CVE-2023-2606

Related Files

Lexmark Device Embedded Web Server Remote Code Execution

Posted Sep 19, 2023

Authored by jheysel-r7, James Horseman, Zach Hanley | Site metasploit.com

An unauthenticated remote code execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19. The vulnerability is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user. If no Admin user is created, the endpoint /cgi-bin/fax_change_faxtrace_settings is accessible without authentication. The endpoint allows the user to configure a number of different fax settings. A number of the configurable parameters on the page fail to be sanitized properly before being used in a bash eval statement, allowing for an unauthenticated user to run arbitrary commands.

tags | exploit, remote, arbitrary, cgi, code execution, bash

advisories | CVE-2023-26067, CVE-2023-26068

SHA-256 | 55b25ea44278a5136992f906756ff24cc7e2991ab7847a6388c6522fffc7a70a

Download | Favorite | View

WordPress WP Brutal AI Cross Site Scripting

Posted Jul 25, 2023

Authored by Taurus Omar

WordPress WP Brutal AI plugin versions prior to 2.06 suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2023-2606

SHA-256 | f0fe10550341a549f41e0bbc187064bdd166943b60a5efc5282b037ad1af5e87

Download | Favorite | View