Stefan Broeder

7 exploits Active since Mar 2018
CVE-2018-2879 NOMISEC CRITICAL WORKING POC
Oracle Fusion Middleware 11.1.2.3.0-12.2.1.3.0 - Unauthenticated RCE
Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID My Oracle Support Note 2386496.1 (http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2386496.1) for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
25 stars
CVSS 9.0
EIP-2026-114209 EXPLOITDB text WRITEUP
Wordpress Plugin WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure
CVE-2018-9035 EXPLOITDB CRITICAL text WRITEUP
Contact Form 7 to Database Ext <2.10.32 - Code Injection
CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form.
CVSS 9.6
CVE-2018-8729 EXPLOITDB MEDIUM text WRITEUP
WordPress Activity Log <2.4.1 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in the Activity Log plugin before 2.4.1 for WordPress allow remote attackers to inject arbitrary JavaScript or HTML via a title that is not escaped.
CVSS 6.1
CVE-2018-9034 EXPLOITDB MEDIUM text WORKING POC
Relevanssi < 4.0.4 - XSS
Cross-site scripting (XSS) vulnerability in lib/interface.php of the Relevanssi plugin 4.0.4 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the tab GET parameter.
CVSS 5.4
CVE-2018-7543 EXPLOITDB MEDIUM text WORKING POC
Awesomemotive Duplicator - XSS
Cross-site scripting (XSS) vulnerability in installer/build/view.step4.php of the SnapCreek Duplicator plugin 1.2.32 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the json parameter.
CVSS 6.1
CVE-2018-8729 EXPLOITDB MEDIUM text WRITEUP
WordPress Activity Log <2.4.1 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in the Activity Log plugin before 2.4.1 for WordPress allow remote attackers to inject arbitrary JavaScript or HTML via a title that is not escaped.
CVSS 6.1