exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 24 of 24 RSS Feed

Files Date: 2021-11-05

Ubuntu Security Notice USN-5133-1
Posted Nov 5, 2021
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 5133-1 - It was discovered that ICU contains a use after free issue. An attacker could use this issue to cause a denial of service with crafted input.

tags | advisory, denial of service
systems | linux, ubuntu
advisories | CVE-2020-21913
SHA-256 | 52f5aa9af62d018440d8e83a72361ff0609279aa3218e9be66014191e68d7e57
Pentaho Business Analytics / Pentaho Business Server 9.1 SQL Injection
Posted Nov 5, 2021
Authored by Altion Malka, Alberto Favero

Pentaho allows users to create and manage Data Sources. Users can select a Data Source when creating a Dashboard through the Pentaho User Console. When a Data Source is added, Pentaho makes a HTTP request to the dashboards editor (/pentaho/api/repos/dashboards/editor) in order to test the connection by executing a test SQL query. However, further examination revealed that by utilizing CVE-2021-31602, an authentication bypass of Spring APIs, it is possible for an unauthenticated user to execute arbitrary SQL queries on any Pentaho datasource and thus retrieve data from the related databases.

tags | exploit, web, arbitrary, sql injection
advisories | CVE-2021-31602, CVE-2021-34684
SHA-256 | aafd5de6352edfc97e93496f171ced94b49f52a6817c483a7aec6ee26649a0e9
Faraday 3.18.1
Posted Nov 5, 2021
Authored by Francisco Amato | Site github.com

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Changes: Fixed a CVE issue.
tags | tool, rootkit
systems | unix
SHA-256 | 2a00c01b9e899d658a8c916b7f69fd826cff814e5ab5b947806aa8dfd91c3e07
HealthForYou 1.11.1 / HealthCoach 2.9.2 Missing Password Policy
Posted Nov 5, 2021
Authored by Nick Decker | Site trovent.io

HealthForYou version 1.11.1 and HealthCoach version 2.9.2 are missing a server-side password policy. When creating an account or changing your password the mobile and web application both check the password against the password policy. But the API assumes that the given password is already checked therefore an attacker can intercept the HTTP request and change it to a weak password.

tags | exploit, web
SHA-256 | 76436b526ba9f4f32e343d01e9e2fa685e376cf002a7d94b46c1f713090fd4b3
Red Hat Security Advisory 2021-4134-01
Posted Nov 5, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-4134-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Issues addressed include bypass, spoofing, and use-after-free vulnerabilities.

tags | advisory, spoof, vulnerability
systems | linux, redhat
advisories | CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, CVE-2021-38509
SHA-256 | a88eb764b65ec66c46ee3c76b70894989188f4e5965d111b4da0fa51f31687df
Pentaho Business Analytics / Pentaho Business Server 9.1 User Enumeration
Posted Nov 5, 2021
Authored by Altion Malka, Alberto Favero

Pentaho implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. HAWSEC identified that the services userRoleListService and ServiceAction exposed through the /pentaho/webservices/userRoleListService and /pentaho/ServiceAction?action=SecurityDetails endpoints are not enforcing sufficient access controls. Specifically, an authenticated user can list all application usernames present in the Jackrabbit Repository.

tags | exploit, web, protocol
advisories | CVE-2021-31600
SHA-256 | df24858a662120cb07ae1d884fbbf73c40dde32c2c707e40ade959b4c867fc35
Backdoor.Win32.Jokerdoor MVID-2021-0390 Buffer Overflow
Posted Nov 5, 2021
Authored by malvuln | Site malvuln.com

Backdoor.Win32.Jokerdoor malware suffers from a buffer overflow vulnerability.

tags | exploit, overflow
systems | windows
SHA-256 | f9ac0dc563179b905dfc07b61a0149825ae2536c624a7f6cfb6a2ab07774f0ee
Red Hat Security Advisory 2021-4130-01
Posted Nov 5, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-4130-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Issues addressed include bypass, spoofing, and use-after-free vulnerabilities.

tags | advisory, spoof, vulnerability
systems | linux, redhat
advisories | CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, CVE-2021-38509
SHA-256 | e8817b7475fcd78d00b1e034f0f524743e2b13cedea16cb733a200b676c97c57
Pentaho Business Analytics / Pentaho Business Server 9.1 Authentication Bypass
Posted Nov 5, 2021
Authored by Altion Malka, Alberto Favero

Pentaho Business Analytics and Pentaho Business Server versions 9.1 and below suffer from an authentication bypass vulnerability related to Spring APIs.

tags | exploit, bypass
advisories | CVE-2021-31602
SHA-256 | 7f8a25e1b9943928e3d57e11e94b4b22917396971502415544f387e2340268c3
PHP Event Calendar Lite Edition Cross Site Scripting
Posted Nov 5, 2021
Authored by Erik Steltzner, Maurizio Ruchay | Site syss.de

PHP Event Calendar Lite Edition suffers from a persistent cross site scripting vulnerability.

tags | exploit, php, xss
advisories | CVE-2021-42078
SHA-256 | 09c617426974d7713fb8ccab94dcccb7210bc336670db3a9f3be869096871afb
IBM Sterling B2B Integrator Cross Site Scripting
Posted Nov 5, 2021
Authored by T. Silpavarangkura, Sutthiwat Panithansuwan | Site sec-consult.com

IBM Sterling B2B Integrator suffers from a cross site scripting vulnerability. Versions affected include 5.2.0.0 through 5.2.6.5_3, 6.0.0.0 through 6.0.3.4, and 6.1.0.0 through 6.1.0.2.

tags | exploit, xss
advisories | CVE-2021-20562
SHA-256 | b6d82ee2ddf3add475ca8f0e7254bd649739bfd47a776b2327a65546609217f5
Backdoor.Win32.Ncx.b MVID-2021-0389 Code Execution
Posted Nov 5, 2021
Authored by malvuln | Site malvuln.com

Backdoor.Win32.Ncx.b malware suffers from a code execution vulnerability.

tags | exploit, code execution
systems | windows
SHA-256 | 47fc600df53efe7d5ddc71a7f247222ee2018c1c58652d07dd06fcd09771d24c
ImportExportTools NG 10.0.4 HTML Injection
Posted Nov 5, 2021
Authored by Vulnerability Laboratory | Site vulnerability-lab.com

ImportExportTools NG version 10.0.4 suffers from an html injection vulnerability.

tags | exploit
SHA-256 | 465fb0bd0b588f37cc0e2a9d0ddf87d7e2ac303878dfbdd275bc942ba514d07f
Pentaho Business Analytics / Pentaho Business Server 9.1 Insufficient Access Control
Posted Nov 5, 2021
Authored by Altion Malka, Alberto Favero

Pentaho implements a series of web services using the SOAP protocol to allow scripting interaction with the backend server. While most of the interfaces correctly implement ACL, the Data Source Management Service located at /pentaho/webservices/datasourceMgmtService allows low-privilege authenticated users to list the connection details of all data sources used by Pentaho.

tags | exploit, web, protocol
advisories | CVE-2021-31601
SHA-256 | 4aaf1b95b9800f81d2e66519aadddc6609e2f04e00314708ec9fc5479517ea37
Red Hat Security Advisory 2021-4132-01
Posted Nov 5, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-4132-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Issues addressed include bypass, spoofing, and use-after-free vulnerabilities.

tags | advisory, spoof, vulnerability
systems | linux, redhat
advisories | CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, CVE-2021-38509
SHA-256 | 109d37dacc152c7201d9057d84aa66c0523cc939924c87f5d2d8031ddb6be127
PHP Event Calendar Lite Edition SQL Injection
Posted Nov 5, 2021
Authored by Erik Steltzner, Maurizio Ruchay | Site syss.de

PHP Event Calendar Lite Edition suffers from a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, php, sql injection
advisories | CVE-2021-42077
SHA-256 | 3faf37775ad2f15a9b2f6c16d0cf7e32bcf7f871fe41a4df925d3d66c307459e
Backdoor.Win32.Ncx.b MVID-2021-0388 Buffer Overflow
Posted Nov 5, 2021
Authored by malvuln | Site malvuln.com

Backdoor.Win32.Ncx.b malware suffers from a buffer overflow vulnerability.

tags | exploit, overflow
systems | windows
SHA-256 | de842114bff7044aacff49933ad7ecf0413dbb215c8efb1bc77300dd7112aa60
Pentaho Business Analytics / Pentaho Business Server 9.1 Filename Bypass
Posted Nov 5, 2021
Authored by Altion Malka, Alberto Favero

Pentaho allows users to upload various files of different file types. The upload service is implemented under the /pentaho/UploadService endpoint. The file types allowed by the application are csv, dat, txt, tar, zip, tgz, gz, gzip. When uploading a file with an extension other than the allowed file types, the application responds with the error message of UploadFileServlet.ERROR_0011 - File type not allowed. Allowable types are csv,dat,txt,tar,zip,tgz,gz,gzip. However, the file extension check can be bypassed by including a single dot "." at the end of the filename.

tags | exploit, bypass
advisories | CVE-2021-34685
SHA-256 | 88d6bd09be7fc284d1910e9a75bbeb0651c9da3a240f985ed3f97efbddeb9345
Payment Terminal 2.x / 3.x Cross Site Scripting
Posted Nov 5, 2021
Authored by Vulnerability Laboratory | Site vulnerability-lab.com

Payment Terminal versions 2.x and 3.x suffer from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 27a22428ead7127a84801eae1be728ca02501f8c8a79f21fd3ad57d22d4d25f5
Red Hat Security Advisory 2021-4133-01
Posted Nov 5, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-4133-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.3.0. Issues addressed include bypass, spoofing, and use-after-free vulnerabilities.

tags | advisory, spoof, vulnerability
systems | linux, redhat
advisories | CVE-2021-38503, CVE-2021-38504, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, CVE-2021-38509
SHA-256 | 55b1c367292bbdb62a4f4100dc6751df2844edde8cb290b99b3d7c708acfbae2
Pentaho Business Analytics / Pentaho Business Server 9.1 Remote Code Execution
Posted Nov 5, 2021
Authored by Altion Malka, Alberto Favero

Pentaho allows users to create and run Pentaho Report Bundles (.prpt). Users can create PRPT reports by utilizing the Pentaho Designer application and can include BeanShell Script functions to ease the production of complex reports. However, the BeanShell Script functions can allow for the execution of arbitrary Java code when Pentaho PRPT Reports are run by Pentaho Business Analytics. This functionality allows any user with sufficient privileges to upload or edit an existing Pentaho Report Bundle (through Pentaho Designer) and execute arbitrary code in the context of the Pentaho application user running on the web server.

tags | exploit, java, web, arbitrary
advisories | CVE-2021-31599
SHA-256 | 9f8cbd9f5ed4747e5a6fd8e34452cf38b7608a4e96f8f1551a4a3068ced96949
10-Strike Network Inventory Explorer Pro 9.31 Unquoted Service Path
Posted Nov 5, 2021
Authored by Brian Rodriguez

10-Strike Network Inventory Explorer Pro version 9.31 suffers from an unquoted service path vulnerability.

tags | exploit
SHA-256 | 4f0a6092e4c9264325b7d86141204520d03a4780c30c8b04cd8eae9096d43f78
Backdoor.Win32.Optix.03.b MVID-2021-0387 Code Execution
Posted Nov 5, 2021
Authored by malvuln | Site malvuln.com

Backdoor.Win32.Optix.03.b malware suffers from a code execution vulnerability.

tags | exploit, code execution
systems | windows
SHA-256 | 97b8e09b93614293932596d037cf5fe1190a33c7cb61ee0089546ab7541385a4
Khamenei.ir SQL Injection
Posted Nov 5, 2021
Authored by E1.Coders

Khamenei.ir suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 0ade2eca419824b2ce0fa2099f840485ed70eb3df59af6f97f13c77201098c23
Page 1 of 1
Back1Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close