libxml2 - htmlCurrentChar Heap Buffer Overread
libxml2 - htmlCurrentChar Heap Buffer Overread Source: https://code.google.com/p/google-security-research/issues/detail?id=636 The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 2.9.3, released 4 days ago, by feeding a...
Mambo 4.5.3h - Multiple Vulnerabilities
Mambo 4.5.3h - Multiple Vulnerabilities Mambo Multiple Vulnerabilities Vendor: Miro International Pty Ltd Product: Mambo Version: <= 4.5.3h Website: http://www.mamboserver.com BID: 16775 CVE: CVE-2006-0871 CVE-2006-1794 OSVDB: 23402 23503 23505 SECUNIA: 18935 PACKETSTORM: 44191 Description: Mambo ...
Wireshark - vwr_read_s2_s3_W_rec Heap Buffer Overflow
Wireshark - vwr_read_s2_s3_W_rec Heap Buffer Overflow Source: https://code.google.com/p/google-security-research/issues/detail?id=647 The following crash due to a heap-based buffer overflow can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to tshark "$...
WordPress Plugin Extra User Details 0.4.2 - Privilege Escalation
WordPress Plugin Extra User Details 0.4.2 - Privilege Escalation """ Exploit Title: Extra User Details Privilege Escalation Discovery Date: 2016-02-13 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: http://vadimk.com/ Software Link:...
Ubiquiti Networks UniFi 3.2.10 - Cross-Site Request Forgery
Ubiquiti Networks UniFi 3.2.10 - Cross-Site Request Forgery RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ----------------------- Product: Ubiquiti Networks UniFi Vendor URL: www.ubnt.com Type: Cross-Site Request Forgery CWE-353 Date found: 2015-03-19 Date published:...
libquicktime 1.2.4 - Integer Overflow
libquicktime 1.2.4 - Integer Overflow #!/usr/bin/env python - 7 February 2016 - My last bug hunting session for fun and no-profit has been dedicated to libquicktime Author: Marco Romano - @nemux http://www.nemux.org libquicktime 1.2.4 Integer Overflow Product Page:...
Dell OpenManage Server Administrator 8.2 - (Authenticated) Directory Traversal
Dell OpenManage Server Administrator 8.2 - Authenticated Directory Traversal Exploit Title: Dell OpenManage Server Administrator 8.2 Authenticated Directory Traversal Date: February 22, 2016 Exploit Author: hantwister Vendor Homepage: http://www.dell.com/ Software Link:...
Wireshark - dissect_oml_attrs Static Out-of-Bounds Read
Wireshark - dissect_oml_attrs Static Out-of-Bounds Read Source: https://code.google.com/p/google-security-research/issues/detail?id=656 The following crash due to an out-of-bounds read from static memory can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file t...
Linux Kernel 3.x (Ubuntu 14.04 Mint 17.3 Fedora 22) - Double-free usb-midi SMEP Privilege Escalation
Linux Kernel 3.x Ubuntu 14.04 Mint 17.3 Fedora 22 - Double-free usb-midi SMEP Privilege Escalation Source: https://xairy.github.io/blog/2016/cve-2016-2384 Source: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-2384 Source: https://www.youtube.com/watch?v=lfl1NJn1nvo Exploit-DB Note...
Wireshark - dissect_ber_set Static Out-of-Bounds Read
Wireshark - dissect_ber_set Static Out-of-Bounds Read Source: https://code.google.com/p/google-security-research/issues/detail?id=648 The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to tshark "$...
Ubuntu 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation
Ubuntu 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation Source: http://www.halfdog.net/Security/2015/PtChownArbitraryPtsAccessViaUserNamespace/ Introduction Problem description: With Ubuntu Wily and earlier, /usr/lib/ptchown was used to change ownership of slave pts...
BlackBerry Enterprise Service 12.4 (BES12) Self-Service - Multiple Vulnerabilities
BlackBerry Enterprise Service 12.4 (BES12) Self-Service - Multiple Vulnerabilities :wq x.0 presents.. BlackBerry Enterprise Service 12 (BES12) Self-Service Affected...
Thru Managed File Transfer Portal 9.0.2 - SQL Injection
Thru Managed File Transfer Portal 9.0.2 - SQL Injection -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2015-056 Product: Thru Managed File Transfer Portal Manufacturer: Thru Affected Versions: 9.0.2 Tested Versions: 9.0.2 Vulnerability Type: SQL Injection CWE-89 Risk Level: Hig...
InstantCoder 1.0 iOS - Multiple Vulnerabilities
InstantCoder 1.0 iOS - Multiple Vulnerabilities Document Title: =============== InstantCoder v1.0 iOS - Multiple Web Vulnerabilities References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1738 Release Date: ============= 2016-02-22 Vulnerability Laboratory ID...
Wireshark - add_ff_vht_compressed_beamforming_report Static Out-of-Bounds Read
Wireshark - add_ff_vht_compressed_beamforming_report Static Out-of-Bounds Read Source: https://code.google.com/p/google-security-research/issues/detail?id=654 The following crash due to an out-of-bounds read from static memory can be observed in an ASAN build of Wireshark current git master, by feedin...
Core FTP Server 1.2 - Local Buffer Overflow
Core FTP Server 1.2 - Local Buffer Overflow # -*- coding: utf-8 -*- Exploit Title : Core FTP Server v1.2 - BufferOverflow POC Date: 2016-02-22 Author: INSECT.B Facebook : https://www.facebook.com/B.INSECT00 GitHub : binsect00 Blog : http://binsect00.tistory.com Vendor Homepage : http://www.coreftp.co...
PEAR LiveUser 0.16.8 - Arbitrary File Access
PEAR LiveUser 0.16.8 - Arbitrary File Access PEAR LiveUser Arbitrary File Access Vendor: Markus Wolff Product: PEAR LiveUser Version: options['cookie']['name']; if strlen($cookieData) deleteRememberCookie; $this->stack->push(LIVEUSER_ERROR_COOKIE, 'error', array, 'Wrong data in cookie store in...
SOLIDserver 5.0.4 - Local File Inclusion
SOLIDserver 5.0.4 - Local File Inclusion Title: SOLIDserver <=5.0.4 - Local File Inclusion Vulnerability Author: Saeed reza Zamanian penetrationtest @ Linkedin Product: SOLIDserver Tested Version: 5.0.4 and 4.0.2 Vendor: efficient IP http://www.efficientip.com Google Dork: SOLIDserver login Date:...
QuickHeal 16.00 - webssx.sys Driver Denial of Service
QuickHeal 16.00 - webssx.sys Driver Denial of Service Exploit Title: QuickHeal webssx.sys driver DOS vulnerability Date: 19/02/2016 Exploit Author: Csaba Fitzl Vendor Homepage: http://www.quickheal.co.in/ Version: 16.00 Tested on: Win7x86, Win7x64 CVE : CVE-2015-8285 from ctypes import * from...
STIMS Cutter 1.1.3.20 - Buffer Overflow (Denial of Service) (PoC)
STIMS Cutter 1.1.3.20 - Buffer Overflow Denial of Service PoC Exploit Title: STIMS CUTTER OVERFLOW SEH OVERWRITE Date: 19 Feb 2016 Exploit Author: Shantanu Khandelwal Vendor Homepage: http://www.stimslabs.com/ Software Link: http://www.stimslabs.com/en/cutter/STIMSCutterEnSetup.exe Version:...
Adobe Flash - SimpleButton Creation Type Confusion
Adobe Flash - SimpleButton Creation Type Confusion Source: https://code.google.com/p/google-security-research/issues/detail?id=640 There is a type confusion vulnerability in the SimpleButton constructor. Flash stores an empty button to use to create buttons for optimization reasons. If this objec...
AUFS (Ubuntu 15.10) - allow_userns FuseXattr User Namespaces Privilege Escalation
AUFS (Ubuntu 15.10) - allow_userns FuseXattr User Namespaces Privilege Escalation Source: http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/ Introduction Problem description: Aufs is a union filesystem to mix content of different underlying filesystems, e.g. read-only medi...
STIMS Buffer 1.1.20 - Buffer Overflow (PoC) (SEH Overwrite)
STIMS Buffer 1.1.20 - Buffer Overflow PoC SEH Overwrite Exploit Title: STIMS BUFFER OVERFLOW SEH OVERWRITE Date: 19 Feb 2016 Exploit Author: Ishita Sailor Vendor Homepage: http://www.stimslabs.com/ Software Link: http://www.stimslabs.com/en/buffer/STIMSBufferEnSetup.exe Version: 1.1.20 Tested on:...
Chamilo LMS IDOR - messageId Delete POST Injection
Chamilo LMS IDOR - messageId Delete POST Injection Document Title: =============== Chamilo LMS IDOR - messageId Delete POST Inject Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1720 Video: https://www.youtube.com/watch?v=3ApPhUIk12Y Relea...
Chamilo LMS - Persistent Cross-Site Scripting
Chamilo LMS - Persistent Cross-Site Scripting Document Title: =============== Chamilo LMS - Persistent Cross Site Scripting Vulnerability References Source: ==================== https://www.vulnerability-lab.com/getcontent.php?id=1727 Video: https://www.youtube.com/watch?v=gNZsQjmtiGI Release Dat...
Geeklog 1.4.0 - Multiple Vulnerabilities
Geeklog 1.4.0 - Multiple Vulnerabilities Geeklog Multiple Vulnerabilities Vendor: Geeklog Product: Geeklog Version: <= 1.4.0 Website: http://www.geeklog.net/ BID: 16755 CVE: CVE-2006-0823 OSVDB: 23348 23349 SECUNIA: 18920 PACKETSTORM: 44070 Description: Geeklog is one of the most popular content...
ManageEngine Firewall Analyzer 8.5 - Multiple Vulnerabilities
ManageEngine Firewall Analyzer 8.5 - Multiple Vulnerabilities ================================================================ ManageEngine Firewall Analyzer 8.5 - Privilege Escalation Vulnerability ================================================================ Description : Vulnerability Type :...
XM Easy Personal FTP Server 5.8.0 - HELP Remote Denial of Service
XM Easy Personal FTP Server 5.8.0 - HELP Remote Denial of Service #!/usr/bin/python XM Easy Personal FTP Server 5.8.0 HELP Denial of Service Tested on : Windows XP SP 3 EN Author : Pawan Lal [email protected] Date : 18-02-2016 import socket import sys def Usage: print "Usage:...
ADOdb 4.71 - Cross Site Scripting
ADOdb 4.71 - Cross Site Scripting ADOdb Cross Site Scripting Vendor: John Lim Product: ADOdb Version: currpage = $_SESSION[$currpage]; The above code is taken from adodb-pager.inc.php @ lines 72-77 and ultimately sets the $this->currpage variable to unsanitized user-supplied input. Later on this...
DirectAdmin 1.491 - Cross-Site Request Forgery
DirectAdmin 1.491 - Cross-Site Request Forgery ============================================================================= Title : DirectAdmin 1.491 CSRF Vulnerability Date : 27-10-2014 updated 18-02-2016 Version : <=1.491 Author : Necmettin COSKUN =@babayarisi Blog :http://ha.cker.io Vendor...
Vesta Control Panel 0.9.8-15 - Persistent Cross-Site Scripting
Vesta Control Panel 0.9.8-15 - Persistent Cross-Site Scripting Exploit Title :Vesta Control Panel " http://victimserver 3. We wait Administrator to read access.log that injected our evil.js 4...
JMX2 Email Tester - save_email.php Arbitrary File Upload
JMX2 Email Tester - save_email.php Arbitrary File Upload Exploit Title: JMX2 Email Tester - Web Shell Upload (save_email.php) Date: 2016-02-15 Blog: http://www.hahwul.com Vendor Homepage: https://github.com/johnfmorton/jmx2-Email-Tester Software Link:...
Adobe Flash - LoadVars.decode Use-After-Free
Adobe Flash - LoadVars.decode Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=667 There is a use-after-free in LoadVars.decode. If a watch is set on the object that the parameters are being decoded into, and the watch deletes the object, then other metho...
Adobe Flash - Sound.loadPCMFromByteArray Dangling Pointer
Adobe Flash - Sound.loadPCMFromByteArray Dangling Pointer Source: https://code.google.com/p/google-security-research/issues/detail?id=698 There is a dangling pointer that can be read, but not written to in loadPCMFromByteArray. A minimal PoC is as follows: var s = new Sound; var b = new ByteArray...
Redaxo 5.0.0 - Multiple Vulnerabilities
Redaxo 5.0.0 - Multiple Vulnerabilities === LSE Leading Security Experts GmbH - Security Advisory 2016-01-18 === Redaxo CMS contains multiple vulnerabilities ------------------------------------------------------------- Problem Overview ================ Technical Risk: high Likelihood of...
OCS Inventory NG 2.2 - SQL Injection
OCS Inventory NG 2.2 - SQL Injection Exploit Title: OCS Inventory NG /ocsreports/index.php?function=visusearch - Time-based SQL Injection Choose a parameter, use EXACTLY operator: ' union select sleep5; - Code execution Bypass input escape and write to filesystem webshell PoC: ' union select...
Adobe Flash - H264 Parsing Out-of-Bounds Read
Adobe Flash - H264 Parsing Out-of-Bounds Read Source: https://code.google.com/p/google-security-research/issues/detail?id=632 There is an out-of-bounds read in H264 parsing, a fuzzed file is attached. To load, load LoadMP4.swf with the URL parameter file=computepoc.flv from a remote server. Proof...
Adobe Flash - ATF Processing Heap Overflow
Adobe Flash - ATF Processing Heap Overflow Source: https://code.google.com/p/google-security-research/issues/detail?id=635 The attached file causes a crash due to a heap overflow, probably due to an issue in ATF processing by the URLStream class. Proof of Concept:...
Adobe Flash - H264 File Stack Corruption
Adobe Flash - H264 File Stack Corruption Source: https://code.google.com/p/google-security-research/issues/detail?id=633 The attached flv file causes stack corruption when loaded into Flash. To use the PoC, load LoadMP42.swf?file=lownull.flv from a remote server. Proof of Concept:...
Adobe Flash - Out-of-Bounds Image Read
Adobe Flash - Out-of-Bounds Image Read Source: https://code.google.com/p/google-security-research/issues/detail?id=630 The attached file can cause an out-of-bounds read of an image. While the bits of the image are null, the width, height and other values can make it a valid pointer. Proof of...
Adobe Flash - textfield Constructor Type Confusion
Adobe Flash - textfield Constructor Type Confusion Source: https://code.google.com/p/google-security-research/issues/detail?id=701 There is a type confusion vulnerability in the TextField constructor in AS3. When a TextField is constructed, a generic backing object is created and reused when...
Adobe Flash - BitmapData.drawWithQuality Heap Overflow
Adobe Flash - BitmapData.drawWithQuality Heap Overflow Source: https://code.google.com/p/google-security-research/issues/detail?id=609 The attached fuzz test case causes a crash due to a heap overflow in BitmapData.drawWithQuality. Proof of Concept:...
Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers
Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers Vendor: Inductive Automation Product web page: http://www.inductiveautomation.com Affected version: 7.8.1 b2016012216 and 7.8.0 b2015101414 Platform: Java...
WordPress Plugin ALO EasyMail NewsLetter 2.6.01 - Cross-Site Request Forgery
WordPress Plugin ALO EasyMail NewsLetter 2.6.01 - Cross-Site Request Forgery Exploit Title: Wordpress ALO EasyMail Newsletter plugin cross-site request forgery vulnerability Software Link: https://wordpress.org/plugins/alo-easymail/ Affected Version: 2.6.01 Exploit Author: Mohsen Lotfi Contact:...
CyberCop Scanner Smbgrind 5.5 - Buffer Overflow (PoC)
CyberCop Scanner Smbgrind 5.5 - Buffer Overflow PoC + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SMBGRIND-BUFFER-OVERFLOW.txt Vendor: ======================= Network Associates Inc. Product: =========================================...
ManageEngine Network Configuration Management Build 11000 - Privilege Escalation
ManageEngine Network Configuration Management Build 11000 - Privilege Escalation =================================================================================== Privilege escalation Vulnerability in ManageEngine Network Configuration Management...
ManageEngine OPutils 8.0 - Multiple Vulnerabilities
ManageEngine OPutils 8.0 - Multiple Vulnerabilities =================================================================================== Privilege escalation Vulnerability in ManageEngine oputils =================================================================================== Overview ========...
Flash ActiveX 28.0.0.137 - Code Execution (1)
Flash ActiveX 28.0.0.137 - Code Execution (1) CVE-2018-4878 flash exploit Pop up a calculator - tested with installation of flash activeX plugin 28.0.0.137 Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44744.xlsx...
phpMyBackupPro 2.5 - Remote Command Execution Cross-Site Request Forgery
phpMyBackupPro 2.5 - Remote Command Execution Cross-Site Request Forgery + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/PHPMYBACKUPPRO-v2.5-RCE.txt Vendor: ============================= www.phpmybackuppro.net project site:...
glibc - getaddrinfo Stack Buffer Overflow (PoC)
glibc - getaddrinfo Stack Buffer Overflow PoC Sources: https://googleonlinesecurity.blogspot.sg/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html https://github.com/fjserna/CVE-2015-7547 Technical information: glibc reserves 2048 bytes in the stack through alloca for the DNS answer at...