RedTeam Pentesting

38 exploits Active since Feb 2005
CVE-2024-43425 NOMISEC HIGH WORKING POC
Moodle Remote Code Execution (CVE-2024-43425)
A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.
19 stars
CVSS 8.1
CVE-2012-3830 EXPLOITDB WRITEUP
Decoda < 3.3.3 - Cross-Site Scripting via Video Directive
Cross-site scripting (XSS) vulnerability in decoda/templates/video.php in Decoda before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via the video directive.
CVE-2019-1010268 EXPLOITDB CRITICAL text WORKING POC
Ladon 0.6.1-0.9.39 - XML External Entity Injection in SOAP Request Handlers
Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.
CVSS 9.8
CVE-2014-6235 EXPLOITDB text WRITEUP
ke_dompdf < 0.0.3 - Remote Code Execution
Unspecified vulnerability in the ke DomPDF extension before 0.0.5 for TYPO3 allows remote attackers to execute arbitrary code via unknown vectors.
CVE-2015-2803 EXPLOITDB text WRITEUP
Akronymmanager < 0.5.0 - Authenticated SQL Injection via id Parameter
SQL injection vulnerability in mod1/index.php in the Akronymmanager (sb_akronymmanager) extension before 7.0.0 for TYPO3 allows remote authenticated users with permission to maintain acronyms to execute arbitrary SQL commands via the id parameter.
CVE-2012-3831 EXPLOITDB text WORKING POC
milesj/decoda < 3.3 - Cross-Site Scripting via img Tag URL
Cross-site scripting (XSS) vulnerability in decoda/templates/video.php in Decoda before 3.3.1 allows remote attackers to inject arbitrary web script or HTML via multiple URLs in an img tag.
EIP-2026-110472 EXPLOITDB text WRITEUP
Papoo CMS 3.7.3 - (Authenticated) Arbitrary Code Execution
CVE-2008-0301 EXPLOITDB text WRITEUP
Mapbender 2.4.4 - SQL Injection via mod_gazetteer_edit.php gaz Parameter
Multiple SQL injection vulnerabilities in Mapbender 2.4.4 allow remote attackers to execute arbitrary SQL commands via the gaz parameter to mod_gazetteer_edit.php and other unspecified vectors.
CVE-2008-0300 EXPLOITDB text WORKING POC
Mapbender 2.4-2.4.4 - Remote Code Execution via mapFiler.php Factor Parameter
mapFiler.php in Mapbender 2.4 to 2.4.4 allows remote attackers to execute arbitrary PHP code via PHP code sequences in the factor parameter, which are not properly handled when accessing a filename that contains those sequences.
CVE-2009-1468 EXPLOITDB bash WORKING POC
IceWarp eMail Server < 9.3.0 - Authenticated SQL Injection via XML Search Query
Multiple SQL injection vulnerabilities in the search form in server/webmail.php in the Groupware component in IceWarp eMail Server and WebMail Server before 9.4.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) sql and (2) order_by elements in an XML search query.
CVE-2009-1467 EXPLOITDB xml WORKING POC
IceWarp eMail Server < 9.3.0 - Cross-Site Scripting via Email Body or RSS Feed Elements
Multiple cross-site scripting (XSS) vulnerabilities in IceWarp eMail Server and WebMail Server before 9.4.2 allow remote attackers to inject arbitrary web script or HTML via (1) the body of a message, related to the email view and incorrect HTML filtering in the cleanHTML function in server/inc/tools.php; or the (2) title, (3) link, or (4) description element in an RSS feed, related to the getHTML function in server/inc/rss/item.php.
CVE-2005-0410 EXPLOITDB text WRITEUP
CitrusDB < 0.3.6 - SQL Injection via CSV File Import
SQL injection vulnerability in importcc.php for CitrusDB 0.3.6 and earlier allows remote attackers to inject data via the fields of a CSV file.
CVE-2005-0408 EXPLOITDB CRITICAL text WORKING POC
citrusdb <= 0.3.6 - Unauthenticated Authentication Bypass via Predictable MD5 Hash
CitrusDB 0.3.6 and earlier generates easily predictable MD5 hashes of the user name for the id_hash cookie, which allows remote attackers to bypass authentication and gain privileges by calculating the MD5 checksum of the user name combined with the "boogaadeeboo" string, which is hard-coded in the $hidden_hash variable.
CVSS 9.8
CVE-2005-0411 EXPLOITDB text WRITEUP
CitrusDB < 0.3.6 - Directory Traversal via Load Parameter
Directory traversal vulnerability in index.php for CitrusDB 0.3.6 and earlier allows remote attackers and local users to include arbitrary PHP files via .. (dot dot) sequences in the load parameter.
CVE-2005-0409 EXPLOITDB text WORKING POC
CitrusDB < 0.3.6 - Unauthenticated Sensitive Information Exposure via Import/Upload Endpoints
CitrusDB 0.3.6 and earlier does not verify authorization for the (1) importcc.php and (2) uploadcc.php, which allows remote attackers to upload credit card data and obtain sensitive information such as the pathnames for temporary files that store credit card data, and facilitates the exploitation of other vulnerabilities.
CVE-2005-0409 EXPLOITDB text WORKING POC
CitrusDB < 0.3.6 - Unauthenticated Sensitive Information Exposure via Import/Upload Endpoints
CitrusDB 0.3.6 and earlier does not verify authorization for the (1) importcc.php and (2) uploadcc.php, which allows remote attackers to upload credit card data and obtain sensitive information such as the pathnames for temporary files that store credit card data, and facilitates the exploitation of other vulnerabilities.
CVE-2007-3017 EXPLOITDB text WORKING POC
activeWeb contentserver <5.6.2964 - XSS
The WYSIWYG editor applet in activeWeb contentserver CMS before 5.6.2964 only filters malicious tags from articles sent to admin/applets/wysiwyg/rendereditor.asp, which allows remote authenticated users to inject arbitrary JavaScript via a request to admin/worklist/worklist_edit.asp.
CVE-2014-4650 EXPLOITDB CRITICAL text WRITEUP
Python 2.7.5 and 3.3.4 - Path Traversal via URL-Encoded Path Separators
The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.
CVSS 9.8
CVE-2014-2399 EXPLOITDB text WRITEUP
Oracle Endeca Server - Info Disclosure
Unspecified vulnerability in the Oracle Endeca Server component in Oracle Fusion Middleware 2.2.2 allows remote attackers to affect integrity via unknown vectors related to Oracle Endeca Information Discovery (Formerly Latitude), a different vulnerability than CVE-2014-2400.
CVE-2009-3555 EXPLOITDB CRITICAL python WORKING POC
Apache HTTP Server < 2.2.14 - Plaintext Injection via TLS Renegotiation
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
CVSS 9.8
CVE-2016-0736 EXPLOITDB HIGH python WORKING POC
Apache HTTP Server <2.4.24 - Info Disclosure
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
CVSS 7.5
EIP-2026-103720 EXPLOITDB text WRITEUP
Websockify (C Implementation) 0.8.0 - Buffer Overflow (PoC)
CVE-2006-2548 EXPLOITDB text WORKING POC
perlpodder < 0.5 - Remote Code Execution via Podcast URL Shell Metacharacters
Prodder before 0.5, and perlpodder before 0.5, allows remote attackers to execute arbitrary code via shell metacharacters in the URL of a podcast (url attribute of an enclosure tag, or $enc_url variable), which is executed when running wget.
EIP-2026-103098 EXPLOITDB text WRITEUP
Dovecot with Exim - 'sender_address' Remote Command Execution
CVE-2018-9842 EXPLOITDB MEDIUM text WRITEUP
CyberArk Password Vault < 9.7 - Exposure of Sensitive Information via Logon Message Replay
CyberArk Password Vault before 9.7 allows remote attackers to obtain sensitive information from process memory by replaying a logon message.
CVSS 5.3