Spring Security OAuth - Open Redirector
Spring Security OAuth - Open Redirector Exploit Title: Open Redirector in spring-security-oauth2 Date: 17 June 2019 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...
Thunderbird ESR 60.7.XXX - icalrecur_add_bydayrules Stack-Based Buffer Overflow
Thunderbird ESR 60.7.XXX - icalrecur_add_bydayrules Stack-Based Buffer Overflow X41 D-Sec GmbH Security Advisory: X41-2019-003 Stack-based buffer overflow in Thunderbird ========================================== Severity Rating: High Confirmed Affected Versions: All versions affected Confirmed...
Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell)
Microsoft Windows - UAC Protection Bypass Via Slui File Handler Hijack PowerShell Interactive Version: function SluiHijackBypass Param ParameterMandatory=$True String$command, ValidateSet64,86 int$arch = 64 Create registry structure New-Item "HKCU:\Software\Classes\exefile\shell\open\command"...
Netperf 2.6.0 - Stack-Based Buffer Overflow
Netperf 2.6.0 - Stack-Based Buffer Overflow Exploit Author: Juan Sacco - http://exploitpack.com Tested on: Kali i686 GNU/Linux Description: Netperf 2.6.0 is a benchmark tool developed by Hewlett Packard that can be used to measure the performance of many different types of networking. It...
Thunderbird ESR 60.7.XXX - Type Confusion
Thunderbird ESR 60.7.XXX - Type Confusion X41 D-Sec GmbH Security Advisory: X41-2019-004 Type confusion in Thunderbird ============================= Severity Rating: Medium Confirmed Affected Versions: All versions affected Confirmed Patched Version...
Thunderbird ESR 60.7.XXX - icalmemorystrdupanddequote Heap-Based Buffer Overflow
Thunderbird ESR 60.7.XXX - icalmemorystrdupanddequote Heap-Based Buffer Overflow X41 D-Sec GmbH Security Advisory: X41-2019-001 Heap-based buffer overflow in Thunderbird ========================================= Severity Rating: High Confirmed Affected Versions: All versions affected Confirmed...
Aida64 6.00.5100 - Log to CSV File Local SEH Buffer Overflow
Aida64 6.00.5100 - Log to CSV File Local SEH Buffer Overflow !/usr/bin/python Exploit : Aida64 6.00.5100 'Log to CSV File' Local SEH Buffer Overflow Exploit Author : Nipun Jaswal Tested On : Windows 7 Home Basicx86 Version : 6.00.5100 Release Date : 31/May/2019 Build : 21/May/2019 Vendor Homepage...
CentOS 7.6 - ptrace_scope Privilege Escalation
CentOS 7.6 - ptrace_scope Privilege Escalation !/usr/bin/env bash 'ptrace_scope' misconfiguration Local Privilege Escalation Affected operating systems TESTED: Parrot Home/Workstation 4.6 Latest Version Parrot Security 4.6 Latest Version CentOS / RedHat 7.6 Latest Version Kali Linux 2018.4 Latest...
Sitecore 8.x - Deserialization Remote Code Execution
Sitecore 8.x - Deserialization Remote Code Execution Exploit Title: Sitecore v 8.x Deserialization RCE Date: Reported to vendor October 2018, fix released April 2019. Exploit Author: Jarad Kopf Vendor Homepage: https://www.sitecore.com/ Software Link: Sitecore downloads:...
Pronestor Health Monitoring 8.1.11.0 - Privilege Escalation
Pronestor Health Monitoring 8.1.11.0 - Privilege Escalation Summary The Pronestor service "PNHM" aka Health Monitoring or HealthMonitor before 8.1.12.0 has "BUILTIN\Users:IF" permissions for the "%PROGRAMFILESX86%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, which allo...
FusionPBX 4.4.3 - Remote Command Execution
FusionPBX 4.4.3 - Remote Command Execution Exploit Title: FusionPBX = 4.4.3 Command Injection RCE via XSS Date: 06-11-2019 Exploit Author: Dustin Cobb Vendor Homepage: https://www.fusionpbx.com Software Link: https://https://github.com/fusionpbx/fusionpbx Version: = 4.4.3 Tested on: Debian 8.11 C...
phpMyAdmin 4.8 - Cross-Site Request Forgery
phpMyAdmin 4.8 - Cross-Site Request Forgery Exploit Title: Cross Site Request Forgery CSRF Date: 11 June 2019 Exploit Author: Riemann Vendor Homepage: https://www.phpmyadmin.net/ Software Link: https://www.phpmyadmin.net/downloads/ Version: 4.8 Tested on: UBUNTU 16.04 LTS -Installed Docker image ...
Webmin 1.910 - Package Updates Remote Command Execution (Metasploit)
Webmin 1.910 - Package Updates Remote Command Execution Metasploit This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Webmin Package Updates Remote Command Execution', 'Description' = %q This modu...
ProShow 9.0.3797 - Local Privilege Escalation
ProShow 9.0.3797 - Local Privilege Escalation !/usr/bin/python coding:utf-8 Exploit Title: ProShow v9.0.3797 Local Exploit Exploit Author: @YonatanCorrea website with details: https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html Vendor Homepage: http://www.photodex.com/ProShow...
WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution
WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution Exploit Title: Authenticated code execution in insert-or-embed-articulate-content-into-wordpress Wordpress plugin Description: It is possible to upload and execute a PHP file using the plugin option to uplo...
Liferay Portal 7.1 CE GA3 SimpleCaptcha API - Cross-Site Scripting
Liferay Portal 7.1 CE GA3 SimpleCaptcha API - Cross-Site Scripting Exploit Title: Liferay Portal ” / or ” /. A customized Liferay portlet which directly calls the Simple Captcha API without sanitizing the input could be susceptible to this vulnerability. Poc In a sample scenario of custom code...
Ubuntu 18.04 - lxd Privilege Escalation
Ubuntu 18.04 - lxd Privilege Escalation !/usr/bin/env bash ---------------------------------- Authors: Marcelo Vazquez S4vitar Victor Lasa vowkin ---------------------------------- Step 1: Download build-alpine = wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine...
UliCMS 2019.1 Spitting Lama - Persistent Cross-Site Scripting
UliCMS 2019.1 Spitting Lama - Persistent Cross-Site Scripting Exploit Title: UliCMS 2019.1 "Spitting Lama" - Stored Cross-Site Scripting Google Dork: intext:"by UliCMS" Date: 2019-05-12 Exploit Author: Unk9vvN Vendor Homepage: https://en.ulicms.de Software Link:...
Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)
Microsoft Windows - AppX Deployment Service Local Privilege Escalation 3 CVE-2019-0841 BYPASS 2 There is a second bypass for CVE-2019-0841. This can be triggered as following: Delete all files and subfolders within "c:\users%username%\appdata\local\packages\Microsoft.MicrosoftEdge8wekyb3d8bbwe"...
VMware WorkStation 12.5.3 - Virtual Machine Escape
VMware WorkStation 12.5.3 - Virtual Machine Escape VMware Escape Exploit VMware Escape Exploit before VMware WorkStation 12.5.3 Host Target: Win10 x64 Compiler: VS2013 Test on VMware 12.5.2 build-4638234 Known issues Failing to heap manipulation causes host process crash. About 50% successful rat...
Supra Smart Cloud TV - openLiveURL() Remote File Inclusion
Supra Smart Cloud TV - openLiveURL Remote File Inclusion Exploit Title: Remote file inclusion Date: 03-06-2019 Exploit Author: Dhiraj Mishra Vendor Homepage: https://supra.ru Software Link: https://supra.ru/catalog/televizory/televizorsuprastvlc40lt0020f/ CVE: CVE-2019-12477 References:...
Exim 4.87 4.91 - (Local Remote) Command Execution
Exim 4.87 4.91 - Local Remote Command Execution Qualys Security Advisory The Return of the WIZard: RCE in Exim CVE-2019-10149 ======================================================================== Contents ======================================================================== Summary Local...
Google Chrome 73.0.3683.103 - WasmMemoryObject::Grow Use-After-Free
Google Chrome 73.0.3683.103 - WasmMemoryObject::Grow Use-After-Free memoryobject, uint32t pages ... Handle newbuffer; if oldbuffer-isshared // Adjust protections for the buffer. if !AdjustBufferPermissionsisolate, oldbuffer, newsize return -1; void backingstore = oldbuffer-backingstore; if...
Zimbra 8.8.11 - XML External Entity Injection Server-Side Request Forgery
Zimbra 8.8.11 - XML External Entity Injection Server-Side Request Forgery coding=utf8 import requests import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disablewarningsInsecureRequestWarning baseurl=sys.argv1 baseurl=baseurl.rstrip"/" uplo...
Zoho ManageEngine ServiceDesk Plus 9.3 - SearchN.do Cross-Site Scripting
Zoho ManageEngine ServiceDesk Plus 9.3 - SearchN.do Cross-Site Scripting Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SearchN.do Date: 2019-06-04 Exploit Author: Tarantula Team - VinCSS a member of Vingroup Vendor Homepage:...
Cisco RV130W 1.0.3.44 - Remote Stack Overflow
Cisco RV130W 1.0.3.44 - Remote Stack Overflow !/usr/bin/python Exploit Title: Cisco RV130W Remote Stack Overflow Google Dork: n/a Date: Advisory Published: Feb 2019 Exploit Author: @0x00string Vendor Homepage: cisco.com Software Link:...
DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)
DVD X Player 5.5 Pro - Local Buffer Overflow SEH Exploit Title: DVDXPlayer 5.5 Pro Local Buffer Overflow with SEH Date: 6-3-2019 Exploit Author: Kevin Randall Vendor Homepage: http://www.dvd-x-player.com/download.htmldvdPlayer Software Link: http://www.dvd-x-player.com/download.htmldvdPlayer...
IceWarp 10.4.4 - Local File Inclusion
IceWarp 10.4.4 - Local File Inclusion Exploit Title: IceWarp =10.4.4 local file include Date: 02/06/2019 Exploit Author: JameelNabbo Website: uitsec.com Vendor Homepage: http://www.icewarp.com Software Link: https://www.icewarp.com/downloads/trial/ Version: 10.4.4 Tested on: Windows 10 CVE:...
NUUO NVRMini 2 3.9.1 - sscanf Stack Overflow
NUUO NVRMini 2 3.9.1 - sscanf Stack Overflow !/usr/bin/python Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow Google Dork: n/a Date: Advisory Published: Nov 18 Exploit Author: @0x00string Vendor Homepage: nuuo.com Software Link: https://www.nuuo.com/ProductNode.php?node=2 Version: 3.9....
Zoho ManageEngine ServiceDesk Plus 9.3 - PurchaseRequest.do Cross-Site Scripting
Zoho ManageEngine ServiceDesk Plus 9.3 - PurchaseRequest.do Cross-Site Scripting Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via PurchaseRequest.do Date: 2019-06-04 Exploit Author: Tarantula Team - VinCSS a member of Vingroup Vendor Homepage:...
Vim 8.1.1365 Neovim 0.3.6 - Arbitrary Code Execution
Vim 8.1.1365 Neovim 0.3.6 - Arbitrary Code Execution by Arminius @rawsec Vim/Neovim Arbitrary Code Execution via Modelines ================================================= Product: Vim 8.1.1365, Neovim 0.3.6 Type: Arbitrary Code Execution CVE: CVE-2019-12735 Date: 2019-06-04 Author: Arminius...
Zoho ManageEngine ServiceDesk Plus 9.3 - SiteLookup.do Cross-Site Scripting
Zoho ManageEngine ServiceDesk Plus 9.3 - SiteLookup.do Cross-Site Scripting Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SiteLookup.do Date: 2019-06-04 Exploit Author: Tarantula Team - VinCSS a member of Vingroup Vendor Homepage:...
Zoho ManageEngine ServiceDesk Plus 9.3 - SolutionSearch.do Cross-Site Scripting
Zoho ManageEngine ServiceDesk Plus 9.3 - SolutionSearch.do Cross-Site Scripting Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SolutionSearch.do Date: 2019-06-04 Exploit Author: Tarantula Team - VinCSS a member of Vingroup Vendor Homepage:...
KACE System Management Appliance (SMA) 9.0.270 - Multiple Vulnerabilities
KACE System Management Appliance SMA 9.0.270 - Multiple Vulnerabilities Exploit Title: Dell Kace Appliance Multiple Vulnerabilities Date: 12/04/2018 Exploit Author: SlidingWindow, Twitter: @kapilkhot Vendor Homepage: https://www.quest.com/products/kace-systems-management-appliance/ Affected...
Nvidia GeForce Experience Web Helper - Command Injection
Nvidia GeForce Experience Web Helper - Command Injection //Send request to local GFE server function submitRequestport,secret var xhr = new XMLHttpRequest; xhr.open"POST", "http://127.0.0.1:"+port+"/gfeupdate/autoGFEInstall/", true; xhr.setRequestHeader"Accept",...
AUO Solar Data Recorder 1.3.0 - Incorrect Access Control
AUO Solar Data Recorder 1.3.0 - Incorrect Access Control Exploit Title: AUO Solar Data Recorder - Incorrect Access Control Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.auo.com/zh-TW Version: AUO Solar Data Recorder all versions prior to v1.3.0 Tested on: It is a...
WordPress Plugin Form Maker 1.13.3 - SQL Injection
WordPress Plugin Form Maker 1.13.3 - SQL Injection -- coding: utf-8 -- Exploit Title: WordPress Plugin Form Maker 1.13.3 - SQL Injection Date: 22-03-2019 Exploit Author: Daniele Scanu @ Certimeter Group Vendor Homepage: https://10web.io/plugins/ Software Link:...
Microsoft Windows Remote Desktop - BlueKeep Denial of Service
Microsoft Windows Remote Desktop - BlueKeep Denial of Service import socket, sys, struct from OpenSSL import SSL from impacket.structure import Structure I'm not responsible for what you use this to accomplish and should only be used for education purposes Could clean these up since I don't even...
Spidermonkey - IonMonkey Leaks JS_OPTIMIZED_OUT Magic Value to Script
Spidermonkey - IonMonkey Leaks JS_OPTIMIZED_OUT Magic Value to Script IonMonkey can, during a bailout, leak an internal JS_OPTIMIZED_OUT magic value to the running script. This magic value can then be used to achieve memory corruption. Prerequisites Magic Values Spidermonkey represents JavaScript...
Free SMTP Server 2.5 - Denial of Service (PoC)
Free SMTP Server 2.5 - Denial of Service PoC Exploit Title: Free SMTP Server - Local Denial of Service Crash PoC Date: February 3, 2009 Exploit Author: Metin Kandemir kandemir Vendor Homepage: http://www.softstack.com/freesmtp.html Software Link:...
pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting
pfSense 2.4.4-p3 (ACME Package 0.59_14) - Persistent Cross-Site Scripting Exploit Title: pfSense 2.4.4-p3 ACMEPackage 0.5.71 - Stored Cross-Site Scripting Date: 05.28.2019 Exploit Author: Chi Tran Vendor Homepage: https://www.pfsense.org Version: 2.4.4-p3/0.5.71 Software Link: N/A Google Dork: N/A...
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm and possibly others: When kgsl_mem_entry_destroy() in drivers/gpu/msm/kgsl.c is called for a writable entry with...
Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation
Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation While fuzzing Spidermonkey, I encountered the following commented and modified JavaScript program which crashes debug builds of the latest release version of Spidermonkey from commit...
Phraseanet 4.0.7 - Cross-Site Scripting
Phraseanet 4.0.7 - Cross-Site Scripting Exploit title: Stored XSS vulnerability in Phraseanet DAM Open Source software Date: 10/10/2018 Exploit Author: Krzysztof Szulski Vendor Homepage: https://www.phraseanet.com Software Link also VM: https://www.phraseanet.com/en/download/ Version affected:...
EquityPandit 1.0 - Password Disclosure
EquityPandit 1.0 - Password Disclosure Exploit title: EquityPandit v1.0 - Insecure Logging Date:27/05/2019 Exploit Author: ManhNho Software name: "EquityPandit" Software link: https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit Version: 1.0 Category: Android apps Descriptio...
Petraware pTransformer ADC 2.1.7.22827 - Login Bypass
Petraware pTransformer ADC 2.1.7.22827 - Login Bypass Exploit Title: Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form. Date: 28-05-2019 Exploit Author: Faudhzan Rahman Website: https://faudhzanrahman.blogspot.com/ Vendor Homepage:...
Deltek Maconomy 2.2.5 - Local File Inclusion
Deltek Maconomy 2.2.5 - Local File Inclusion Exploit Title: Maconomy Erp local file include Date: 22/05/2019 Exploit Author: JameelNabbo Website: jameelnabbo.com Vendor Homepage: https://www.deltek.com Software Link: https://www.deltek.com/en-gb/products/project-erp/maconomy CVE: CVE-2019-12314...
Pidgin 2.13.0 - Denial of Service (PoC)
Pidgin 2.13.0 - Denial of Service PoC -- coding: utf-8 -- Exploit Title: Pidgin 2.13.0 - Denial of Service PoC Date: 24/05/2019 Author: Alejandra Sánchez Vendor Homepage: https://pidgin.im/ Software https://cfhcable.dl.sourceforge.net/project/pidgin/Pidgin/2.13.0/pidgin-2.13.0.exe Version: 2.13.0...
Typora 0.9.9.24.6 - Directory Traversal
Typora 0.9.9.24.6 - Directory Traversal Exploit Title: Code execution via path traversal Date: 17-05-2019 Exploit Author: Dhiraj Mishra Vendor Homepage: http://typora.io Software Link: https://typora.io/download/Typora.dmg Version: 0.9.9.24.6 Tested on: macOS Mojave v10.14.4 CVE: CVE-2019-12137...
Opencart 3.0.3.2 - extensionfeedgoogle_base Denial of Service PoC
Opencart 3.0.3.2 - extensionfeedgoogle_base Denial of Service PoC !/bin/bash Opencart PoC exploit, just for test... Tested on store with added more than 1000 products Usage: ./cartkiller.sh storeurl threads sleep Example: ./cartkiller.sh https://storename 50 5 Disclaimer: This or previous programs...