Zeyad Azima

12 exploits Active since Jan 2022
CVE-2024-27348 NOMISEC CRITICAL WORKING POC
Apache HugeGraph-Server - Remote Command Execution
RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.
61 stars
CVSS 9.8
CVE-2024-38856 NOMISEC CRITICAL WORKING POC
Apache OFBiz forgotPassword/ProgramExport RCE
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
48 stars
CVSS 9.8
CVE-2023-26818 NOMISEC MEDIUM WORKING POC
Telegram 9.3.1 and 9.4.0 - Unauthenticated Incorrect Authorization via DYLD_INSERT_LIBRARIES Flag
Telegram 9.3.1 and 9.4.0 allows attackers to access restricted files, microphone ,or video recording via the DYLD_INSERT_LIBRARIES flag.
17 stars
CVSS 5.5
CVE-2022-1388 NOMISEC CRITICAL WORKING POC
F5 BIG-IP iControl RCE via REST Authentication Bypass
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
12 stars
CVSS 9.8
CVE-2024-22263 NOMISEC HIGH SCANNER
Spring Cloud Data Flow - Path Traversal
Spring Cloud Data Flow is a microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization for upload path, a malicious user who has access to skipper server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromises the server.
5 stars
CVSS 8.8
CVE-2022-22733 NOMISEC MEDIUM WORKING POC
Apache ShardingSphere ElasticJob-UI <= 3.0.0 - Authenticated Privilege Escalation via Guest Account
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions.
2 stars
CVSS 6.5
CVE-2024-38856 NOMISEC CRITICAL WORKING POC
Apache OFBiz forgotPassword/ProgramExport RCE
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).
1 stars
CVSS 9.8
CVE-2021-46557 WRITEUP MEDIUM WORKING POC
Vicidial 2.14-783a - Stored Cross-Site Scripting via Input Tabs
Vicidial 2.14-783a was discovered to contain a cross-site scripting (XSS) vulnerability via the input tabs.
CVSS 5.4
CVE-2021-46558 WRITEUP MEDIUM WORKING POC
Issabel PBX 20200102 - Stored Cross-Site Scripting via Add User Module
Multiple cross-site scripting (XSS) vulnerabilities in the Add User module of Issabel PBX 20200102 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the username and password fields.
CVSS 5.4
EIP-2026-114643 EXPLOITDB text WORKING POC
Zoo Management System 1.0 - 'anid' SQL Injection
EIP-2026-112923 EXPLOITDB text WORKING POC
User Management System 1.0 - 'uid' SQL Injection
EIP-2026-110481 EXPLOITDB text WORKING POC
Park Ticketing Management System 1.0 - 'viewid' SQL Injection