Pr0t0c01

12 exploits Active since Aug 2017
CVE-2023-39141 GITHUB HIGH python WORKING POC
ziahamza/webui-aria2 - Path Traversal via Node Server File Handling
webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability.
2 stars
CVSS 7.5
CVE-2022-1388 GITHUB CRITICAL python WORKING POC
F5 BIG-IP iControl RCE via REST Authentication Bypass
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
2 stars
CVSS 9.8
CVE-2024-24919 GITHUB HIGH python WORKING POC
Check Point Quantum Gateway - Information Disclosure
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
2 stars
CVSS 8.6
CVE-2023-4966 GITHUB CRITICAL python WORKING POC
Citrix NetScaler ADC/Gateway 12.1-55.300/13.0-92.19 Info Disclosure
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA  virtual server.
2 stars
CVSS 9.4
CVE-2024-1709 GITHUB CRITICAL python WORKING POC
ConnectWise ScreenConnect < 23.9.8 - Authentication Bypass
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
2 stars
CVSS 10.0
CVE-2023-25157 GITHUB CRITICAL python WORKING POC
GeoServer < 2.18.7 and 2.18.7-2.21.4 - SQL Injection via OGC Filter and CQL Expressions
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.
2 stars
CVSS 9.8
CVE-2017-9506 GITHUB MEDIUM python SCANNER
Atlassian OAuth Plugin <1.9.12, <2.0.4 - SSRF/XSS
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
2 stars
CVSS 6.1
CVE-2024-23897 GITHUB CRITICAL python WORKING POC
Jenkins cli Ampersand Replacement Arbitrary File Read
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
2 stars
CVSS 9.8
CVE-2023-36845 GITHUB CRITICAL python WORKING POC
Juniper Junos OS Multiple Versions - Unauthenticated Remote Code Execution via PHPRC
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request which sets the variable PHPRC an attacker is able to modify the PHP execution environment allowing the injection und execution of code. This issue affects Juniper Networks Junos OS on EX Series and SRX Series: * All versions prior to 20.4R3-S9; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S7; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; * 22.4 versions prior to 22.4R2-S1, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2.
2 stars
CVSS 9.8
CVE-2024-4879 GITHUB CRITICAL python WORKING POC
ServiceNow Vancouver and Washington DC - Unauthenticated Remote Code Execution
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
2 stars
CVSS 9.8
CVE-2020-17453 GITHUB MEDIUM python WRITEUP
WSO2 Management Console <5.10 - XSS
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
2 stars
CVSS 6.1
CVE-2022-37042 GITHUB CRITICAL python WRITEUP
Zimbra Collaboration Suite 8.8.15/9.0 - Path Traversal & RCE via mboximport
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
2 stars
CVSS 9.8