This Metasploit module takes advantage of a bug in the way Windows error reporting opens the report parser. If you open a report, Windows uses a relative path to locate the rendering program. By creating a specific alternate directory structure, we can coerce Windows into opening an arbitrary executable as SYSTEM. If the current user is a local admin, the system will attempt impersonation and the exploit will fail.
a872f68c00626fe384e850bbe5b416e5a094fcbf5639c9f1deb5248fc85413caRoyalTSX version 6.0.1 suffers from an RTSZ file handling heap memory corruption vulnerability. The application receives SIGABRT after the RAPortCheck.createNWConnection() function is handling the SecureGatewayHost object in the RoyalTSXNativeUI. When the hostname has an array of around 1600 bytes and the Test Connection is clicked the application crashes instantly.
6bddf02ee202f21877203f81e88ca57213713fa9fe71c747db9f8b293f536b4aOPNsense versions 23.1.11_1, 23.7.3, and 23.7.4 suffer from cross site scripting vulnerabilities that can allow for privilege escalation.
76e4fc1b6aee4986d4bbb70760bae717204a144677ec04e5e69cc9e4ca014975LogoBee CMS version 0.2 suffers from a cross site scripting vulnerability.
c2ead32c5cb5f5d010966c9529b1024ec709d62421149c9904c0751f97329087Lamano LMS version 0.1 suffers from an ignored default credential vulnerability.
1211a4d26c19dfb4f055d2493981d0ec9270c990f56c26cfafa09b3466428519Elasticsearch version 8.5.3 stack overflow proof of concept exploit.
3ea73849caae7368d08d81cb21e393baddfab08e0fc2108b64083363b66bb17aTaskhub version 2.8.8 suffers from a cross site scripting vulnerability.
6848bc97935d0e957e7130f797a4d53871d013225ec80f59f0fcfe2afb38638cMultiple TOTOLINK network products contain a command injection vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the command parameter. After exploitation, an attacker will have full access with the same user privileges under which the webserver is running - which is typically root.
fc2e74774d3c46b6268870bd1ebc63fc2bde4c03b9aa77f9c16fb05791fe2e00Luxcal Event Calendar version 3.2.3 suffers from a cross site request forgery vulnerability.
2988b35bb1b22bee81c03c905525b0e5df1206ee53aee901ca3b610f65c28437Lamano CMS version 2.0 suffers from a cross site request forgery vulnerability.
4edc3a8db5685aeb3ec3b74618f5d07d632dab06c41888d25c14ad6578ce55b4WordPress Theme My Login 2FA plugin versions prior to 1.2 suffer from a brute forcing vulnerability.
fe8aceb8123364ee1922662e5a7cfebebb8673ffd8e52fc079dba68cb781494fThis Metasploit module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow version 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow's example DAGs, "example_trigger_target_dag", which allows any authenticated user to run arbitrary OS commands as the user running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default setting of Airflow 1.10.10 that allows unauthenticated access to Airflow's Experimental REST API to perform malicious actions such as creating the vulnerable DAG above. The two CVEs taken together allow vulnerable DAG creation and command injection, leading to unauthenticated remote code execution.
bb3e8db54407d69676a1eba8103ab6fd9b1a3d72a85765a5ca4067e046a3ef88An unauthenticated remote code execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19. The vulnerability is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user. If no Admin user is created, the endpoint /cgi-bin/fax_change_faxtrace_settings is accessible without authentication. The endpoint allows the user to configure a number of different fax settings. A number of the configurable parameters on the page fail to be sanitized properly before being used in a bash eval statement, allowing for an unauthenticated user to run arbitrary commands.
55b25ea44278a5136992f906756ff24cc7e2991ab7847a6388c6522fffc7a70aWordPress Essential Blocks plugin versions 4.2.0 and below and Essential Blocks Pro versions 1.1.0 and below suffer from multiple PHP object injection vulnerabilities.
3bc456da9e240b7476040544d3e4f0b5fa6f68d4e3ad65a015be529481ab73adTaskhub version 2.8.7 suffers from a remote SQL injection vulnerability.
ec51f7c0ec6ec9827399486aa736c27e2875675b7757f895f52b660f9301b1c9Packers and Movers Management System version 1.0 suffers from a remote blind SQL injection vulnerability. Proof of concept exploit written in python included.
392e218592b7d81bc0c0a1e2e699e9fe38ca587052d6e6393e97b66c59ab44eaSuper Store Finder versions 3.7 and below suffer from a remote command execution vulnerability.
59708f67b0915cf1156ee9e02ad60df7ef019793a0e335e432949ea847133ec7Lamano CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
f412c3931e25a39ec1c5fcb717e74cf9484b0f9d3276f419ff29c98d94d3c48dLacabane version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
043fbb7035b63b83fc99760c04f28efb227c9bcf40d2f8b44ae15acfc3e31e28Free and Open Source Inventory Management System version 1.0 suffers from a remote SQL injection vulnerability.
a9fc1340a0b9265105cd0bcbf5d9cfffa5e3d5d6ddb4326fc57ff7e8fe5d3573Atos Unify OpenScape Session Border Controller, Atos Unify OpenScape Branch, and Atos Unify OpenScape BCF suffer from remote code execution and missing authentication vulnerabilities. Atos OpenScape SBC versions before 10 R3.3.0, Branch version 10 versions before R3.3.0, and BCF version 10 versions before 10 R10.10.0 are affected.
e2e8c6ce30a0287849087e96a892584daa40873cf0049db9a9cd2dc86e763b18PTC - Codebeamer versions 22.10-SP7 and below, 22.04-SP5 and below, and 21.09-SP13 and below suffer from a cross site scripting vulnerability.
a3e11343a596c27acafa688a8dc7b67a179c5d43d4e4c49067b5f5f15cf9e85aThis Metasploit module exploits a buffer overflow condition in Ivanti Avalanche MDM versions prior to 6.4.1. An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in arbitrary code execution with the NT/AUTHORITY SYSTEM permissions. This vulnerability occurs during the processing of 3/5/8/100/101/102 item data types. The program tries to copy the item data using qmemcopy to a fixed size data buffer on stack. Upon successful exploitation the attacker gains full access to the target system. This vulnerability has been tested against Ivanti Avalanche MDM version 6.4.0.0 on Windows 10.
f923d88a736ee1b1d58c5f717428d9695cfc5a4107837de0f4006d0c4a042202Razer Synapse versions before 3.8.0428.042117 (20230601) suffer from multiple vulnerabilities. Due to an unsafe installation path, improper privilege management, and a time-of-check time-of-use race condition, the associated system service "Razer Synapse Service" is vulnerable to DLL hijacking. As a result, local Windows users can abuse the Razer driver installer to obtain administrative privileges on Windows.
1110267026177d281063e2e963a45b1c22d0c934df7112a724fa52cee6a0a4bcKPOT Stealer CMS 2.0 suffers from a directory traversal vulnerability.
a03351195e4ccd6346eb50122bfeeab02551f28a42e38a371693172b705c255b
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed