This archive contains all of the 79 exploits added to Packet Storm in August, 2022.
3e7ab5fb77e64191899c0e7cef2d8c023c404479de54077b3bf438091ae753af
This Metasploit module exploits CVE-2022-30526, a local privilege escalation vulnerability that allows a low-privileged user (e.g. nobody) to escalate to root. The issue stems from a suid binary that allows all users to copy files as root. This module overwrites the firewall's crontab to execute an attacker-provided script, resulting in code execution as root. In order to use this module, the attacker must first establish shell access, for example by exploiting CVE-2022-30525. Known affected Zyxel models include USG FLEX (50, 50W, 100W, 200, 500, 700), ATP (100, 200, 500, 700, 800), VPN (50, 100, 300, 1000), USG20-VPN and USG20W-VPN.
ce0978f09bdc4f825505d8590e1f429b3ba8069c5e7e83d2268b514b437133c9
The WordPress Core version 6.0.2 release addresses cross site scripting and remote SQL injection vulnerabilities.
0294b797dfc8902604de84c76092b7f611cd98068035d347145eca92a5a38499
KVM instruction emulation can run while KVM_VCPU_PREEMPTED is set, which can cause other vCPUs to skip sending TLB flush IPIs. As a consequence, KVM instruction emulation can access memory through stale translations when the guest kernel thinks it has flushed all cached translations. This could potentially be used by unprivileged userspace inside a guest to compromise the guest kernel.
16fd49b64aee26c8f9a9ad6cb4265e74537f37bede65109a50798f82ac77833b
AeroCMS version 0.0.1 suffers from a remote SQL injection vulnerability.
6ad6e0c3d5d0d42b2784f9f7f7a8d4b0d53123b46c7de609a3173db9ed01f80a
The Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
2ba78b07aefa0b49411c9850601bb70eafd9ced41709aea21651ae90f931e2ad
Centreon version 22.04.0 suffers from a persistent cross site scripting vulnerability.
3d70a278906238ba02b36becf352ebf454b3dd1b330a5747bf3dbac98c1a8336
PrestaShop Ap Pagebuilder module versions 2.4.4 and below suffer from a remote SQL injection vulnerability.
572afc861ea0ca4a81aaeb41616b518ea19cd0e87bb3b4b529c0171db4fdd9cb
In the Arm Mali driver's handling of CSF user I/O mappings, VMA splitting is handled incorrectly, leading to a page being given back to the kernel's page allocator while it is still mapped into userspace. On devices with recent Mali GPUs that support CSF, this is a security bug that should be very straightforward to exploit.
6ee0db58337e2459a3e0a317b84488b6c9019397c42a860c2baea1a6661f8592
This Metasploit module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on Zimbra Collaboration Suite Network Edition versions 9.0.0 Patch 23 and below as well as Zimbra Collaboration Suite Network Edition versions 8.8.15 Patch 30 and below.
d58f4c7d7dbb0ee3b34e5a5a98ecaa59aa1118d324973a875b3ee85a53d569d4
Teleport 9.3.6 is vulnerable to command injection leading to remote code execution. An attacker can craft a malicious ssh agent installation link by URL-encoding a bash escape together with a carriage return line feed. This URL-encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is a fully unauthenticated attack that utilizes the trusted Teleport server to deliver the payload.
5228298638858e0e106cda75b65bd4c283027b5bc6dff934d99ebc3b59a112f7
10-Strike Network Inventory Explorer versions 9.3 and below are vulnerable to an SEH-based buffer overflow that leads to code execution or local privilege escalation. The vulnerable part of the program is the functionality to add computers from a text file.
1dff0a8ce3b87274d21f80b9363b6ad6aff3966452e9561847b4d6b7d6caeac4
This Metasploit module exploits vulnerabilities within the ChainedSerializationBinder as used in Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and Exchange Server 2016 CU22 all prior to Mar22SU. Note that authentication is required to exploit these vulnerabilities.
357c3536b07ff810cec76347c7e5ce16faf862cac3951d66875221d4f487430d
Personnel Property Equipment 2015-2022 suffers from a remote SQL injection vulnerability.
cacfd917834264c882209ac565378bfb3e65a6fcfed1eade2534a0761a5dd12c
There is a buffer overflow in how AppleAVD.kext parses the ref_pic_list_modification component of H264 slice headers in AVC_RBSP::parseSliceHeader. When pic modification entries are copied into the pic modification list, the loop only terminates when the end code (3) is encountered, meaning that any number of entries can be copied into the fixed size modification buffer. This can corrupt the remainder of the decoder structure, as well as write outside of allocated memory.
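The loop shape described above, as an added example that is not part of the Packet Storm entry or of the AppleAVD analysis: a small H.264-style bit reader with Exp-Golomb ue(v) decoding, the unbounded copy loop that only stops on the end code (3), and a bounded replacement next to it. The 32-entry cap, the sentinel value and the constructed input stream are assumptions for the demo; the real kext's structures and sizes are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_MODIFICATIONS 32   /* assumed list capacity; the spec bounds it by num_ref_idx_active */
#define END_CODE 3             /* modification_of_pic_nums_idc == 3 terminates the loop */
#define SENTINEL 0xDEADBEEFu   /* stands in for decoder state that sits right after the list */
typedef struct { const uint8_t *data; size_t len, pos; } bitreader_t;
typedef struct { uint8_t *data; size_t cap, pos; } bitwriter_t;
typedef struct { uint32_t idc, value; } pic_mod_t;
static int read_bit(bitreader_t *br) {
    if (br->pos >= br->len * 8) return -1;
    int bit = (br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}
/* ue(v): n leading zeros, a one, then n bits; value = 2^n - 1 + bits */
static int read_ue(bitreader_t *br, uint32_t *out) {
    int zeros = 0, b;
    uint32_t v = 0;
    while ((b = read_bit(br)) == 0) if (++zeros > 31) return -1;
    if (b < 0) return -1;
    for (int i = 0; i < zeros; i++) {
        if ((b = read_bit(br)) < 0) return -1;
        v = (v << 1) | (uint32_t)b;
    }
    *out = (1u << zeros) - 1 + v;
    return 0;
}
static void write_bit(bitwriter_t *bw, int bit) {
    if (bw->pos >= bw->cap * 8) return;
    if (bit) bw->data[bw->pos >> 3] |= (uint8_t)(0x80 >> (bw->pos & 7));
    bw->pos++;
}
static void write_ue(bitwriter_t *bw, uint32_t v) {
    uint32_t code = v + 1;
    int nbits = 0;
    for (uint32_t t = code; t; t >>= 1) nbits++;
    for (int i = 0; i < nbits - 1; i++) write_bit(bw, 0);
    for (int i = nbits - 1; i >= 0; i--) write_bit(bw, (code >> i) & 1);
}
/* Constructed input: n entries of (idc=0, abs_diff_pic_num_minus1=i), then the end code */
static size_t build_stream(uint8_t *buf, size_t cap, size_t n) {
    bitwriter_t bw = { buf, cap, 0 };
    memset(buf, 0, cap);
    for (size_t i = 0; i < n; i++) { write_ue(&bw, 0); write_ue(&bw, (uint32_t)i); }
    write_ue(&bw, END_CODE);
    return (bw.pos + 7) / 8;
}
/* Vulnerable pattern: the only exit is the end code, so a stream carrying more than
 * MAX_MODIFICATIONS entries writes past the list the caller sized for it */
static size_t parse_mods_unbounded(bitreader_t *br, pic_mod_t *mods) {
    size_t n = 0;
    uint32_t idc, v;
    while (read_ue(br, &idc) == 0 && idc != END_CODE && read_ue(br, &v) == 0)
        mods[n++] = (pic_mod_t){ idc, v };
    return n;
}
/* Hardened: check the capacity and the idc range before touching the buffer */
static int parse_mods_bounded(bitreader_t *br, pic_mod_t *mods, size_t cap, size_t *n_out) {
    size_t n = 0;
    uint32_t idc, v;
    for (;;) {
        if (read_ue(br, &idc) != 0) return -1;
        if (idc == END_CODE) break;
        if (idc > 2 || read_ue(br, &v) != 0 || n >= cap) return -1;
        mods[n++] = (pic_mod_t){ idc, v };
    }
    *n_out = n;
    return 0;
}
/* 1 if a stream of n entries made the unbounded parser overwrite the sentinel placed right
 * after a MAX_MODIFICATIONS-sized list (the backing allocation is larger so the demo is defined) */
static int demo_unbounded_clobbers(size_t n) {
    uint8_t stream[512];
    size_t len = build_stream(stream, sizeof stream, n);
    pic_mod_t *buf = calloc(256, sizeof *buf);
    if (!buf) return -1;
    buf[MAX_MODIFICATIONS].idc = SENTINEL;
    bitreader_t br = { stream, len, 0 };
    size_t got = parse_mods_unbounded(&br, buf);
    int clobbered = got == n && buf[MAX_MODIFICATIONS].idc != SENTINEL;
    free(buf);
    return clobbered;
}
/* Bounded parser result for a stream of n entries: accepted count, or -1 if rejected */
static int demo_bounded_count(size_t n) {
    uint8_t stream[512];
    size_t len = build_stream(stream, sizeof stream, n);
    pic_mod_t mods[MAX_MODIFICATIONS];
    size_t count = 0;
    bitreader_t br = { stream, len, 0 };
    return parse_mods_bounded(&br, mods, MAX_MODIFICATIONS, &count) == 0 ? (int)count : -1;
}
int main(void) {
    printf("unbounded, 40 entries: sentinel clobbered = %d\n", demo_unbounded_clobbers(40));
    printf("bounded, 40 entries: %d\n", demo_bounded_count(40));
    printf("bounded, 10 entries: %d\n", demo_bounded_count(10));
    return 0;
}
```

The bounded parser fails closed as soon as the 33rd entry appears, before any write; a decoder that instead clamps silently would keep running on a truncated list, which is the kind of behaviour that turns a parse error into a logic bug downstream.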
f0e86dbff30f8c2f08674e561b12277b9f50b736d022814b1917489c1e9f1d2c
Transposh WordPress Translation versions 1.0.8.1 and below suffer from an incorrect authorization vulnerability.
cf075b58a8a1c31fce95fca535703432ed02017dc8456967462b1e93044c2dcc
FLIR AX8 versions 1.46.16 and below suffer from command injection, directory traversal, improper access control, and cross site scripting vulnerabilities.
d4b0fa3d39bb7d9eb67520d399557821deb5682ab4e0f91e473b5af510fec4d7
Chrome suffers from a heap use-after-free vulnerability in content::ServiceWorkerVersion::MaybeTimeoutRequest. Google Chrome version 103.0.5060.53 and Chromium version 105.0.5134.0 are affected.
a5cedab667714abf085c2a940066ea32b5ec7735eceff8cf7a6da8ce5a4eae7b
FLIR AX8 versions 1.46.16 and below unauthenticated remote OS command injection exploit.
d69929a972eb08cfeb279707887a6f7dd7e33ba6198b5c583c8af9bc510a1eb7
Advantech iView software versions prior to 5.7.04.6469 are vulnerable to an unauthenticated command injection vulnerability via the NetworkServlet endpoint. The database backup functionality passes a user-controlled parameter, backup_file, to the mysqldump command. The sanitization functionality only tests for SQL injection attempts and directory traversal, so leveraging the -r and -w mysqldump flags permits exploitation. The command injection vulnerability is used to write a payload on the target and achieve remote code execution as NT AUTHORITY\SYSTEM.
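The argument-injection class behind the entry above, as an added example that is not iView's code or the Metasploit module: a stand-in for a filter that only denies SQL-injection tokens and traversal (the exact token list is assumed, not taken from the product), an allow-list check beside it, and an argv builder that glues the name onto --result-file= under a fixed directory so it can never be parsed by mysqldump as its own option. The BACKUP_DIR path and the database name are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define BACKUP_DIR "/var/backups/app"   /* assumed destination directory, illustration only */
/* Stand-in for a check that only looks for SQL injection and traversal tokens: a value
 * beginning with '-' passes, and mysqldump reads a separate argv element like that as an option */
static int weak_check(const char *name) {
    static const char *deny[] = { "'", "\"", ";", "--", "..", "/", "\\", NULL };
    for (int i = 0; deny[i]; i++)
        if (strstr(name, deny[i])) return 0;
    return 1;
}
/* Allow-list instead: 5..64 chars of [A-Za-z0-9_.], no leading '-' or '.', no "..", .sql suffix */
static int strict_check(const char *name) {
    size_t len = strlen(name);
    if (len < 5 || len > 64 || name[0] == '-' || name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.') return 0;
    }
    if (strstr(name, "..")) return 0;
    return strcmp(name + len - 4, ".sql") == 0;
}
/* Builds argv for mysqldump with two layers: the name must pass strict_check, and it is
 * embedded in one "--result-file=DIR/name" element, so even a dash-prefixed value could
 * not become a flag of its own. Returns argc, or -1 if the name is rejected. */
static int build_mysqldump_argv(const char *db, const char *name,
                                char *scratch, size_t scratch_len,
                                const char *argv[], int max_args) {
    if (!strict_check(name) || max_args < 4) return -1;
    int n = snprintf(scratch, scratch_len, "--result-file=%s/%s", BACKUP_DIR, name);
    if (n < 0 || (size_t)n >= scratch_len) return -1;
    argv[0] = "mysqldump";
    argv[1] = scratch;
    argv[2] = db;      /* application-controlled, not user input */
    argv[3] = NULL;
    return 3;
}
/* Demo wrapper: the --result-file element the hardened builder produces for name, or NULL */
static const char *demo_result_file(const char *name) {
    static char scratch[256];
    const char *argv[4];
    int argc = build_mysqldump_argv("inventory", name, scratch, sizeof scratch, argv, 4);
    return argc > 0 ? argv[1] : NULL;
}
int main(void) {
    /* constructed inputs: a normal name, an option-shaped value, an SQLi attempt, a traversal */
    const char *inputs[] = { "nightly.sql", "-r anything", "x' OR 1=1", "../secret.sql" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        const char *arg = demo_result_file(inputs[i]);
        printf("%-14s weak=%d strict=%d -> %s\n", inputs[i], weak_check(inputs[i]),
               strict_check(inputs[i]), arg ? arg : "(rejected)");
    }
    return 0;
}
```

The point of the second layer is that a sanitizer written against one injection class (SQL) says nothing about the next consumer of the value; when the consumer is a command line, the check has to be about option syntax, and the safest fix is to make the value structurally unable to be an option at all.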
23eb648158fbc4d29b6a4548a4494b101e1715cad07dd93ecd76726409d9069d
Polar Flow for Android version 5.7.1 stores the username and password in clear text in a file on mobile devices.
534a0fb256871c4890c13c7c9eff7a99819ffd05819971ead460bbca15cc9fb0
FreeBSD versions 11.0 through 13.0 suffer from a local privilege escalation vulnerability via an aio_aqueue kernel refcount bug. This research post goes into great depth on how the researcher traversed the logic flow and achieved exploitability.
326b5e8f7907c92be98ab7e3ac35bb7766ebdf09bf20a0f1659fef3debf9aa56
Whitepaper called Race Against the Sandbox - Root Cause Analysis of a Tianfu Cup bug that used an Ntoskrnl bug to escape the Google Chrome sandbox.
0f616b5cf39ba9d918c5536f81ef8913f0d5085d06313e728467400d30c01737
TypeORM version 0.3.7 suffers from an information disclosure vulnerability.
246e2571f6477cd3e3f3b0900f9c7911b435e8fef9e4f9208dcfefc345575951
On Windows, when registered to use a public key for computer authentication, the certificate is stored in a user-accessible registry key, leading to elevation of privilege.
1feeee68d37491874f775b215beec9a53d02ac93f453ad09df73f1cd980977f8