This archive contains all of the 69 exploits added to Packet Storm in November, 2022.
10d4085fbdba3d419d26c81bfaf764c2fc51340ab34556657890eb62b9eaa869A partial blind cross site request forgery (CSRF) vulnerability exists in perfSONAR versions 4.x through 4.4.5 within the /perfsonar-graphs/ test results page. Parameters and values can be injected/passed via the URL parameter, forcing the client to connect unknowingly in the background to other sites via transparent XMLHTTPRequests. This partial blind CSRF bypasses the built-in whitelisting function in perfSONAR.
44092efeff9a22718267fc8ee3d1add5f9f7c1bd035ed2fb94ece0d6baf60239perfSONAR bundles with it a graphData.cgi script, used to graph and visualize data. There is a flaw in graphData.cgi allowing for unauthenticated users to proxy and relay HTTP/HTTPS traffic through the perfSONAR server. The vulnerability can potentially be leveraged to exfiltrate or enumerate data from internal web servers. This vulnerability was patched in perfSONAR version 4.4.5. Versions 4.x through 4.4.4 are affected. There is a whitelisting function that will mitigate, but is disabled by default.
57258cc3a50359f248bba303d6a0892af6f77e5cbd93340c72b5018222e14550This Metasploit module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only supports Exchange Server 2019. These vulnerabilities were patched in November 2022.
52e94b2539eeb923ed6dfcf33bf21788d037db18208e166670e34916d20844ddOX App Suite versions 7.10.6 and below suffer from cross site scripting, server-side request forgery, and resource exhaustion vulnerabilities.
ba6b2cbc7f4a93851df3e4965e0195411ca754b70e55778fee524c5fadf9d260Hirschmann (Belden) BAT-C2 version 8.8.1.0R8 suffers from a remote authenticated command injection vulnerability.
902fa02d042cb42bf90b944d2600703447b836b6f9b4d286e2b0bca32793a471This Metasploit module utilizes the Remote Control Server's protocol to deploy a payload and run it from the server. Remote Control Collection by Steppschuh version 3.1.1.12 was tested and affected at the time of the module writing.
8ec54480d8b7f9ded99d2b49657f9832dc3a324e3a72069c93377bd06f3766c0Concrete CMS version 9.1.3 suffers from an XPATH injection vulnerability.
e81e801bc0f5b4dd82d9ce4bcee4b54402b79d6db04d4e1b64a573d494436372vBulletin versions 5.5.2 and below suffers from an issue where user input passed through the "messageids" request parameter to /ajax/api/vb4_private/movepm is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.
642eb80065f04eaf2d94765043c9d033ac86f7e4e3dda966ce90660dd7167e15Backdoor.Win32.Autocrat.b malware suffers from a weak hardcoded credential vulnerability.
d7a1dbe69c51797b7a119cf51d50bfdc0cf2f5d6383559a3c42e0b551d24f2ffWin32.Ransom.Conti ransomware fails to encrypt non PE files that have a ".exe" in the filename. Creating specially crafted file names successfully evaded encryption for this malware sample.
d9c0e9406b722512df44cebb17c86eb5064420bbea72fa35eda62ac98a591282Trojan.Win32.DarkNeuron.gen malware creates an IPC pipe with a NULL DACL allowing RW for the Everyone user.
419a95e24053a48a5b8a151771f5d30d68d5dbe8ac113c538ae6b1f007c00d2aHelmet Store Showroom version 1.0 suffers from an authenticated remote SQL injection vulnerability.
3e66b115ba8748f4ad2101302dc9ed47242e049cd2dfe657bde160d836d22ceeSanitization Management System version 1.0 suffers from a remote SQL injection vulnerability. This entry was updated in January of 2024 with additional findings.
3a4de72e3b739ff23b5ce1e6d25229108f69fd6464014bc7ad7fb001ce6a3b8cChrome suffers from a heap use-after-free vulnerability in blink::LocalFrameView::PerformLayout due to an incomplete fix for CVE-2022-3199.
ede5dbd6ee9c5895a1b02c8bc6cefd5dfe9adef84fd2fceb45bd3140cd0fa16bXNU suffers from a vm_object use-after-free vulnerability due to invalid error handling in vm_map_enter.
5ef6c77b173e377d874346d025662d6a74af50dd2789a4af20f0430f362f87dfXNU suffers from a dangling PTE entry due to integer truncation when collapsing vm_object shadow chains.
29e4042cd9a0b7666d0b7fda5c45703a1a078adf7f5202670b30f28e36559698This Metasploit module exploits a newline injection into an RPM .rpmspec file that permits authenticated users to remotely execute commands. Successful exploitation results in remote code execution as the root user.
ab0811cdeca1e7b40855fbeb9922d915dac86f0ccb16efdb3855d5d39ebf43acEcommerce version 1.0 suffers from cross site scripting and open redirection vulnerabilities.
10974d3f0eb8f35db411dab410b7a1c77554ed694b184ccc2855d4f78f6cf262Backdoor.Win32.Serman.a malware suffers from an unauthenticated open proxy vulnerability.
e221bc8a4c226f37e8a799ddd862aa9890e65551bd528db38964e5e344ccb498This Metasploit module exploits the logic in the CartView.php page when crafting a draft email with an attachment. By uploading an attachment for a draft email, the attachment will be placed in the /tmp_attach/ folder of the ChurchInfo web server, which is accessible over the web by any user. By uploading a PHP attachment and then browsing to the location of the uploaded PHP file on the web server, arbitrary code execution as the web daemon user (e.g. www-data) can be achieved.
d722a625744f0e9dc54c97184f41f3a6b314c7e49874af507dfdc2295535278eThis Metasploit module exploits a cross-site request forgery (CSRF) vulnerability in F5 Big-IP's iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are unavailable. By default, we write to a script that executes at reboot, which means the payload will execute the next time the server boots. An alternate target - Login - will add a backdoor that executes next time a user logs in interactively. This overwrites a file, but we restore it when we get a session Note that because this is a CSRF vulnerability, it starts a web server, but an authenticated administrator must visit the site, which redirects them to the target.
0942abdee0725fc32a285ecb9a23fb1bfe3ecc058946e6d59dda0de6b91cbca4Roxy Fileman versions 1.4.6 and below remote shell upload proof of concept exploit.
16a9c59173c82b869a340397a5e68377531e0e0f9be9781793142e4f47786e1bBoa Web Server versions 0.94.13 through 0.94.14 fail to validate the correct security constraint on the HEAD HTTP method allowing everyone to bypass the Basic Authorization mechanism.
74e7caa0bc29548de21944cffdfcab5eda40da0abe02546c835047e2ff2799f1This is a whitepaper along with a proof of concept eml file discussing CVE-2020-16947 where a remote code execution vulnerability exists in Microsoft Outlook 2019 version 16.0.13231.20262 when it fails to properly handle objects in memory.
e10886839475e813dff9362bc048392f047b424255b849ca304a468b0daa17a3
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed