Metasploit

1,875 exploits Active since Aug 1990
CVE-2012-10037 EXPLOITDB CRITICAL ruby WORKING POC
PhpTax 0.8 - Unauthenticated Remote Code Execution via drawimage.php pfilez Parameter
PhpTax version 0.8 contains a remote code execution vulnerability in drawimage.php. The pfilez GET parameter is unsafely passed to the exec() function without sanitization. A remote attacker can inject arbitrary shell commands, leading to code execution under the web server's context. No authentication is required.
CVE-2012-10036 EXPLOITDB CRITICAL ruby WORKING POC
Project Pier <0.8.8 - Unauthenticated RCE
Project Pier 0.8.8 and earlier contains an unauthenticated arbitrary file upload vulnerability in tools/upload_file.php. The upload handler fails to validate the file type or enforce authentication, allowing remote attackers to upload malicious PHP files directly into a web-accessible directory. The uploaded file is stored with a predictable suffix and can be executed by requesting its URL, resulting in remote code execution.
CVE-2012-10035 EXPLOITDB CRITICAL ruby WORKING POC
Turbo FTP Server <1.30.823-1.30.826 - Buffer Overflow
Turbo FTP Server versions 1.30.823 and 1.30.826 contain a buffer overflow vulnerability in the handling of the PORT command. By sending a specially crafted payload, an unauthenticated remote attacker can overwrite memory structures and execute arbitrary code with SYSTEM privileges.
CVE-2012-10033 EXPLOITDB CRITICAL ruby WORKING POC
Narcissus backend.php - release Parameter Command Injection
Narcissus is vulnerable to remote code execution via improper input handling in its image configuration workflow. Specifically, the backend.php script fails to sanitize the release parameter before passing it to the configure_image() function. This function invokes PHP’s passthru() with the unsanitized input, allowing attackers to inject arbitrary system commands. Exploitation occurs via a crafted POST request, resulting in command execution under the web server’s context.
CVE-2012-10032 EXPLOITDB HIGH ruby WORKING POC
Maxthon3 < 3.2.2 build 1000 - Cross-Context Scripting via about:history Page
Maxthon3 version 3.2.2 build 1000 and prior are vulnerable to cross context scripting (XCS) via the about:history page. The browser’s trusted zone improperly handles injected script content, allowing attackers to execute arbitrary JavaScript in a privileged context. This flaw enables modification of browser configuration and execution of arbitrary code through Maxthon’s exposed DOM APIs, including maxthon.program.Program.launch() and maxthon.io.writeDataURL(). Exploitation requires user interaction, typically by visiting a malicious webpage that triggers the injection.
CVE-2012-10031 EXPLOITDB HIGH ruby WORKING POC
BlazeVideo HDTV Player Pro v6.6.0.3 - Buffer Overflow
BlazeVideo HDTV Player Pro v6.6.0.3 is vulnerable to a stack-based buffer overflow due to improper handling of user-supplied input embedded in .plf playlist files. When parsing a crafted .plf file, the MediaPlayerCtrl.dll component invokes PathFindFileNameA() to extract a filename from a URL-like string. The returned value is then copied to a fixed-size stack buffer using an inline strcpy call without bounds checking. If the input exceeds the buffer size, this leads to a stack overflow and potential arbitrary code execution under the context of the user.
CVE-2012-10030 EXPLOITDB CRITICAL ruby WORKING POC
FreeFloat FTP Server - Unauthenticated RCE
FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credentials, defaults user access to the root of the C:\ drive, and imposes no restrictions on file type or destination path. These conditions enable attackers to upload executable payloads and .mof files to locations such as system32 and wbem\mof, where Windows Management Instrumentation (WMI) automatically processes and executes them. This results in remote code execution with SYSTEM-level privileges, without requiring user interaction.
CVSS 9.8
CVE-2012-10029 EXPLOITDB HIGH ruby WORKING POC
Nagios XI Network Monitor <1.3 - Command Injection
Nagios XI Network Monitor prior to Graph Explorer component version 1.3 contains a command injection vulnerability in `visApi.php`. An authenticated user can inject system commands via unsanitized parameters such as `host`, resulting in remote code execution.
CVE-2012-10028 EXPLOITDB HIGH ruby WORKING POC
Netwin SurgeFTP <23c8 - Command Injection
Netwin SurgeFTP version 23c8 and prior contains a vulnerability in its web-based administrative console that allows authenticated users to execute arbitrary system commands via crafted POST requests to `surgeftpmgr.cgi`. This can lead to full remote code execution on the underlying system.
CVE-2012-10027 EXPLOITDB CRITICAL ruby WORKING POC
WP-Property < 1.35.0 - Unauthenticated Arbitrary File Upload via uploadify.php
WP-Property plugin for WordPress up to and including version 1.35.0 contains an unauthenticated file upload vulnerability in the third-party `uploadify.php` script. A remote attacker can upload arbitrary PHP files to a temporary directory without authentication, leading to remote code execution.
CVE-2012-10026 EXPLOITDB CRITICAL ruby WORKING POC
WordPress Plugin Asset-Manager < 2.0 - Unauthenticated Arbitrary File Upload via upload.php
The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded file types, allowing remote attackers to upload malicious PHP scripts to a predictable temporary directory. Once uploaded, the attacker can execute the file via a direct HTTP GET request, resulting in remote code execution under the web server’s context.
CVE-2012-10025 EXPLOITDB CRITICAL ruby WORKING POC
WordPress Advanced Custom Fields <= 3.5.1 - Remote File Inclusion Code Execution
The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host.
CVE-2012-10055 EXPLOITDB CRITICAL ruby WORKING POC
ComSndFTP FTP Server <1.3.7 Beta - Code Injection
ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically WSACleanup from Ws2_32.dll). This allows the attacker to redirect execution flow and bypass DEP protections using a ROP chain, ultimately leading to arbitrary code execution. The vulnerability is exploitable without authentication and affects default configurations.
CVE-2012-10054 EXPLOITDB CRITICAL ruby WORKING POC
Umbraco CMS < 4.7.1 - Unauthenticated Remote Code Execution via codeEditorSave.asmx SaveDLRScript Path Traversal
Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the fileName parameter, attackers can write malicious ASPX scripts directly into the web-accessible /umbraco/ directory and execute them remotely.
CVSS 9.8
CVE-2012-10053 EXPLOITDB CRITICAL ruby WORKING POC
Simple Web Server 2.2 rc2 - Buffer Overflow
Simple Web Server 2.2 rc2 contains a stack-based buffer overflow vulnerability in its handling of the Connection HTTP header. When a remote attacker sends an overly long string in this header, the server uses vsprintf() without proper bounds checking, leading to a buffer overflow on the stack. This flaw allows remote attackers to execute arbitrary code with the privileges of the web server process. The vulnerability is triggered before authentication.
CVE-2012-10052 EXPLOITDB CRITICAL ruby WORKING POC
EGallery 1.2 - Unauthenticated Arbitrary File Upload via uploadify.php
EGallery version 1.2 contains an unauthenticated arbitrary file upload vulnerability in the uploadify.php script. The application fails to validate file types or enforce authentication, allowing remote attackers to upload malicious PHP files directly into the web-accessible egallery/ directory. This results in full remote code execution under the web server context.
CVE-2012-10051 EXPLOITDB HIGH ruby WORKING POC
Photodex ProShow Producer <5.0.3256 - Buffer Overflow
Photodex ProShow Producer version 5.0.3256 contains a stack-based buffer overflow vulnerability in the handling of plugin load list files. When a specially crafted load file is placed in the installation directory, the application fails to properly validate its contents, leading to a buffer overflow when the file is parsed during startup. Exploitation requires local access to place the file and user interaction to launch the application.
CVE-2012-10050 EXPLOITDB CRITICAL ruby WORKING POC
CuteFlow < 2.11.2 - Unauthenticated Arbitrary File Upload via restart_circulation_values_write.php
CuteFlow version 2.11.2 and earlier contains an arbitrary file upload vulnerability in the restart_circulation_values_write.php script. The application fails to validate or restrict uploaded file types, allowing unauthenticated attackers to upload arbitrary PHP files to the upload/___1/ directory. These files are then accessible via the web server, enabling remote code execution.
CVE-2011-3490 EXPLOITDB ruby WORKING POC
Measuresoft ScadaPro <4.0.0 - Buffer Overflow
Multiple stack-based buffer overflows in service.exe in Measuresoft ScadaPro 4.0.0 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long command to port 11234, as demonstrated with the TF command.
CVE-2011-3175 EXPLOITDB ruby WORKING POC
Novell ZENworks Configuration Management 11.1 and 11.1a - Remote Code Execution via Preboot Service Opcode 0x6c
Stack-based buffer overflow in the Preboot Service in Novell ZENworks Configuration Management (ZCM) 11.1 and 11.1a allows remote attackers to execute arbitrary code via an opcode 0x6c request.
CVE-2011-10032 EXPLOITDB CRITICAL ruby WORKING POC
Sunway ForceControl <6.1 SP3 - Buffer Overflow
Sunway ForceControl version 6.1 SP3 and earlier contains a stack-based buffer overflow vulnerability in the SNMP NetDBServer service, which listens on TCP port 2001. The flaw is triggered when the service receives a specially crafted packet using opcode 0x57 with an overly long payload. Due to improper bounds checking during packet parsing, attacker-controlled data overwrites the Structured Exception Handler (SEH), allowing arbitrary code execution in the context of the service. This vulnerability can be exploited remotely without authentication and may lead to full system compromise on affected Windows hosts.
CVE-2011-10030 EXPLOITDB HIGH ruby WORKING POC
Foxit PDF Reader < 4.3.1.0218 - Code Injection
Foxit PDF Reader <  4.3.1.0218 exposes a JavaScript API function, createDataObject(), that allows untrusted PDF content to write arbitrary files anywhere on disk. By embedding a malicious PDF that calls this API, an attacker can drop executables or scripts into privileged folders, leading to code execution the next time the system boots or the user logs in.
CVE-2011-10028 EXPLOITDB HIGH ruby WORKING POC
RealArcade 2.6.0.445 ActiveX - Exec Method Command Execution
The RealNetworks RealArcade platform includes an ActiveX control (InstallerDlg.dll, version 2.6.0.445) that exposes a method named Exec via the StubbyUtil.ProcessMgr COM object. This method allows remote attackers to execute arbitrary commands on a victim's Windows machine without proper validation or restrictions. This platform was sometimes referred to or otherwise known as RealArcade or Arcade Games and has since consolidated with RealNetworks' platform, GameHouse.
CVE-2011-10027 EXPLOITDB HIGH ruby WORKING POC
AOL Desktop < 9.6 - Stack-based Buffer Overflow via RTX Hyperlink Tag
AOL Desktop 9.6 contains a buffer overflow vulnerability in its Tool\rich.rct component when parsing .rtx files. By embedding an overly long string in a hyperlink tag, an attacker can trigger a stack-based buffer overflow due to the use of unsafe strcpy operations. This allows remote attackers to execute arbitrary code when a victim opens a malicious .rtx file. AOL Desktop is end-of-life and no longer supported. Users are encouraged to migrate to AOL Desktop Gold or alternative platforms.
CVE-2011-10026 EXPLOITDB CRITICAL ruby WORKING POC
Spreecommerce < 0.50.x - Unauthenticated Remote Code Execution via API Search Parameter
Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby’s send method. This flaw enables unauthenticated attackers to execute commands on the server.
CVSS 9.8