This Metasploit module creates a vsix file which can be installed in Visual Studio Code as an extension. At activation/install, the extension will execute a shell or two. Tested against VSCode 1.87.2 on Ubuntu 22.04.
e6880eb05602e6f92b535b42014f6031b0323eada13388a7f9aab0f3804a2789This Metasploit module exploits two vulnerabilities in Palo Alto Networks PAN-OS that allow an unauthenticated attacker to create arbitrarily named files and execute shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or GlobalProtect Portal enabled and telemetry collection on (default). Multiple versions are affected. Payloads may take up to one hour to execute, depending on how often the telemetry service is set to run.
9c69f9786e45a27c7e5254838feb1083b7180cc983336792158dcfa2db1cdf80LRMS PHP version 1.0 suffers from remote shell upload and multiple remote SQL injection vulnerabilities.
cd29b75f4fc26669967838b2cacc350651afd70ebc41fa183a818a2044008a19SofaWiki version 3.9.2 suffers from a remote shell upload vulnerability.
0f96734c2d9102385c242ff25bcaeda5c50413756e19e450e1bcbfe8ae166734FlatPress version 1.3 suffers from a remote shell upload vulnerability.
95b37bcd0ee004b10ed07d1d5449e20f0b6c896143d3d34e105388324e4c71e6WordPress Background Image Cropper plugin version 1.2 suffers from a remote shell upload vulnerability.
7fde3f2c891e83214995aac3e02a1bffb22561963731277fa9a9d738f179af92GLPI versions 10.x.x suffers from a remote command execution vulnerability via the shell commands plugin.
0937b05f1fb5c8e26650b3ff3036018e86cdfd467308fd6c3e1b37d5aa588d9cBMC Compuware iStrobe Web version 20.13 suffers from a remote shell upload vulnerability.
3c3484f8fcc75a92702655ca438887e9feb947e1b2bba0fc5284d6ea230f3db7Kruxton version 1.0 suffers from a remote shell upload vulnerability.
eac82a8882065fad4041f5e76566b23a349a9bac77c6028731f1d06a43bc4ca4Ubuntu Security Notice 6730-1 - It was discovered that Apache Maven Shared Utils did not handle double-quoted strings properly, allowing shell injection attacks. This could allow an attacker to run arbitrary code.
15c8d6e5b9065ade2c2ed5b94442496e05fb18a0a38ae85a9562327745d57a90The Ray Project dashboard contains a CPU profiling page, and the format parameter is not validated before being inserted into a system command executed in a shell, allowing for arbitrary command execution. If the system is configured to allow passwordless sudo (a setup some Ray configurations require) this will result in a root shell being returned to the user. If not configured, a user level shell will be returned. Versions 2.6.3 and below are affected.
71d55c6a52e12ee9261d11d52085671ffd68404f5deb15af6740a69e8a217fbaWordPress Membership for WooCommerce plugin versions prior to 2.1.7 suffer from a remote shell upload vulnerability.
02cf8f42362fb411dc46a34c050893842dde9be08183674517277a5f694702c4Soholaunch version 4.9.4 r44 suffers from a remote shell upload vulnerability.
38cf97e11373ce1137705690e0184e70046c7384264c09e97f32c832e3026b02Ubuntu Security Notice 6714-1 - It was discovered that debmany in Debian Goodies incorrectly handled certain deb files. An attacker could possibly use this issue to execute arbitrary shell commands.
d54f6944dfabbda777fb8a78361b6893760736de4073959bba84adbd8fa06495Orange Station version 1.0 suffers from a remote shell upload vulnerability.
5a9f8a0ab40cab9d931909357ed512b4a4e0910b05218556dc4ed1977fa5b4d8Ubuntu Security Notice 6711-1 - Vincent Berg discovered that CRM shell incorrectly handled certain commands. An local attacker could possibly use this issue to execute arbitrary code via shell code injection to the crm history commandline.
561d06378a4d832e9a803e7cdd95a4af11f2b3f29f3a2e2508d84ddaebf01a8dDebian Linux Security Advisory 5641-1 - It was discovered that fontforge, a font editor, is prone to shell command injection vulnerabilities when processing specially crafted files.
9b3201adff6afbd1a97b1cdf43d27c97115dada38acd1dbb20e51e10c8d2ca91Gasmark Pro version 1.0 suffers from a remote shell upload vulnerability.
74aac3d302e6dccc4a04f4bb3b7f33f7c74952c5fafd68a7b296c174889dd69bMembership Management System version 1.0 suffers from remote shell upload and remote SQL injection vulnerabilities.
bafbc2c7895ab97a3d57de482862b676a744678a894f6abb9103ae63f21b01a1MetaFox versions 5.1.8 and below suffer from a remote shell upload vulnerability.
e2b323542d1ae762fd44f17402386b535064f3b92a9eb3e937211dc86f883e48MSMS-PHP version 1.0 suffers from a remote shell upload vulnerability.
06dd3743528c052502c13e65a54289e54ef53298ff6beb4c6ee8a4810bae36dfDataCube3 version 1.0 suffers from a remote shell upload vulnerability.
a5ca9dcfc24b6607634b3ccc91b9b2cf12ca8ba0a229101f9e74e14975448d9aWallos versions prior to 1.11.2 suffer from a remote shell upload vulnerability.
77ba729fac9fbd6e562f329a83458d57ae71f13aaf4f55db7da1328097365d1aPetrol Pump Management System version 1.0 suffers from a remote shell upload vulnerability. This is a variant vector of attack in comparison to the original discovery attributed to SoSPiro in February of 2024.
0f0040501420a8f8ddd6c7f12a7f7140cff7687749ef9d7f7d32928b820114f8Real Estate Management System version 1.0 suffers from a remote shell upload vulnerability.
839e1e676d2dbd464ca5097616ef9a9bec7bfb837d94aa2a8ab1088675a02115
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed