Vulnmachines

38 exploits Active since Jan 2019
CVE-2021-30461 NOMISEC CRITICAL WORKING POC
VoIPmonitor < 24.61 - Unauthenticated Remote Code Execution via SPOOLDIR Injection
A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.
2 stars
CVSS 9.8
CVE-2021-27651 NOMISEC CRITICAL WRITEUP
Pega Infinity 8.2.1-8.5.2 - Authentication Bypass via Password Reset
In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
2 stars
CVSS 9.8
CVE-2021-44228 NOMISEC CRITICAL WORKING POC
Log4Shell HTTP Header Injection
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
2 stars
CVSS 10.0
CVE-2022-33891 NOMISEC HIGH SUSPICIOUS
Apache Spark UI - Privilege Escalation
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
1 stars
CVSS 8.8
CVE-2021-38647 NOMISEC CRITICAL SUSPICIOUS
Microsoft OMI Management Interface Authentication Bypass
Open Management Infrastructure Remote Code Execution Vulnerability
1 stars
CVSS 9.8
CVE-2021-29349 NOMISEC MEDIUM SUSPICIOUS
Mahara 20.10 - Cross-Site Request Forgery via Inbox Mail Deletion
Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php pieform_delete_all_notifications request, which leads to removing all messages from a mailbox.
1 stars
CVSS 6.5
CVE-2021-3007 NOMISEC CRITICAL WORKING POC
Laminas Project laminas-http <2.14.2 - Code Injection
Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized
1 stars
CVSS 9.8
CVE-2020-8417 NOMISEC HIGH SUSPICIOUS
Code Snippets < 2.14.0 - Cross-Site Request Forgery via Import Menu
The Code Snippets plugin before 2.14.0 for WordPress allows CSRF because of the lack of a Referer check on the import menu.
1 stars
CVSS 8.8
CVE-2020-9496 NOMISEC MEDIUM SUSPICIOUS
Apache OFBiz 17.12.03 - Deserialization of Untrusted Data and Cross-Site Scripting via XML-RPC Requests
XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
1 stars
CVSS 6.1
CVE-2021-22053 NOMISEC HIGH WRITEUP
Spring Cloud Netflix Hystrix Dashboard - Remote Code Execution via Request URI Path SpringEL Injection
Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
1 stars
CVSS 8.8
CVE-2019-19781 NOMISEC CRITICAL SUSPICIOUS
Citrix ADC (NetScaler) Directory Traversal Scanner
An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
1 stars
CVSS 9.8
CVE-2021-44228 NOMISEC CRITICAL STUB
Log4Shell HTTP Header Injection
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
CVSS 10.0
CVE-2021-22214 NOMISEC MEDIUM SUSPICIOUS
GitLab 10.5-13.10.4 - Unauthenticated Server-Side Request Forgery via Webhook Internal Network Requests
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited
CVSS 6.8