alt3kx

45 exploits, active since Apr 2001
CVE-2023-24055 NOMISEC MEDIUM WORKING POC
KeePass < 2.53 - Cleartext Password Exposure via Export Trigger
KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
255 stars
CVSS 5.5
CVE-2021-21985 NOMISEC CRITICAL WORKING POC
VMware vCenter Server - Remote Code Execution via Virtual SAN Health Check Plugin
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
215 stars
CVSS 9.8
CVE-2022-22965 NOMISEC CRITICAL SCANNER
Spring Framework - Remote Code Execution via Data Binding
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
101 stars
CVSS 9.8
CVE-2022-1388 NOMISEC CRITICAL WORKING POC
F5 BIG-IP iControl RCE via REST Authentication Bypass
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
87 stars
CVSS 9.8
CVE-2021-21972 NOMISEC CRITICAL SCANNER
VMware vCenter Server and Cloud Foundation - Remote Code Execution via vSphere Client Plugin
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
54 stars
CVSS 9.8
CVE-2021-26084 NOMISEC CRITICAL WRITEUP
Atlassian Confluence Server and Data Center - OGNL Injection
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
54 stars
CVSS 9.8
CVE-2021-26855 NOMISEC CRITICAL WORKING POC
Microsoft Exchange ProxyLogon RCE
Microsoft Exchange Server Remote Code Execution Vulnerability
53 stars
CVSS 9.1
CVE-2022-22965 NOMISEC CRITICAL WORKING POC
Spring Framework - Remote Code Execution via Data Binding
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
17 stars
CVSS 9.8
CVE-2018-12463 NOMISEC CRITICAL WRITEUP
HP Fortify Software Security Center 17.1, 17.2, 18.1 - Unauthenticated XML External Entity Injection via Crafted DTD
An XML external entity (XXE) vulnerability in Fortify Software Security Center (SSC), versions 17.1, 17.2, 18.1, allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
5 stars
CVSS 9.8
CVE-2019-10685 NOMISEC MEDIUM WRITEUP
Heidelberg Prinect Archiver v2013 release 1.0 - Reflected Cross-Site Scripting
A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Heidelberg Prinect Archiver v2013 release 1.0.
2 stars
CVSS 6.1
CVE-2018-7691 NOMISEC MEDIUM WRITEUP
Micro Focus Fortify SSC <18.10 - RCE
A potential Remote Unauthorized Access vulnerability in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10. Exploitation could allow Remote Unauthorized Access.
1 star
CVSS 6.5
CVE-2018-7690 NOMISEC MEDIUM WRITEUP
Micro Focus Fortify SSC <18.10 - RCE
A potential Remote Unauthorized Access vulnerability in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10. Exploitation could allow Remote Unauthorized Access.
1 star
CVSS 6.5
CVE-2026-23918 NOMISEC HIGH WORKING POC
Apache HTTP Server: http2: double free and possible RCE on early reset
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVSS 8.8
CVE-2018-12596 NOMISEC CRITICAL WRITEUP
Episerver Ektron CMS < 9.0 SP3 CU 31 / 9.1 < SP3 CU 45 / 9.2 < SP2 CU 22 - Unauthenticated Privilege Escalation
Episerver Ektron CMS before 9.0 SP3 Site CU 31, 9.1 before SP3 Site CU 45, or 9.2 before SP2 Site CU 22 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).
CVSS 9.8
CVE-2018-10732 NOMISEC MEDIUM WRITEUP
Dataiku Data Science Studio < 4.2.3 - Unauthenticated Sensitive Information Exposure via Profile Picture Visibility
The REST API in Dataiku DSS before 4.2.3 allows remote attackers to obtain sensitive information (i.e., determine if a username is valid) because of profile pictures visibility.
CVSS 5.3
CVE-2002-0448 NOMISEC STUB
Xerver < 2.10 - Denial of Service via HTTP Request with Repeated C:/ Sequences
Xerver Free Web Server 2.10 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request that contains many "C:/" sequences.
CVE-2002-0740 NOMISEC WORKING POC
slrn - Local Privilege Escalation via Long -d Argument
Buffer overflow in slrnpull for the SLRN package, when installed setuid or setgid, allows local users to gain privileges via a long -d (SPOOLDIR) argument.
CVE-2002-0991 NOMISEC WORKING POC
HP CIFS/9000 Client <= A.01.06 - Local Buffer Overflow via Long Command Parameters
Buffer overflows in the cifslogin command for HP CIFS/9000 Client A.01.06 and earlier, based on the Sharity package, allow local users to gain root privileges via long (1) -U, (2) -D, (3) -P, (4) -S, (5) -N, or (6) -u parameters.
CVE-2004-2549 NOMISEC STUB
Nortel WLAN Access Point 2220, 2221, 2225 - Denial of Service via TCP Request with Large String and Newlines
Nortel Wireless LAN (WLAN) Access Point (AP) 2220, 2221, and 2225 allow remote attackers to cause a denial of service (service crash) via a TCP request with a large string, followed by 8 newline characters, to (1) the Telnet service on TCP port 23 and (2) the HTTP service on TCP port 80, possibly due to a buffer overflow.
CVE-2007-3830 NOMISEC WRITEUP
ISS Proventia Network IPS GX5008 and GX5108 - Cross-Site Scripting via Alert Reminder Parameter
Cross-site scripting (XSS) vulnerability in alert.php in ISS Proventia Network IPS GX5108 1.3 and GX5008 1.5 allows remote attackers to inject arbitrary web script or HTML via the reminder parameter.
CVE-2007-3831 NOMISEC WRITEUP
IBM Proventia Network IPS GX5008 1.5 and GX5108 1.3 - Remote File Inclusion via main.php page Parameter
PHP remote file inclusion in main.php in ISS Proventia Network IPS GX5108 1.3 and GX5008 1.5 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.
CVE-2007-5036 NOMISEC WRITEUP
AirDefense Airsensor M520 4.3.1.1 and 4.4.1.4 - Authenticated Denial of Service via Crafted HTTPS Query String
Multiple buffer overflows in the AirDefense Airsensor M520 with firmware 4.3.1.1 and 4.4.1.4 allow remote authenticated users to cause a denial of service (HTTPS service outage) via a crafted query string in an HTTPS request to (1) adLog.cgi, (2) post.cgi, or (3) ad.cgi, related to the "files filter."
CVE-2007-6638 NOMISEC WRITEUP
March Networks DVR 3204 - Info Disclosure
March Networks DVR 3204 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain usernames, passwords, device names, and IP addresses via a direct request for scripts/logfiles.tar.gz.
CVE-2009-4118 NOMISEC WRITEUP
Cisco VPN client for Windows <5.0.06.0100 - DoS
The StartServiceCtrlDispatcher function in the cvpnd service (cvpnd.exe) in Cisco VPN client for Windows before 5.0.06.0100 does not properly handle an ERROR_FAILED_SERVICE_CONTROLLER_CONNECT error, which allows local users to cause a denial of service (service crash and VPN connection loss) via a manual start of cvpnd.exe while the cvpnd service is running.
CVE-2008-6827 NOMISEC HIGH STUB
Symantec Altiris Deployment Solution 6.0-6.9.355 - Local Privilege Escalation via Shatter Attack on AClient.exe
The ListView control in the Client GUI (AClient.exe) in Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 allows local users to gain SYSTEM privileges and execute arbitrary commands via a "Shatter" style attack on the "command prompt" hidden GUI button to (1) overwrite the CommandLine parameter to cmd.exe to use SYSTEM privileges and (2) modify the DLL that is loaded using the LoadLibrary API function.
CVSS 7.8