This archive contains all of the 79 exploits added to Packet Storm in August, 2022.
3e7ab5fb77e64191899c0e7cef2d8c023c404479de54077b3bf438091ae753afThis Metasploit module exploits CVE-2022-30526, a local privilege escalation vulnerability that allows a low privileged user (e.g. nobody) escalate to root. The issue stems from a suid binary that allows all users to copy files as root. This module overwrites the firewall's crontab to execute an attacker provided script, resulting in code execution as root. In order to use this module, the attacker must first establish shell access. For example, by exploiting CVE-2022-30525. Known affected Zyxel models include USG FLEX (50, 50W, 100W, 200, 500, 700), ATP (100, 200, 500, 700, 800), VPN (50, 100, 300, 1000), USG20-VPN and USG20W-VPN.
ce0978f09bdc4f825505d8590e1f429b3ba8069c5e7e83d2268b514b437133c9The WordPress Core version 6.0.2 release addresses cross site scripting and remote SQL injection vulnerabilities.
0294b797dfc8902604de84c76092b7f611cd98068035d347145eca92a5a38499KVM instruction emulation can run while KVM_VCPU_PREEMPTED is set, which can lead other vcpus to skip sending TLB flush IPIs. As a consequence, KVM instruction emulation can access memory through stale translations when the guest kernel thinks it has flushed all cached translations. This could potentially be used by unprivileged userspace inside a guest to compromise the guest kernel.
16fd49b64aee26c8f9a9ad6cb4265e74537f37bede65109a50798f82ac77833bAeroCMS version 0.0.1 suffers from a remote SQL injection vulnerability.
6ad6e0c3d5d0d42b2784f9f7f7a8d4b0d53123b46c7de609a3173db9ed01f80aThe Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
2ba78b07aefa0b49411c9850601bb70eafd9ced41709aea21651ae90f931e2adCentreon version 22.04.0 suffers from a persistent cross site scripting vulnerability.
3d70a278906238ba02b36becf352ebf454b3dd1b330a5747bf3dbac98c1a8336PrestaShop Ap Pagebuilder module versions 2.4.4 and below suffer from a remote SQL injection vulnerability.
572afc861ea0ca4a81aaeb41616b518ea19cd0e87bb3b4b529c0171db4fdd9cbIn the Arm Mali driver's handling of CSF user I/O mappings, VMA splitting is handled incorrectly, leading to a page being given back to the kernel's page allocator while it is still mapped into userspace. On devices with recent Mali GPUs that support CSF, this is a security bug that should be very straightforward to exploit.
6ee0db58337e2459a3e0a317b84488b6c9019397c42a860c2baea1a6661f8592This Metasploit module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on Zimbra Collaboration Suite Network Edition versions 9.0.0 Patch 23 and below as well as Zimbra Collaboration Suite Network Edition versions 8.8.15 Patch 30 and below.
d58f4c7d7dbb0ee3b34e5a5a98ecaa59aa1118d324973a875b3ee85a53d569d4Teleport 9.3.6 is vulnerable to command injection leading to remote code execution. An attacker can craft a malicious ssh agent installation link by URL encoding a bash escape with carriage return line feed. This url encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is fully unauthenticated attack utilizing the trusted teleport server to deliver the payload.
5228298638858e0e106cda75b65bd4c283027b5bc6dff934d99ebc3b59a112f710-Strike Network Inventory Explorer versions 9.3 and below are vulnerable to a SEH based buffer overflow which leads to code execution or local privilege escalation. The vulnerable part of the program is the functionality to add computers from a text file.
1dff0a8ce3b87274d21f80b9363b6ad6aff3966452e9561847b4d6b7d6caeac4This Metasploit module exploits vulnerabilities within the ChainedSerializationBinder as used in Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and Exchange Server 2016 CU22 all prior to Mar22SU. Note that authentication is required to exploit these vulnerabilities.
357c3536b07ff810cec76347c7e5ce16faf862cac3951d66875221d4f487430dPersonnel Property Equipment 2015-2022 suffers from a remote SQL injection vulnerability.
cacfd917834264c882209ac565378bfb3e65a6fcfed1eade2534a0761a5dd12cThere is a buffer overflow in how AppleAVD.kext parses the ref_pic_list_modification component of H264 slice headers in AVC_RBSP::parseSliceHeader. When pic modification entries are copied into the pic modification list, the loop only terminates when the end code (3) is encountered, meaning that any number of entries can be copied into the fixed size modification buffer. This can corrupt the remainder of the decoder structure, as well as write outside of allocated memory.
f0e86dbff30f8c2f08674e561b12277b9f50b736d022814b1917489c1e9f1d2cTransposh WordPress Translation versions 1.0.8.1 and below suffer from an incorrect authorization vulnerability.
cf075b58a8a1c31fce95fca535703432ed02017dc8456967462b1e93044c2dccFLIR AX8 versions 1.46.16 and below suffer from command injection, directory traversal, improper access control, and cross site scripting vulnerabilities.
d4b0fa3d39bb7d9eb67520d399557821deb5682ab4e0f91e473b5af510fec4d7Chrome suffers from a heap use-after-free vulnerability in content::ServiceWorkerVersion::MaybeTimeoutRequest. Google Chrome version 103.0.5060.53 and Chromium version 105.0.5134.0 are affected.
a5cedab667714abf085c2a940066ea32b5ec7735eceff8cf7a6da8ce5a4eae7bFLIR AX8 versions 1.46.16 and below unauthenticated remote OS command injection exploit.
d69929a972eb08cfeb279707887a6f7dd7e33ba6198b5c583c8af9bc510a1eb7Advantech iView software versions prior to 5.7.04.6469 are vulnerable to an unauthenticated command injection vulnerability via the NetworkServlet endpoint. The database backup functionality passes a user-controlled parameter, backup_file to the mysqldump command. The sanitization functionality only tests for SQL injection attempts and directory traversal, so leveraging the -r and -w mysqldump flags permits exploitation. The command injection vulnerability is used to write a payload on the target and achieve remote code execution as NT AUTHORITY\SYSTEM.
23eb648158fbc4d29b6a4548a4494b101e1715cad07dd93ecd76726409d9069dPolar Flow for Android version 5.7.1 stores the username and password in clear text in a file on mobile devices.
534a0fb256871c4890c13c7c9eff7a99819ffd05819971ead460bbca15cc9fb0FreeBSD versions 11.0 through 13.0 suffers from a local privilege escalation vulnerability via an aio_aqueue kernel refcount bug. This research post goes into great depth on how the researcher traversed the logic flow and achieved exploitability.
326b5e8f7907c92be98ab7e3ac35bb7766ebdf09bf20a0f1659fef3debf9aa56Whitepaper called Race Against the Sandbox - Root Cause Analysis of a Tianfu Cup bug that used a Ntoskrnl bug to escape the Google Chrome sandbox.
0f616b5cf39ba9d918c5536f81ef8913f0d5085d06313e728467400d30c01737TypeORM version 0.3.7 suffers from an information disclosure vulnerability.
246e2571f6477cd3e3f3b0900f9c7911b435e8fef9e4f9208dcfefc345575951On Windows, when registered to use a public key for computer authentication, the certificate is stored in a user accessible registry key leading to elevation of privilege.
1feeee68d37491874f775b215beec9a53d02ac93f453ad09df73f1cd980977f8
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed