SAP NetWeaver AS JAVA - BC-BMT-BPM-DSK XML External Entity Injection
SAP NetWeaver AS JAVA - BC-BMT-BPM-DSK XML External Entity Injection Application: SAP NetWeaver AS JAVA Versions Affected: SAP NetWeaver AS JAVA 7.5 Vendor URL: SAP Bugs: XXE Reported: 09.03.2016 Vendor response: 10.03.2016 Date of Public Advisory: 09.08.2016 Reference: SAP Security Note 2296909...
Microsoft Internet Explorer 8 - MSHTML Ptls5::LsFindSpanVisualBoundaries Memory Corruption
Microsoft Internet Explorer 8 - MSHTML Ptls5::LsFindSpanVisualBoundaries Memory Corruption...
AppFusions Doxygen for Atlassian Confluence 1.3.2 - Cross-Site Scripting
AppFusions Doxygen for Atlassian Confluence 1.3.2 - Cross-Site Scripting RCESEC-2016-009 AppFusions Doxygen for Atlassian Confluence v1.3.2 renderContent Persistent Cross-Site Scripting RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product:...
Huawei UTPS - Unquoted Service Path Privilege Escalation
Huawei UTPS - Unquoted Service Path Privilege Escalation Exploit Title: Unquoted Service Path Vulnerability in Huawei UTPS Software Date: Nov 16 2016 Author: Dhruv Shah @Snypter Website: http://security-geek.in Contact: [email protected] Category: local Vendor Homepage: http://www.huawei.com/...
TP-LINK TDDP - Multiple Vulnerabilities
TP-LINK TDDP - Multiple Vulnerabilities 1. Advisory Information Title: TP-LINK TDDP Multiple Vulnerabilities Advisory ID: CORE-2016-0007 Advisory URL: http://www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities Date published: 2016-11-21 Date of last update: 2016-11-18 Vendors...
EasyPHP Devserver 16.1.1 - Cross-Site Request Forgery Remote Command Execution
EasyPHP Devserver 16.1.1 - Cross-Site Request Forgery Remote Command Execution + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/EASYPHP-DEV-SERVER-REMOTE-CMD-EXECUTION.txt + ISR: ApparitionSec Vendor: ===============...
Atlassian Confluence AppFusions Doxygen 1.3.0 - Directory Traversal
Atlassian Confluence AppFusions Doxygen 1.3.0 - Directory Traversal RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: AppFusions Doxygen for Atlassian Confluence Vendor URL: www.appfusions.com Type: Path Traversal CWE-22 Date found:...
LEPTON 2.2.2 - SQL Injection
LEPTON 2.2.2 - SQL Injection Security Advisory - Curesec Research Team 1. Introduction Affected Product: LEPTON 2.2.2 stable Fixed in: 2.3.0 Fixed Version Link: http://www.lepton-cms.org/posts/ important-lepton-2.3.0-101.php Vendor Website: http://www.lepton-cms.org/ Vulnerability Type: SQL...
FUDforum 3.0.6 - Cross-Site Scripting Cross-Site Request Forgery
FUDforum 3.0.6 - Cross-Site Scripting Cross-Site Request Forgery Security Advisory - Curesec Research Team 1. Introduction Affected Product: FUDforum 3.0.6 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://fudforum.org/forum/ Vulnerability Type: XSS, Login CSRF Remote Exploitable...
LEPTON 2.2.2 - Remote Code Execution
LEPTON 2.2.2 - Remote Code Execution Security Advisory - Curesec Research Team 1. Introduction Affected Product: LEPTON 2.2.2 stable Fixed in: 2.3.0 Fixed Version Link: http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php Vendor Website: http://www.lepton-cms.org/ Vulnerability Type: Co...
Microsoft Edge Scripting Engine - Memory Corruption (MS16-129)
Microsoft Edge Scripting Engine - Memory Corruption MS16-129 !-- Source: http://www.security-assessment.com/files/documents/advisory/edgechakramemcorruption.pdf Name: Microsoft Edge Scripting Engine Memory Corruption Vulnerability MS16-129 CVE: CVE-2016-7202 Vendor Website:...
Microsoft Internet Explorer 8 - jscript RegExpBase::FBadHeader Use-After-Free (MS15-018)
Microsoft Internet Explorer 8 - jscript RegExpBase::FBadHeader Use-After-Free MS15-018 // This PoC attempts to exploit a use-after-free bug in Microsoft Internet // Explorer 8. // See http://blog.skylined.nl/20161116001.html for details. var r=new RegExp("A|x|x|xx|xxxxxxxxxxxxxxxxxxxx+", "g");...
WordPress Plugin Instagram Feed 1.4.6.2 - Cross-Site Request Forgery
WordPress Plugin Instagram Feed 1.4.6.2 - Cross-Site Request Forgery !-- Source: https://sumofpwn.nl/advisory/2016/persistentcrosssitescriptingininstagramfeedpluginviacsrf.html Persistent Cross-Site Scripting in Instagram Feed plugin via CSRF Abstract A persistent Cross-Site Scripting vulnerabili...
Mezzanine 4.2.0 - Cross-Site Scripting
Mezzanine 4.2.0 - Cross-Site Scripting Security Advisory - Curesec Research Team 1. Introduction Affected Product: Mezzanine 4.2.0 Fixed in: 4.2.1 Fixed Version Link: https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1 Vendor Website: http://mezzanine.jupo.org/ Vulnerability Type: XSS Remo...
FUDforum 3.0.6 - Local File Inclusion
FUDforum 3.0.6 - Local File Inclusion Security Advisory - Curesec Research Team 1. Introduction Affected Product: FUDforum 3.0.6 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://fudforum.org/forum/ Vulnerability Type: LFI Remote Exploitable: Yes Reported to vendor: 04/11/2016...
WordPress Plugin Olimometer 2.56 - SQL Injection
WordPress Plugin Olimometer 2.56 - SQL Injection Exploit Title: Olimometer Plugin for WordPress – Sql Injection Date: 14/11/2016 Exploit Author: TAD GROUP Vendor Homepage: https://wordpress.org/plugins/olimometer/ Software Link: https://wordpress.org/plugins/olimometer/ Contact: infoattad.group...
Microsoft Edge - CTextExtractor::GetBlockText Out-of-Bounds Read (MS16-104)
Microsoft Edge - CTextExtractor::GetBlockText Out-of-Bounds Read MS16-104 ::first-letter border: 0; white-space: pre-line; Aalert;&xD;&xD;B Description Though I did not investigate thoroughly, I did find out the following: The root cause appears to be an integer underflow in a 32-bit variabl...
NTP 4.2.8p8 - Denial of Service
NTP 4.2.8p8 - Denial of Service #!/usr/bin/env python Exploit Title: ntpd remote pre-auth Denial of Service Date: 2016-11-21 Exploit Author: Magnus Klaaborg Stubman @magnusstubman Website: http://dumpco.re/cve-2016-7434/ Vendor Homepage: http://www.ntp.org/ Software Link:...
ScriptCase 8.1.053 - Multiple Vulnerabilities
ScriptCase 8.1.053 - Multiple Vulnerabilities + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SCRIPTCASE-PHP-WEB-TOOL-MULTIPLE-VULNERABILITIES.txt + ISR: ApparitionSec Vendor: ================== www.scriptcase.net Product:...
Microsoft Edge - Array.splice Heap Overflow
Microsoft Edge - Array.splice Heap Overflow var a = ; class dummy a.length = 200000; a.fill7, 10000, 10200; var o = ; Object.definePropertyo, 'constructor', get: function a.length = 0xfffffffe; var k = ; k.fill.calla, 7.7, 0xfffff000, 0xfffffffe; return dummy; ; a.proto = o; var q = ; q.length =...
Palo Alto Networks PanOS - root_trace Local Privilege Escalation
Palo Alto Networks PanOS - root_trace Local Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=912 The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a python script: $ ls -l...
FTPShell Client 5.24 - PWD Remote Buffer Overflow
FTPShell Client 5.24 - PWD Remote Buffer Overflow # -*- coding: utf-8 -*- Exploit Title: FTPShell Client v5.24 PWD Remote Buffer Overflow Date: 16/11/2016 Author: Yunus YILDIRIM Th3GundY Team: CT-Zer0 @CRYPTTECH - http://www.ct-zer0.com Author Website: http://yildirimyunus.com Contact:...
Microsoft Edge - Array.filter Information Leak
Microsoft Edge - Array.filter Information Leak var b = new Array1,2,3; var d = new Array1,2,3; class dummy constructor alert"in constructor"; return d; class MyArray extends Array // Overwrite species to the parent Array constructor static get Symbol.species alert"get"; b0 = ; return dummy; var a...
Microsoft Edge - Array.reverse Overflow
Microsoft Edge - Array.reverse Overflow left = uint32length - seg-left + seg-length; Can become a very large value as length is larger than seg-length and seg-left is generally 0. This can cause the segment length to become larger than the segment size the next time...
Palo Alto Networks PanOS - root_reboot Local Privilege Escalation
Palo Alto Networks PanOS - root_reboot Local Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=913 This was fixed by PAN: http://securityadvisories.paloaltonetworks.com/Home/Detail/67 The root_reboot utility is setuid root, but performs multiple calls to system...
Palo Alto Networks PanOS - appweb3 Stack Buffer Overflow
Palo Alto Networks PanOS - appweb3 Stack Buffer Overflow Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=908 Palo Alto Networks have published a fix for this issue: http://securityadvisories.paloaltonetworks.com/Home/Detail/68 PanOS uses a modified version of the appweb3 embedde...
EditMe CMS - Cross-Site Request Forgery (Add Admin)
EditMe CMS - Cross-Site Request Forgery Add Admin Document Title: =============== EditMe CMS - CSRF Privilege Escalate Web Vulnerability References Source: ==================== https://www.vulnerability-lab.com/getcontent.php?id=1996 Release Date: ============= 2016-11-14 Vulnerability Laboratory...
Nagios 4.2.2 - Local Privilege Escalation
Nagios 4.2.2 - Local Privilege Escalation Affected Product: Nagios 4 Vulnerability Type: root privilege escalation Fixed in Version: N/A Vendor Website: https://www.nagios.com/ Software Link: : https://sourceforge.net/projects/nagios/files/latest/download?source=directory-featured Affected Versio...
Microsoft Edge - FillFromPrototypes Type Confusion
Microsoft Edge - FillFromPrototypes Type Confusion var a = new Array0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x12121212, 0x23232323, 0x12345670, 0x7777; var handler = getPrototypeOf: functiontarget, name // print"get proto"; return a;...
Moxa SoftCMS 1.5 - Denial of Service (PoC)
Moxa SoftCMS 1.5 - Denial of Service PoC ''' Title: Moxa SoftCMS 1.5 AspWebServer Denial of Service Vulnerability Author: Zhou Yu Email: [email protected] Vendor: http://www.moxa.com/ Versions affected: 1.5 or prior versions Test on: Moxa SoftCMS 1.5 on Windows 7 SP1 x32 CVE: CVE-2016-9332 Advisor...
WordPress Plugin Answer My Question 1.3 - SQL Injection
WordPress Plugin Answer My Question 1.3 - SQL Injection Exploit Title: Answer My Question 1.3 Plugin for WordPress – Sql Injection Date: 10/11/2016 Exploit Author: Lenon Leite Vendor Homepage: https://wordpress.org/plugins/answer-my-question/ Software Link:...
WordPress Plugin Sirv 1.3.1 - SQL Injection
WordPress Plugin Sirv 1.3.1 - SQL Injection Exploit Title: Sirv 1.3.1 Plugin For WordPress Sql Injection Date: 10/11/2016 Exploit Author: Lenon Leite Vendor Homepage: https://wordpress.org/plugins/sirv/ Software Link: https://wordpress.org/plugins/sirv/ Contact: http://twitter.com/lenonleite...
Microsoft Edge - eval Type Confusion
Microsoft Edge - eval Type Confusion var p = new Proxyeval, ; p"alert"e"";...
Nginx (Debian Based Distros + Gentoo) - logrotate Local Privilege Escalation
Nginx Debian Based Distros + Gentoo - logrotate Local Privilege Escalation #!/bin/bash Nginx Debian-based distros + Gentoo - Root Privilege Escalation PoC Exploit nginxed-root.sh ver. 1.0 CVE-2016-1247 Discovered and coded by: Dawid Golunski dawidatlegalhackers.com https://legalhackers.com Follow...
CS-Cart 4.3.10 - XML External Entity Injection
CS-Cart 4.3.10 - XML External Entity Injection Software : CS-Cart Ahmed sultan 0x4148 "; echo rawurlencodebase64encode$xml; ? change YOURHOST to your server address , use the output in the following POST request Action - HOST/cs-cart/index.php?dispatch=twigmo.post Data -...
Microsoft Windows - VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138)
Microsoft Windows - VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation MS16-138 / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=915 Windows: VHDMP ZwDeleteFile Arbitrary File Deletion EoP Platform: Windows 10 10586 and 14393. No idea about 7 or 8.1 versions. Class...
Easy Internet Sharing Proxy Server 2.2 - Remote Overflow (SEH) (Metasploit)
Easy Internet Sharing Proxy Server 2.2 - Remote Overflow SEH Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Easy Internet Sharing Proxy Server 2.2 SEH buffer...
Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)
Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation MS16-138 / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=916 Windows: VHDMP Arbitrary Physical Disk Cloning EoP Platform: Windows 10 10586. No idea about 14393, 7 or 8.1 versions. Class: Elevation o...
Microsoft Edge 11.0.10240.16384 - edgehtml CAttrArray::Destroy Use-After-Free
Microsoft Edge 11.0.10240.16384 - edgehtml CAttrArray::Destroy Use-After-Free Alternatively: Description When an element is created and style properties are added, these are stored in a CAttrArray object. A new CAttrArray is able to store up to 8 properties. If more properties need to be store...
Microsoft Windows Kernel - Registry Hive Loading nt!RtlEqualSid Out-of-Bounds Read (MS16-138)
Microsoft Windows Kernel - Registry Hive Loading nt!RtlEqualSid Out-of-Bounds Read MS16-138 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=874 We have encountered a Windows kernel crash in the nt!RtlEqualSid function invoked through nt!SeAccessCheck by...
Microsoft Windows - VHDMP Arbitrary File Creation Privilege Escalation (MS16-138)
Microsoft Windows - VHDMP Arbitrary File Creation Privilege Escalation MS16-138 / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=914 Windows: VHDMP Arbitrary File Creation EoP Platform: Windows 10 10586 and 14393. Unlikely to work on 7 or 8.1 as I think it’s new functionality...
Linux Kernel 4.8.0-223.10.0-327 (Ubuntu 16.10 RedHat) - keyctl Null Pointer Dereference
Linux Kernel 4.8.0-223.10.0-327 Ubuntu 16.10 RedHat - keyctl Null Pointer Dereference / OS-S Security Advisory 2016-21 Local DoS: Linux Kernel Nullpointer Dereference via keyctl Date: October 31st, 2016 Authors: Sergej Schumilo, Ralf Spenneberg, Hendrik Schwartke CVE: Not yet assigned CVSS: 4.9...
Microsoft Internet Explorer 11 - MSHTML CMapElement::Notify Use-After-Free (MS15-009)
Microsoft Internet Explorer 11 - MSHTML CMapElement::Notify Use-After-Free MS15-009 Element::Notify functions to make another such call and at least one of these functions is non-reentrant. This can have various repercussions, e.g. when an attacker triggers this vulnerability using a CMapElemen...
Boonex Dolphin 7.3.2 - Authentication Bypass Remote Code Execution
Boonex Dolphin 7.3.2 - Authentication Bypass Remote Code Execution #!/usr/bin/env python # -*- coding: utf-8 -*- ''' Software : Dolphin = 7.3.2 Auth bypass / RCE exploit Vendor : www.boonex.com Author : Ahmed sultan 0x4148 Home : 0x4148.com | https://www.linkedin.com/in/0x4148 Email : [email protected]...
Schoolhos CMS 2.29 - Remote Code Execution SQL Injection
Schoolhos CMS 2.29 - Remote Code Execution SQL Injection \x0d\x0a-----------------------------26518470919255\x0d\x0a\x0d\x0a' \ 'http://HOST/PATH/elearningku/proses.php?pilih=guru&untukdi=upload'...
ATutor 2.2.2 - Cross-Site Request Forgery (Add New Course)
ATutor 2.2.2 - Cross-Site Request Forgery Add New Course Exploit Title: ATutor2.2.2 Learning Management System Cross-Site Request Forgery Add New Course Date: 13-11-2016 Software Link: https://github.com/atutor/ATutor/releases/tag/atutor222 Vendor: http://www.atutor.ca/ Exploit Author: Saravana...
WordPress Plugin Product Catalog 8 1.2.0 - SQL Injection
WordPress Plugin Product Catalog 8 1.2.0 - SQL Injection Exploit Title: Product Catalog 8 1.2 Plugin WordPress – Sql Injection Date: 12/11/2016 Exploit Author: Lenon Leite Vendor Homepage: https://wordpress.org/plugins/product-catalog-8/ Software Link:...
WordPress Plugin BBS e-Franchise 1.1.1 - SQL Injection
WordPress Plugin BBS e-Franchise 1.1.1 - SQL Injection Exploit Title: BBS e-Franchise 1.1.1 Plugin of WordPress – Sql Injection Date: 12/11/2016 Exploit Author: Lenon Leite Vendor Homepage: https://wordpress.org/plugins/bbs-e-franchise/ Software Link: https://wordpress.org/plugins/bbs-e-franchise...
InvoicePlane 1.4.8 - Password Reset
InvoicePlane 1.4.8 - Password Reset Exploit Title: InvoicePlane v1.4.8 Incorrect Access Control for password = reset Date: 12-11-2016 Exploit Author: feedersec Contact: [email protected] Vendor Homepage: https://invoiceplane.com Software Link: https://invoiceplane.com/download/v1.4.8 Version:...
Microsoft WININET.dll - CHttpHeaderParser::ParseStatusLine Out-of-Bounds Read (MS16-104MS16-105)
Microsoft WININET.dll - CHttpHeaderParser::ParseStatusLine Out-of-Bounds Read MS16-104MS16-105 !-- Source: http://blog.skylined.nl/20161110001.html Synopsis A specially crafted HTTP response can cause the CHttpHeaderParser::ParseStatusLine method in WININET to read data beyond the end of ...