d0rb

26 exploits Active since Jul 2021
CVE-2023-36874 NOMISEC HIGH WORKING POC
Windows Error Reporting Service - Privilege Escalation
Windows Error Reporting Service Elevation of Privilege Vulnerability
77 stars
CVSS 7.8
CVE-2024-6387 NOMISEC HIGH WORKING POC
OpenSSH - DoS
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
49 stars
CVSS 8.1
CVE-2023-38545 NOMISEC CRITICAL WORKING POC
libcurl 7.69.0-8.4.0 - Heap-Based Buffer Overflow in SOCKS5 Proxy Handshake
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.
22 stars
CVSS 9.8
CVE-2023-30943 NOMISEC MEDIUM WORKING POC
Moodle 4.1.0-4.1.2 - Unauthenticated Arbitrary Folder Creation via TinyMCE Loader
The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.
18 stars
CVSS 6.5
CVE-2024-21762 NOMISEC CRITICAL WORKING POC
FortiOS/FortiProxy Out-of-bounds Write Vulnerability
A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specifically crafted requests
13 stars
CVSS 9.8
CVE-2024-4439 NOMISEC HIGH WORKING POC
WordPress 6.0-6.5.2 - Stored Cross-Site Scripting via Avatar Block Display Name
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
10 stars
CVSS 7.2
CVE-2024-21378 NOMISEC HIGH WORKING POC
Microsoft Outlook - Remote Code Execution
Microsoft Outlook Remote Code Execution Vulnerability
9 stars
CVSS 8.8
CVE-2024-41107 NOMISEC HIGH WORKING POC
Apache CloudStack 4.5.0-4.18.2.1 - Authentication Bypass via SAML Response Spoofing
The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account. In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account. Affected users are recommended to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.
8 stars
CVSS 8.1
CVE-2023-42931 NOMISEC HIGH WORKING POC
macOS < Ventura 13.6.3 - Privilege Escalation
The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.3, macOS Sonoma 14.2, macOS Monterey 12.7.2. A process may gain admin privileges without proper authentication.
7 stars
CVSS 7.8
CVE-2024-21388 NOMISEC MEDIUM WORKING POC
Microsoft Edge Chromium < 121.0.2277.83 - Elevation of Privilege
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
6 stars
CVSS 6.5
CVE-2023-36899 NOMISEC HIGH WORKING POC
.NET Framework - Elevation of Privilege via ASP.NET
ASP.NET Elevation of Privilege Vulnerability
4 stars
CVSS 8.8
CVE-2023-49606 NOMISEC CRITICAL WORKING POC
tinyproxy 1.10.0 and 1.11.1 - Unauthenticated Use-After-Free in HTTP Connection Headers Parsing
A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.
4 stars
CVSS 9.8
CVE-2023-33242 NOMISEC CRITICAL WORKING POC
lindell17 - Private Key Extraction via Abort Handling in Lindell17 TSS Protocol
Crypto wallets implementing the Lindell17 TSS protocol might allow an attacker to extract the full ECDSA private key by exfiltrating a single bit in every signature attempt (256 in total) because of not adhering to the paper's security proof's assumption regarding handling aborts after a failed signature.
4 stars
CVSS 9.6
CVE-2024-27130 NOMISEC HIGH WORKING POC
QNAP QTS and QuTS hero - Remote Code Execution via Stack-based Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
2 stars
CVSS 7.2
CVE-2023-37979 NOMISEC HIGH WORKING POC
Ninja Forms < 3.6.26 - Unauthenticated Reflected Cross-Site Scripting
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions.
2 stars
CVSS 7.1
CVE-2024-4323 NOMISEC CRITICAL WORKING POC
Fluent Bit 2.0.7-3.0.3 - Heap-based Buffer Overflow in HTTP Server Trace Request Parsing
A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server’s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution.
1 stars
CVSS 9.8
CVE-2023-26469 NOMISEC CRITICAL WORKING POC
Jorani 1.0.0 - Path Traversal and Remote Code Execution
In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
1 stars
CVSS 9.8
CVE-2023-33246 NOMISEC CRITICAL WORKING POC
Apache RocketMQ update config RCE
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.  Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.  To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .
1 stars
CVSS 9.8
CVE-2024-34102 NOMISEC CRITICAL WORKING POC
Adobe Commerce and Magento - XML External Entity Injection to Code Execution
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
CVSS 9.8
CVE-2023-4174 NOMISEC LOW WORKING POC
mooSocial mooStore 3.1.6 - Cross-Site Scripting
A vulnerability has been found in mooSocial mooStore 3.1.6 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. The identifier VDB-236209 was assigned to this vulnerability.
CVSS 3.5
CVE-2023-49103 NOMISEC CRITICAL WORKING POC
ownCloud Phpinfo Reader
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
CVSS 10.0
CVE-2023-3519 NOMISEC CRITICAL SCANNER
Citrix NetScaler ADC and Gateway - Unauthenticated Remote Code Execution
Unauthenticated remote code execution
CVSS 9.8
CVE-2023-34992 NOMISEC CRITICAL WORKING POC
FortiSIEM 6.6.0-6.6.2 - OS Command Injection via Crafted API Requests
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via crafted API requests.
CVSS 10.0
CVE-2023-2916 NOMISEC HIGH WORKING POC
InfiniteWP Client <= 1.11.1 - Authenticated Sensitive Information Exposure via admin_notice Function
The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges.
CVSS 7.5
CVE-2021-34527 NOMISEC HIGH WORKING POC
Windows Print Spooler - Remote Code Execution via Privileged File Operations
<p>A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p> <p>UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.</p> <p>In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (<strong>Note</strong>: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):</p> <ul> <li>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint</li> <li>NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)</li> <li>UpdatePromptSettings = 0 (DWORD) or not defined (default setting)</li> </ul> <p><strong>Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.</strong></p> <p>UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also <a href="https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7">KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates</a>.</p> <p>Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.</p>
CVSS 8.8