Brendan Coles

95 exploits Active since Oct 2006
CVE-2009-4140 EXPLOITDB ruby WORKING POC
Open Flash Chart v2 Beta 1-v2 Lug Wyrm Charmer - RCE
Unrestricted file upload vulnerability in ofc_upload_image.php in Open Flash Chart v2 Beta 1 through v2 Lug Wyrm Charmer, as used in Piwik 0.2.35 through 0.4.3, Woopra Analytics Plugin before 1.4.3.2, and possibly other products, when register_globals is enabled, allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension through the name parameter with the code in the HTTP_RAW_POST_DATA parameter, then accessing it via a direct request to the file in tmp-upload-images/.
CVE-2014-3659 EXPLOITDB ruby WORKING POC
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-7169. Reason: This candidate is a reservation duplicate of CVE-2014-7169 because the CNA for this ID did not follow multiple procedures that are intended to minimize duplicate CVE assignments. Notes: All CVE users should reference CVE-2014-7169 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
CVE-2014-3671 EXPLOITDB ruby WORKING POC
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187. Reason: This candidate is a duplicate of CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187. Notes: All CVE users should reference CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
CVE-2014-6271 EXPLOITDB CRITICAL ruby WORKING POC
Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
CVSS 9.8
CVE-2014-62771 EXPLOITDB ruby WORKING POC
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6271. Reason: This candidate is a duplicate of CVE-2014-6271. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2014-6271 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
CVE-2014-7169 EXPLOITDB CRITICAL ruby WORKING POC
GNU Bash < 4.3 - Remote Code Execution via Malformed Environment Variable Function Definitions
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
CVSS 9.8
CVE-2014-7196 EXPLOITDB ruby WORKING POC
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-7169. Reason: This candidate is a duplicate of CVE-2014-7169. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2014-7169 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
CVE-2014-7227 EXPLOITDB ruby WORKING POC
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187. Reason: This candidate is a duplicate of CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187. Notes: All CVE users should reference CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
CVE-2025-34101 EXPLOITDB CRITICAL ruby WORKING POC
Serviio Media Server <1.8 - Command Injection
An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.
CVE-2025-34099 EXPLOITDB CRITICAL ruby WORKING POC
VICIdial <2.13 RC1 - Command Injection
An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.
CVE-2025-34097 EXPLOITDB HIGH ruby WORKING POC
ProcessMaker < 3.5.4 - Authenticated Remote Code Execution via Plugin Upload
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.
CVE-2018-0706 EXPLOITDB HIGH ruby WORKING POC
QNAP Q'center Virtual Appliance <1.7.1063 - Info Disclosure
Exposure of Private Information in QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to access sensitive information.
CVSS 8.8
CVE-2017-3631 EXPLOITDB MEDIUM ruby WORKING POC
Oracle Sun Systems Products Suite 11 - Privilege Escalation
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data as well as unauthorized read access to a subset of Solaris accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Solaris. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
CVSS 5.3
CVE-2017-3629 EXPLOITDB HIGH ruby WORKING POC
Oracle Sun Systems Products Suite Kernel - Takeover
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris. CVSS 3.0 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
CVSS 7.8
CVE-2016-15045 EXPLOITDB HIGH ruby WORKING POC
lastore-daemon <0.9.66-1 - Privilege Escalation
A local privilege escalation vulnerability exists in lastore-daemon, the system package manager daemon used in Deepin Linux (developed by Wuhan Deepin Technology Co., Ltd.). In versions 0.9.53-1 (Deepin 15.5) and 0.9.66-1 (Deepin 15.7), the D-Bus configuration permits any user in the sudo group to invoke the InstallPackage method without password authentication. By default, the first user created on Deepin is in the sudo group. An attacker with shell access can craft a .deb package containing a malicious post-install script and use dbus-send to install it via lastore-daemon, resulting in arbitrary code execution as root.
CVE-2015-3245 EXPLOITDB ruby WORKING POC
libuser < 0.56.13-8 and 0.60 < 0.60-7 - Denial of Service via GECOS Field Newline Injection
Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field.
CVE-2014-125126 EXPLOITDB CRITICAL ruby WORKING POC
Simple E-Document 3.0-3.1 - File Upload
An unrestricted file upload vulnerability exists in Simple E-Document versions 3.0 to 3.1 that allows an unauthenticated attacker to bypass authentication by sending a specific cookie header (access=3) with HTTP requests. The application’s upload mechanism fails to restrict file types and does not validate or sanitize user-supplied input, allowing attackers to upload malicious .php scripts. Authentication can be bypassed entirely by supplying a specially crafted cookie (access=3), granting access to the upload functionality without valid credentials. If file uploads are enabled on the server, the attacker can upload a web shell and gain remote code execution with the privileges of the web server user, potentially leading to full system compromise.
CVE-2014-125116 EXPLOITDB CRITICAL ruby WORKING POC
HybridAuth 2.0.9-2.2.2 - Unauthenticated Remote Code Execution via install.php Config Injection
A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application’s config.php file. An unauthenticated attacker can inject arbitrary PHP code into config.php, which is later executed when the file is loaded. This allows attackers to achieve remote code execution on the server. Exploitation of this issue will overwrite the existing configuration, rendering the application non-functional.
CVE-2014-125113 EXPLOITDB CRITICAL ruby WORKING POC
Dell KACE K1000 <5.4.76849-5.5.90547 - File Upload
An unrestricted file upload vulnerability exists in Dell (acquired by Quest) KACE K1000 System Management Appliance version 5.0 - 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547 in the download_agent.php endpoint. An attacker can upload arbitrary PHP files to a temporary web-accessible directory, which are later executed through inclusion in backend code that loads files under attacker-controlled paths.
CVE-2013-10070 EXPLOITDB CRITICAL ruby WORKING POC
PHP-Charts 1.0 - Unauthenticated Remote Code Execution via GET Parameter Eval Injection
PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution under the web server's context. The vulnerability allows unauthenticated attackers to execute system-level commands via base64-encoded payloads embedded in parameter names, leading to full compromise of the host system.
CVE-2013-10067 EXPLOITDB CRITICAL ruby WORKING POC
Glossword 1.8.8-1.8.12 - Authenticated Arbitrary File Upload and Remote Code Execution via Administrative Interface
Glossword versions 1.8.8 through 1.8.12 contain an authenticated arbitrary file upload vulnerability. When deployed as a standalone application, the administrative interface (gw_admin.php) allows users with administrator privileges to upload files to the gw_temp/a/ directory. Due to insufficient validation of file type and path, attackers can upload and execute PHP payloads, resulting in remote code execution.
CVE-2013-10066 EXPLOITDB CRITICAL ruby WORKING POC
Kordil EDMS v2.2.60rc3 - Unauthenticated RCE
An unauthenticated arbitrary file upload vulnerability exists in Kordil EDMS v2.2.60rc3. The application exposes an upload endpoint (users_add.php) that allows attackers to upload files to the /userpictures/ directory without authentication. This flaw enables remote code execution by uploading a PHP payload and invoking it via a direct HTTP request.
CVE-2013-10037 EXPLOITDB CRITICAL ruby WORKING POC
WebTester 5.x - Unauthenticated OS Command Injection via install2.php Parameters
An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges.
CVE-2013-10035 EXPLOITDB HIGH ruby WORKING POC
ProcessMaker Open Source 2.x - Code Injection
A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and cases_SchedulerGetPlugins.php, by supplying crafted POST requests to parameters such as action and params. These endpoints fail to validate user input and directly invoke PHP functions like system() with user-supplied parameters, enabling remote code execution. The vulnerability affects both Linux and Windows installations and is present in default configurations of versions including 2.0.23 through 2.5.1. The vulnerable skin cannot be removed through the web interface, and exploitation requires only valid user credentials.
CVE-2013-10033 EXPLOITDB CRITICAL ruby WORKING POC
Kimai 0.9.2.x - Unauthenticated SQL Injection via db_restore.php dates[] Parameter
An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates[] POST parameter, enabling file write via INTO OUTFILE under specific environmental conditions. This can lead to remote code execution by writing a PHP payload to the web-accessible temporary directory. The vulnerability has been confirmed in versions including 0.9.2.beta, 0.9.2.1294.beta, and 0.9.2.1306-3.