Pedro Ribeiro

213 exploits, active since Jan 2014
CVE-2014-5005 METASPLOIT ruby WORKING POC
ManageEngine Desktop Central < 9.0 - Remote Code Execution via File Upload Path Traversal
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate.
CVE-2020-11853 METASPLOIT HIGH ruby WORKING POC
Micro Focus Operation Bridge Manager - Remote Code Execution
Arbitrary code execution vulnerability affecting multiple Micro Focus products: (1) Operation Bridge Manager, affecting versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, versions 10.6x and 10.1x and older versions; (2) Application Performance Management, affecting versions 9.51, 9.50 and 9.40 with uCMDB 10.33 CUP 3; (3) Data Center Automation, affected version 2019.11; (4) Operations Bridge (containerized), affecting versions 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11; (5) Universal CMDB, affecting versions 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30; (6) Hybrid Cloud Management, affecting version 2020.05; (7) Service Management Automation, affecting versions 2020.5 and 2020.02. The vulnerability could allow arbitrary code execution.
CVSS 8.8
CVE-2015-2995 METASPLOIT ruby WORKING POC
SysAid < 15.1 - Remote Code Execution via RdsLogsEntry File Upload
The RdsLogsEntry servlet in SysAid Help Desk before 15.2 does not properly check file extensions, which allows remote attackers to upload and execute arbitrary files via a NULL byte after the extension, as demonstrated by a .war%00 file.
CVE-2020-10644 METASPLOIT HIGH ruby WORKING POC
Ignition <8.0.10, <7.9.14 - Info Disclosure
The affected product lacks proper validation of user-supplied data, which can result in deserialization of untrusted data on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information.
CVSS 7.5
CVE-2018-18982 METASPLOIT HIGH ruby WORKING POC
NUUO CMS < 3.3 - SQL Injection
In NUUO CMS, all versions 3.3 and prior, the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution.
CVSS 8.8
CVE-2018-17936 METASPLOIT CRITICAL ruby WORKING POC
NUUO CMS < 3.3 - Unauthenticated Arbitrary File Upload and Remote Code Execution
In NUUO CMS, all versions 3.3 and prior, the application allows the upload to the server of arbitrary files that can modify or overwrite configuration files, which could allow remote code execution.
CVSS 9.8
CVE-2014-4872 METASPLOIT ruby WORKING POC
BMC Track-It! 11.3.0.355 - Unauthenticated Remote Code Execution via .NET Remoting
BMC Track-It! 11.3.0.355 does not require authentication on TCP port 9010, which allows remote attackers to upload arbitrary files, execute arbitrary code, or obtain sensitive credential and configuration information via a .NET Remoting request to (1) FileStorageService or (2) ConfigurationService.
CVE-2015-6922 METASPLOIT CRITICAL ruby WORKING POC
Kaseya VSA <7.0.0.33, <8.0.0.23, <9.0.0.19, <9.1.0.9 - Unauthenticated RCE via File Write
Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, and 9.1 before 9.1.0.9 does not properly require authentication, which allows remote attackers to bypass authentication and (1) add an administrative account via crafted request to LocalAuth/setAccount.aspx or (2) write to and execute arbitrary files via a full pathname in the PathData parameter to ConfigTab/uploader.aspx.
CVSS 9.8
CVE-2023-38098 METASPLOIT HIGH ruby WORKING POC
NETGEAR ProSAFE Network Management System < 1.7.0.20 - Remote Code Execution via UpLoadServlet Unrestricted File Upload
NETGEAR ProSAFE Network Management System UpLoadServlet Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the UpLoadServlet class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19720.
CVSS 8.8
CVE-2020-11855 METASPLOIT HIGH ruby WORKING POC
Micro Focus Operation Bridge Reporter < 10.40 - Local Privilege Escalation via Incorrect Permission Assignment
An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow local attackers on the OBR host to execute code with escalated privileges.
CVSS 7.8
CVE-2017-18368 METASPLOIT CRITICAL ruby WORKING POC
Billion 5200w-t Firmware - OS Command Injection
The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.
CVSS 9.8
CVE-2020-12029 METASPLOIT CRITICAL ruby WORKING POC
Rockwell Automation FactoryTalk View SE - Unauthenticated Remote Code Execution via Crafted Filename
All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx.
CVSS 9.0
CVE-2020-10884 METASPLOIT HIGH ruby WORKING POC
TP-Link Archer A7 Firmware <190726 - RCE
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. This issue results from the use of a hard-coded encryption key. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9652.
CVSS 8.8
CVE-2022-20699 METASPLOIT CRITICAL ruby WORKING POC
Cisco RV340, RV340W, RV345, RV345P Firmware < 1.0.03.24 - Unauthenticated Remote Code Execution
Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: execute arbitrary code; elevate privileges; execute arbitrary commands; bypass authentication and authorization protections; fetch and run unsigned software; cause denial of service (DoS). For more information about these vulnerabilities, see the Details section of this advisory.
CVSS 10.0
CVE-2016-6563 METASPLOIT CRITICAL ruby WORKING POC
D-Link DIR Routers - Stack-Based Buffer Overflow via Malformed SOAP HNAP Login Action
Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack in some D-Link DIR routers. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha. The following products are affected: DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L, DIR-868L, and DIR-850L.
CVSS 9.8
CVE-2016-10174 METASPLOIT CRITICAL ruby WORKING POC
NETGEAR Multiple Routers - Unauthenticated Remote Code Execution via Hidden Lang AVI Parameter Buffer Overflow
The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_lang_avi parameter when invoking the URL /apply.cgi?/lang_check.html. This buffer overflow can be exploited by an unauthenticated attacker to achieve remote code execution.
CVSS 9.8
CVE-2021-22502 METASPLOIT CRITICAL ruby WORKING POC
Micro Focus Operation Bridge Reporter <10.40 - RCE
Remote code execution vulnerability in the Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow remote code execution on the OBR server.
CVSS 9.8
CVE-2017-18371 METASPLOIT CRITICAL ruby WORKING POC
Billion 5200w-t Firmware - Hard-coded Credentials
The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has three user accounts with default passwords, including two hardcoded service accounts: one with the username true and password true, and another with the username supervisor and password zyad1234. These accounts can be used to login to the web interface, exploit authenticated command injections, and change router settings for malicious purposes.
CVSS 9.8
CVE-2020-11857 METASPLOIT CRITICAL ruby WORKING POC
Micro Focus Operation Bridge Reporter < 10.40 - Authorization Bypass via Default Credentials
An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to access the OBR host as a non-admin user.
CVSS 9.8
CVE-2016-5674 METASPLOIT CRITICAL ruby WORKING POC
NETGEAR ReadyNAS Surveillance 1.1.1-1.4.1 & NUUO NVRmini2/NVRsolo 1.7.5-3.0.0 - RCE via __debugging_center_utils___.php
__debugging_center_utils___.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.7.5 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the log parameter.
CVSS 9.8
CVE-2020-4428 METASPLOIT CRITICAL ruby WORKING POC
IBM Data Risk Manager 2.0.1-2.0.4 - Authenticated OS Command Injection
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 180533.
CVSS 9.1
CVE-2019-1937 METASPLOIT CRITICAL ruby WORKING POC
Cisco UCS Director Unauthenticated Remote Code Execution
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication. The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.
CVSS 9.8
CVE-2016-5675 METASPLOIT CRITICAL ruby WORKING POC
NETGEAR ReadyNAS Surveillance 1.1.1-1.4.1 - Remote Code Execution via NTPServer Parameter
handle_daylightsaving.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.0.0 through 3.0.0, NUUO Crystal 2.2.1 through 3.2.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the NTPServer parameter.
CVSS 9.8
CVE-2017-18372 METASPLOIT HIGH ruby WORKING POC
Billion 5200W-T Firmware - Authenticated OS Command Injection via uiViewSNTPServer Parameter
The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router distributed by TrueOnline has a command injection vulnerability in the Time Setting function, which is only accessible by an authenticated user. The vulnerability is in the tools_time.asp page and can be exploited through the uiViewSNTPServer parameter. Authentication can be achieved by exploiting CVE-2017-18373.
CVSS 8.8
CVE-2018-6000 METASPLOIT CRITICAL ruby WORKING POC
AsusWRT <3.0.0.4.384_10007 - Privilege Escalation
An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.
CVSS 9.8