This Metasploit module takes advantage of a bug in the way Windows error reporting opens the report parser. If you open a report, Windows uses a relative path to locate the rendering program. By creating a specific alternate directory structure, we can coerce Windows into opening an arbitrary executable as SYSTEM. If the current user is a local admin, the system will attempt impersonation and the exploit will fail.
a872f68c00626fe384e850bbe5b416e5a094fcbf5639c9f1deb5248fc85413ca
RoyalTSX version 6.0.1 suffers from an RTSZ file handling heap memory corruption vulnerability. The application receives SIGABRT while the RAPortCheck.createNWConnection() function is handling the SecureGatewayHost object in the RoyalTSXNativeUI. When the hostname is set to a string of around 1600 bytes and Test Connection is clicked, the application crashes instantly.
6bddf02ee202f21877203f81e88ca57213713fa9fe71c747db9f8b293f536b4a
OPNsense versions 23.1.11_1, 23.7.3, and 23.7.4 suffer from cross site scripting vulnerabilities that can allow for privilege escalation.
76e4fc1b6aee4986d4bbb70760bae717204a144677ec04e5e69cc9e4ca014975
LogoBee CMS version 0.2 suffers from a cross site scripting vulnerability.
c2ead32c5cb5f5d010966c9529b1024ec709d62421149c9904c0751f97329087
Lamano LMS version 0.1 suffers from an ignored default credential vulnerability.
1211a4d26c19dfb4f055d2493981d0ec9270c990f56c26cfafa09b3466428519
Elasticsearch version 8.5.3 stack overflow proof of concept exploit.
3ea73849caae7368d08d81cb21e393baddfab08e0fc2108b64083363b66bb17a
Taskhub version 2.8.8 suffers from a cross site scripting vulnerability.
6848bc97935d0e957e7130f797a4d53871d013225ec80f59f0fcfe2afb38638c
Multiple TOTOLINK network products contain a command injection vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the command parameter. After exploitation, an attacker will have full access with the same user privileges under which the webserver is running - which is typically root.
fc2e74774d3c46b6268870bd1ebc63fc2bde4c03b9aa77f9c16fb05791fe2e00
Luxcal Event Calendar version 3.2.3 suffers from a cross site request forgery vulnerability.
2988b35bb1b22bee81c03c905525b0e5df1206ee53aee901ca3b610f65c28437
Lamano CMS version 2.0 suffers from a cross site request forgery vulnerability.
4edc3a8db5685aeb3ec3b74618f5d07d632dab06c41888d25c14ad6578ce55b4
WordPress Theme My Login 2FA plugin versions prior to 1.2 suffer from a brute forcing vulnerability.
fe8aceb8123364ee1922662e5a7cfebebb8673ffd8e52fc079dba68cb781494f
This Metasploit module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow version 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow's example DAGs, "example_trigger_target_dag", which allows any authenticated user to run arbitrary OS commands as the user running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default setting of Airflow 1.10.10 that allows unauthenticated access to Airflow's Experimental REST API to perform malicious actions such as creating the vulnerable DAG above. The two CVEs taken together allow vulnerable DAG creation and command injection, leading to unauthenticated remote code execution.
bb3e8db54407d69676a1eba8103ab6fd9b1a3d72a85765a5ca4067e046a3ef88
An unauthenticated remote code execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19. The vulnerability is only exposed if, when setting up the printer or device, the user selects "Set up Later" when asked if they would like to add an Admin user. If no Admin user is created, the endpoint /cgi-bin/fax_change_faxtrace_settings is accessible without authentication. The endpoint allows the user to configure a number of different fax settings. A number of the configurable parameters on the page fail to be sanitized properly before being used in a bash eval statement, allowing for an unauthenticated user to run arbitrary commands.
55b25ea44278a5136992f906756ff24cc7e2991ab7847a6388c6522fffc7a70a
WordPress Essential Blocks plugin versions 4.2.0 and below and Essential Blocks Pro versions 1.1.0 and below suffer from multiple PHP object injection vulnerabilities.
3bc456da9e240b7476040544d3e4f0b5fa6f68d4e3ad65a015be529481ab73ad
Taskhub version 2.8.7 suffers from a remote SQL injection vulnerability.
ec51f7c0ec6ec9827399486aa736c27e2875675b7757f895f52b660f9301b1c9
Packers and Movers Management System version 1.0 suffers from a remote blind SQL injection vulnerability. Proof of concept exploit written in python included.
392e218592b7d81bc0c0a1e2e699e9fe38ca587052d6e6393e97b66c59ab44ea
Super Store Finder versions 3.7 and below suffer from a remote command execution vulnerability.
59708f67b0915cf1156ee9e02ad60df7ef019793a0e335e432949ea847133ec7
Lamano CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
f412c3931e25a39ec1c5fcb717e74cf9484b0f9d3276f419ff29c98d94d3c48d
Lacabane version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
043fbb7035b63b83fc99760c04f28efb227c9bcf40d2f8b44ae15acfc3e31e28
Free and Open Source Inventory Management System version 1.0 suffers from a remote SQL injection vulnerability.
a9fc1340a0b9265105cd0bcbf5d9cfffa5e3d5d6ddb4326fc57ff7e8fe5d3573
Atos Unify OpenScape Session Border Controller, Atos Unify OpenScape Branch, and Atos Unify OpenScape BCF suffer from remote code execution and missing authentication vulnerabilities. Atos OpenScape SBC versions before 10 R3.3.0, OpenScape Branch version 10 releases before R3.3.0, and OpenScape BCF version 10 releases before 10 R10.10.0 are affected.
e2e8c6ce30a0287849087e96a892584daa40873cf0049db9a9cd2dc86e763b18
PTC - Codebeamer versions 22.10-SP7 and below, 22.04-SP5 and below, and 21.09-SP13 and below suffer from a cross site scripting vulnerability.
a3e11343a596c27acafa688a8dc7b67a179c5d43d4e4c49067b5f5f15cf9e85a
This Metasploit module exploits a buffer overflow condition in Ivanti Avalanche MDM versions prior to 6.4.1. An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in arbitrary code execution with NT AUTHORITY\SYSTEM permissions. This vulnerability occurs during the processing of the 3/5/8/100/101/102 item data types. The program tries to copy the item data using qmemcopy into a fixed size data buffer on the stack. Upon successful exploitation the attacker gains full access to the target system. This vulnerability has been tested against Ivanti Avalanche MDM version 6.4.0.0 on Windows 10.
f923d88a736ee1b1d58c5f717428d9695cfc5a4107837de0f4006d0c4a042202
Razer Synapse versions before 3.8.0428.042117 (20230601) suffer from multiple vulnerabilities. Due to an unsafe installation path, improper privilege management, and a time-of-check time-of-use race condition, the associated system service "Razer Synapse Service" is vulnerable to DLL hijacking. As a result, local Windows users can abuse the Razer driver installer to obtain administrative privileges on Windows.
1110267026177d281063e2e963a45b1c22d0c934df7112a724fa52cee6a0a4bc
KPOT Stealer CMS 2.0 suffers from a directory traversal vulnerability.
a03351195e4ccd6346eb50122bfeeab02551f28a42e38a371693172b705c255b