Sarang Tumne

10 exploits Active since Nov 2020
CVE-2021-46360 WRITEUP HIGH WORKING POC
Composr-CMS <10.0.39 - Authenticated RCE
Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.
CVSS 8.8
CVE-2022-26149 WRITEUP HIGH WRITEUP
MODX Revolution <2.8.3-pl - Authenticated RCE
MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator.
CVSS 7.2
CVE-2020-37025 EXPLOITDB HIGH python WORKING POC
Port Forwarding Wizard 4.8.0 - Local Buffer Overflow via Register Feature
Port Forwarding Wizard 4.8.0 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code through a long request in the Register feature. Attackers can craft a malicious payload with an egg tag and overwrite SEH handlers to potentially execute shellcode on vulnerable Windows systems.
CVSS 8.4
CVE-2020-28183 EXPLOITDB CRITICAL text WORKING POC
SourceCodester Water Billing System 1.0 - SQL Injection via Username and Password Parameters
SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the username and password parameters to process.php.
CVSS 9.8
CVE-2022-26982 EXPLOITDB HIGH text WORKING POC
SimpleMachinesForum <2.1.1 - Authenticated RCE
SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator. NOTE: the vendor's position is that administrators are intended to have the ability to modify themes, and can thus choose any PHP code that they wish to have executed on the server.
CVSS 7.2
CVE-2022-26149 EXPLOITDB HIGH text WORKING POC
MODX Revolution <2.8.3-pl - Authenticated RCE
MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator.
CVSS 7.2
CVE-2022-26986 EXPLOITDB HIGH text WORKING POC
ImpressCMS < 1.4.3 - SQL Injection
SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject into the code in unintended way, this allows an attacker to read and modify the sensitive information from the database used by the application. If misconfigured, an attacker can even upload a malicious web shell to compromise the entire system.
CVSS 7.2
CVE-2021-46360 EXPLOITDB HIGH text WORKING POC
Composr-CMS <10.0.39 - Authenticated RCE
Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.
CVSS 8.8
CVE-2022-26521 EXPLOITDB HIGH text WORKING POC
Abantecart <= 1.3.2 - Authenticated Remote Code Execution via Media Manager Image Upload
Abantecart through 1.3.2 allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Catalog>Media Manager>Images settings can be changed by an administrator (e.g., by configuring .php to be a valid image file type).
CVSS 7.2
EIP-2026-101540 EXPLOITDB text WORKING POC
Avaya Aura Communication Manager 5.2 - Remote Code Execution