ar2o3

6 exploits Active since Jan 2020
CVE-2022-30190 NOMISEC HIGH WORKING POC
Microsoft Office Word MSDTJS
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.
8 stars
CVSS 7.8
CVE-2020-29607 NOMISEC HIGH WORKING POC
Pluck CMS <4.7.13 - RCE
A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the "manage files" functionality, which may result in remote code execution.
6 stars
CVSS 7.2
CVE-2022-26133 NOMISEC CRITICAL WORKING POC
Atlassian Bitbucket Data Center <7.17.6 - Code Injection
SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.
3 stars
CVSS 9.8
CVE-2021-25076 NOMISEC HIGH WORKING POC
WP User Frontend <3.5.26 - SQL Injection
The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting
3 stars
CVSS 8.8
CVE-2022-24124 NOMISEC HIGH WORKING POC
Casdoor <1.13.1 - SQL Injection
The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
1 stars
CVSS 7.5
CVE-2020-2551 NOMISEC CRITICAL SCANNER
Oracle WebLogic Server <12.2.1.4 - RCE
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
1 stars
CVSS 9.8