egypt

56 exploits Active since Jan 1997
CVE-2013-0156 METASPLOIT ruby WORKING POC
Ruby on Rails JSON Processor YAML Deserialization Code Execution
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
CVE-2016-1560 METASPLOIT CRITICAL ruby WORKING POC
ExaGrid EX3000 Firmware - Use of Hard-coded Credentials
ExaGrid appliances with firmware before 4.8 P26 have a default password of (1) inflection for the root shell account and (2) support for the support account in the web interface, which allows remote attackers to obtain administrative access via an SSH or HTTP session.
CVSS 9.8
CVE-2009-1285 METASPLOIT ruby WORKING POC
phpMyAdmin < 3.1.3.2 - Remote Code Injection via ConfigFile.class.php
Static code injection vulnerability in the getConfigFile function in setup/lib/ConfigFile.class.php in phpMyAdmin 3.x before 3.1.3.2 allows remote attackers to inject arbitrary PHP code into configuration files.
CVE-2013-3130 EXPLOITDB ruby WORKING POC
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-3660, CVE-2013-3661. Reason: This candidate is a reservation duplicate of CVE-2013-3660 and CVE-2013-3661. Notes: All CVE users should reference CVE-2013-3660 and/or CVE-2013-3661 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
CVE-2013-3660 EXPLOITDB HIGH ruby WORKING POC
Windows - Local Privilege Escalation via EPATHOBJ::pprFlattenRec Pointer Initialization
The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 does not properly initialize a pointer for the next object in a certain list, which allows local users to obtain write access to the PATHRECORD chain, and consequently gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls, aka "Win32k Read AV Vulnerability."
CVSS 7.8
CVE-2012-1823 EXPLOITDB CRITICAL ruby WORKING POC
PHP < 5.3.12 and 5.4.x < 5.4.2 - Remote Code Execution via CGI Query String
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
CVSS 9.8
CVE-2012-2311 EXPLOITDB ruby WORKING POC
PHP < 5.3.13 and 5.4.x < 5.4.3 - Remote Code Execution via CGI Query String
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
CVE-2016-1560 EXPLOITDB CRITICAL ruby WORKING POC
ExaGrid EX3000 Firmware - Use of Hard-coded Credentials
ExaGrid appliances with firmware before 4.8 P26 have a default password of (1) inflection for the root shell account and (2) support for the support account in the web interface, which allows remote attackers to obtain administrative access via an SSH or HTTP session.
CVSS 9.8
CVE-2009-20006 EXPLOITDB CRITICAL ruby WORKING POC
osCommerce <= 2.2 RC2a - Unauthenticated Arbitrary File Upload via Admin File Manager
osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server.
CVE-1999-0502 METASPLOIT ruby SCANNER
HP-UX - Unauthenticated Remote Login via Default Null Password
A Unix account has a default, null, blank, or missing password.
CVE-2009-20006 METASPLOIT CRITICAL ruby WORKING POC
osCommerce <= 2.2 RC2a - Unauthenticated Arbitrary File Upload via Admin File Manager
osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility (admin/file_manager.php). The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to upload a .php file containing arbitrary code, which is then executed by the server.
CVE-2013-0333 METASPLOIT ruby WORKING POC
Ruby on Rails 2.3.x-2.3.15 and 3.0.x-3.0.19 - Remote Code Execution via YAML Deserialization
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
CVE-2017-5638 METASPLOIT CRITICAL ruby WORKING POC
Apache Struts 2.3.x < 2.3.32 and 2.5.x < 2.5.10.1 - Remote Code Execution via Jakarta Multipart Parser
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
CVSS 9.8
CVE-2014-6271 METASPLOIT CRITICAL ruby WORKING POC
Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
CVSS 9.8
CVE-2013-4211 METASPLOIT CRITICAL ruby WORKING POC
OpenX Ad Server 2.8.10 - Remote Code Execution via Backdoor in flowplayer-3.1.1.min.js
A Code Execution Vulnerability exists in OpenX Ad Server 2.8.10 due to a backdoor in flowplayer-3.1.1.min.js library, which could let a remote malicious user execute arbitrary PHP code
CVSS 9.8
CVE-2009-1151 METASPLOIT CRITICAL ruby WORKING POC
phpMyAdmin 2.11.0-2.11.9.4 and 3.x < 3.1.3.1 - Remote Code Injection via Setup Configuration Save
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.
CVSS 9.8
CVE-2012-1823 METASPLOIT CRITICAL ruby WORKING POC
PHP < 5.3.12 and 5.4.x < 5.4.2 - Remote Code Execution via CGI Query String
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
CVSS 9.8
CVE-2010-4279 METASPLOIT ruby WORKING POC
Pandora FMS < 3.1 - Unauthenticated Authentication Bypass via Empty loginhash_pwd
The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter.
CVE-2013-0422 METASPLOIT CRITICAL ruby WORKING POC
Oracle JDK 7 - Remote Code Execution via JMX MBean Instantiator and Reflection API
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks. NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11. If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.
CVSS 9.8
CVE-2010-0840 METASPLOIT CRITICAL ruby WORKING POC
Oracle Java SE/Jav for Bus <6-5.0-1.4.2 - Info Disclosure
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability."
CVSS 9.8
CVE-2010-0094 METASPLOIT ruby WORKING POC
Oracle Java SE/Jav for Bus <6-5 - Info Disclosure
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18 and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is due to missing privilege checks during deserialization of RMIConnectionImpl objects, which allows remote attackers to call system-level Java functions via the ClassLoader of a constructor that is being deserialized.
CVE-2008-4696 METASPLOIT ruby WORKING POC
Opera - Stored Cross-Site Scripting via History Search Database
Cross-site scripting (XSS) vulnerability in Opera.dll in Opera before 9.61 allows remote attackers to inject arbitrary web script or HTML via the anchor identifier (aka the "optional fragment"), which is not properly escaped before storage in the History Search database (aka md.dat).
CVE-2012-0507 METASPLOIT CRITICAL ruby WORKING POC
Java AtomicReferenceArray Type Violation Vulnerability
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. NOTE: the previous information was obtained from the February 2012 Oracle CPU. Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions. NOTE: this issue was originally mapped to CVE-2011-3571, but that identifier was already assigned to a different issue.
CVSS 9.8
CVE-2010-3563 METASPLOIT ruby WORKING POC
Oracle Java SE/Jav for Bus <6 Update 21 - Info Disclosure
Unspecified vulnerability in the Deployment component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to "how Web Start retrieves security policies," BasicServiceImpl, and forged policies that bypass sandbox restrictions.
CVE-2007-0015 METASPLOIT ruby WORKING POC
Apple QuickTime 7.1.3 - Remote Code Execution via Long RTSP URI
Buffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI.