RedTeam Pentesting GmbH

54 exploits Active since Jul 2007
CVE-2023-38357 EXPLOITDB MEDIUM text WRITEUP
RWS WorldServer <11.7.3 - Info Disclosure
Session tokens in RWS WorldServer 11.7.3 and earlier have a low entropy and can be enumerated, leading to unauthorized access to user sessions.
CVSS 5.3
CVE-2023-0214 EXPLOITDB MEDIUM text WRITEUP
Skyhigh SWG <11.2.6-10.2.17-12.0.1 - XSS
A cross-site scripting vulnerability in Skyhigh SWG in main releases 11.x prior to 11.2.6, 10.x prior to 10.2.17, and controlled release 12.x prior to 12.0.1 allows a remote attacker to craft SWG-specific internal requests with URL paths to any third-party website, causing arbitrary content to be injected into the response when accessed through SWG.
CVSS 6.1
CVE-2020-25820 EXPLOITDB MEDIUM text WORKING POC
BigBlueButton < 2.2.27 - Authenticated Server-Side Request Forgery via ODF xlink Field
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
CVSS 6.5
CVE-2016-0736 EXPLOITDB HIGH python WORKING POC
Apache HTTP Server <2.4.24 - Info Disclosure
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
CVSS 7.5
CVE-2021-37425 EXPLOITDB CRITICAL text WORKING POC
Altova MobileTogether Server < 7.3 SP1 - XML External Entity Injection via Workflow Management Endpoint
Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key.
CVSS 9.1
CVE-2009-3555 EXPLOITDB CRITICAL python WORKING POC
Apache HTTP Server < 2.2.14 - Plaintext Injection via TLS Renegotiation
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
CVSS 9.8
EIP-2026-103720 EXPLOITDB text WRITEUP
Websockify (C Implementation) 0.8.0 - Buffer Overflow (PoC)
CVE-2007-3011 EXPLOITDB text WORKING POC
Fujitsu-Siemens Computers ServerView <4.50.09 - Command Injection
The DBAsciiAccess CGI Script in the web interface in Fujitsu-Siemens Computers ServerView before 4.50.09 allows remote attackers to execute arbitrary commands via shell metacharacters in the Servername subparameter of the ParameterList parameter.
CVE-2011-0751 EXPLOITDB bash WORKING POC
nostromo < 1.9.4 - Remote Code Execution and Arbitrary File Read via Encoded Dot-Dot-Slash
Directory traversal vulnerability in nhttpd (aka Nostromo webserver) before 1.9.4 allows remote attackers to execute arbitrary programs or read arbitrary files via a ..%2f (encoded dot dot slash) in a URI.
EIP-2026-103098 EXPLOITDB text WRITEUP
Dovecot with Exim - 'sender_address' Remote Command Execution
CVE-2018-9842 EXPLOITDB MEDIUM text WRITEUP
CyberArk Password Vault < 9.7 - Exposure of Sensitive Information via Logon Message Replay
CyberArk Password Vault before 9.7 allows remote attackers to obtain sensitive information from process memory by replaying a logon message.
CVSS 5.3
CVE-2010-0553 EXPLOITDB ruby WORKING POC
Geo++ GNCASTER <= 1.4.0.7 - DoS and Possible RCE via Long NMEA Data
Geo++ GNCASTER 1.4.0.7 and earlier allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a long NMEA data sentence.
CVE-2010-0552 EXPLOITDB text WORKING POC
Geo++ GNCASTER < 1.4.0.7 - Denial of Service via Long URI Request
Geo++ GNCASTER 1.4.0.7 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via multiple requests for a non-existent file using a long URI.
CVE-2022-42953 EXPLOITDB HIGH text WRITEUP
ZKTeco ZEM and ZMM Firmware - Unauthenticated Sensitive Information Exposure via Direct Request
Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. The affected versions may be before 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210). The fixed versions are firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and firmware version 15.00 (ZMM200-220-210).
CVSS 7.5
CVE-2023-33243 EXPLOITDB HIGH text WORKING POC
STARFACE < 7.3.0.10 - Authentication Bypass via Password Hash
RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash.
CVSS 8.1
EIP-2026-102432 EXPLOITDB text WRITEUP
WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure
CVE-2022-23178 EXPLOITDB CRITICAL text WRITEUP
Crestron HD-MD4X2-4K-E Firmware 1.0.0.2159 - Unauthenticated Credential Disclosure via aj.html
An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.
CVSS 9.8
CVE-2014-9303 EXPLOITDB text WRITEUP
EntryPass N5200 Active Network Control Panel - Unauthenticated Exposure of Sensitive Information via URL Character Range
EntryPass N5200 Active Network Control Panel allows remote attackers to read device memory and obtain the administrator username and password via a URL starting with an ASCII character o through z or A through D, different vectors than CVE-2014-8868.
CVE-2020-26567 EXPLOITDB MEDIUM text WRITEUP
D-Link DSR-250N < 3.17b - Unauthenticated Denial of Service via upgradeStatusReboot.cgi
An issue was discovered on D-Link DSR-250N before 3.17B devices. The CGI script upgradeStatusReboot.cgi can be accessed without authentication. Any access reboots the device, rendering it therefore unusable for several minutes.
CVSS 5.5
EIP-2026-101166 EXPLOITDB text WORKING POC
Auerswald COMpact 8.0B - Privilege Escalation
CVE-2021-40859 EXPLOITDB CRITICAL text WRITEUP
Auerswald COMpact 5500R <8.0B - RCE
Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow attackers with access to the web based management application full administrative access to the device.
CVSS 9.8
EIP-2026-101164 EXPLOITDB text WRITEUP
Auerswald COMfortel 2.8F - Authentication Bypass
EIP-2026-101165 EXPLOITDB text WORKING POC
Auerswald COMpact 8.0B - Arbitrary File Disclosure
CVE-2020-26887 EXPLOITDB HIGH text WRITEUP
FRITZ!Box 7490 Firmware < 7.21 - DNS Rebinding Protection Mechanism Bypass
FRITZ!OS before 7.21 on FRITZ!Box devices allows a bypass of a DNS Rebinding protection mechanism.
CVSS 7.8
CVE-2019-1653 EXPLOITDB HIGH ruby WORKING POC
Cisco RV320 and RV325 Unauthenticated Remote Code Execution
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.
CVSS 7.5