Halit AKAYDIN (hLtAkydn)

9 exploits Active since May 2022
CVE-2021-47939 EXPLOITDB HIGH python WORKING POC
Evolution CMS 3.1.6 Authenticated Remote Code Execution via Module Creation
Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in the 'post' parameter to create modules that execute arbitrary commands when invoked.
CVSS 8.8
CVE-2021-47938 EXPLOITDB HIGH python WORKING POC
ImpressCMS 1.4.2 Remote Code Execution via Autotasks
ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the sat_code parameter. Attackers can authenticate, submit a POST request to /modules/system/admin.php?fct=autotasks&op=mod with crafted sat_code containing PHP commands, which creates an executable file that accepts arbitrary commands via GET parameters.
CVSS 8.8
CVE-2021-47937 EXPLOITDB HIGH python WORKING POC
e107 CMS 2.3.0 Authenticated Remote Code Execution via Theme Upload
e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. Attackers can upload a crafted theme package through the theme.php endpoint that deploys a web shell to the e107_themes directory, then execute system commands via the payload.php script.
CVSS 8.8
CVE-2021-42645 WRITEUP CRITICAL WORKING POC
CMSimple_XH 1.7.4 - Remote Code Execution via File Upload
CMSimple_XH 1.7.4 is affected by a remote code execution (RCE) vulnerability. To exploit this vulnerability, an attacker must use the "File" parameter to upload a PHP payload to get a reverse shell from the vulnerable host.
CVSS 10.0
CVE-2021-47788 EXPLOITDB HIGH python WORKING POC
WebsiteBaker 2.13.0 - Authenticated Remote Code Execution via Language Installation Endpoint
WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve remote code execution on the server.
CVSS 8.8
CVE-2021-47753 EXPLOITDB CRITICAL python WORKING POC
phpKF CMS 3.00 Beta y6 - Unauthenticated Arbitrary File Upload via File Extension Bypass
phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter.
CVSS 9.8
CVE-2021-47736 EXPLOITDB HIGH python WORKING POC
CMSimple_XH 1.7.4 - Authenticated Remote Code Execution via Content Editing
CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitrary command execution on the server.
CVSS 7.2
EIP-2026-110198 EXPLOITDB python WORKING POC
Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
EIP-2026-106198 EXPLOITDB text WORKING POC
COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections