macOS iMessage - Heap Overflow when Deserializing

macOS iMessage - Heap Overflow when Deserializing There is a heap overflow in NSURL initWithCoder: that can be reached via iMessage and likely other paths. When an NSURL is deserialized, one property its plist can contain is NS.minimalBookmarkData, which is then used as a parameter for NSURL...

Rest - Cafe and Restaurant Website CMS - slug SQL Injection

Rest - Cafe and Restaurant Website CMS - slug SQL Injection Exploit Title: Rest - Cafe and Restaurant Website CMS - SQL Injection Date: 1.8.2019. Exploit Author: n1x MS-WEB Vendor Homepage: https://codecanyon.net/item/rest-cafe-and-restaurant-website-cms/21630154 CWE : CWE-89 Vulnerable parameter...

Sar2HTML 3.2.1 - Remote Command Execution

Sar2HTML 3.2.1 - Remote Command Execution Exploit Title: sar2html Remote Code Execution Date: 01/08/2019 Exploit Author: Furkan KAYAPINAR Vendor Homepage:https://github.com/cemtan/sar2html Software Link: https://sourceforge.net/projects/sar2html/ Version: 3.2.1 Tested on: Centos 7 In web...

1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting

1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting 1CRM On-Premise Software 8.5.7 Stored XSS //////////////////////////////////////////////////////////////////////////////////// Exploit Title: 1CRM On-Premise Software 8.5.7 - Cross-Site Scripting Date: 19/07/2019 Exploit Author: Kus...

Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery

Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery Product : Catalyst 3850 Series Device Manager Version : 3.6.10E Date: 01.08.2019 Vendor Homepage: https://www.cisco.com Exploit Author: Alperen Soydan Description : The application interface allows users to perform certain...

WebIncorp ERP - SQL injection

WebIncorp ERP - SQL injection Exploit Title: WebIncorp ERP - SQL injection Date: 1.8.2019. Exploit Author: n1x MS-WEB Vendor Homepage: https://www.webincorp.com/products/erp-software-qatar Version: Every version CWE : CWE-89 Vulnerable parameter: prodid productdetail.php GET Request GET...

SilverSHielD 6.x - Local Privilege Escalation

SilverSHielD 6.x - Local Privilege Escalation This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Exploit Title: extenua SilverSHielD 6.x local priviledge escalation Google Dork: na Date: 31 Jul 2019 Exploit Author: Ian...

Ultimate Loan Manager 2.0 - Cross-Site Scripting

Ultimate Loan Manager 2.0 - Cross-Site Scripting Exploit Title:Web Studio Ultimate Loan Manager V2.0 - Persistent Cross Site Scripting Exploit Author: Metin Yunus Kandemir kandemir Vendor Homepage: http://www.webstudio.co.zw/ Software Link: https://codecanyon.net/item/ultimate-loan-manager/198918...

Oracle Hyperion Planning 11.1.2.3 - XML External Entity

Oracle Hyperion Planning 11.1.2.3 - XML External Entity - Exploit Title: XXE Injection Oracle Hyperion - Exploit Author: Lucas Dinucci [email protected] - Twitter: @identik1t - Vendor Homepage: https://www.oracle.com/applications/performance-management - Date: 02/11/2019 - Affected Product:...

Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming

Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming Exploit Title: Unauthenticated Audio Streaming from Amcrest Camera Shodan Dork: html:"@WebVersion@" Date: 08/29/2019 Exploit Author: Jacob Baines Vendor Homepage: https://amcrest.com/ Software Link:...

macOS iOS JavaScriptCore - Loop-Invariant Code Motion (LICM) Leaves Object Property Access Unguarded

macOS iOS JavaScriptCore - Loop-Invariant Code Motion LICM Leaves Object Property Access Unguarded While fuzzing JavaScriptCore, I encountered the following modified and commented JavaScript program which crashes jsc from current HEAD and release...

iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1

iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1 There is a memory corruption vulnerability when decoding an object of class NSKnownKeysDictionary1. This class decodes an object of type NSKnownKeysMappingStrategy1, which decodes a length member which is supposed to represent the...

macOS iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances

macOS iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances When deserializing NSObjects with the NSArchiver API 1, one can supply a whitelist of classes that are allowed to be unarchived. In that case, any object in the archive whose class is not...

iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References

iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References When deserializing a class with initWithCoder, subclasses of that class can also be deserialized so long as they do not override initWithCoder and implement all methods that require a concrete implementation...

iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects

iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects The class NSDataFileBackedFuture can be deserialized even if secure encoding is enabled. This class is a file-backed NSData object that loads a local file into memory when the NSData bytes selector is called. This...

macOS iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles

macOS iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles While fuzzing JSC, I encountered the following JS program which crashes JSC from current HEAD and release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc: // Run with --useConcurrentJIT=false...

WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting

WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting Exploit Title: Real Estate 7 - Real Estate WordPress Theme v2.8.9 Persistent XSS Injection Google Dork: inurl:"/wp-content/themes/realestate-7/" Date: 2019/07/20 Author: m0ze Vendor Homepage: https://contempothemes.com Software Link:...

GigToDo 1.3 - Cross-Site Scripting

GigToDo 1.3 - Cross-Site Scripting Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection Google Dork: - Date: 2019/07/28 Author: m0ze Vendor Homepage: https://www.gigtodoscript.com Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/238553...

WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery

WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery Exploit Title: Cross Site Request Forgery in Wordpress Simple Membership plugin Date: 2019-07-27 Exploit Author: rubyman Vendor Homepage: https://wordpress.org/plugins/simple-membership/ wpvulndb :...

Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload Remote Code Execution

Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload Remote Code Execution Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. POC Date: 26-6-2019 Exploit Author: Wietse Boonstra Vendor Homepage: https://ahsay.com Software Link:...

Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation

Microsoft Windows 7 build 7601 x86 - Local Privilege Escalation include include / EDB Note: Download https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47176.zip / / PREPROCESSOR DEFINITIONS / define MNSELECTITEM 0x1E5 define MNSELECTFIRSTVALIDITEM 0x1E7 define...

Moodle Filepicker 3.5.2 - Server Side Request Forgery

Moodle Filepicker 3.5.2 - Server Side Request Forgery Exploit Title: Server Side Request Forgery in Moodle Filepicker Google Dork: / Date: 2019-07-25 Exploit Author: Fabian Mosch & Nick Theisinger r-tec IT Security GmbH Vendor Homepage: https://moodle.org/ Software Link:...

Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload Remote Code Execution (Metasploit)

Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload Remote Code Execution Metasploit Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. Metasploit Date: 26-6-2019 Exploit Author: Wietse Boonstra Vendor Homepage:...

pdfresurrect 0.15 - Buffer Overflow

pdfresurrect 0.15 - Buffer Overflow Exploit Title: pdfresurrect 0.15 Buffer Overflow Date: 2019-07-26 Exploit Author: j0lama Vendor Homepage: https://github.com/enferex/pdfresurrect Software Link: https://github.com/enferex/pdfresurrect Version: 0.15 Tested on: Ubuntu 18.04 CVE : CVE-2019-14267...

Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection

Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection Unauthenticated XML External Entity XXE in Ahsay Backup v7.x - v8.1.0.50. Date: 26-6-2019 Exploit Author: Wietse Boonstra Vendor Homepage: https://ahsay.com Software Link: http://ahsay-dn.ahsay.com/v8/81050/cbs-win.exe Version: 7.x...

Ovidentia 8.4.3 - SQL Injection

Ovidentia 8.4.3 - SQL Injection ------------------------------------------------------- Exploit Title: Ovidentia CMS - SQL Injection Authenticated Date: 06/05/2019 CVE: CVE-2019-13978 Exploit Author: Fernando Pinheiro n3k00n3 Victor Flores UserX Vendor Homepage: https://www.ovidentia.org/ Version...

WebKit - Universal Cross-Site Scripting due to Synchronous Page Loads

WebKit - Universal Cross-Site Scripting due to Synchronous Page Loads BACKGROUND As lokihardt@ has demonstrated in https://bugs.chromium.org/p/project-zero/issues/detail?id=1121, WebKit's support of the obsolete showModalDialog method gives an attacker the ability to perform synchronous...

Ovidentia 8.4.3 - Cross-Site Scripting

Ovidentia 8.4.3 - Cross-Site Scripting ------------------------------------------------------- Exploit Title: Ovidentia CMS - XSS Ovidentia 8.4.3 Description: The vulnerability permits any kind of XSS attacks. Reflected, DOM and Stored XSS. Date: 06/05/2019 CVE: CVE-2019-13977 Exploit Author:...

NoviSmart CMS - SQL injection

NoviSmart CMS - SQL injection Exploit Title: NoviSmart CMS SQL injection Date: 23.7.2019. Exploit Author: n1x MS-WEB Vendor Homepage: http://www.novismart.com/ Version: Every version CVE : CWE-89 Vulnerable parameter: Referer HTTP Header field GET Request GET / HTTP/1.1 Referer:...

WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions

WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions Exploit Title: Wordpress Hybrid Composer = 1.4.6 - Unauthenticated Configuration Access Admin Takeover Date: 2019-07-24 Vendor Homepage: http://wordpress.framework-y.com Software Link:...

Linux Kernel 4.10 5.1.17 - PTRACE_TRACEME pkexec Local Privilege Escalation

Linux Kernel 4.10 5.1.17 - PTRACETRACEME pkexec Local Privilege Escalation // Linux 4.10 // - added known helper paths // - added search for suitable helpers // - added automatic targeting // - changed target suid exectuable from passwd to pkexec //...

Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery

Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery Product : Cisco Wireless Controller Version : 3.6.10E last version Date: 23.07.2019 Vendor Homepage: https://www.cisco.com Exploit Author: Mehmet Önder Key Website: htts://cloudvist.com CVE: CVE-2019-12624 Description : The applicatio...

Trend Micro Deep Discovery Inspector IDS - Security Bypass

Trend Micro Deep Discovery Inspector IDS - Security Bypass + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DEEP-DISCOVERY-INSPECTOR-PERCENT-ENCODING-IDS-BYPASS.txt + ISR: Apparition Security Vendor...

Apple iMessage - DigitalTouch tap Message Processing Out-of-Bounds Read

Apple iMessage - DigitalTouch tap Message Processing Out-of-Bounds Read The digital touch iMessage extension can read out of bounds if a malformed Tap message contains a color array that is shorter than the points array and delta array. The method ETTapMessage initWithArchiveData: checks that the...

Axway SecureTransport 5 - Unauthenticated XML Injection

Axway SecureTransport 5 - Unauthenticated XML Injection Title: Axway SecureTransport 5 - Unauthenticated XML Injection Google Dork: intitle:"Axway SecureTransport" "Login" Date: 2019-07-20 Author: Dominik Penner / zer0pwn of Underdog Security Vendor Homepage: https://www.axway.com/en Software Lin...

BACnet Stack 0.8.6 - Denial of Service

BACnet Stack 0.8.6 - Denial of Service Exploit Title: BACnet Stack 0.8.6 - Denial of Service Google Dork: if applicable Date: 2019-07-19 Exploit Author: mmorillo Vendor Homepage: https://sourceforge.net/p/bacnet/ Software Link:...

Comtrend-AR-5310 - Restricted Shell Escape

Comtrend-AR-5310 - Restricted Shell Escape Exploit Title: Comtrend-AR-5310 - Restricted Shell Escape Date: 2019-07-20 Exploit Author: AMRI Amine Vendor Homepage: https://www.comtrend.com/ Version: GE31-412SSG-C01R10.A2pG039u.d24k Tested on: Linux busybox TL;DR: A local user can bypass the...

Web Ofisi Firma 13 - oz SQL Injection

Web Ofisi Firma 13 - oz SQL Injection Exploit Title: Web Ofisi Firma 13 - 'oz' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/kurumsal-firma-v13-sinirsiz-dil.html Demo Site: http://demobul.net/firmav13/ Version: v13 Tested on: Kali Linux...

Web Ofisi Platinum E-Ticaret 5 - q SQL Injection

Web Ofisi Platinum E-Ticaret 5 - q SQL Injection Exploit Title: Web Ofisi Platinum E-Ticaret 5 - 'q' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/platinum-e-ticaret-v5.html Demo Site: http://demobul.net/eticaretv5/ Version: v5 Tested on:...

Docker - Container Escape

Docker - Container Escape On the host docker run --rm -it --cap-add=SYSADMIN --security-opt apparmor=unconfined ubuntu bash In the container mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x echo 1 /tmp/cgrp/x/notifyonrelease hostpath=sed -n 's/.\perdir=^,./\1/p'...

Web Ofisi Emlak 3 - emlak_durumu SQL Injection

Web Ofisi Emlak 3 - emlakdurumu SQL Injection Exploit Title: Web Ofisi Emlak 3 - 'emlakdurumu' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v3.html Demo Site: http://demobul.net/emlakv3/ Version: V2 Tested on: Kali Linux CV...

MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)

MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow EggHunter Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow EggHunter Author: sasaga92 Discovery Date: 2019-07-18 Vendor Homepage: www.computerlab.com Software Link:...

REDCap 9.1.2 - Cross-Site Scripting

REDCap 9.1.2 - Cross-Site Scripting Exploit Title: REDCap - Details: Since it is an onkeypress event, it is triggered whenever the user touch any key and since the XSS payload is stored in the project name it appears in several pages. - Privileges: It requires admin privileges to store it. -...

fuelCMS 1.4.1 - Remote Code Execution

fuelCMS 1.4.1 - Remote Code Execution Exploit Title: fuelCMS 1.4.1 - Remote Code Execution Date: 2019-07-19 Exploit Author: 0xd0ff9 Vendor Homepage: https://www.getfuelcms.com/ Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1 Version: = 0 and n 1: start =...

Web Ofisi Emlak 2 - ara SQL Injection

Web Ofisi Emlak 2 - ara SQL Injection Exploit Title: Web Ofisi Emlak 2 - 'ara' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/emlak-scripti-v2.html Demo Site: http://demobul.net/emlakv2/ Version: v2 Tested on: Kali Linux CVE: N/A ----- PoC...

Web Ofisi Rent a Car 3 - klima SQL Injection

Web Ofisi Rent a Car 3 - klima SQL Injection Exploit Title: Web Ofisi Rent a Car 3 - 'klima' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/rent-a-car-v3.html Demo Site: http://demobul.net/rentacarv3/ Version: v3 Tested on: Kali Linux CVE:...

Web Ofisi Firma Rehberi 1 - il SQL Injection

Web Ofisi Firma Rehberi 1 - il SQL Injection Exploit Title: Web Ofisi Firma Rehberi 1 - 'il' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/firma-rehberi-scripti-v1.html Demo Site: http://demobul.net/firma-rehberi-v1/ Version: v1 Tested on...

Web Ofisi E-Ticaret 3 - a SQL Injection

Web Ofisi E-Ticaret 3 - a SQL Injection Exploit Title: Web Ofisi E-Ticaret 3 - 'a' SQL Injection Date: 2019-07-19 Exploit Author: Ahmet Ümit BAYRAM Vendor: https://www.web-ofisi.com/detay/e-ticaret-v3-sanal-pos.html Demo Site: http://demobul.net/eticaretv3/ Version: v3 Tested on: Kali Linux CVE:...

WordPress Plugin OneSignal 1.17.5 - subdomain Persistent Cross-Site Scripting

WordPress Plugin OneSignal 1.17.5 - subdomain Persistent Cross-Site Scripting Exploit Title: WordPress Plugin OneSignal 1.17.5 - Persistent Cross-Site Scripting Date: 2019-07-18 Vendor Homepage: https://www.onesignal.com Software Link:...

Microsoft Windows 10 19031809 - RPCSS Activation Kernel Security Callback Privilege Escalation

Microsoft Windows 10 19031809 - RPCSS Activation Kernel Security Callback Privilege Escalation Windows: RPCSS Activation Kernel Security Callback EoP Platform: Windows 10 1903/1809 not tested earlier Class: Elevation of Privilege Security Boundary per Windows Security Service Criteria: User...