h00die-gr3y

52 exploits Active since Sep 2014
CVE-2022-24989 METASPLOIT CRITICAL ruby WORKING POC
Terra-master Terramaster Operating System < 4.2.31 - Injection
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
CVSS 9.8
CVE-2023-30258 METASPLOIT CRITICAL ruby WORKING POC
Magnussolution Magnusbilling < 7.3.0 - Command Injection
Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.
CVSS 9.8
CVE-2024-22729 METASPLOIT CRITICAL ruby WORKING POC
Netis MW5360 V1.0.1.3031 - Command Injection
NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page.
CVSS 9.8
CVE-2020-28188 METASPLOIT CRITICAL ruby WORKING POC
Terra-master Tos < 4.2.06 - OS Command Injection
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter.
CVSS 9.8
CVE-2024-55556 METASPLOIT CRITICAL ruby WORKING POC
Crater Invoice - Code Injection
A vulnerability in Crater Invoice allows an unauthenticated attacker with knowledge of the APP_KEY to achieve remote command execution on the server by manipulating the laravel_session cookie, exploiting arbitrary deserialization through the encrypted session data. The exploitation vector of this vulnerability relies on an attacker obtaining Laravel's secret APP_KEY, which would allow them to decrypt and manipulate session cookies (laravel_session) containing serialized data. By altering this data and re-encrypting it with the APP_KEY, the attacker could trigger arbitrary deserialization on the server, potentially leading to remote command execution (RCE). The vulnerability is primarily exploited by accessing an exposed cookie and manipulating it using the secret key to gain malicious access to the server.
CVSS 9.8
CVE-2021-44529 METASPLOIT CRITICAL ruby WORKING POC
Ivanti Endpoint Manager Cloud Services Appliance - Code Injection
A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).
CVSS 9.8
CVE-2025-5946 METASPLOIT HIGH ruby WORKING POC
Centreon authenticated command injection leading to RCE via broker engine
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Poller reload setup in the configuration modules) allows OS Command Injection. On the poller parameters page, a user with high privilege is able to concatenate custom instructions into the poller reload command. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.
CVSS 7.2
CVE-2024-24578 METASPLOIT CRITICAL ruby WORKING POC
RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload.
RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within the Java based `HMIPServer.jar` component. RaspberryMatric includes a Java based `HMIPServer`, that can be accessed through URLs starting with `/pages/jpages`. The `FirmwareController` class does however not perform any session id checks, thus this feature can be accessed without a valid session. Due to this issue, attackers can gain remote code execution as root user, allowing a full system compromise. Version 3.75.6.20240316 contains a patch.
CVSS 10.0
CVE-2024-12971 METASPLOIT HIGH ruby WORKING POC
Pandora FMS authenticated command injection leading to RCE via chromium_path or phantomjs_bin
Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection.This issue affects Pandora FMS from 700 to 777.6
CVSS 8.8
CVE-2023-50919 METASPLOIT CRITICAL ruby WORKING POC
GL.iNet Unauthenticated Remote Command Execution via the logread module.
An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
CVSS 9.8
CVE-2024-55555 METASPLOIT HIGH ruby WORKING POC
Invoice Ninja <5.10.43 - RCE
Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function.
CVSS 8.8
CVE-2024-48456 METASPLOIT HIGH ruby WORKING POC
Netis Wifi Router - Info Disclosure
An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows a remote attacker to obtain sensitive information via the parameter password at the change admin password page at the router web interface.
CVSS 7.5
CVE-2023-23333 METASPLOIT CRITICAL ruby WORKING POC
Contec Solarview Compact Firmware < 6.00 - Command Injection
There is a command injection vulnerability in SolarView Compact through 6.00, attackers can execute commands by bypassing internal restrictions through downloader.php.
CVSS 9.8
CVE-2023-28770 METASPLOIT HIGH ruby WORKING POC
Zyxel DX5401-B0 <V5.17(ABYO.1)C0 - Info Disclosure
The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.
CVSS 7.5
CVE-2023-34960 METASPLOIT CRITICAL ruby WORKING POC
Chamilo unauthenticated command injection in PowerPoint upload
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.
CVSS 9.8
CVE-2023-52251 METASPLOIT HIGH ruby WORKING POC
Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
CVSS 8.8
CVE-2021-45839 METASPLOIT MEDIUM ruby WORKING POC
Terramaster F4-210,F2-210 TOS 4.2.X - Info Disclosure
It is possible to obtain the first administrator's hash set up on the system in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) as well as other information such as MAC address, internal IP address etc. by performing a request to the /module/api.php?mobile/webNasIPS endpoint.
CVSS 6.5
CVE-2019-7276 METASPLOIT CRITICAL ruby WORKING POC
Optergy Proton/Enterprise - RCE
Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console.
CVSS 9.8
CVE-2023-45249 METASPLOIT CRITICAL ruby WORKING POC
Acronis Cyber Infrastructure <5.0.1-61, <5.1.1-71, <5.2.1-69, <5.3....
Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.
CVSS 9.8
CVE-2021-39144 METASPLOIT HIGH ruby WORKING POC
Xstream < 1.4.18 - Missing Authentication
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVSS 8.5
CVE-2025-4653 METASPLOIT HIGH ruby WORKING POC
Pandora ITSM authenticated command injection leading to RCE via the backup function
Improper Neutralization of Special Elements in the backup name field may allow OS command injection. This issue affects Pandora ITSM 5.0.105.
CVE-2019-7256 METASPLOIT CRITICAL ruby WORKING POC
Linear eMerge E3-Series - Command Injection
Linear eMerge E3-Series devices allow Command Injections.
CVSS 9.8
CVE-2023-41892 METASPLOIT CRITICAL ruby WORKING POC
Craft CMS unauthenticated Remote Code Execution (RCE)
Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.
CVSS 10.0
CVE-2025-24016 METASPLOIT CRITICAL ruby WORKING POC
Wazuh server remote code execution caused by an unsafe deserialization vulnerability.
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
CVSS 9.9
CVE-2024-28255 METASPLOIT CRITICAL ruby WORKING POC
OpenMetadata - Authentication Bypass
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `JwtFilter` handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request's path is checked against this list. When the request's path contains any of the excluded endpoints the filter returns without validating the JWT. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings. For example, a request to `GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/111` will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint, including the ones listed above that lead to arbitrary SpEL expression injection. This bypass will not work when the endpoint uses the `SecurityContext.getUserPrincipal()` since it will return `null` and will throw an NPE. This issue may lead to authentication bypass and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-237`.
CVSS 9.8