Metasploit

1,875 exploits Active since Aug 1990
CVE-2013-3631 EXPLOITDB ruby WORKING POC
Nas4free < 9.1.0.1.804 - Code Injection
NAS4Free 9.1.0.1.804 and earlier allows remote authenticated users to execute arbitrary PHP code via a request to exec.php, aka the "Advanced | Execute Command" feature. NOTE: this issue might not be a vulnerability, since it appears to be part of legitimate, intentionally-exposed functionality by the developer and is allowed within the intended security policy.
CVE-2014-7146 EXPLOITDB ruby WORKING POC
MantisBT <1.2.17 - RCE
The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.
CVE-2008-4687 EXPLOITDB ruby WORKING POC
Mantis < 1.1.3 - Code Injection
manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_api.php.
EIP-2026-104742 EXPLOITDB ruby WORKING POC
LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit)
CVE-2017-14143 EXPLOITDB CRITICAL ruby WORKING POC
Kaltura <13.2.0 - Code Injection
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie.
CVSS 9.8
CVE-2013-5576 EXPLOITDB ruby WORKING POC
Joomla! <2.5.14, <3.1.5 - Auth Bypass
administrator/components/com_media/helpers/media.php in the media manager in Joomla! 2.5.x before 2.5.14 and 3.x before 3.1.5 allows remote authenticated users or remote attackers to bypass intended access restrictions and upload files with dangerous extensions via a filename with a trailing . (dot), as exploited in the wild in August 2013.
CVE-2014-7228 EXPLOITDB ruby WORKING POC
Akeeba Restore <3.3.4 - Info Disclosure
Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and Professional 2.0.0 through 2.4.4; and CMS Update 1.0.a1 through 1.0.1, when performing a backup or update for an archive, does not delete parameters from $_GET and $_POST when it is cleansing $_REQUEST, but later accesses $_GET and $_POST using the getQueryParam function, which allows remote attackers to bypass encryption and execute arbitrary code via a command message that extracts a crafted archive.
CVE-2015-7858 EXPLOITDB ruby WORKING POC
Joomla! <3.4.4 - SQL Injection
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.
CVE-2013-3629 EXPLOITDB HIGH ruby WORKING POC
ISPConfig 3.0.5.2 - Code Injection
ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution.
CVSS 8.8
CVE-2012-5692 EXPLOITDB ruby WORKING POC
Invision Power Board <3.3.x - Unknown Vuln
Unspecified vulnerability in admin/sources/base/core.php in Invision Power Board (aka IPB or IP.Board) 3.1.x through 3.3.x has unknown impact and remote attack vectors.
EIP-2026-104733 EXPLOITDB ruby WORKING POC
Idera Up.Time Monitoring Station 7.4 - 'post2file.php' Arbitrary File Upload (Metasploit)
CVE-2017-1092 EXPLOITDB CRITICAL ruby WORKING POC
IBM Informix Open Admin Tool <12.1 - RCE
IBM Informix Open Admin Tool 11.5, 11.7, and 12.1 could allow an unauthorized user to execute arbitrary code as system admin on Windows servers. IBM X-Force ID: 120390.
CVSS 9.8
CVE-2014-1691 EXPLOITDB ruby WORKING POC
Horde <5.1.1 - Code Injection
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.
CVE-2013-5696 EXPLOITDB ruby WORKING POC
Glpi < 0.84.1 - CSRF
inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or (2) execute arbitrary PHP code via an update_1 action.
EIP-2026-104729 EXPLOITDB ruby WORKING POC
GitList 0.6.0 - Argument Injection (Metasploit)
EIP-2026-104728 EXPLOITDB ruby WORKING POC
GitList 0.6.0 - Argument Injection (Metasploit)
CVE-2019-11231 EXPLOITDB CRITICAL ruby WORKING POC
Get-simple Getsimple Cms < 3.3.15 - Path Traversal
An issue was discovered in GetSimple CMS through 3.3.15. Insufficient input sanitization in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user; however, authentication can be bypassed. According to the official documentation for installation step 10, an admin is required to upload all the files, including the .htaccess files, and run a health check. However, what is overlooked is that the Apache HTTP Server by default no longer enables the AllowOverride directive, leading to data/users/admin.xml password exposure. The passwords are hashed but this can be bypassed by starting with the data/other/authorization.xml API key. This allows one to target the session state, since they decided to roll their own implementation. The cookie_name is crafted information that can be leaked from the frontend (site name and version). If someone leaks the API key and the admin username, then they can bypass authentication. To do so, they need to supply a cookie based on an SHA-1 computation of this known information. The vulnerability exists in the admin/theme-edit.php file. This file checks for form submissions via POST requests, and for the CSRF nonce. If the nonce sent is correct, then the file provided by the user is uploaded. There is a path traversal allowing write access outside the jailed themes directory root. Exploiting the traversal is not necessary because the .htaccess file is ignored. A contributing factor is that there isn't another check on the extension before saving the file, with the assumption that the parameter content is safe. This allows the creation of web accessible and executable files with arbitrary content.
CVSS 9.8
EIP-2026-104724 EXPLOITDB ruby WORKING POC
eXtplorer 2.1 - Arbitrary File Upload (Metasploit)
CVE-2019-9194 EXPLOITDB CRITICAL ruby WORKING POC
Std42 Elfinder < 2.1.48 - OS Command Injection
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.
CVSS 9.8
CVE-2019-6340 EXPLOITDB HIGH ruby WORKING POC
Drupal < 8.5.11 - Insecure Deserialization
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
CVSS 8.1
EIP-2026-104719 EXPLOITDB ruby WORKING POC
Dexter (CasinoLoader) - SQL Injection (Metasploit)
CVE-2013-2097 EXPLOITDB HIGH ruby WORKING POC
ZPanel <10.1.0 - RCE
ZPanel through 10.1.0 has Remote Command Execution.
CVSS 7.8
CVE-2014-8998 EXPLOITDB ruby WORKING POC
X7 Chat <2.0.5.1 - Authenticated RCE
lib/message.php in X7 Chat 2.0.0 through 2.0.5.1 allows remote authenticated users to execute arbitrary PHP code via a crafted HTTP header to index.php, which is processed by the preg_replace function with the eval switch.
CVE-2014-10021 EXPLOITDB ruby WORKING POC
Wpsymposiumpro WP Symposium - Unrestricted File Upload
Unrestricted file upload vulnerability in UploadHandler.php in the WP Symposium plugin 14.11 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in server/php/.
EIP-2026-104793 EXPLOITDB ruby WORKING POC
WordPress Plugin Work The Flow - Arbitrary File Upload (Metasploit)