0xsha

6 exploits Active since Dec 2019
CVE-2020-12828 NOMISEC CRITICAL WORKING POC
AnchorFree VPN SDK <1.3.3.218 - Code Injection
An issue was discovered in AnchorFree VPN SDK before 1.3.3.218. The VPN SDK service takes certain executable locations over a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges.
28 stars
CVSS 9.8
CVE-2021-44142 NOMISEC HIGH WORKING POC
Samba < 4.13.17 - Out-of-bounds Read and Write via Extended File Attributes
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
10 stars
CVSS 8.8
CVE-2020-10148 NOMISEC CRITICAL WORKING POC
SolarWinds Orion Platform 2019.4 HF 5, 2020.2, 2020.2 HF 1 - Unauthenticated API Authentication Bypass
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
5 stars
CVSS 9.8
CVE-2019-19844 NOMISEC CRITICAL WORKING POC
Django < 1.11.27, 2.x < 2.2.9, 3.x < 3.0.1 - Account Takeover via Unicode Case Transformation Bypass
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
4 stars
CVSS 9.8
CVE-2021-44142 NOMISEC HIGH WORKING POC
Samba < 4.13.17 - Out-of-bounds Read and Write via Extended File Attributes
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
CVSS 8.8
CVE-2020-8515 EXPLOITDB CRITICAL go WORKING POC
DrayTek Vigor2960/Vigor3900/Vigor300B Beta - Unauthenticated Remote Code Execution via mainfunction.cgi
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.
CVSS 9.8