This archive contains all of the 158 exploits added to Packet Storm in November, 2014.
24de2b71477635f2bdb96e6990ed37de9cb8848dd29210ffe8ddd1d0ec948734
This Metasploit module exploits Windows OLE Automation Array Vulnerability known as CVE-2014-6332. The vulnerability affects Internet Explorer 3.0 until version 11 within Windows95 up to Windows 10. Powershell is required on the target machine. On Internet Explorer versions using Protected Mode, the user has to manually allow powershell.exe to execute in order to be compromised.
a21c73516ca752edd0b68c3886ddd782c3596ad30278942d9c8600f98098d65b
Tiny Server version 1.1.9 suffers from a file disclosure vulnerability via directory traversal.
8e024c6f998f6f042e074c97d5919ff9e0154ff022aa987da869b585ca75c143
WordPress versions 4.0 and below suffer from a denial of service vulnerability.
db06a68758cd9dad1d5395c990fc04dd3f23911c44cbcde51be81bd708299ba0
Tuleap versions 7.6-4 and below suffer from a PHP object injection vulnerability in register.php.
192dd00027ad64789b52484759c17f92a935cf687f895373607d3b900d19a1ad
Microsoft IIS version 7.5 suffers from an error message cross site scripting vulnerability.
81fc5a1359863025158fd7f1f9fdf3d02dcf4f689641d8608af4bda5ce325575
The D-Link DAP-1360 suffers from cross site request forgery and cross site scripting vulnerabilities.
55251ecf0633440957d348713dd25ad1aa213796491552bd68d69efa4111b2e0
A specially-crafted sniffit configuration file can be leveraged to execute code as root.
0e5fe0fcd83bf75ca01e02b696edc874fa9921b6318df3ad0fddb1136bf2a3eb
The India Times site suffers from multiple cross site scripting vulnerabilities.
27ec2357a0f195cb6415de9ecdba19bb9890d2d4f6cbd1342c38d2f4dcf4dd04
WordPress Ad-Manager version 1.1.2 suffers from an open redirection vulnerability.
481e53868adfd461ba5cde08f15d349c49cb6d5d3b80e29c05bf4b37ff39b763
Springshare LibCal version 2.0 suffers from a cross site scripting vulnerability.
4c0fe54916f30cdf49c6c044a53f873e35b2d1c4e776981a9ad714a82f7cc20f
Weather Channel's weather.com suffers from multiple cross site scripting vulnerabilities.
4659c08736f1b4bac545584b83972e574cc06de7ed4a970775fe6adbe922aacd
This Metasploit module attempts to exploit multiple issues in order to gain remote code execution under Pandora FMS versions equal to and prior to 5.0 SP2. First, an attempt to authenticate using default credentials is performed. If this method fails, a SQL injection vulnerability is leveraged in order to extract the "Auto Login" password hash. If this value is not set, the module will then extract the administrator account's MD5 password hash.
fc913d99854d2c8194e4f3b46434494278885d559958fa670ed923151a77b005
xEpan version 1.0.1 suffers from a cross site request forgery vulnerability.
93905a94b8881af358eda8b862d28a7d5a7bdbd6d87c6e77054c3f04728082bf
Android versions prior to 5.0 suffer from a remote SQL injection vulnerability in the opt module WAPPushManager.
18706be9be8033c24e8c2f06033de0b992c7dd3941e112ef9d8ce5cecd8fdef9
Android versions prior to 5.0 allow an unprivileged application the ability to resend all the SMS's stored in the users phone.
9954c7e735f97d8deaa62bdd4dd7a93cbbb3e11d2057e1ba006ba091a07683fc
In Android versions prior to 5.0 and possibly greater than and equal to 4.0, Settings application leaks Pendingintent with a blank base intent (neither the component nor the action is explicitly set) to third party applications. Due to this, a malicious app can use this to broadcast intent with the same permissions and identity of the Settings application, which runs as SYSTEM uid.
cfc2aeebb8ce7b28e800f8cd2c1a2ef4f012afd9da67892dea7842b3fef42e7c
Device42 DCIM Appliance Manager versions 5.10 and 6.0 have hardcoded credentials and also suffer from remote command injection vulnerabilities.
47d0bb4ee432dc13a705f89a07909d8cdbdeeb3f951e98bf1888d524fb84ce61
Device42 DCIM Appliance Manager versions 5.10 and 6.0 with WAN emulator version 2.3 remote command injection exploit for Metasploit that leverages traceroute.
e2f6512a30f338fd030b36604071a79b13a88b9fdf4c8034dc527a27aa2ff592
Device42 DCIM Appliance Manager versions 5.10 and 6.0 with WAN emulator version 2.3 remote command injection exploit for Metasploit that leverages ping.
09e949ee2c12810265edcb0ba195795b730ea412d995e215b44e58c84ea6d497
CCH Wolters Kluwer PFX Engagement versions 7.1 and below suffer from a local privilege escalation vulnerability.
36550649271a777da5e3bdb31f777a4a5c0c5f089e34ab04078ef57d4129ecbe
MyBB versions 1.8.2 and below suffer from an unset_globals() function bypass and remote code execution vulnerabilities.
a691b9b40b1b09c878c6dabf004797b5a74ac29c49123dfae6aadb61bdba3161
phpBB versions 3.1.1 and below suffer from a deregister_globals() bypass vulnerability.
05feb1c2143bc563aea79f035ee6a9f2a25fd7538e2a1eaf959167cbc2e80130
Slider Revolution versions 3.0.95 and below and Showbiz Pro versions 1.7.1 and below suffer from a remote shell upload vulnerability.
ca657f1a9a31a06a387229bf959af2f2630ece3badc1c268a0ca6e9c67272e71
WordPress Sexy Squeeze Pages plugin suffers from a cross site scripting vulnerability.
8793ad38d9dfbe4490552ccd9b80858ec761b30f9e6cba3c99073dba85c6703d