Moodle allows an authenticated user to define spellcheck settings via the web interface. The user can update the spellcheck mechanism to point to a system-installed aspell binary. By updating the path for the spellchecker to an arbitrary command, an attacker can run arbitrary commands in the context of the web application upon spellchecking requests. This Metasploit module can also chain a separate privilege escalation vulnerability: using the referenced XSS vulnerability, an unprivileged authenticated user can steal an admin sesskey and use it to escalate privileges to those of an admin, allowing the module to pop a shell starting from a previously unprivileged authenticated user. This module was tested against Moodle versions 2.5.2 and 2.2.3.
ac6f5ab057f512464caba3ae5c9eb29729a37923234846241c7451944f72ebf8
This archive contains a zip file of EXR images that cause segmentation faults in the OpenEXR library version 2.2.0.
1865e85495f25d1e947a73c7cddc392c1eb7891d3c07ba9b51859f7909ea697b
This archive contains numerous TDS streams that cause segmentation faults in the FreeTDS library. The 'tsql' binary was used for the fuzzing, so these most likely only affect client-side functionality. These have been resolved on master and the 1.0 branch.
66f3f4a74d00b0e618225737ba456b7a11922247bc49c5ae8f7ef7ad115866f7
Oracle Outside In File ID library version 8.5.3 suffers from a memory corruption issue.
9c8ae6dc6a9a6d7b3b12479fd7a07ef5b5ceea818473f03193e8c865a379ff34
Wrapper classes provided by PrinceXML appear to suffer from command injection vulnerabilities.
af3f900b8ea8475a7548d9c557b237e3693679f81551df21a63dddf1a022c03f
The Xerces-C XML parser fails to parse a deeply nested DTD safely: the nesting causes a stack overflow, which allows an unauthenticated attacker to mount a denial of service attack against many applications that use the library. Apache Xerces-C XML Parser library versions prior to 3.1.4 are affected.
a0b966184480f64c7fc857680e37cc670d35cc9e4cccf14b0d26c6528bbbdd5a
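The following is an added example (not part of the original listing and not Xerces-C's own code): a pre-parse guard that measures how deeply parentheses nest inside ELEMENT content models in a document's internal DTD subset and refuses input beyond a configurable limit. It assumes the recursion that exhausts the stack is driven by nested content-model parentheses (an assumption), and the default limit of 64 is an arbitrary choice, not the upstream fix. The nested test document is constructed inline.

```python
import re

# Matches the internal subset of a DOCTYPE declaration: <!DOCTYPE name [ ... ]>
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", re.S)


def max_content_model_depth(xml_text):
    """Return the deepest parenthesis nesting found inside <!ELEMENT ...>
    declarations of the internal DTD subset (0 if there is no subset)."""
    m = DOCTYPE_RE.search(xml_text)
    if not m:
        return 0
    deepest = 0
    for decl in re.finditer(r"<!ELEMENT\b[^>]*>", m.group(1)):
        depth = 0
        for ch in decl.group(0):
            if ch == "(":
                depth += 1
                deepest = max(deepest, depth)
            elif ch == ")":
                depth -= 1
    return deepest


def dtd_within_limit(xml_text, limit=64):
    """True if the document can be handed to the real parser under the
    assumed nesting budget; False means reject it before parsing."""
    return max_content_model_depth(xml_text) <= limit


def nested_dtd_document(depth):
    """Constructed test input: declares <a> with a content model wrapped
    in `depth` nested parentheses, e.g. depth 3 gives (((b)))."""
    model = "b"
    for _ in range(depth):
        model = f"({model})"
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE a [\n"
        f"<!ELEMENT a {model}>\n"
        "<!ELEMENT b EMPTY>\n"
        "]>\n"
        "<a><b/></a>"
    )


if __name__ == "__main__":
    doc = nested_dtd_document(3)
    print("depth:", max_content_model_depth(doc))
    print("accepted with limit 2:", dtd_within_limit(doc, limit=2))
```

The check is deliberately a cheap textual scan run before the XML library sees the bytes; it does not replace upgrading to 3.1.4 or later, and it ignores external subsets, which a hardened deployment should disable anyway.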
libical versions 0.47 and 1.0 suffer from a crash issue.
e314583b6bf83ffbfdfd9a7a4875334a7dbd17311c08e56a43e14b40b4d360a7
This Metasploit module exploits a vulnerability found in Dell SonicWALL Scrutinizer. The methodDetail parameter in exporters.php allows an attacker to write arbitrary files to the file system with an SQL Injection attack, and gain remote code execution under the context of SYSTEM for Windows, or as Apache for Linux. Authentication is required to exploit this vulnerability, but this module uses the default admin:admin credential.
46eef5e2e82adcace1eb86cca34fa1691dfc435af8857a0821e91b120976f5fc
Dell SonicWall Scrutinizer versions 11.0.1 and below setUserSkin/deleteTab SQL injection / remote code execution exploit that leverages a vulnerability found by Brandon Perry in July of 2014.
6dc759bc14a238d30a49e98bea0afabd99f1ed4bda69fec060f0fc09e8cf5e1a
Raritan PowerIQ ships with three default backdoor credentials left in place.
2dcd98105d78a18b206ac52d081745dcf42c639e862b7b25a8d8a0c7ab5e2c5e
This Metasploit module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities include an authentication bypass, a directory traversal and a privilege escalation to get privileged code execution.
55479cb3065f838f82cc61df0c4fdee54d41ee44aace24351aecba453e3be8c5
Joomla J2Store extension version 3.1.6 suffers from multiple remote SQL injection vulnerabilities.
2495ca05c8e312061ad70427868645898c2ed7b6d86871b75506ad32b299c074
OS Solution OSProperty version 2.8.0 suffers from a remote SQL injection vulnerability.
afb9d76a0580b59eef035727449af6742f88e1ec6208060bf24d021e74f952d4
Joomla ECommerce-WD plugin version 1.2.5 suffers from multiple remote SQL injection vulnerabilities.
cc4be435a403cd80f5b4f40120c961b2dbee70db21b36e683a07c11ebdb15757
Raritan PowerIQ versions 4.1, 4.2, and 4.3 ship with a Rails 2 web interface with a hardcoded session secret. This can be used to achieve unauthenticated remote code execution as the nginx user on vulnerable systems.
681c8bb72ae6628420487909d37bf9e367efcdc762196f727263b8b5ca086eda
Various remote SQL injection vulnerabilities exist in the core Orion service used in most of the Solarwinds products. Affected products include Network Performance Monitor below version 11.5, NetFlow Traffic Analyzer below version 4.1, Network Configuration Manager below version 7.3.2, IP Address Manager below version 4.3, User Device Tracker below version 3.2, VoIP
40f0cfd35789791a3221e29e1e315107c0ccf98e5d5f17f0defa24fafd955c3f
eTouch Samepage version 4.4.0.0.239 suffers from remote SQL injection and arbitrary file read vulnerabilities.
3d132193ed477d7d4ba1937eda3c2f767b2192990404bb7846361beb567d88c6
This Metasploit module exploits an unauthenticated SQL injection in order to enumerate the WordPress users table, including password hashes. This Metasploit module was tested against version 1.2.7.
b0515350e4ccd496fb0e7266e0caa11158145540d2f845735488187df6eb3bf1
This Metasploit module will exploit an authenticated XXE vulnerability to read the keystore.properties file off of the filesystem. This properties file contains an encrypted password that is set during installation. What is interesting about this password is that it is the same password used for the database 'sa' user and for the admin user created during installation. This password is encrypted with a static key, and in a weak mode at that (ECB).
01a438afa7dd5e3323cf3bdca6d5720f8815799cc27eaf5498b39b69ad28f5a5
BMC TrackIt! version 11.3 suffers from an unauthenticated local user password change vulnerability.
5fefd8b05da0065be210ad2c623884f150fbcfc0f1be8ecb4ef3325bee6f4935
Device42 DCIM Appliance Manager versions 5.10 and 6.0 have hardcoded credentials and also suffer from remote command injection vulnerabilities.
47d0bb4ee432dc13a705f89a07909d8cdbdeeb3f951e98bf1888d524fb84ce61
Device42 DCIM Appliance Manager versions 5.10 and 6.0 with WAN emulator version 2.3 remote command injection exploit for Metasploit that leverages traceroute.
e2f6512a30f338fd030b36604071a79b13a88b9fdf4c8034dc527a27aa2ff592
Device42 DCIM Appliance Manager versions 5.10 and 6.0 with WAN emulator version 2.3 remote command injection exploit for Metasploit that leverages ping.
09e949ee2c12810265edcb0ba195795b730ea412d995e215b44e58c84ea6d497
Mulesoft ESB Runtime version 3.5.1 suffers from an authenticated privilege escalation vulnerability that can lead to remote code execution.
08794d520edeb726f186f14cdf7b89697a8145e119476f5b25642ede0d501b5c
This Metasploit module exploits the Drupal HTTP Parameter Key/Value SQL Injection (aka Drupageddon) in order to achieve a remote shell on the vulnerable instance. This Metasploit module was tested against Drupal 7.0 and 7.31 (fixed in 7.32).
59c783da21c64e0178897d8573702afbd579b90f368e1d6b75b500bd779f1e7d
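The following is an added example (not part of the original listing and not Drupal's code): a simplified Python reimplementation of the placeholder-expansion logic behind Drupageddon, shown in its pre-7.32 shape beside the corrected shape. It assumes a single array-valued placeholder `:name` expanded for an `IN (...)` clause; the query and the attacker-style argument array are constructed inline.

```python
import re

# Constructed sample: one array-valued placeholder, as expanded for IN (...).
SAMPLE_QUERY = "SELECT uid, name FROM users WHERE name IN (:name)"

# Constructed attacker-style input: when the array comes from an HTTP
# parameter such as name[0 -- ]=alice, the *key* is attacker-controlled.
HOSTILE_ARGS = {":name": {"0 -- ": "alice", "1": "bob"}}


def expand_vulnerable(query, args):
    """Pre-7.32 behaviour (simplified reimplementation): each element of an
    array-valued argument becomes its own placeholder, and the placeholder
    name is built from the element's key. That key is spliced verbatim into
    the SQL text, so attacker text reaches the query unescaped."""
    args = dict(args)
    for key in [k for k, v in args.items() if isinstance(v, dict)]:
        data = args.pop(key)
        new_keys = {f"{key}_{i}": value for i, value in data.items()}
        query = re.sub(re.escape(key) + r"\b",
                       lambda _m: ", ".join(new_keys), query)
        args.update(new_keys)
    return query, args


def expand_fixed(query, args):
    """Corrected behaviour: keys are regenerated as 0..n-1 from the element
    values (the effect of the upstream array_values() fix), so generated
    placeholder names are always :name_0, :name_1, ... whatever the input keys."""
    args = dict(args)
    for key in [k for k, v in args.items() if isinstance(v, dict)]:
        data = args.pop(key)
        new_keys = {f"{key}_{i}": value for i, value in enumerate(data.values())}
        query = re.sub(re.escape(key) + r"\b",
                       lambda _m: ", ".join(new_keys), query)
        args.update(new_keys)
    return query, args


if __name__ == "__main__":
    print(expand_vulnerable(SAMPLE_QUERY, HOSTILE_ARGS)[0])
    print(expand_fixed(SAMPLE_QUERY, HOSTILE_ARGS)[0])
```

The vulnerable variant emits `IN (:name_0 -- , :name_1)`, commenting out the rest of the statement from attacker-controlled text that never passed through the parameter binding; the fixed variant emits `IN (:name_0, :name_1)` regardless of what the keys contained. The general lesson is that anything interpolated into SQL text, even a placeholder name, must come from a fixed-format generator and never from request data.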