AkkuS <Özkan Mustafa Akkuş> - Security Researcher

CVE-2019-11447 NOMISEC HIGH WORKING POC

CutePHP CuteNews 2.1.2 - Code Injection

An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.)

1 stars

CVSS 8.8

View Code

CVE-2019-11631 METASPLOIT ruby WORKING POC

Rejected

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none

View Code

CVE-2019-12840 METASPLOIT HIGH ruby WORKING POC

Webmin < 1.910 - Authenticated Remote Command Execution via Package Updates Module

In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.

CVSS 8.8

View Code

CVE-2019-11448 EXPLOITDB CRITICAL ruby WORKING POC

Zoho ManageEngine Applications Manager <14.0 - Privilege Escalation

An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file.

CVSS 9.8

View Code

CVE-2018-20166 EXPLOITDB HIGH ruby WORKING POC

Rukovoditel 2.3.1 - Authenticated Remote Code Execution via Malicious Background Image Upload

A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in ".php" with mixed case, such as the .pHp extension.

CVSS 8.8

View Code

CVE-2019-9623 EXPLOITDB CRITICAL ruby WORKING POC

Feng Office 3.7.0.5 - Unauthenticated Remote Code Execution via .shtml File Upload

Feng Office 3.7.0.5 allows remote attackers to execute arbitrary code via "<!--#exec cmd=" in a .shtml file to ck_upload_handler.php.

CVSS 9.8

View Code

CVE-2019-9581 EXPLOITDB HIGH ruby WORKING POC

phpscheduleit Booked Scheduler <2.7.5 - RCE

phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code, because Presenters/Admin/ManageThemePresenter.php does not ensure an image file extension.

CVSS 8.8

View Code

CVE-2019-11446 EXPLOITDB HIGH ruby WORKING POC

ATutor < 2.2.4 - Authenticated Arbitrary File Upload via File Manager

An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml.

CVSS 8.8

View Code

CVE-2019-12099 EXPLOITDB HIGH ruby WORKING POC

php-fusion < 9.03.00 - Authenticated Remote Code Execution via Avatar Upload

In PHP-Fusion 9.03.00, edit_profile.php allows remote authenticated users to execute arbitrary code because includes/dynamics/includes/form_fileinput.php and includes/classes/PHPFusion/Installer/Lib/Core.settings.inc mishandle executable files during avatar upload.

CVSS 8.8

View Code

CVE-2019-11631 EXPLOITDB ruby WORKING POC

Rejected

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none

View Code

CVE-2019-11447 EXPLOITDB HIGH ruby WORKING POC

CutePHP CuteNews 2.1.2 - Code Injection

An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.)

CVSS 8.8

View Code

CVE-2019-10863 EXPLOITDB HIGH ruby WORKING POC

TeemIp < 2.4.0 - Remote Code Execution via exec.php new_config Parameter

A command injection vulnerability exists in TeemIp versions before 2.4.0. The new_config parameter of exec.php allows one to create a new PHP file with the exception of config information. The malicious PHP code sent is executed instantaneously and is not saved on the server.

CVSS 7.2

View Code

CVE-2019-13294 EXPLOITDB CRITICAL ruby WORKING POC

AROX School-ERP Pro - Unauthenticated Remote Code Execution via import_stud.php and upload_fille.php

AROX School-ERP Pro has a command execution vulnerability. import_stud.php and upload_fille.php do not have session control. Therefore an unauthenticated user can execute a command on the system.

CVSS 9.8

View Code

CVE-2019-11444 EXPLOITDB HIGH ruby WORKING POC

Liferay Portal CE 7.1.2 GA3 - Command Injection

An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw

CVSS 7.2

View Code

CVE-2021-43339 EXPLOITDB HIGH ruby WORKING POC

Ericsson Network Location <2021-07-31 - Command Injection

In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file_name in the export functionality. For example, a new admin user could be created.

CVSS 8.8

View Code

CVE-2019-15105 EXPLOITDB HIGH ruby WORKING POC

ManageEngine Applications Manager < 14.2 - SQL Injection via NewThresholdConfiguration.jsp resourceid Parameter

An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.

CVSS 8.8

View Code

CVE-2019-15106 EXPLOITDB CRITICAL ruby WORKING POC

ManageEngine OpManager < 12.4.034 - Unauthenticated Remote Command Execution via Default Credential Bypass

An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm.

CVSS 9.8

View Code

CVE-2019-15104 EXPLOITDB HIGH ruby WORKING POC

ManageEngine Applications Manager 12.0-13.9 - SQL Injection via NewThresholdConfiguration.jsp resourceid Parameter

An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.

CVSS 8.8

View Code

CVE-2019-11469 EXPLOITDB CRITICAL ruby WORKING POC

Zoho ManageEngine Apps Mgr <15 - SQL Injection

Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.

CVSS 9.8

View Code

CVE-2020-35665 EXPLOITDB CRITICAL ruby WORKING POC

TerraMaster Operating System <= 4.2.06 - Unauthenticated Remote Code Execution via Event Parameter in makecvs.php

An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.

CVSS 9.8

View Code

CVE-2020-35606 EXPLOITDB HIGH ruby WORKING POC

Webmin <= 1.962 - Authenticated Remote Command Execution via Package Updates Module

Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840.

CVSS 8.8

View Code

EIP-2026-103330 EXPLOITDB ruby WORKING POC

Usermin 1.750 - Remote Command Execution (Metasploit)

View Code

EIP-2026-103288 EXPLOITDB ruby WORKING POC

Jenkins 2.150.2 - Remote Command Execution (Metasploit)

View Code

CVE-2019-12840 EXPLOITDB HIGH ruby WORKING POC

Webmin < 1.910 - Authenticated Remote Command Execution via Package Updates Module

In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.

CVSS 8.8

View Code

CVE-2019-15107 EXPLOITDB CRITICAL ruby WORKING POC

Webmin <= 1.920 - OS Command Injection via password_change.cgi Old Parameter

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

CVSS 9.8

View Code