT Vendor Homepage: https://www.directadmin.com/ Version: Up to v1.561. CVE: CVE-2019-11193 [email protected] && infinitumit.com.tr Description: Multiple security vulnerabilities ha...
CyberArk EPM 10.2.1.603 - Security Restrictions Bypass
Exploit Title: CyberArk Endpoint bypass Google Dork: - Date: 03/06/2018 Exploit Author: Alpcan Onaran, Mustafa Kemal Can Vendor Homepage: https://www.cyberark.com Software Link: - Version: 10.2.1.603 Tested on: Windows 10 CVE : CVE-2018-14894 //If user needs admin privileges, CyberArk gives the...
Microsoft Windows - Contact File Format Arbitary Code Execution (Metasploit)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'fileutils' require 'rex/zip' class MetasploitModule 'Microsoft Windows Contact File Format Arbitary Code Execution', 'Description' = %q This vulnerability allow...