41207 matches found
Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation
Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation Exploit Title: Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation Date: 2019-11-22 Exploit Author: Abdelhamid Naceri Vendor Homepage: www.microsoft.com Tested on: Windows 10 1903 CVE : CVE-2019-1385 Windows:...
WebKit - Universal XSS in WebCore::command
WebKit - Universal XSS in WebCore::command frame = document-frame; if !frame || frame-document != document // 1 return Editor::Command; document-updateStyleIfNeeded; // 2 return frame-editor.commandcommandName, userInterface ? CommandFromDOMWithUserInterface : CommandFromDOM; bool...
EyesOfNetwork 5.1 - Authenticated Remote Command Execution
EyesOfNetwork 5.1 - Authenticated Remote Command Execution Exploit Title: EyesOfNetwork 5.1 - Authenticated Remote Command Execution Google Dork: N/A Date: 2019-08-14 Exploit Author: Nassim Asrir Vendor Homepage: https://www.eyesofnetwork.com/ Software Link:...
SAP Crystal Reports - Information Disclosure
SAP Crystal Reports - Information Disclosure Exploit Title: Sensitive Information Disclosure in SAP Crystal Reports Date: 2019-04-10 Exploit Author: Mohamed M.Fouad - From SecureMisr Company Vendor Homepage: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114 Version: SAP Crystal...
Thunderbird ESR 60.7.XXX - parser_get_next_char Heap-Based Buffer Overflow
Thunderbird ESR 60.7.XXX - parser_get_next_char Heap-Based Buffer Overflow X41 D-Sec GmbH Security Advisory: X41-2019-002 Heap-based buffer overflow in Thunderbird ========================================= Severity Rating: High Confirmed Affected Versions: All versions affected Confirmed Patched...
SOCA Access Control System 180612 - Information Disclosure
SOCA Access Control System 180612 - Information Disclosure SOCA Access Control System 180612 Information Disclosure Vendor: SOCA Technology Co., Ltd Product web page: http://www.socatech.com Affected version: 180612, 170000 and 141007 Summary: The company's products include proximity and...
Crestron AM / Barco wePresent WiPG / Extron ShareLink / Teq AV IT / SHARP PN-L703WA / Optoma WPS-Pro / Blackbox HD WPS / InFocus LiteShow - Remote Command Injection
Crestron AM / Barco wePresent WiPG / Extron ShareLink / Teq AV IT / SHARP PN-L703WA / Optoma WPS-Pro / Blackbox HD WPS / InFocus LiteShow - Remote Command Injection Exploit Title: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection Date: 05/01/2019 Exploit Author: Jacob Baines Tested on:...
Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery
Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery IWR 3000N - CSRF on authenticated administrator Exploit! Click the button to get the login and password. function exploit $.get "http://localhost:80/v1/system/user" .done data = alert data ; .failfunction err, status alert status ; ;...
i-doit 1.12 - qr.php Cross-Site Scripting
i-doit 1.12 - qr.php Cross-Site Scripting Exploit Title: i-doit 1.12 Cross Site Scripting on qr.php file Date: 28-03-2019 Software Link: https://www.i-doit.org/ Version: 1.12 Exploit Author: BlackFog Team Contact: [email protected] Website: https://securelayer7.net Category: webapps Tested on...
Advanced Host Monitor 11.92 beta - Local Buffer Overflow
Advanced Host Monitor 11.92 beta - Local Buffer Overflow !/usr/bin/env python ------------------------------------------------------------------------------------------------------------------------------------ Exploit: Advanced Host Monitor 11.92 beta - Local Buffer Overflow EggHunter Date:...
Indusoft Web Studio 8.1 SP2 - Remote Code Execution
Indusoft Web Studio 8.1 SP2 - Remote Code Execution Exploit Title: Indusoft Web Studio Unauthenticated RCE Date: 02/04/2019 Exploit Author: Jacob Baines Vendor Homepage: http://www.indusoft.com/ Software http://www.indusoft.com/Products-Downloads/Download-Library Version: 8.1 SP2 and below Tested...
Rundeck Community Edition 3.0.13 - Persistent Cross-Site Scripting
Rundeck Community Edition 3.0.13 - Persistent Cross-Site Scripting Exploit Title: Rundeck Community Edition before 3.0.13 Multiple Stored XSS Vendor Homepage: https://www.rundeck.com/open-source Software Link: https://docs.rundeck.com/downloads.html Exploit Author: Ishaq Mohammed Contact:...
FortiGate FortiOS 6.0.3 - LDAP Credential Disclosure
FortiGate FortiOS 6.0.3 - LDAP Credential Disclosure /usr/bin/python3 """ CVE-2018-13374 Published by Julio Ureña PlainText Twitter: @JulioUrena Blog Post: https://plaintext.do/My-1st-CVE-Capture-LDAP-Credentials-From-FortiGate-EN/ Reference: https://fortiguard.com/psirt/FG-IR-18-157 Example:...
NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID Clear Text Password Storage
NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID Clear Text Password Storage ''' + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/NEC-UNIVERGE-WEBPRO-v6.00-PREDICTABLE-SESSIONID-CLEARTEXT-PASSWORDS.txt + ISR: ApparitionSec...
Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection
Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection Exploit Title: Microsoft SQL Server Management Studio 17.9 - XML External Entity Injection Date: 2018-10-10 Author: John Page aka hyp3rlinx Website: hyp3rlinx.altervista.org Vendor: www.microsoft.com Software: SQL Server...
Chrome OS 10820.0.0 dev-channel - app-VM via garcon TCP Command Socket
Chrome OS 10820.0.0 dev-channel - app-VM via garcon TCP Command Socket ======================= BUG DESCRIPTION ======================= There is a variety of RPC communication channels between the Chrome OS host system and the crosvm guest. This bug report focuses on communication on TCP port 8889...
osTicket 1.10.1 - Arbitrary File Upload
osTicket 1.10.1 - Arbitrary File Upload Exploit Title: osTicket 1.10.1 - Arbitrary File Upload Exploit Author: r3j10r Rajwinder Singh Date: 2018-08-08 Vendor Homepage: http://osticket.com/ Software Link: http://osticket.com/download Version: osTicket v1.10.1 CVE-2017-15580 Vulnerability Details:...
OpenSLP 2.0.0 - Double-Free
OpenSLP 2.0.0 - Double-Free ''' 2018-06-28 SLPD DOUBLE FREE ================ CVE-2018-12938 An issue was found in openslp-2.0.0 that can be used to induce a double free bug or memory corruption by...
Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)
Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow PoC Exploit Title: Delta Electronics Delta Industrial Automation COMMGR - Remote STACK-BASED BUFFER OVERFLOW Date: 02.07.2018 Exploit Author: t4rkd3vilz Vendor Homepage: http://www.deltaww.com/ Software Link:...
RSA Authentication Manager 8.2.1.4.0-build1394922 8.3 P1 - XML External Entity Injection Cross-Site Flashing DOM Cross-Site Scripting
RSA Authentication Manager 8.2.1.4.0-build1394922 8.3 P1 - XML External Entity Injection Cross-Site Flashing DOM Cross-Site Scripting SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: XXE & XSS vulnerabilities product: R...
Spring Data REST 2.6.9 (Ingalls SR9) 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
Spring Data REST 2.6.9 Ingalls SR9 3.0.1 Kay SR1 - PATCH Request Remote Code Execution // Exploit Title: RCE in PATCH requests in Spring Data REST // Date: 2018-03-10 // Exploit Author: Antonio Francesco Sardella // Vendor Homepage: https://pivotal.io/ // Software Link:...
SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities
SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities SEC Consult Vulnerability Lab Security Advisory ======================================================================= title: Multiple Critical Vulnerabilities product: SecurEnvoy SecurMail vulnerable version: 9.1.501 fixed version: 9.2.501...
Sony Playstation 4 (PS4) 4.55 5.50 - WebKit Code Execution (PoC)
Sony Playstation 4 PS4 4.55 5.50 - WebKit Code Execution PoC window.didload = 0; window.didpost = 0; window.onload = function window.didload = 1; if window.didpost == 1 window.stage2; window.postExpl = function window.didpost = 1; if window.didload == 1 window.stage2; function makeid var text = "...
Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass
Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass + Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt + ISR: ApparitionSec Vendor: =======...
FiberHome - Directory Traversal
FiberHome - Directory Traversal Vulnerability Summary The following advisory describes a directory traversal vulnerability found in FiberHome routers. FiberHome Technologies Group “was established in 1974. After continuous and intensive development for over 40 years, its business has been extende...
Linux Kernel 4.14.rc3 - Local Denial of Service
Linux Kernel 4.14.rc3 - Local Denial of Service / Exploit Title: Linux Kernelnrfrags was overwritten by ev-iferror = err 0xff in the condition where nlh-nlmsglen==0x10 and skb-len nlh-nlmsglen. POC: / include include include include include define NETLINKUSER 31 define MAXPAYLOAD 1024 / maximum...
Trend Micro OfficeScan 11.0XG (12.0) - Information Disclosure
Trend Micro OfficeScan 11.0XG 12.0 - Information Disclosure + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14085-TRENDMICRO-OFFICESCAN-XG-REMOTE-NT-DOMAIN-PHP-INFO-DISCLOSURE.txt + ISR: ApparitionSec Vendor:...
Jungo DriverWizard WinDriver 12.4.0 - Kernel Pool Overflow Local Privilege Escalation (2)
Jungo DriverWizard WinDriver 12.4.0 - Kernel Pool Overflow Local Privilege Escalation 2 -- coding: utf-8 -- """ Jungo DriverWizard WinDriver Kernel Pool Overflow Vulnerability Download: http://www.jungo.com/st/products/windriver/ File: WD1240.EXE Sha1: 3527cc974ec885166f0d96f6aedc8e542bb66cba...
Apple macOS/iOS - xpc_data Objects Sandbox Escape Privilege Escalation
Apple macOS/iOS - xpc_data Objects Sandbox Escape Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1247 When XPC serializes large xpc_data objects it creates mach memory entry ports to represent the memory region then transfers that region to the receiving proce...
PEGA Platform 7.2 ML0 - Missing Access Control Cross-Site Scripting
PEGA Platform 7.2 ML0 - Missing Access Control Cross-Site Scripting Summary ======= 1. Missing access control CVE-2017-11356 2. Multiple cross-site scripting CVE-2017-11355 Vendor ====== "Pegasystems Inc. is the leader in software for customer engagement and operational excellence. Pega’s adaptiv...
Apple Safari 10.0.3 - JSC::CachedCall Use-After-Free
Apple Safari 10.0.3 - JSC::CachedCall Use-After-Free function makecompiledfunction function targetx return x5 + x - xx; // Call only once so that function gets compiled with low level interpreter // but none of the optimizing JITs target0; return target; function pwn var haxs = new Array0x100; fo...
PHP PEAR 1.10.1 - Arbitrary File Download
PHP PEAR 1.10.1 - Arbitrary File Download + + Credits / Discovery: John Page AKA hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/PEAR-ARBITRARY-FILE-DOWNLOAD.txt + ISR: ApparitionSEC + Vendor: ============ pear.php.net Product:...
NTP 4.2.8p8 - Denial of Service
NTP 4.2.8p8 - Denial of Service !/usr/bin/env python Exploit Title: ntpd remote pre-auth Denial of Service Date: 2016-11-21 Exploit Author: Magnus Klaaborg Stubman @magnusstubman Website: http://dumpco.re/cve-2016-7434/ Vendor Homepage: http://www.ntp.org/ Software Link:...
Apple macOS 10.12 - task_t Local Privilege Escalation
Apple macOS 10.12 - task_t Local Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837 TL;DR you cannot hold or use a task struct pointer and expect the euid of that task to stay the same. Many many places in the kernel do this and there are a great many very...
Microsoft Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)
Microsoft Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation MS16-124 / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=871 Windows: NtLoadKeyEx Read Only Hive Arbitrary File Write EoP Platform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7...
XhP CMS 0.5.1 - Cross-Site Request Forgery Persistent Cross-Site Scripting
XhP CMS 0.5.1 - Cross-Site Request Forgery Persistent Cross-Site Scripting Exploit Title: XhP CMS 0.5.1 - Cross-Site Request Forgery to Persistent Cross-Site Scripting Exploit Author: Ahsan Tahir Date: 19-10-2016 Software Link: https://sourceforge.net/projects/xhp/ Vendor:...
Microsoft Windows - DFS Client Driver Arbitrary Drive Mapping Privilege Escalation (MS16-123)
Microsoft Windows - DFS Client Driver Arbitrary Drive Mapping Privilege Escalation MS16-123 / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=885 Windows: DFS Client Driver Arbitrary Drive Mapping EoP Platform: Windows 10 10586, Edge 25.10586.0.0 not tested 8.1 Update 2 or Windo...
vBulletin 5.2.2 - Server-Side Request Forgery
vBulletin 5.2.2 - Server-Side Request Forgery ''' ============================================= - Discovered by: Dawid Golunski - http://legalhackers.com - dawid at legalhackers.com - CVE-2016-6483 - Release date: 05.08.2016 - Severity: High ============================================= I...
Microsoft Windows 7 (x64) - afd.sys Dangling Pointer Privilege Escalation (MS14-040)
Microsoft Windows 7 x64 - afd.sys Dangling Pointer Privilege Escalation MS14-040 Exploit Title: MS14-040 - AFD.SYS Dangling Pointer Date: 2016-03-03 Exploit Author: Rick Larabee Vendor Homepage: www.microsoft.com Version: Windows 7, 64 bit Tested on: Win7 x64 afd.sys - 6.1.7601.17514 ntdll.dll -...
NETGEAR NMS300 ProSafe Network Management System - Multiple Vulnerabilities
NETGEAR NMS300 ProSafe Network Management System - Multiple Vulnerabilities Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300 Discovered by Pedro Ribeiro [email protected], Agile Information Security http://www.agileinfosec.co.uk/...
Baumer VeriSens Application Suite 2.6.2 - Buffer Overflow (PoC)
Baumer VeriSens Application Suite 2.6.2 - Buffer Overflow PoC !/usr/bin/env python Baumer VeriSens Application Suite 2.6.2 Buffer Overflow Vulnerability Vendor: Baumer Holding AG | Baumer Optronic GmbH Product web page: http://www.baumer.com Software link:...
Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (1)
Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation 1 / Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings Date: 19/1/2016 Exploit Author: Perception Point Team CVE : CVE-2016-0728 / / $ gcc cve20160728.c -o cve20160728 -lkeyutils -Wa...
Zen Cart 1.5.4 - Local File Inclusion
Zen Cart 1.5.4 - Local File Inclusion Advisory ID: HTB23282 Product: Zen Cart Vendor: Zen Ventures, LLC Vulnerable Versions: 1.5.4 Tested Version: 1.5.4 Advisory Publication: November 25, 2015 without technical details Vendor Notification: November 25, 2015 Vendor Patch: November 26, 2015 Public...
TECO AP-PCLINK 1.094 - .tpc File Handling Buffer Overflow (PoC)
TECO AP-PCLINK 1.094 - .tpc File Handling Buffer Overflow PoC TECO AP-PCLINK 1.094 TPC File Handling Buffer Overflow Vulnerability Vendor: TECO Electric and Machinery Co., Ltd. Product web page: http://www.teco-group.eu Download: http://globalsa.teco.com.tw/supportdownload.aspx?KindID=9 Affected...
Hawkeye-G 3.0.1.4912 - Cross-Site Request Forgery
Hawkeye-G 3.0.1.4912 - Cross-Site Request Forgery Exploit Title: CSRF, Network Threat Appliance IDS / IPS Google Dork: intitle: CSRF Network Threat Appliance IDS / IPS Date: 2015-07-24 Exploit Author: John Page hyp3rlinx Website: hyp3rlinx.altervista.org Vendor Homepage: www.hexiscyber.com Softwa...
Sefrengo CMS 1.6.1 - Multiple SQL Injections
Sefrengo CMS 1.6.1 - Multiple SQL Injections Exploit Title: Sefrengo CMS v1.6.1 - Multiple SQL Injection Vulnerabilities Google Dork: N/A Date: 01/26/2015 Exploit Author: Nguyen Hung Tuan [email protected] & ITAS Team www.itas.vn Vendor Homepage: http://www.sefrengo.org/ Software Link:...
WordPress Plugin All In One WP Security 3.8.2 - SQL Injection
WordPress Plugin All In One WP Security 3.8.2 - SQL Injection Advisory ID: HTB23231 Product: All In One WP Security WordPress plugin Vendor: Tips and Tricks HQ, Peter, Ruhul, Ivy Vulnerable Versions: 3.8.2 and probably prior Tested Version: 3.8.2 Advisory Publication: September 3, 2014 without...
Infoblox 6.8.2.11 - OS Command Injection
Infoblox 6.8.2.11 - OS Command Injection Product: Network Automation, licensed as: • NetMRI • Switch Port Manager • Automation Change Manager • Security Device Controller Vendor: Infoblox Vulnerable Versions: 6.4.X.X-6.8.4.X Tested Version: 6.8.2.11 Vendor Notification: May 12th, 2014 Vendor Patc...
eGroupWare 1.8.006 - Multiple Vulnerabilities
eGroupWare 1.8.006 - Multiple Vulnerabilities Advisory ID: HTB23212 Product: EGroupware Vendor: http://www.egroupware.org/ Vulnerable Versions: 1.8.006 community edition and probably prior Tested Version: 1.8.006 community edition Advisory Publication: April 23, 2014 without technical details...
SAP Router - Timing Attack Password Disclosure
SAP Router - Timing Attack Password Disclosure Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ SAP Router Password Timing Attack 1. Advisory Information Title: SAP Router Password Timing Attack Advisory ID: CORE-2014-0003 Advisory URL:...