RedTeam Pentesting GmbH

54 exploits Active since Jul 2007
CVE-2020-13935 NOMISEC HIGH WORKING POC
Apache Tomcat 7.0.27-7.0.104, 8.5.0-8.5.56, 9.0.0.M1-9.0.36, 10.0.0-M1-M6 DoS via WebSocket Frame Payload Length
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
169 stars
CVSS 7.5
CVE-2024-6592 NOMISEC CRITICAL WORKING POC
WatchGuard Authentication Gateway and Single Sign-On Client - Authentication Bypass via Protocol Communication
Incorrect Authorization vulnerability in the protocol communication between the WatchGuard Authentication Gateway (aka Single Sign-On Agent) on Windows and the WatchGuard Single Sign-On Client on Windows and MacOS allows Authentication Bypass.This issue affects the Authentication Gateway: through 12.10.2; Windows Single Sign-On Client: through 12.7; MacOS Single Sign-On Client: through 12.5.4.
3 stars
CVSS 9.1
CVE-2023-33243 NOMISEC HIGH WORKING POC
STARFACE < 7.3.0.10 - Authentication Bypass via Password Hash
RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash.
1 stars
CVSS 8.1
CVE-2020-13935 NOMISEC HIGH WORKING POC
Apache Tomcat 7.0.27-7.0.104, 8.5.0-8.5.56, 9.0.0.M1-9.0.36, 10.0.0-M1-M6 DoS via WebSocket Frame Payload Length
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
CVSS 7.5
CVE-2019-1652 METASPLOIT HIGH ruby WORKING POC
Cisco RV320 and RV325 Firmware 1.4.2.15-1.4.2.21 - Authenticated Remote Code Execution via HTTP POST Request
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability.
CVSS 7.2
CVE-2021-42565 EXPLOITDB MEDIUM WRITEUP
myfactory FMS < 7.1-912 - Cross-Site Scripting via UID Parameter
myfactory.FMS before 7.1-912 allows XSS via the UID parameter.
CVSS 6.1
CVE-2014-8868 EXPLOITDB WRITEUP
EntryPass N5200 Active Network Control Panel - Unauthenticated Sensitive Information Exposure via /4 Endpoint
EntryPass N5200 Active Network Control Panel does not properly restrict access, which allows remote attackers to obtain the administrator username and password, and possibly other sensitive information, via a request to /4.
CVE-2019-1652 EXPLOITDB HIGH ruby WORKING POC
Cisco RV320 and RV325 Firmware 1.4.2.15-1.4.2.21 - Authenticated Remote Code Execution via HTTP POST Request
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability.
CVSS 7.2
CVE-2019-1010268 EXPLOITDB CRITICAL text WORKING POC
Ladon 0.6.1-0.9.39 - XML External Entity Injection in SOAP Request Handlers
Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.
CVSS 9.8
CVE-2019-1653 METASPLOIT HIGH ruby WORKING POC
Cisco RV320 and RV325 Unauthenticated Remote Code Execution
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.
CVSS 7.5
CVE-2019-1653 METASPLOIT HIGH ruby WORKING POC
Cisco RV320 and RV325 Unauthenticated Remote Code Execution
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.
CVSS 7.5
CVE-2024-43425 METASPLOIT HIGH ruby WORKING POC
Moodle Remote Code Execution (CVE-2024-43425)
A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.
CVSS 8.1
CVE-2014-2303 EXPLOITDB text WRITEUP
webEdition CMS <6.3.8-s1 - SQL Injection
Multiple SQL injection vulnerabilities in the file browser component (we_fs.php) in webEdition CMS before 6.2.7-s1.2 and 6.3.x through 6.3.8 before -s1 allow remote attackers to execute arbitrary SQL commands via the (1) table or (2) order parameter.
CVE-2015-2803 EXPLOITDB text WRITEUP
Akronymmanager < 0.5.0 - Authenticated SQL Injection via id Parameter
SQL injection vulnerability in mod1/index.php in the Akronymmanager (sb_akronymmanager) extension before 7.0.0 for TYPO3 allows remote authenticated users with permission to maintain acronyms to execute arbitrary SQL commands via the id parameter.
CVE-2011-0745 EXPLOITDB text WRITEUP
SugarCRM < 6.1.3 - Authenticated Information Disclosure via ShowDuplicates Action
SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) the names of contact persons via a ShowDuplicates action to the Contacts module, reachable through index.php.
EIP-2026-111737 EXPLOITDB text WORKING POC
Relay Ajax Directory Manager relayb01-071706/1.5.1/1.5.3 - Arbitrary File Upload
EIP-2026-110470 EXPLOITDB text WORKING POC
Papoo 3.x - Upload Images Arbitrary File Upload
EIP-2026-110472 EXPLOITDB text WRITEUP
Papoo CMS 3.7.3 - (Authenticated) Arbitrary Code Execution
EIP-2026-110429 EXPLOITDB text WORKING POC
Owl Intranet Engine 1.00 - 'userid' Authentication Bypass
CVE-2008-0301 EXPLOITDB text WRITEUP
Mapbender 2.4.4 - SQL Injection via mod_gazetteer_edit.php gaz Parameter
Multiple SQL injection vulnerabilities in Mapbender 2.4.4 allow remote attackers to execute arbitrary SQL commands via the gaz parameter to mod_gazetteer_edit.php and other unspecified vectors.
CVE-2008-0300 EXPLOITDB text WORKING POC
Mapbender 2.4-2.4.4 - Remote Code Execution via mapFiler.php Factor Parameter
mapFiler.php in Mapbender 2.4 to 2.4.4 allows remote attackers to execute arbitrary PHP code via PHP code sequences in the factor parameter, which are not properly handled when accessing a filename that contains those sequences.
CVE-2009-1467 EXPLOITDB xml WORKING POC
IceWarp eMail Server < 9.3.0 - Cross-Site Scripting via Email Body or RSS Feed Elements
Multiple cross-site scripting (XSS) vulnerabilities in IceWarp eMail Server and WebMail Server before 9.4.2 allow remote attackers to inject arbitrary web script or HTML via (1) the body of a message, related to the email view and incorrect HTML filtering in the cleanHTML function in server/inc/tools.php; or the (2) title, (3) link, or (4) description element in an RSS feed, related to the getHTML function in server/inc/rss/item.php.
CVE-2009-1467 EXPLOITDB text WORKING POC
IceWarp eMail Server < 9.3.0 - Cross-Site Scripting via Email Body or RSS Feed Elements
Multiple cross-site scripting (XSS) vulnerabilities in IceWarp eMail Server and WebMail Server before 9.4.2 allow remote attackers to inject arbitrary web script or HTML via (1) the body of a message, related to the email view and incorrect HTML filtering in the cleanHTML function in server/inc/tools.php; or the (2) title, (3) link, or (4) description element in an RSS feed, related to the getHTML function in server/inc/rss/item.php.
CVE-2009-1469 EXPLOITDB python WORKING POC
IceWarp eMail Server < 9.4.2 - CRLF Injection via Forgot Password XML Subject
CRLF injection vulnerability in the Forgot Password implementation in server/webmail.php in IceWarp eMail Server and WebMail Server before 9.4.2 makes it easier for remote attackers to trick a user into disclosing credentials via CRLF sequences preceding a Reply-To header in the subject element of an XML document, as demonstrated by triggering an e-mail message from the server that contains a user's correct credentials, and requests that the user compose a reply that includes this message.
CVE-2021-42566 EXPLOITDB MEDIUM text WRITEUP
myfactory FMS < 7.1-912 - Cross-Site Scripting via Error Parameter
myfactory.FMS before 7.1-912 allows XSS via the Error parameter.
CVSS 6.1