Dawid Golunski

78 exploits Active since Nov 2009
EIP-2026-107460 EXPLOITDB text WRITEUP
Google AdWords API PHP client library 6.2.0 - Arbitrary PHP Code Execution
EIP-2026-107459 EXPLOITDB text WORKING POC
Google AdWords 6.2.0 API client libraries - XML eXternal Entity Injection
CVE-2015-5161 EXPLOITDB text WORKING POC
Zend Framework < 1.12.14, 2.x < 2.4.6, 2.5.x < 2.5.2 - XML External Entity Injection via Multibyte Encoded Characters
The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.
EIP-2026-106744 EXPLOITDB text WORKING POC
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution / Denial of Service)
CVE-2016-4793 EXPLOITDB HIGH text WORKING POC
CakePHP < 3.2.4 - IP Spoofing via CLIENT-IP HTTP Header
The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header.
CVSS 7.5
CVE-2016-10033 EXPLOITDB CRITICAL ruby WORKING POC
PHPMailer Sendmail Argument Injection
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
CVSS 9.8
CVE-2016-10073 EXPLOITDB HIGH bash WORKING POC
Vanilla Forums <2.3.1 - Info Disclosure
The from method in library/core/class.email.php in Vanilla Forums before 2.3.1 allows remote attackers to spoof the email domain in sent messages and potentially obtain sensitive information via a crafted HTTP Host header, as demonstrated by a password reset request.
CVSS 7.5
CVE-2015-5161 EXPLOITDB text WORKING POC
Zend Framework < 1.12.14, 2.x < 2.4.6, 2.5.x < 2.5.2 - XML External Entity Injection via Multibyte Encoded Characters
The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.
CVE-2016-1004 EXPLOITDB ruby WORKING POC
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none
CVE-2016-4264 EXPLOITDB HIGH python WORKING POC
Adobe ColdFusion <11-Update 10 - Info Disclosure
The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CVSS 8.6
CVE-2014-2913 EXPLOITDB text WORKING POC
Nagios Remote Plugin Executor <2.15 - RCE
Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments
CVE-2016-7098 EXPLOITDB HIGH python WORKING POC
wget < 1.17 - Race Condition in Recursive/Mirroring Mode
Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open.
CVSS 8.1
CVE-2016-10033 EXPLOITDB CRITICAL bash WORKING POC
PHPMailer Sendmail Argument Injection
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
CVSS 9.8
CVE-2017-8295 EXPLOITDB MEDIUM text WORKING POC
WordPress <= 4.7.4 - Unauthenticated Weak Password Recovery Mechanism via Host Header Manipulation
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.
CVSS 5.9
CVE-2016-4971 EXPLOITDB HIGH text WORKING POC
GNU wget < 1.18 - Arbitrary File Write via HTTP-to-FTP Redirect
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
CVSS 8.8
CVE-2017-7692 EXPLOITDB HIGH bash WORKING POC
SquirrelMail <20170427_0200-SVN - RCE
SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in the Deliver_SendMail.class.php with the initStream function that uses escapeshellcmd() to sanitize the sendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it doesn't escape whitespaces, allowing the injection of arbitrary command parameters. The problem is in -f$envelopefrom within the sendmail command line. Hence, if the target server uses sendmail and SquirrelMail is configured to use it as a command-line program, it's possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command. For exploitation, the attacker must upload a sendmail.cf file as an email attachment, and inject the sendmail.cf filename with the -C option within the "Options > Personal Informations > Email Address" setting.
CVSS 8.8
CVE-2016-9565 EXPLOITDB CRITICAL python WORKING POC
Nagios < 4.2.1 - Arbitrary File Read and Write via Spoofed RSS Feed Response
MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796.
CVSS 9.8
CVE-2016-4971 EXPLOITDB HIGH python WORKING POC
GNU wget < 1.18 - Arbitrary File Write via HTTP-to-FTP Redirect
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
CVSS 8.8
CVE-2016-1531 EXPLOITDB HIGH text WORKING POC
Exim <4.86.2 - Privilege Escalation
Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.
CVSS 7.0
CVE-2016-1247 EXPLOITDB HIGH bash WORKING POC
nginx <1.6.2-5+deb8u3 - Privilege Escalation
The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before 1.10.1-0ubuntu1.1 on Ubuntu 16.10, and the nginx ebuild before 1.10.2-r3 on Gentoo allow local users with access to the web server user account to gain root privileges via a symlink attack on the error log.
CVSS 7.8
CVE-2014-4703 EXPLOITDB text WORKING POC
Nagios Plugins <2.0.2 - Info Disclosure
lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain sensitive information via a symlink attack on the configuration file in the extra-opts flag. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4701.
CVE-2016-9566 EXPLOITDB HIGH bash WORKING POC
Nagios < 4.2.3 - Privilege Escalation via Symlink Attack on Log File
base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged by remote attackers using CVE-2016-9565.
CVSS 7.8
CVE-2016-6664 EXPLOITDB HIGH bash WORKING POC
Oracle MySQL, MariaDB, Percona Server, Percona XtraDB Cluster - Privilege Escalation via Symlink Attack
mysqld_safe in Oracle MySQL through 5.5.51, 5.6.x through 5.6.32, and 5.7.x through 5.7.14; MariaDB; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17, when using file-based logging, allows local users with access to the mysql account to gain root privileges via a symlink attack on error logs and possibly other files.
CVSS 7.0
CVE-2016-6663 EXPLOITDB HIGH c WORKING POC
Oracle MySQL <5.5.52, 5.6.x <5.6.33, 5.7.x <5.7.15, and 8.x <8.0.1 - Privilege Escalation
Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33, 5.7.x before 5.7.15, and 8.x before 8.0.1; MariaDB before 5.5.52, 10.0.x before 10.0.28, and 10.1.x before 10.1.18; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17 allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table.
CVSS 7.0
CVE-2016-6662 EXPLOITDB CRITICAL python WORKING POC
Oracle MySQL, MariaDB, Percona Server - Privilege Escalation via my.cnf
Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.
CVSS 9.8