Pedro Ribeiro

203 exploits Active since Jan 2014
CVE-2014-6035 EXPLOITDB WRITEUP
Zohocorp Manageengine Opmanager < 11.3 - Path Traversal
Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.
CVE-2014-6036 EXPLOITDB WRITEUP
Zohocorp Manageengine Opmanager < 11.3 - Path Traversal
Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.
CVE-2014-7866 EXPLOITDB WRITEUP
Zohocorp Manageengine Social IT Plus - Path Traversal
Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName parameter to the MigrateLEEData servlet or (2) zipFileName parameter in a downloadFileFromProbe operation to the MigrateCentralData servlet.
CVE-2014-7863 EXPLOITDB HIGH WRITEUP
Zohocorp Manageengine Applications Manager - Information Disclosure
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
CVSS 7.5
CVE-2014-5445 EXPLOITDB WRITEUP
Zohocorp Manageengine It360 < 10.2 - Path Traversal
Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.
CVE-2014-6038 EXPLOITDB HIGH WRITEUP
ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure
Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a database Information Disclosure Vulnerability. Fixed in EventLog Analyzer 10.0 Build 10000.
CVSS 7.5
CVE-2014-8146 EXPLOITDB WRITEUP
Apple Itunes < 12.1.3 - Memory Corruption
The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.
CVE-2020-10882 EXPLOITDB HIGH ruby WORKING POC
TP-Link Archer A7 Firmware Ver: 190726 AC1750 - RCE
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9650.
CVSS 8.8
CVE-2020-10883 EXPLOITDB HIGH ruby WORKING POC
TP-Link Archer A7 Firmware <190726 - Privilege Escalation
This vulnerability allows local attackers to escalate privileges on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the file system. The issue lies in the lack of proper permissions set on the file system. An attacker can leverage this vulnerability to escalate privileges. Was ZDI-CAN-9651.
CVSS 7.8
CVE-2014-7866 EXPLOITDB WRITEUP
Zohocorp Manageengine Social IT Plus - Path Traversal
Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName parameter to the MigrateLEEData servlet or (2) zipFileName parameter in a downloadFileFromProbe operation to the MigrateCentralData servlet.
CVE-2013-7390 EXPLOITDB CRITICAL WRITEUP
ManageEngine DesktopCentral <8.0.0 - RCE
Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x and 8.0.0 before build 80293 allows remote attackers to execute arbitrary code by uploading a file with a jsp extension, then accessing it via a direct request to the file in the webroot.
CVSS 9.8
CVE-2014-5005 EXPLOITDB WRITEUP
Zohocorp Manageengine Desktop Central < 9.0 - Path Traversal
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate.
CVE-2014-5006 EXPLOITDB WRITEUP
Zohocorp Manageengine Desktop Central < 9.0 - Path Traversal
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader.
CVE-2019-1619 EXPLOITDB CRITICAL ruby WORKING POC
Cisco Data Center Network Manager - Improper Access Control
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.
CVSS 9.8
CVE-2019-1620 EXPLOITDB CRITICAL ruby WORKING POC
Cisco Data Center Network Manager - Path Traversal
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device. A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device.
CVSS 9.8
CVE-2015-2993 EXPLOITDB WORKING POC
SysAid Help Desk <15.2 - RCE
SysAid Help Desk before 15.2 does not properly restrict access to certain functionality, which allows remote attackers to (1) create administrator accounts via a crafted request to /createnewaccount or (2) write to arbitrary files via the fileName parameter to /userentry.
CVE-2015-2994 EXPLOITDB WRITEUP
SysAid Help Desk <15.2 - RCE
Unrestricted file upload vulnerability in ChangePhoto.jsp in SysAid Help Desk before 15.2 allows remote administrators to execute arbitrary code by uploading a file with a .jsp extension, then accessing it via a direct request to the file in icons/user_photo/.
CVE-2015-2995 EXPLOITDB WRITEUP
SysAid Help Desk <15.2 - RCE
The RdsLogsEntry servlet in SysAid Help Desk before 15.2 does not properly check file extensions, which allows remote attackers to upload and execute arbitrary files via a NULL byte after the extension, as demonstrated by a .war%00 file.
CVE-2015-2996 EXPLOITDB WRITEUP
SysAid Help Desk Arbitrary File Download
Multiple directory traversal vulnerabilities in SysAid Help Desk before 15.2 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the fileName parameter to getGfiUpgradeFile or (2) cause a denial of service (CPU and memory consumption) via a .. (dot dot) in the fileName parameter to calculateRdsFileChecksum.
CVE-2015-2997 EXPLOITDB WRITEUP
SysAid Help Desk <15.2 - Info Disclosure
SysAid Help Desk before 15.2 allows remote attackers to obtain sensitive information via an invalid value in the accountid parameter to getAgentLogFile, as demonstrated by a large directory traversal sequence, which reveals the installation path in an error message.
CVE-2015-2998 EXPLOITDB WRITEUP
SysAid Help Desk <15.2 - Info Disclosure
SysAid Help Desk before 15.2 uses a hardcoded encryption key, which makes it easier for remote attackers to obtain sensitive information, as demonstrated by decrypting the database password in WEB-INF/conf/serverConf.xml.
CVE-2015-2999 EXPLOITDB WRITEUP
SysAid Help Desk <15.2 - SQL Injection
Multiple SQL injection vulnerabilities in SysAid Help Desk before 15.2 allow remote administrators to execute arbitrary SQL commands via the (1) groupFilter parameter in an AssetDetails report to /genericreport, customSQL parameter in a (2) TopAdministratorsByAverageTimer report or an (3) ActiveRequests report to /genericreport, (4) dir parameter to HelpDesk.jsp, or (5) grantSQL parameter to RFCGantt.jsp.
CVE-2015-3000 EXPLOITDB WRITEUP
SysAid Help Desk <15.2 - DoS
SysAid Help Desk before 15.2 allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an XML document to (1) /agententry, (2) /rdsmonitoringresponse, or (3) /androidactions, aka an XML Entity Expansion (XEE) attack.
CVE-2014-2921 EXPLOITDB WORKING POC
Pimcore < 2.2.0 - Code Injection
The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing \0 character.
CVE-2016-6598 WRITEUP CRITICAL WRITEUP
BMC Track-It! <11.4 - Code Injection
BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010. This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM.
CVSS 9.8