WordPress Smart Product Review plugin versions 1.0.4 and below suffer from a remote shell upload vulnerability.
161936cf087f98580dab17309058c9b7GitLab version 13.10.2 remote code execution exploit that provides a reverse shell.
a203e85e39e4798bc3ada54cb3cc7271Red Hat Security Advisory 2021-4702-01 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include XML injection, code execution, denial of service, information leakage, local file inclusion, man-in-the-middle, memory leak, open redirection, password leak, remote file inclusion, remote shell upload, and traversal vulnerabilities.
15d37f280e159b35ed6469b1f97ed672This Metasploit module exploits a deserialization vulnerability in the Report.ashx page of Sitecore XP 7.5 to 7.5.2, 8.0 to 8.0.7, 8.1 to 8.1.3, and 8.2 to 8.2.7. Versions 7.2.6 and earlier and 9.0 and later are not affected. The vulnerability occurs due to Report.ashx's handler, located in Sitecore.Xdb.Client.dll under the Sitecore.sitecore.shell.ClientBin.Reporting.Report definition, having a ProcessRequest() handler that calls ProcessReport() with the context of the attacker's request without properly checking if the attacker is authenticated or not. This request then causes ReportDataSerializer.DeserializeQuery() to be called, which will end up calling the DeserializeParameters() function of Sitecore.Analytics.Reporting.ReportDataSerializer, if a "parameters" XML tag is found in the attacker's request. Then for each subelement named "parameter", the code will check that it has a name and if it does, it will call NetDataContractSerializer().ReadObject on it. NetDataContractSerializer is vulnerable to deserialization attacks and can be trivially exploited by using the TypeConfuseDelegate gadget chain. By exploiting this vulnerability, an attacker can gain arbitrary code execution as the user that IIS is running as, aka NT AUTHORITY\NETWORK SERVICE. Users can then use technique 4 of the "getsystem" command to use RPCSS impersonation and get SYSTEM level code execution.
cdadfd61899fe57ebdfb290f0c923b2bUbuntu Security Notice 5147-1 - It was discovered that Vim incorrectly handled permissions on the .swp file. A local attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 14.04 ESM. It was discovered that Vim incorrectly handled restricted mode. A local attacker could possibly use this issue to bypass restricted mode and execute arbitrary commands. Note: This update only makes executing shell commands more difficult. Restricted mode should not be considered a complete security measure. This issue only affected Ubuntu 14.04 ESM. Various other issues were also addressed.
d7794bd2d9ad6ef2605e1615e1edac8dThis Metasploit module exploits local file inclusion and log poisoning vulnerabilities (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a build-242466 and older in order to achieve unauthenticated remote code execution as the root user. NetConfig is the Aerohive/Extreme Networks HiveOS administrative webinterface. Vulnerable versions allow for LFI because they rely on a version of PHP 5 that is vulnerable to string truncation attacks. This module leverages this issue in conjunction with log poisoning to gain remote code execution as root. Upon successful exploitation, the Aerohive NetConfig application will hang for as long as the spawned shell remains open. Closing the session should render the application responsive again. The module provides an automatic cleanup option to clean the log. However, this option is disabled by default because any modifications to the /tmp/messages log, even via sed, may render the target (temporarily) unexploitable. This state can last over an hour. This module has been successfully tested against Aerohive NetConfig versions 8.2r4 and 10.0r7a.
70c6dcfbe8cd1056d848f4af42f66776Codiad version 2.8.4 remote reverse shell upload exploit. Original discovery of code execution in this version is attributed to WangYihang in 2018.
221c2c5e5a6e53dff35451f35d9e550eThis Metasploit module exploits an SID-based command injection in Sophos UTM's WebAdmin interface to execute shell commands as the root user.
450a9936d144b1ecd0f7e57c243bf4a9Online Student Admission System version 1.0 suffers from remote SQL injection and shell upload vulnerabilities.
7c229a5b9a8e0f3ef87c71a68a2a9b33Engineers Online Portal version 1.0 suffers from a remote shell upload vulnerability.
0b750d8a34a7cb1264a710eafc36a645Clinic Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for a shell upload.
89d48af5619424e600f5f3f549e39af5TextPattern CMS version 4.8.7 suffers from an authenticated remote shell upload vulnerability.
a48c73645293b99b6fbcfeb552bf7cc4Moodle allows an authenticated user to define spellcheck settings via the web interface. The user can update the spellcheck mechanism to point to a system-installed aspell binary. By updating the path for the spellchecker to an arbitrary command, an attacker can run arbitrary commands in the context of the web application upon spellchecking requests. This Metasploit module also allows an attacker to leverage another privilege escalation vuln. Using the referenced XSS vuln, an unprivileged authenticated user can steal an admin sesskey and use this to escalate privileges to that of an admin, allowing the module to pop a shell as a previously unprivileged authenticated user. This module was tested against Moodle version 2.5.2 and 2.2.3.
92a400708d6b383cfe2f1bd0d3314d11Cypress Solutions CTM-200 wireless gateway version 2.7.1 suffers from an authenticated semi-blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'ctm-config-upgrade.sh' script leveraging the 'fw_url' POST parameter used in the cmd upgreadefw as argument, called by ctmsys() as pointer to execv() and make_wget_url() function to the wget command in /usr/bin/cmdmain ELF binary.
5443c1ca578d802c9f7cf55428781490Aviatrix Controller versions 6.x prior to 6.5-1804.1922 shell upload exploit that leverages a directory traversal vulnerability.
c9d98e50193dc69bebb982a539da15c7This Metasploit module exploits a file upload in VMware vCenter Server's analytics/telemetry (CEIP) service to write a system crontab and execute shell commands as the root user. Note that CEIP must be enabled for the target to be exploitable by this module. CEIP is enabled by default.
d46c0245ccc36fc657f9f4ef1767092aOnline Traffic Offense Management System version 1.0 suffers from multiple remote shell upload vulnerabilities.
49a9a35505dbb9ef31bd821563cd591fWordPress MStore API plugin version 2.0.6 suffers from a remote shell upload vulnerability.
6e3f0552b63e3cd586048101955060f8Vehicle Service Management System version 1.0 unauthenticated remote shell upload exploit that uses authentication bypass with SQL injection.
243eaba5d6291c10ea45e14a67617fbfPet Shop Management System version 1.0 suffers from privilege escalation and remote shell upload vulnerabilities.
210c02bde43decbb2a8119311298118bVehicle Service Management System version 1.0 suffers from a remote shell upload vulnerability.
01d3085f8bd760fde3397a0c284829f2Pet Shop Management System version 1.0 suffers from a remote shell upload vulnerability.
627f1d99e1a6128d4f0c6fe3fd446a5bStorage Unit Rental Management System version 1.0 suffers from a remote shell upload vulnerability.
5421a7893a6512edbf13aa29036effffWordPress 3DPrint Lite plugin version 1.9.1.4 suffers from a remote shell upload vulnerability.
df05024a490ce087dd2a9ea5257bf09cE-Negosyo System version 1.0 suffers from a remote shell upload vulnerability.
f0d85a1322ee67d65a1f75316c55eebc
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed