This archive is a GhostRace proof of concept exploit exemplifying the concept of a speculative race condition in a step-by-step single-threaded fashion. Coccinelle scripts are used to scan the Linux kernel version 5.15.83 for Speculative Concurrent Use-After-Free (SCUAF) gadgets.
37e02a934f238521d1f775356b1e8c43d4c6a81948b9dad1162cc1387ca9c199
Cacti versions 1.2.26 and below suffer from a remote code execution vulnerability in import.php.
86b50d4574919755d30f44ebc0972085ad39e9820171813614fe42cf0df9f937
SAP Cloud Connector versions 2.15.0 through 2.16.1 were found to accept self-signed TLS certificates on the connection between SCC and SAP BTP, so the peer is not actually authenticated.
bfc27f59ffa7a1d020eb1883e06f1b2a7891a0fff09f6afb7a4aef11cea69616
Zope version 5.9 suffers from a command injection vulnerability in /utilities/mkwsgiinstance.py.
1849107b888555128ddb84f1932e592e1a6cec7bad8f090a967908069ab52d02
CrushFTP versions prior to 11.1.0 suffer from a directory traversal vulnerability.
f6f0dfaaef61e480d92184b9e2c78f7ab875206b68a377d6f7d4d096b36e0e6b
TrojanSpy.Win64.EMOTET.A malware suffers from a code execution vulnerability.
10debc35623c145b6f978baa8cb84aaa54c64d5d82a5c05ac187f8de64eca19f
Plantronics Hub version 3.25.1 suffers from an arbitrary file read vulnerability.
c63a856ff1866ac2a5b1c7cca4db6ffecb90758e7c84070c8f4234cfa6c54caa
Backdoor.Win32.AsyncRat malware suffers from a code execution vulnerability.
aae895a856dbb790f39f2815c8d74efe74839c99e7531212e21ea34299f56a3e
Apache mod_proxy_cluster suffers from a cross site scripting vulnerability.
fadf8a3fa5550a659387386713c6d034a845c647a4595a8ba20fbad136400e1f
Chryp version 2.5.2 suffers from a persistent cross site scripting vulnerability.
595f50a797273bc71e600e16b0c302e64f4c3bc6413b4e2f4eac3ca9d31edcda
Leafpub version 1.1.9 suffers from a persistent cross site scripting vulnerability.
a319d222989340e097fcceb563dd16ea12ab8f0c1bc6bc240ca39b4f7c8bcfb0
Prison Management System Using PHP suffers from a remote SQL injection vulnerability that allows for authentication bypass.
e69f0a647f9409afaeb28fca9549b65a8f171f0f00a1d280a8d677cfdf0704ee
This Metasploit module abuses a feature of the sudo configuration on Progress Kemp LoadMaster. Certain binary files are allowed to automatically elevate with the sudo command, and the decision is based on the file name alone. Some files that have this permission are not write-protected from the default bal user, so if such a file is overwritten with an arbitrary executable, it still auto-elevates. This module overwrites the /bin/loadkeys file with another executable.
0ba86964552be2e15d8dfa5aee3dc906633226221f56038c5adfd5023d1cef02
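The check a practitioner would want before or after reading that module is "which of the auto-elevating targets can my unprivileged account actually replace?". The program below is an added example, not code from the module or from the appliance: it decides replaceability from stat(2) mode bits (owner, group, other, plus the sticky-bit rule for the parent directory) so the verdict is the same whether the scanner runs as root or as bal. The file names and the temporary allow-list it scans are constructed for the demo; the real allow-list lives in the appliance's sudo policy and is not reproduced here.

```c
/* Added example, not code from the Metasploit module: decide which
 * sudo-auto-elevated targets an unprivileged account could replace.
 * The allow-list used below is constructed for the demo; /bin/loadkeys
 * is the file the module itself overwrites. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Classic Unix rule: owner bits if we own it, else group bits if we share
 * the group, else "other" bits. Decided from mode bits, not access(2), so
 * the answer does not change when the scanner happens to run as root. */
static bool mode_allows_write(const struct stat *st, uid_t uid, gid_t gid)
{
    if (st->st_uid == uid) return (st->st_mode & S_IWUSR) != 0;
    if (st->st_gid == gid) return (st->st_mode & S_IWGRP) != 0;
    return (st->st_mode & S_IWOTH) != 0;
}

/* A target can be swapped for attacker code if the file itself is
 * writable, or if its directory is writable (unlink + recreate), unless
 * the directory is sticky and the file belongs to someone else. */
static bool target_replaceable(const char *path, uid_t uid, gid_t gid)
{
    struct stat st, dst;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return false;
    if (mode_allows_write(&st, uid, gid)) return true;

    char dir[4096];
    snprintf(dir, sizeof dir, "%s", path);
    char *slash = strrchr(dir, '/');
    if (!slash) return false;
    if (slash == dir) strcpy(dir, "/"); else *slash = '\0';
    if (stat(dir, &dst) != 0 || !mode_allows_write(&dst, uid, gid)) return false;
    if ((dst.st_mode & S_ISVTX) && st.st_uid != uid) return false;
    return true;
}

/* Scan an allow-list; bit i of the result is set when paths[i] is replaceable. */
static unsigned scan_targets(const char *const *paths, size_t n, uid_t uid, gid_t gid)
{
    unsigned mask = 0;
    for (size_t i = 0; i < n && i < 32; i++)
        if (target_replaceable(paths[i], uid, gid)) mask |= 1u << i;
    return mask;
}

/* Self-contained demo: three constructed targets under a temp dir, scanned
 * as the current user. Expected mask 0x5: bit0 (0644 file in a writable
 * dir) and bit2 (0444 file in a writable dir) set, bit1 (0444 file in a
 * 0555 dir) clear. Returns 0xFFFFFFFF if the setup itself fails. */
static unsigned demo_scan(void)
{
    char base[] = "/tmp/sudo-scan-XXXXXX";
    if (!mkdtemp(base)) return 0xFFFFFFFFu;
    char ro_dir[64], p0[64], p1[64], p2[64];
    snprintf(ro_dir, sizeof ro_dir, "%s/ro", base);
    if (mkdir(ro_dir, 0755) != 0) return 0xFFFFFFFFu;
    snprintf(p0, sizeof p0, "%s/loadkeys", base);     /* 0644 in writable dir */
    snprintf(p1, sizeof p1, "%s/ro/loadkeys", base);  /* 0444 in 0555 dir    */
    snprintf(p2, sizeof p2, "%s/other", base);        /* 0444 in writable dir */
    const char *files[3] = { p0, p1, p2 };
    mode_t modes[3] = { 0644, 0444, 0444 };
    for (int i = 0; i < 3; i++) {
        int fd = open(files[i], O_CREAT | O_WRONLY | O_TRUNC, modes[i]);
        if (fd < 0) return 0xFFFFFFFFu;
        close(fd);
        chmod(files[i], modes[i]);   /* make the mode umask-independent */
    }
    chmod(ro_dir, 0555);
    unsigned mask = scan_targets(files, 3, getuid(), getgid());
    chmod(ro_dir, 0755);             /* restore so cleanup can unlink */
    for (int i = 0; i < 3; i++) unlink(files[i]);
    rmdir(ro_dir);
    rmdir(base);
    return mask;
}

int main(void)
{
    printf("replaceable mask: 0x%x\n", demo_scan());
    return 0;
}
```

On a real appliance the list to feed scan_targets() is whatever `sudo -l` reports for the bal account; the directory check matters because a 0444 binary is still replaceable when its directory is writable.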
Panel.SmokeLoader malware suffers from cross site request forgery, and cross site scripting vulnerabilities.
ef278eac34255b166212b8c3d391b9134c5e614f5beadcfc77d5664154f0a7de
Panel.SmokeLoader malware suffers from a cross site scripting vulnerability.
bcc5e47df8b2d6bd47ac6d8b30cb4be97dade1f97e3d46af383c50831ef76904
Esteghlal F.C.'s site suffers from a cross site scripting vulnerability.
27a3e849215cdeb3acce420536732c6bb9d4b0fd92ff4c0bea2720714ce42ece
In mmu_insert_pages_no_flush(), when a HUGE_HEAD page is mapped to a 2M aligned GPU address, this is done by creating an Address Translation Entry (ATE) at MIDGARD_MMU_LEVEL(2) (in other words, an ATE covering 2M of memory is created). This is wrong because it assumes that at least 2M of memory should be mapped. mmu_insert_pages_no_flush() can be called in cases where less than that should be mapped, for example when creating a short alias of a big native allocation. Later, when kbase_mmu_teardown_pgd_pages() tries to tear down this region, it will detect that unmapping a subsection of a 2M ATE is not possible and write a log message complaining about this, but then proceed as if everything was fine while leaving the ATE intact. This means the higher-level code will proceed to free the referenced physical memory while the ATE still points to it.
02b7002e9ef87f42111b8b994ec26a71eab28f5f71c23d3899c25a6cc7a85c92
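The failure above is a granularity mismatch: the mapping path writes a 2 MiB block entry for a region that is shorter than 2 MiB, and the teardown path cannot express "unmap part of a block", so it logs and reports success with the entry still live. The toy two-level page table below is an added example, not the Mali kbase driver's code: insert_pages(), teardown_pages(), the four-slot table and the 16-page alias are assumptions made for the model. It shows the buggy variant leaving a dangling translation to memory the caller goes on to free, and the fixed variant (block entries only for full 2 MiB mappings, and an error rather than silent success on a partial block unmap) leaving nothing behind.

```c
/* Added example, not the Mali kbase code: a toy two-level GPU page table
 * reproducing the mapping/teardown granularity mismatch described above.
 * All names and the 4-slot layout are assumptions made for the model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT   12
#define BLOCK_SHIFT  21                                   /* 2 MiB block ATE */
#define PAGES_PER_2M (1u << (BLOCK_SHIFT - PAGE_SHIFT))   /* 512 */
#define L2_SLOTS     4                                    /* 8 MiB of GPU VA */

enum ate_kind { ATE_INVALID, ATE_BLOCK_2M, ATE_TABLE };

struct l2_entry {
    enum ate_kind kind;
    uint64_t block_pa;                /* ATE_BLOCK_2M: base of the 2 MiB */
    bool     present[PAGES_PER_2M];   /* ATE_TABLE: 4 KiB leaf ATEs */
    uint64_t leaf_pa[PAGES_PER_2M];
};

struct pgd { struct l2_entry l2[L2_SLOTS]; };

static size_t l2_index(uint64_t va) { return (size_t)(va >> BLOCK_SHIFT); }
static size_t l3_index(uint64_t va) { return (size_t)((va >> PAGE_SHIFT) & (PAGES_PER_2M - 1)); }

/* Map npages of contiguous memory at gpu_va. huge_head: the pages are the
 * head of a 2 MiB allocation. Buggy variant: a block ATE whenever the VA is
 * 2 MiB aligned, even for a short alias. Fixed variant: only when the whole
 * 2 MiB is actually being mapped. */
static int insert_pages(struct pgd *pgd, uint64_t gpu_va, uint64_t pa,
                        size_t npages, bool huge_head, bool buggy)
{
    size_t idx = l2_index(gpu_va), li = l3_index(gpu_va);
    if (idx >= L2_SLOTS || li + npages > PAGES_PER_2M) return -1;
    struct l2_entry *e = &pgd->l2[idx];
    if (huge_head && li == 0 && (buggy || npages == PAGES_PER_2M)) {
        e->kind = ATE_BLOCK_2M;
        e->block_pa = pa;
        return 0;
    }
    e->kind = ATE_TABLE;
    for (size_t i = 0; i < npages; i++) {
        e->present[li + i] = true;
        e->leaf_pa[li + i] = pa + ((uint64_t)i << PAGE_SHIFT);
    }
    return 0;
}

/* Unmap npages at gpu_va. A partial unmap of a block ATE is impossible at
 * this level; the buggy variant logs it and still reports success with the
 * ATE live, so the caller proceeds to free the backing pages. */
static int teardown_pages(struct pgd *pgd, uint64_t gpu_va, size_t npages, bool buggy)
{
    size_t idx = l2_index(gpu_va), li = l3_index(gpu_va);
    if (idx >= L2_SLOTS || li + npages > PAGES_PER_2M) return -1;
    struct l2_entry *e = &pgd->l2[idx];
    switch (e->kind) {
    case ATE_INVALID:
        return 0;
    case ATE_BLOCK_2M:
        if (li == 0 && npages == PAGES_PER_2M) { e->kind = ATE_INVALID; return 0; }
        fprintf(stderr, "teardown: cannot unmap %zu pages out of a 2M ATE\n", npages);
        return buggy ? 0 : -1;
    case ATE_TABLE:
        for (size_t i = 0; i < npages; i++) e->present[li + i] = false;
        return 0;
    }
    return -1;
}

/* Does any live ATE still translate to physical address pa? */
static bool pa_still_mapped(const struct pgd *pgd, uint64_t pa)
{
    for (size_t s = 0; s < L2_SLOTS; s++) {
        const struct l2_entry *e = &pgd->l2[s];
        if (e->kind == ATE_BLOCK_2M &&
            pa >= e->block_pa && pa < e->block_pa + (1ull << BLOCK_SHIFT))
            return true;
        if (e->kind == ATE_TABLE)
            for (size_t i = 0; i < PAGES_PER_2M; i++)
                if (e->present[i] && e->leaf_pa[i] == pa) return true;
    }
    return false;
}

/* The scenario from the text: a 16-page alias of a huge allocation mapped at
 * a 2 MiB aligned VA, then torn down. Returns true when a translation to the
 * backing page survives a "successful" teardown, i.e. the GPU-side UAF. */
static bool dangling_after_short_alias(bool buggy)
{
    static struct pgd pgd;
    memset(&pgd, 0, sizeof pgd);
    const uint64_t va = 1ull << BLOCK_SHIFT, pa = 0x80000000ull;
    if (insert_pages(&pgd, va, pa, 16, true, buggy) != 0) return false;
    int rc = teardown_pages(&pgd, va, 16, buggy);
    /* higher-level code frees the 16 pages at pa whenever rc == 0 */
    return rc == 0 && pa_still_mapped(&pgd, pa);
}

int main(void)
{
    printf("buggy: dangling=%d  fixed: dangling=%d\n",
           dangling_after_short_alias(true), dangling_after_short_alias(false));
    return 0;
}
```

Both halves of the fix are shown on purpose: restricting block entries to full 2 MiB mappings removes the cause, and turning the log-and-continue into a hard error in teardown_pages() stops the caller from freeing memory that is still reachable from the GPU if a partial block ever does appear.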
Openmediavault versions prior to 7.0.32 have a vulnerability that occurs when users in the web-admin group enter commands into the crontab and select the root shell to run them. As a result, authenticated web-admin users can run commands with root privileges and receive reverse shell connections.
f54e108c3e072e69c000f9759d386e86aae92493e17fbe4348a5bdd7b5278328
RIOT versions 2024.01 and below suffer from multiple buffer overflows, ineffective size checks, and out-of-bounds memory access vulnerabilities.
43c245ca872e84173b6225084f324209f789f4e49b0b9c392d621feab1e1de58
The Security Explorations team has come up with two attack scenarios that make it possible to extract private ECC keys used by a PlayReady client (Windows SW DRM scenario) for the communication with a license server and identity purposes. Proof of concept included.
c2dc2010ee36581d568d891c24ac2a0dfd8b8a87de8de3d72f1072bb1e38964a
Panel Amadey.d.c malware suffers from cross site scripting vulnerabilities.
56d2e699a952bda76c68e9e01f6c3048db2c4af020ac1ac6adda3f4b9c409042
Clinic Queuing System version 1.0 suffers from a remote code execution vulnerability.
23c5d126d6744f4ca5ca7cb92f2a3a88c17df81ab9f24fd93329abb2706e0378
iboss Secure Web Gateway versions prior to 10.2.0 suffer from a persistent cross site scripting vulnerability.
50b166bd6a6b50ebc0b7770cf33221a56eafab69e5b4987b101fcd6a8a6d1e49
POMS PHP version 1.0 suffers from remote shell upload and remote SQL injection vulnerabilities.
6fbd9b24154b7a82bd33b970bc8f205aec51838beab9dfdcd8c402c4bc2fe213
Kortex version 1.0 suffers from a remote SQL injection vulnerability.
a16f4013115276b1f531688e40762325affcbf56e829fa0b4b9a3e3651bbef0d