SEC Consult

94 exploits, active since Dec 2005
CVE-2015-7255 WRITEUP HIGH WRITEUP
ZTE Ox-330p Firmware - Information Disclosure
ZTE OX-330P, ZXHN H108N, W300V1.0.0S_ZRD_TR1_D68, HG110, GAN9.8T101A-B, MF28G, ZXHN H108N use non-unique X.509 certificates and SSH host keys, which might allow remote attackers to obtain credentials or other sensitive information via a man-in-the-middle attack, passive decryption attack, or impersonating a legitimate device.
CVSS 7.5
CVE-2018-7706 EXPLOITDB MEDIUM text WRITEUP
SecurEnvoy SecurMail <9.2.501 - Path Traversal
Directory traversal vulnerability in SecurEnvoy SecurMail before 9.2.501 allows remote authenticated users to read arbitrary e-mail messages via a .. (dot dot) in the option2 parameter in an attachment action to secmail/getmessage.exe.
CVSS 6.5
CVE-2018-7705 EXPLOITDB HIGH text WRITEUP
SecurEnvoy SecurMail <9.2.501 - Path Traversal
Directory traversal vulnerability in SecurEnvoy SecurMail before 9.2.501 allows remote authenticated users to read e-mail messages to arbitrary recipients via a .. (dot dot) in the filename parameter to secupload2/upload.aspx.
CVSS 8.1
CVE-2018-7704 EXPLOITDB MEDIUM text WRITEUP
SecurEnvoy SecurMail <9.2.501 - Info Disclosure
SecurEnvoy SecurMail before 9.2.501 allows remote authenticated users to read arbitrary e-mail messages via the option1 parameter in a reply action to secmail/getmessage.exe.
CVSS 6.5
CVE-2018-7703 EXPLOITDB MEDIUM text WRITEUP
SecurEnvoy SecurMail <9.2.501 - XSS
Cross-site scripting (XSS) vulnerability in SecurEnvoy SecurMail before 9.2.501 allows remote attackers to inject arbitrary web script or HTML via the mailboxid parameter to secmail/getmessage.exe.
CVSS 6.1
CVE-2018-7702 EXPLOITDB CRITICAL text WRITEUP
SecurEnvoy SecurMail <9.2.501 - RCE
SecurEnvoy SecurMail before 9.2.501 allows remote attackers to spoof transmission of arbitrary e-mail messages, resend e-mail messages to arbitrary recipients, or modify arbitrary message bodies and attachments by leveraging missing authentication and authorization.
CVSS 9.1
CVE-2018-7701 EXPLOITDB MEDIUM text WRITEUP
SecurEnvoy SecurMail <9.2.501 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in SecurEnvoy SecurMail before 9.2.501 allow remote attackers to hijack the authentication of arbitrary users for requests that (1) delete e-mail messages via a delete action in a request to secmail/getmessage.exe or (2) spoof arbitrary users and reply to their messages via a request to secserver/securectrl.exe.
CVSS 6.5
CVE-2018-14058 EXPLOITDB MEDIUM text WRITEUP
Pimcore <5.3.0 - SQL Injection
Pimcore before 5.3.0 allows SQL Injection via the REST web service API.
CVSS 6.5
CVE-2018-14057 EXPLOITDB HIGH text WRITEUP
Pimcore <5.3.0 - CSRF
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.
CVSS 8.8
CVE-2018-12980 EXPLOITDB HIGH text WRITEUP
Wago 762-3000 Firmware < 02 - Unrestricted File Upload
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. The vulnerability allows an authenticated user to upload arbitrary files to the file system with the permissions of the web server.
CVSS 8.8
CVE-2018-12979 EXPLOITDB MEDIUM text WRITEUP
Wago 762-3000 Firmware < 02 - Incorrect Permission Assignment
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. Weak permissions allow an authenticated user to overwrite critical files by abusing the unrestricted file upload in the WBM.
CVSS 6.5
CVE-2015-1481 EXPLOITDB text WRITEUP
Ansible Tower <2.0.5 - Privilege Escalation
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote organization administrators to gain privileges by creating a superuser account.
CVE-2016-8526 EXPLOITDB HIGH text WRITEUP
Aruba Airwave <8.2.3.1 - XXE
Aruba Airwave, all versions up to but not including 8.2.3.1, is vulnerable to XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exists on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation.
CVSS 8.8
CVE-2016-1611 EXPLOITDB HIGH text WRITEUP
Novell Filr <1.2-2.0 - Privilege Escalation
Novell Filr 1.2 before Hot Patch 6 and 2.0 before Hot Patch 2 uses world-writable permissions for /etc/profile.d/vainit.sh, which allows local users to gain privileges by replacing this file's content with arbitrary shell commands.
CVSS 7.8
CVE-2016-1609 EXPLOITDB MEDIUM text WRITEUP
Novell Filr <1.2 SU3 & <2.0 SU2 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allow remote authenticated users to inject arbitrary web script or HTML via crafted input, as demonstrated by a crafted attribute of an IMG element in the phone field of a user profile.
CVSS 5.4
CVE-2016-1608 EXPLOITDB HIGH text WRITEUP
Novell Filr <2.0 - Authenticated RCE
vaconfig/time in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ntpServer parameter.
CVSS 8.8
CVE-2016-1607 EXPLOITDB HIGH text WRITEUP
Novell Filr <2.0 SU2 - CSRF
Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative interface in Novell Filr before 2.0 Security Update 2 allow remote attackers to hijack the authentication of administrators, as demonstrated by reconfiguring time settings via a vaconfig/time request.
CVSS 7.2
CVE-2015-7570 EXPLOITDB HIGH text WRITEUP
Yeager CMS 1.2.1 - SSRF
Multiple server-side request forgery (SSRF) vulnerabilities in Yeager CMS 1.2.1 allow remote attackers to trigger outbound requests and enumerate open ports via the dbhost parameter to libs/org/adodb_lite/tests/test_adodb_lite.php, libs/org/adodb_lite/tests/test_datadictionary.php, or libs/org/adodb_lite/tests/test_adodb_lite_sessions.php.
CVSS 7.2
CVE-2015-7569 EXPLOITDB HIGH text WRITEUP
Yeager CMS 1.2.1 - SQL Injection
SQL injection vulnerability in "yeager/y.php/tab_USERLIST" in Yeager CMS 1.2.1 allows local users to execute arbitrary SQL commands via the "pagedir_orderby" parameter.
CVSS 8.8
CVE-2015-7568 EXPLOITDB CRITICAL text WRITEUP
Yeager CMS 1.2.1 - SQL Injection
SQL injection vulnerability in the password recovery feature in Yeager CMS 1.2.1 allows remote attackers to change the account credentials of known users via the "userEmail" parameter.
CVSS 9.8
CVE-2015-7567 EXPLOITDB CRITICAL text WRITEUP
Yeager CMS 1.2.1 - SQL Injection
SQL injection vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary SQL commands via the "passwordreset&token" parameter.
CVSS 9.8
CVE-2015-1368 EXPLOITDB text WRITEUP
Ansible Tower <2.0.5 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in Ansible Tower (aka Ansible UI) before 2.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) order_by parameter to credentials/, (2) inventories/, (3) projects/, or (4) users/3/permissions/ in api/v1/ or the (5) next_run parameter to api/v1/schedules/.
CVE-2015-7571 EXPLOITDB HIGH text WRITEUP
Yeager CMS 1.2.1 - RCE
Unrestricted file upload vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension.
CVSS 7.8
CVE-2015-4684 EXPLOITDB MEDIUM text WRITEUP
Polycom Realpresence Resource Manager < 8.3.2 - Credentials Management
Multiple directory traversal vulnerabilities in Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allow (1) remote authenticated users to read arbitrary files via a .. (dot dot) in the Modifier parameter to PlcmRmWeb/FileDownload; or remote authenticated administrators to upload arbitrary files via the (2) Filename or (3) SE_FNAME parameter to PlcmRmWeb/FileUpload or to read and remove arbitrary files via the (4) filePathName parameter in an importSipUriReservations SOAP request to PlcmRmWeb/JUserManager.
CVSS 6.5
CVE-2015-4683 EXPLOITDB CRITICAL text WRITEUP
Polycom Realpresence Resource Manager < 8.3.2 - Access Control
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows attackers to obtain sensitive information and potentially gain privileges by leveraging use of session identifiers as parameters with HTTP GET requests.
CVSS 9.8