Ibonok

4 exploits Active since Jan 2020
CVE-2020-4463 NOMISEC HIGH WORKING POC
IBM Maximo Asset Management - XXE
IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181484.
52 stars
CVSS 8.2
CVE-2020-1611 NOMISEC MEDIUM WORKING POC
Juniper Networks Junos Space <19.4R1 - Local File Inclusion
A Local File Inclusion vulnerability in Juniper Networks Junos Space allows an attacker to view all files on the target when the device receives malicious HTTP packets. This issue affects: Juniper Networks Junos Space versions prior to 19.4R1.
29 stars
CVSS 6.5
CVE-2026-33439 GITHUB CRITICAL java WORKING POC
Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the `jato.clientSession` HTTP parameter. This bypasses the `WhitelistObjectInputStream` mitigation that was applied to the `jato.pageSession` parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the `jato.clientSession` GET/POST parameter to any JATO ViewBean endpoint whose JSP contains `<jato:form>` tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6.
CVSS 9.8
CVE-2019-17658 NOMISEC CRITICAL WRITEUP
FortiClient Windows <6.2.2 - Privilege Escalation
An unquoted service path vulnerability in the FortiClient FortiTray component of FortiClientWindows v6.2.2 and prior allows an attacker to gain elevated privileges via the FortiClientConsole executable service path.
CVSS 9.8