Pedro Ribeiro

213 exploits, active since Jan 2014
CVE-2015-2993 EXPLOITDB WORKING POC
SysAid < 15.1 - Unauthenticated Arbitrary File Write via fileName Parameter
SysAid Help Desk before 15.2 does not properly restrict access to certain functionality, which allows remote attackers to (1) create administrator accounts via a crafted request to /createnewaccount or (2) write to arbitrary files via the fileName parameter to /userentry.
CVE-2015-2994 EXPLOITDB WRITEUP
SysAid < 15.1 - Unauthenticated Arbitrary File Upload and Remote Code Execution via ChangePhoto.jsp
Unrestricted file upload vulnerability in ChangePhoto.jsp in SysAid Help Desk before 15.2 allows remote administrators to execute arbitrary code by uploading a file with a .jsp extension, then accessing it via a direct request to the file in icons/user_photo/.
CVE-2015-2995 EXPLOITDB WRITEUP
SysAid < 15.1 - Remote Code Execution via RdsLogsEntry File Upload
The RdsLogsEntry servlet in SysAid Help Desk before 15.2 does not properly check file extensions, which allows remote attackers to upload and execute arbitrary files via a NULL byte after the extension, as demonstrated by a .war%00 file.
CVE-2015-2996 EXPLOITDB WRITEUP
SysAid Help Desk Arbitrary File Download
Multiple directory traversal vulnerabilities in SysAid Help Desk before 15.2 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the fileName parameter to getGfiUpgradeFile or (2) cause a denial of service (CPU and memory consumption) via a .. (dot dot) in the fileName parameter to calculateRdsFileChecksum.
CVE-2015-2997 EXPLOITDB WRITEUP
SysAid Help Desk <15.2 - Info Disclosure
SysAid Help Desk before 15.2 allows remote attackers to obtain sensitive information via an invalid value in the accountid parameter to getAgentLogFile, as demonstrated by a large directory traversal sequence, which reveals the installation path in an error message.
CVE-2015-2998 EXPLOITDB WRITEUP
SysAid Help Desk <15.2 - Info Disclosure
SysAid Help Desk before 15.2 uses a hardcoded encryption key, which makes it easier for remote attackers to obtain sensitive information, as demonstrated by decrypting the database password in WEB-INF/conf/serverConf.xml.
CVE-2015-2999 EXPLOITDB WRITEUP
SysAid Help Desk <15.2 - SQL Injection
Multiple SQL injection vulnerabilities in SysAid Help Desk before 15.2 allow remote administrators to execute arbitrary SQL commands via the (1) groupFilter parameter in an AssetDetails report to /genericreport, customSQL parameter in a (2) TopAdministratorsByAverageTimer report or an (3) ActiveRequests report to /genericreport, (4) dir parameter to HelpDesk.jsp, or (5) grantSQL parameter to RFCGantt.jsp.
CVE-2015-3000 EXPLOITDB WRITEUP
SysAid < 15.1 - Denial of Service via XML Entity Expansion
SysAid Help Desk before 15.2 allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an XML document to (1) /agententry, (2) /rdsmonitoringresponse, or (3) /androidactions, aka an XML Entity Expansion (XEE) attack.
CVE-2014-2921 EXPLOITDB WORKING POC
pimcore 1.4.9-2.0.0 - Remote Code Execution via Newsletter Import URL Parameter
The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing \0 character.
CVE-2016-6598 WRITEUP CRITICAL WRITEUP
BMC Track-It! <11.4 - Code Injection
BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010. This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM.
CVSS 9.8
CVE-2020-28347 WRITEUP CRITICAL WRITEUP
TP-Link Archer A7 AC1750 Firmware < 201029 - Remote Code Execution via tdpServer slave_mac Parameter
tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.
CVSS 9.8
CVE-2021-36224 WRITEUP CRITICAL WRITEUP
Western Digital My Cloud <OS5 - Info Disclosure
Western Digital My Cloud devices before OS5 have a nobody account with a blank password.
CVSS 9.8
CVE-2021-36225 WRITEUP HIGH WRITEUP
Western Digital My Cloud <OS5 - Privilege Escalation
Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation.
CVSS 8.8
CVE-2021-36226 WRITEUP CRITICAL WRITEUP
Western Digital My Cloud <OS5 - Info Disclosure
Western Digital My Cloud devices before OS5 do not use cryptographically signed Firmware upgrade files.
CVSS 9.8
CVE-2021-46829 WRITEUP HIGH WRITEUP
GDK-PixBuf <2.42.8 - Buffer Overflow
GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems.
CVSS 7.8
CVE-2022-23227 WRITEUP CRITICAL WRITEUP
NUUO NVRmini2 < 3.11.0 - Unauthenticated Arbitrary User Creation via handle_import_user.php
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
CVSS 9.8
CVE-2024-57822 WRITEUP MEDIUM WRITEUP
raptor_rdf_syntax_library <= 2.0.16 - Heap-Based Buffer Over-Read in N-Quads Parser
In Raptor RDF Syntax Library through 2.0.16, there is a heap-based buffer over-read when parsing triples with the nquads parser in raptor_ntriples_parse_term_internal().
CVSS 4.0
CVE-2024-57823 WRITEUP CRITICAL WRITEUP
raptor_rdf_syntax_library <= 2.0.16 - Integer Underflow in URI Normalization
In Raptor RDF Syntax Library through 2.0.16, there is an integer underflow when normalizing a URI with the turtle parser in raptor_uri_normalize_path().
CVSS 9.3
CVE-2018-1418 EXPLOITDB HIGH ruby WORKING POC
IBM Security QRadar SIEM <7.4 - Auth Bypass
IBM Security QRadar SIEM 7.2 and 7.3 could allow a user to bypass authentication which could lead to code execution. IBM X-Force ID: 138824.
CVSS 8.8
CVE-2018-5999 EXPLOITDB CRITICAL ruby WORKING POC
AsusWRT <3.0.0.4.384_10007 - Info Disclosure
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.
CVSS 9.8
CVE-2018-5999 EXPLOITDB CRITICAL text WRITEUP
AsusWRT <3.0.0.4.384_10007 - Info Disclosure
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.
CVSS 9.8
CVE-2016-5679 EXPLOITDB HIGH text WORKING POC
NUUO NVRmini <3.0.0 - Command Injection
cgi-bin/cgi_main in NUUO NVRmini 2 1.7.6 through 3.0.0 and NETGEAR ReadyNAS Surveillance 1.1.2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the sn parameter to the transfer_license command.
CVSS 8.8
CVE-2016-5677 EXPLOITDB HIGH text WORKING POC
NUUO NVRmini <3.0.0 - Info Disclosure
NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.0.0 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 have a hardcoded qwe23622260 password for the nuuoeng account, which allows remote attackers to obtain sensitive information via an __nvr_status___.php request.
CVSS 7.5
CVE-2016-5676 EXPLOITDB HIGH text WORKING POC
NETGEAR ReadyNAS Surveillance 1.1.1-1.4.1 & NUUO NVRmini2/NVRsolo 1.7.5-2.x - Unauthenticated Admin Password Reset
cgi-bin/cgi_system in NUUO NVRmini 2 1.7.5 through 2.x, NUUO NVRsolo 1.7.5 through 2.x, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to reset the administrator password via a cmd=loaddefconfig action.
CVSS 7.5