This Metasploit module exploits a vulnerability in the Supervisor process control software, where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2.
99930294bef23f9b9d84c06aa2386d0ad63e5b162e9d0bb0cd32b041027c9f56
Clickheat version 1.13 suffers from a remote command execution vulnerability.
300ce9838bd8a669889600e36ca5c0dafd090928c0e4b644dfa8cac24db9a8a8
Untangle NGFW versions 9 through 11 suffer from a cross site scripting vulnerability that can allow for remote code execution as root. They also suffer from an information disclosure vulnerability. This is a follow up discussing additional attack vectors not previously disclosed in the prior advisory.
e86c9969d013c35f87d327a8f236b5f675e69ae24e898f23a4e957c0d77bf3ad
Untangle NGFW versions 9 through 11 suffer from a cross site scripting vulnerability that can allow for remote code execution as root.
a3cb12027a6ffc525cec30197ca2a8e07e4441321519f0aea96bf4b2ec12571a