Gentoo Linux Security Advisory 202309-6 - Multiple vulnerabilities have been discovered in Samba, the worst of which could result in root remote code execution. Versions greater than or equal to 4.18.4 are affected.
6a49581d3fdfb4a2202121f6c5b6544b859edc2a8b279089f9dbccf4ce66b153
This Metasploit module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user.
ea4bf146aae20e6532518f5f14a0339f6c32348de42b3b15936e869ed48d8e04
VMware vRealize Log Insights versions 8.x contain multiple vulnerabilities, such as directory traversal, broken access control, deserialization, and information disclosure. When chained together, these vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. This Metasploit module achieves code execution via triggering a RemotePakDownloadCommand command via the exposed thrift service after obtaining the node token by calling a GetConfigRequest thrift command. After the download, it will trigger a PakUpgradeCommand for processing the specially crafted PAK archive, which then will place the JSP payload under a certain API endpoint (pre-authenticated) location upon extraction for gaining remote code execution. Successfully tested against version 8.0.2.
2e4132d3093987ff065179429e52ff5e9baad8185fde7f58136c18d0aa950a90
This Metasploit module exploits an unauthenticated command injection vulnerability in the key parameter in OpenTSDB through 2.4.1 in order to achieve unauthenticated remote code execution as the root user. The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.1 or lower, the module performs additional checks to obtain the configured metrics and aggregators. It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph. As part of this request, the key parameter is set to the payload, which will then be executed by the target if the latter is vulnerable. This module has been successfully tested against OpenTSDB version 2.4.1.
34f1ed88046d0a1cb1d6424711b6f621117f401a0d42ebfc307dc277ada181d2
Kingo ROOT version 1.5.8 suffers from an unquoted service path vulnerability.
15d004eafd004ef186559710d16b83e93f1983a89a80746dae43f1c8491e7c72
Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 suffers from an unpatched vulnerability in sudoedit, allowed by sudo configuration, which permits a low-privilege user to modify arbitrary files as root and subsequently execute arbitrary commands as root.
9caf2d86fd42cb7a6098a98695d2f0c8ac71c65afef31f1c6345f008453f417a
Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 has an insecure sudo configuration which permits a low-privilege user to run arbitrary commands as root via the tcpdump command without a password.
f0f074bfbbdfcf50b89b456bedfa1d6e2dad916eb9c805528576e82777cae103
Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 has an insecure sudo configuration which permits a low-privilege user to read root-only files via the dig command without a password.
9a639b868d2a607d6808f5cc9c66c20f4c697461ce4034c2ce7534df93c6ec6e
The AudioCodes VoIP phones store sensitive information, e.g. credentials and passwords, in encrypted form in their configuration files. These encrypted values can also be automatically configured, e.g. via the "One Voice Operation Center" or other central device management solutions. Due to the use of a hardcoded cryptographic key, an attacker with access to these configuration files is able to decrypt the encrypted values and retrieve sensitive information, e.g. the device root password. Firmware versions greater than or equal to 3.4.8.M4 are affected.
29414b5c1036f3966c46308f74f15451f22b582e783e487f7aa45422c6dfd70f
Ubuntu Security Notice 6292-1 - It was discovered that Ceph incorrectly handled crash dumps. A local attacker could possibly use this issue to escalate privileges to root.
75967740ce1a9069be3b5ffdad890e66bf3af3e56b32fbff26a28baf8de418c4
eLitius version 1.0 appears to leave backups in a world accessible directory under the document root.
37a6ad9ab40e37e23d7cbfe01ee9334c417b3339776c4691b7ae872e89ddb896
systemd version 246 suffers from a local root privilege escalation vulnerability.
5c18cab732f4f9e274da14d6344836a1cdf72bc01779fa89312ba4b4814d364b
e2 Distr CMS version 2.8.5.3 appears to leave backups in a world accessible directory under the document root.
5433c74f920760e59a3889a4eb94f7621298cabe8eddf15f30585be24f026e98
A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root.
94d1415f6fe455813346e8f6de25a1fa7b5b88484ea770a8bc9b669e25457a13
This Metasploit module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyCloud. If so, it attempts to trigger an authentication bypass (CVE-2018-17153) via a crafted GET request to /cgi-bin/network_mgr.cgi. If the server responds as expected, the module assesses the vulnerability status by attempting to exploit a commend injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command. This is done via a crafted POST request to /web/google_analytics.php. If the server is vulnerable, the same command injection vector is leveraged to execute the payload. This module has been successfully tested against Western Digital MyCloud version 2.30.183.
0ce2f1497429d5e02113422d33a5d38d119e0b68b4af0aa04d5b4189b6ef07f8
VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of root on the appliance. VMWare 6.x version are vulnerable. This Metasploit module exploits the vulnerability to upload and execute payloads gaining root privileges. Successfully tested against version 6.8.0.
9a55a0c02bec8e756eeac40f3ab58ccc0499c9bbbde741db5c148ebfa61b29ee
WordPress Duplicator plugin version 3.8.7 appears to leave backups in a world accessible directory under the document root.
8f7867098777bfb7d7988fcc7cf6d15c45a7a00aa260411393d341e6ecc3e473
This Metasploit module exploits an authenticated command injection vulnerability in the "restore_rrddata()" function of pfSense prior to version 2.7.0 which allows an authenticated attacker with the "WebCfg - Diagnostics: Backup and Restore" privilege to execute arbitrary operating system commands as the "root" user. This module has been tested successfully on version 2.6.0-RELEASE.
aebb2b8cda994128d286f0b5a8a2c8b51efa5ec61f35fe1de15ab837e050e5a1
WordPress Duplicator plugin version 3.8.8 appears to leave backups in a world accessible directory under the document root.
dfcfcb24ad253ea2d39768da7b6e22274d168bdda3f278dad5f23b74f4c9b5dd
WordPress Duplicator plugin version 4.0.5 appears to leave backups in a world accessible directory under the document root.
ad0fa51ec975187287b8a06f41bafe979783319f010750beeb70fcc957fc356a
WordPress BackUpWordPress version 3.8 appears to leave backups in a world accessible directory under the document root.
0aa2086e4896317bbe3e7bdbf4459a1d7ed4b988564f1de3d17a4038856e606e
WordPress Google Maps plugin version 9.0.17 appears to leave backups in a world accessible directory under the document root.
156dd68545b65c54c2373a2cda8dd9dda4f59fcde02261a810d41ad5c595eea7
WordPress File Manager Pro plugin version 8.3.1 appears to leave backups in a world accessible directory under the document root.
4b88684db05c1e6e30e6201dd62cc4950900d94c6892036e226fe347c047f0f2
WordPress Envato plugin version 2.0.7 appears to leave backups in a world accessible directory under the document root.
f2094a0011047a7e71da6c767d74d1960b654e75fb3aa4d77b9cf52e5f7ccd7d
WordPress Unyson plugin version 2.7.28 appears to leave backups in a world accessible directory under the document root.
ded4568e592a56e54d8658c4b65d33823bedb435257d32a3cc86b431e0051255