Patrick Pirker

6 exploits Active since May 2023
CVE-2025-59945 WRITEUP HIGH WRITEUP
sysreptor 2024.74-2025.83 - Authenticated Privilege Escalation via Self-Assigned Project Admin Permission
SysReptor is a fully customizable pentest reporting platform. In versions from 2024.74 to before 2025.83, authenticated and unprivileged (non-admin) users can assign the is_project_admin permission to their own user. This allows users to read, modify and delete pentesting projects they are not members of and are therefore not supposed to access. This issue has been patched in version 2025.83.
CVSS 8.1
CVE-2022-47874 EXPLOITDB MEDIUM text WORKING POC
Jedox Cloud 2020.2.5 - Authenticated Database Credential Disclosure via /tc/rpc Connections Endpoint
Improper Access Control in /tc/rpc in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to view details of database connections via class 'com.jedox.etl.mngr.Connections' and method 'getGlobalConnection'.
CVSS 6.5
CVE-2022-47878 EXPLOITDB HIGH text WRITEUP
Jedox <= 22.2 - Authenticated Remote Code Execution via Default Storage Path Misconfiguration
Incorrect input validation for the default-storage-path in the settings page in Jedox 2020.2.5 allows remote, authenticated users to specify the location as Webroot directory. Consecutive file uploads can lead to the execution of arbitrary code. NOTE: The vendor states that the vulnerability affects installations running version 22.2 or earlier. The issue was resolved with the version 22.3 and later versions are not affected. Additionally, the vendor states that this vulnerability affects on-premises deployments only and that it does not impact cloud-hosted or SaaS environments.
CVSS 8.8
CVE-2022-47876 EXPLOITDB HIGH text WORKING POC
Jedox GmbH Jedox <2020.2.5 - Command Injection
The integrator in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to create Jobs to execute arbitrary code via Groovy-scripts.
CVSS 8.8
CVE-2022-47879 EXPLOITDB HIGH text WORKING POC
Jedox <= 22.5 - Authenticated Remote Code Execution via /be/rpc.php
A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute its methods. NOTE: The vendor states that the vulnerability affects installations running version 22.5 or earlier. The issue was resolved with version 23.2 and later versions are not affected.
CVSS 7.5
CVE-2022-47880 EXPLOITDB MEDIUM text WRITEUP
Jedox 2020.2.5 - Authenticated Information Disclosure via Test Connection Function
An Information disclosure vulnerability in /be/rpc.php in Jedox GmbH Jedox 2020.2.5 allow remote, authenticated users with permissions to modify database connections to disclose a connections' cleartext password via the 'test connection' function.
CVSS 5.3