This Metasploit module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld unsetenv() function fails to remove LD_* environment variables if __findenv() fails. This can be abused to load arbitrary shared objects using LD_PRELOAD, resulting in privileged code execution.
8389e3a76ad8302ffe4213d460a38debThis Metasploit module exploits a race condition vulnerability in Mac's Feedback Assistant. A successful attempt would result in remote code execution under the context of root.
92e9e59de8b1c44532025e2d75591bf9This Metasploit module exploits a php object instantiation vulnerability that can lead to remote code execution in Shopware. An authenticated backend user could exploit the vulnerability. The vulnerability exists in the createInstanceFromNamedArguments function, where the code insufficiently performs whitelist check which can be bypassed to trigger an object injection. An attacker can leverage this to deserialize an arbitrary payload and write a webshell to the target system, resulting in remote code execution. Tested on Shopware git branches 5.6, 5.5, 5.4, 5.3.
a99c1e8083c3f15ba37bddffdcfae6aeXNU suffers from a use-after-free vulnerability due to a stale pointer left by in6_pcbdetach.
a4597bf5b2e139422599f9470288ee0aVisual Voicemail for iPhone suffers from a use-after-free vulnerability in IMAP NAMESPACE processing.
ee209f50afa19dc15f5533506c05c21cDarktrace Enterprise Immune System versions 3.0.9 and 3.0.10 contain multiple cross site request forgery vulnerabilities. It is highly likely that older versions are affected as well, but this has not been confirmed. An attacker can whitelist domains and/or change core Darktrace configuration.
be5c3f64b5b2fcf3157da5bda8fa15d8XNU suffers from a wild-read (and possible corruption) due to bad cast in stf_ioctl.
82933fea5ae121113514f59c5ffb704cThe Microsoft Windows kernel's Registry Virtualization does not safely open the real key for a virtualization location leading to enumerating arbitrary keys resulting in privilege escalation.
b9ac41d7a345cbb537b2a935197cf91bJavaScriptCore loop-invariant code motion (LICM) in DFG JIT leaves a stack variable uninitialized.
e3d6af3254ffc8f7e66b61e4895a6d8aSecurity controls configured via php.ini directives at the PHP_INI_SYSTEM level are ineffective as they could be bypassed by malicious scripts via writing their own process memory on the Linux platform. Proof of concept code included.
f04fc6f6465d117497efa31d8a63fc4eSlims CMS Akasia version 8.3.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
b206a2df6f22213d6d130b50f86b3892Emerson Network Power Liebert Challenger version 5.1E0.5 suffers from a cross site scripting vulnerability.
aa6b0f6fad2870e8a0d444aefcd1682fphpKF version 1.10 suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.
795ed99fa78d642c4fd08d6d72e99027A buffer overflow in the DtPrinterAction::PrintActionExists() function in the Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long printer name passed to dtprintinfo by a malicious lpstat program.
ea6e7c2d1a9b43266fe95e8a9d5cbc8aHuawei eSpace version 1.1.11.103 Meeting suffers from a heap-based memory overflow vulnerability when parsing large amount of bytes to the 'strNum' string parameter in GetNameyNum() in 'ContactsCtrl.dll' and 'strName' string parameter in SetUserInfo() in eSpaceStatusCtrl.dll library, resulting in heap memory corruption. An attacker can gain access to the system of the affected node and execute arbitrary code.
43fe6543f8cb002cb254160219802dbfHuawei eSpace version 1.1.11.103 Meeting conference whiteboard functionality is vulnerable to a buffer overflow issue when inserting known image file formats. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
c36d1acbfc97338fa91b2582495a9065Huawei eSpace Meeting cenwpoll.dll unicode stack buffer overflow exploit with SEH overwrite.
b8123371cc62e9e56ed5c1b8a3190dbfHuawei eSpace version 1.1.11.103 suffers from a DLL Hijacking issue. The vulnerability is caused due to the application loading libraries (mfc71enu.dll, mfc71loc.dll, tcapi.dll and airpcap.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening a related application file (.html, .jpg, .png) located on a remote WebDAV or SMB share.
164434fe76b34f5ac83975379ce13f13Cisco Expressway Gateway version 11.5.1 suffers from a directory traversal vulnerability.
5e57b3dc6cda4bfab16fe178906a4ab3Freelance Cockpit CRM version 3.3.1 suffers from a remote SQL injection vulnerability.
9517e26f9795d2d12180dbcabcd3756fHorde Webmail version 5.2.22 suffers from code execution, cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.
3a2774bb8454eb33abd06b33e79cff19GAT-Ship Web Module versions 1.30 and below suffer from an information disclosure vulnerability.
fa08f0398b0cd67b7741c9b10aaadbd5This Metasploit module exploits a remote code execution vulnerability found in GetSimpleCMS versions 3.3.15 and below. An arbitrary file upload (PHPcode for example) vulnerability can be triggered by an authenticated user, however authentication can be bypassed by leaking the cms API key to target the session manager.
6062088ad83896c13ad8c78e57d1baf2SEL AcSELerator Architect version 2.2.24 suffers from a CPU exhaustion denial of service vulnerability.
f89167b20fd02592d6e08fff3a0dad89Axessh version 4.2 denial of service proof of concept exploit.
b00661627ba27ca16d4c162c06ddac7c
© 2019 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed