This archive contains all of the 169 exploits added to Packet Storm in September, 2021.
2d5335d8a4719b57986a4b6b030b83b25c923ac73802cc371f160375e3b46e97PlaceOS version 1.2109.1 suffers from an open redirection vulnerability.
9230fb10c8a88600b3268329baa1ee6acb5f4ae8cd635068dcd1d6419c76b0d3Cmsimple version 5.4 authenticated remote code execution exploit.
9c66365017cd37b01e328c9eadccc39e261944d0e29fb70b25ae5aacd4f85a3aWordPress JS Jobs Manager plugin version 1.1.7 suffers from an unauthenticated plugin installation and activation vulnerability.
476b7c83bbaedc72abf814d5c8e7070dcc8f90d29894a855004150ad54d829afPharmacy Point of Sale System version 1.0 suffers from multiple remote SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to Janik Wehrli in September of 2021.
c48c955fe8392ca3517e9829a5ddffe745c764c0b8977cacae3f618a20d90f0fThis code is a proof-of-concept of the recently revealed Azure Active Directory password brute-forcing vulnerability announced by Secureworks.
776f9c87b943ea490dee90a4f117eb7062122a1a4ccdfcf9e16e09ca2416cd61Pet Shop Management System version 1.0 suffers from a remote shell upload vulnerability.
28477ad85ab4111f1df3679d0ad89f7074a8bafd27483d7ca25f37d1c4298c64Mitrastar GPT-2541GNAC-N1 suffers from a privilege escalation vulnerability that provides root privileges.
79eee6856f1f12654bc6bb4b93dba0735934aa5df9b92db70648672e0168b534Google's Extensible Service Proxy suffers from a header forgery vulnerability.
c2a95ac806be1e61288f44e7ec319f21ec2702adefa41386a2ad0039ac44ff37Storage Unit Rental Management System version 1.0 suffers from a remote shell upload vulnerability.
40921e68c1ec93ec4338b185d832ad6b9271cae7bd61a5da66366bf26fd606e0WordPress Redirect 404 to Parent plugin version 1.3.0 suffers from a cross site scripting vulnerability.
f4ebfcd69e7f5176c540dbe75f7090e041c52868c64e8097859a7b178f1d3f4bWordPress Select All Categories And Taxonomies plugin version 1.3.1 suffers from a cross site scripting vulnerability.
68fc9f4058f733ea1e46d65dc918535536c09807be809a6fe766a63989c5c709OpenSIS version 8.0 suffers from a cross site scripting vulnerability.
bac5d8f25561abe1b7b4f87c94bf527231e8fcd6a9f8623f5506441d4deed74cCovid Vaccination Scheduler System version 1.0 suffers from cross site scripting and remote SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to faisalfs10x in July of 2021.
ae710b05bd025d7e79e63517677882000a5dc8e341484db8f13afd0794170b66FatPipe Networks WARP/IPVPN/MPVPN version 10.2.2 suffers from a remote privilege escalation vulnerability.
6ef66ed70e92ad612290d98df48054d67d1c964e07a0683eaed0ee4abc38ad4eFatPipe Networks WARP/IPVPN/MPVPN version 10.2.2 has the hidden administrative account cmuser that has no password and has write access permissions to the device. The user cmuser is not visible in the Users menu list of the application.
76986786233f93566ddb9953be6f98bfa450885a5ac241ed16617a8870a9ff2bFatPipe Networks WARP/IPVPN/MPVPN version 10.2.2 is vulnerable to an unauthenticated configuration disclosure when a direct object reference is made to the backup archive file using an HTTP GET request.
c9208e538a5afc70b3635572f890f2667c94de059d48740427d2b3abf186786cFatPipe Networks WARP version 10.2.2 suffers from an authorization bypass vulnerability.
d011bfaa75604c3b3dc63ad611330b11fc8a534120edc38f724e1a4f58929d87The application interface FatPipe Networks WARP/IPVPN/MPVPN version 10.2.2 allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
7e2119d2b169c3fb6fb1b259c686bac08187edd3b7de42bea6ab93a108d54445WordPress Ultimate Maps plugin version 1.2.4 suffers from a cross site scripting vulnerability.
ffbdf36c553fc01d39018fe0185356f74c5cc7f17c0c33a393d62e41f2a8b4f0Apache James Server version 2.3.2 remote command execution exploit.
c9b253ccb01558d000573b82422dd40cdb537674eba685ea7b12e068e995cf6bWordPress Popup plugin version 1.10.4 suffers from a cross site scripting vulnerability.
ed1b48d005de68bb19e777a8b0f2eaf4468a6b8c5f2311d3d8b400aa188e742bWordPress Contact Form plugin version 1.7.14 suffers from a cross site scripting vulnerability.
0e0ab4bcf75174837ae5ceeeb37aa6426986dc34ed136e26b958c7fd2bc5c479WordPress TranslatePress plugin version 2.0.8 suffers from a persistent cross site scripting vulnerability.
3822bef2a24677b6eb4b93a67de4fe8417a8820f848d7d696fae51a0be909fc2Zero day exploit for Nehelper Wifi Info on iOS 15.0. XPC endpoint com.apple.nehelper accepts user-supplied parameter sdk-version, and if its value is less than or equal to 524288, the com.apple.developer.networking.wifi-info entitlement check is skipped. This makes it possible for any qualifying application (e.g. possessing location access authorization) to gain access to Wifi information without the required entitlement. This happens in -[NEHelperWiFiInfoManager checkIfEntitled:] in /usr/libexec/nehelper.
0af5f880ff757d8f4ecf82631a976eb88cd98d6646578d823eeb66b9199ddf29
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed