This archive contains all of the 205 exploits added to Packet Storm in March, 2019.
c93d1b13c676a6a24517848c02f420b5dc6abfa2c8fa2fdf5908d320d76ad119
This Metasploit module combines an information disclosure (CVE-2019-1653) and a command injection vulnerability (CVE-2019-1652) together to gain unauthenticated remote code execution on Cisco RV320 and RV325 small business routers. Can be exploited via the WAN interface of the router. Either via HTTPS on port 443 or HTTP on port 8007 on some older firmware versions.
3a5930431c87e0e5f639afb9c3aa17008a55b97dc03414a6b04b7d6a4f631c82
CentOS Web Panel version 0.9.8.78 suffers from a persistent cross site scripting vulnerability.
4404e8c938f6d4d0e0d317bd05a0446f824bd543b0d4a1da16bcbf824fe4bf32
Pydio 8 suffers from cross site scripting, command injection, and various other vulnerabilities.
a040ca84e3fd0ca2896f938ac0fca7bbaf88d693a9572cf3da774c7fb292a8a0
Magento versions 2.2.0 through 2.3.0 unauthenticated remote SQL injection exploit.
fb8e5118d988e50510319ef6725fac056f280cc00faa123b19459e9412e70b6b
A bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects.
0d0ded10759c5c95d391d24ddcc96e23e393aa708a7bf5a1a78768bd095306ee
Job Portal version 3.1 suffers from a remote SQL injection vulnerability.
72dab00c048a74489c29ed11f0c93ca0b886539e1c18f621ec374ca74a79e755
BigTree CMS version 4.3.4 suffers from multiple remote SQL injection vulnerabilities.
13e9cd30845227ceaabba925ef144956906a05523bb372523cd3c9dc22e42d40
Jettweb PHP Hazir Rent A Car Sitesi Scripti version 2 suffers from a remote SQL injection vulnerability.
620a81c8dfcb37bcad977a0d288b1b4742cc0ac2dfd84d6049d425c0c24def05
Thomson Reuters Concourse and Firm Central versions prior to 2.13.0097 suffer from directory traversal and local file inclusion vulnerabilities.
dd1a8a58e94896bb658e405b745d8d0621b3c62d7851007f762314a5bb6d4397
WordPress Anti-Malware Security and Brute-Force Firewall plugin version 4.18.63 suffers from a local file inclusion vulnerability.
90c88206b5de76ae7c38991cc6c101065007d85a6ed42d41bd5cde5095588252
Base64 Decoder version 1.1.2 local buffer overflow exploit with SEH egghunter.
7aed5e065bff8d7671fdb6c3033e92166861c26f9b4d5a23f9df4d52ff2c1e9f
WordPress Loco Translate plugin version 2.2.1 suffers from a local file inclusion vulnerability.
c5949dc384a330b6a87217ac176d7c5ffceffb16ee8a127b9c4100d951756cf7
Microsoft Visio 2016 version 16.0.4738.1000 suffers from a denial of service vulnerability.
3ce5706f37d31ab8a69d53892a0ba52e9a7d8577a40906f49543326156645fec
i-doit version 1.12 suffers from a cross site scripting vulnerability.
fb0838c0400c022ec5221479543a20086b1cb21bd268d29ad3df0f1b3da1d936
Airbnb Clone Script (Homeybnb) suffers from multiple remote SQL injection vulnerabilities.
390b42dab050f6e5f04aee1de6edf47ec084ab7326d7e902c8e4720bb52cc08d
Masch CMStudio Banners module version 8.6.1 suffers from an open redirection vulnerability.
2e6d19111da91575e68eade23f7674f6a28022210ce2cbcd0e0204c5e0a9646c
WordPress Form Builder plugin version 1.0 suffers from a database disclosure vulnerability.
d1d6727947d55142fd467d2f62a81b7197288fba1340846e6676ea5b07c4e6ff
This Metasploit module exploits a file upload vulnerability that allows for remote command execution in Showtime2 module versions 3.6.2 and below in CMS Made Simple (CMSMS). An authenticated user with "Use Showtime2" privilege could exploit the vulnerability. The vulnerability exists in the Showtime2 module, where the class "class.showtime2_image.php" does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG). Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, 3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1.
1df098a0e8333fb97bab3cd80dd2de6a5ea4a18a6d09b8daa9ff38cd10e5965a
This Metasploit module demonstrates that an unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (weblogic.jms.common.StreamMessag eImpl) to the interface to execute code on vulnerable hosts.
e9fa1048c7115283a85c77ab6fc28657f1c314f5367d3be58cd22dda512105d6
A bug in IonMonkeys type inference system when JIT compiling and entering a constructor function via on-stack replacement (OSR) allows the compilation of JITed functions that cause type confusions between arbitrary objects.
69137aa1448d0433945fde8e7e4340601a30cc89d0f1611dc9c4960de77a3759
This is a critical memory corruption vulnerability in any API backed by verify_crt(), including gnutls_x509_trust_list_verify_crt() and related routines in GnuTLS.
533f01efe3a32a400eae85ee0cf901c9f9719f4ada7f40836cc2938e024c4866
Fat Free CRM version 0.19.0 suffers from an html injection vulnerability.
df06e72549fffc50f5424d1db04c2b934ef5ad16747d4a3c950bb915e38af30f
RedTeam Pentesting discovered a command injection vulnerability in the web-based certificate generator feature of the Cisco RV320 router which was inadequately patched by the vendor.
fa1fddffe139a0d576a787664aa6b3b1d1207ed373110904ad3b88fa8d1e4370
RedTeam Pentesting discovered that the Cisco RV320 router still exposes sensitive diagnostic data without authentication via the device's web interface due to an inadequate fix by the vendor.
2b7e66ad19b6068e6af38b37416a2c3c4c1dbb9a1a959f50323d828c81b0520e