This Metasploit module exploits a chain of vulnerabilities in Palo Alto Networks products running PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using an authentication bypass flaw to to exploit an XML injection issue, which is then abused to create an arbitrary directory, and finally gains root code execution by exploiting a vulnerable cron script. This Metasploit module uses an initial reverse TLS callback to stage arbitrary payloads on the target appliance. The cron job used for the final payload runs every 15 minutes by default and exploitation can take up to 20 minutes.
f9f9ce5b8abd0f8306e641f3db279345c840570cf53ebfcf9179efb66f27a90fRed Hat Security Advisory 2018-1328-01 - Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller framework for web application development. Action Pack implements the controller and the view components. Issues addressed include backup related, bypass, and code execution vulnerabilities.
b19e64c598c25f53ece8314ad1b6b240a0eb87dc98819f4541ad1d70d222c4f8Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.
39ead24f1d46a53a4118ca65333192e8b23de00376f175ad713483a533c61a56Ubuntu Security Notice 3638-1 - It was discovered that QPDF incorrectly handled certain malformed files. A remote attacker could use this issue to cause QPDF to crash, resulting in a denial of service, or possibly execute arbitrary code.
03118e2f1ab94bdf121ad97d5ad541897a62f7be559743c0db6cab94e8dd6849Debian Linux Security Advisory 4194-1 - An XML external entity expansion vulnerability was discovered in the DataImportHandler of Solr, a search server based on Lucene, which could result in information disclosure.
c3d0122b346b2e49856edd1e3ecee006be164ded42a9e805833c164648e5d292WebKitGTK+ versions prior to 2.20.0, 2.20.1, and 2.20.1 suffer from various memory corruption vulnerabilities.
a39a26b4f8a5581b6a4765e55261987ad531281dc1931b38e1e951b11f824539GNU Wget versions 1.7 through 1.19.4 suffer from a cookie injection vulnerability.
b72d6af0b5fe5fde5c7651980f119d80e8e2748eee305bde3f06e6b5d7c00dd2DeviceLock Plug and Play Auditor version 5.72 suffers from a unicode buffer overflow vulnerability.
a04b03f127039281244ae032ebdea9fd8c13669ff1f696e985585752c5e8d1d1The WordPress User Role Editor plugin prior to v4.25, is lacking an authorization check within its update user profile functionality ("update" function, contained within the "class-user-other-roles.php" module). Instead of verifying whether the current user has the right to edit other users' profiles ("edit_users" WP capability), the vulnerable function verifies whether the current user has the rights to edit the user ("edit_user" WP function) specified by the supplied user id ("user_id" variable/HTTP POST parameter). Since the supplied user id is the current user's id, this check is always bypassed (i.e. the current user is always allowed to modify its profile). This vulnerability allows an authenticated user to add arbitrary User Role Editor roles to its profile, by specifying them via the "ure_other_roles" parameter within the HTTP POST request to the "profile.php" module (issued when "Update Profile" is clicked). By default, this module grants the specified WP user all administrative privileges, existing within the context of the User Role Editor plugin.
86dde6c9282f9f7fb3fc66f8f29e9d2f98fa12526e58142988e5f83d173bd04cThis Metasploit module exploits an authenticated file upload remote code execution vulnerability in PlaySMS version 1.4. This issue is caused by improper file contents handling in import.php (aka the Phonebook import feature). Authenticated Users can upload a CSV file containing a malicious payload via vectors involving the User-Agent HTTP header and PHP code in the User-Agent. This Metasploit module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.
fd1838461438181db5479d38d1d1a6bb70ccdcb0e64b5040c592f5b4d3e3b3c7This Metasploit module exploits a code injection vulnerability within an authenticated file upload feature in PlaySMS version 1.4. This issue is caused by improper file name handling in sendfromfile.php file. Authenticated Users can upload a file and rename the file with a malicious payload. This Metasploit module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.
cd8509a13a4fadd5aa08a73c50a37e6e2a9bfc372d03a5e3789206904923adf9HWiNFO version 5.82-3410 suffers from a denial of service vulnerability.
3096c783d9985e49241b6f6336c9e82a4bad31f59babd5074e89e7e2455f7d2dDebian Linux Security Advisory 4193-1 - Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions or unsafe redirects.
3a73597483640c6f844278e07523629caecaa3b2e0d161d7fe18550e189cd6eb
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed