j4k0m

11 exploits Active since Apr 2016
CVE-2021-24499 NOMISEC CRITICAL WORKING POC
Workreap < 2.2.2 - Unauthenticated Arbitrary File Upload via AJAX Temp File Uploader
The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.
16 stars
CVSS 9.8
CVE-2021-41773 NOMISEC CRITICAL WORKING POC
Apache 2.4.49/2.4.50 Traversal RCE
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
12 stars
CVSS 9.8
CVE-2018-18925 NOMISEC CRITICAL WORKING POC
Gogs < 0.11.66 - Remote Code Execution via Session File Forgery
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
7 stars
CVSS 9.8
CVE-2019-5420 NOMISEC CRITICAL WORKING POC
Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability
A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.
5 stars
CVSS 9.8
CVE-2018-0114 NOMISEC HIGH WRITEUP
Cisco node-jose < 0.11.0 - Unauthenticated Token Re-signing via Embedded Public Key
A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs). This standard specifies that a JSON Web Key (JWK) representing a public key can be embedded within the header of a JWS. This public key is then trusted for verification. An attacker could exploit this by forging valid JWS objects by removing the original signature, adding a new public key to the header, and then signing the object using the (attacker-owned) private key associated with the public key embedded in that JWS header.
4 stars
CVSS 7.5
CVE-2016-2098 NOMISEC HIGH WRITEUP
Debian Linux < 3.2.22.1 - Improper Input Validation
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
4 stars
CVSS 7.3
CVE-2020-14343 NOMISEC CRITICAL WORKING POC
PyYAML < 5.4 - Remote Code Execution via Python Object Constructor
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
3 stars
CVSS 9.8
CVE-2018-11235 NOMISEC HIGH WORKING POC
Debian Linux < 2.13.6 - Path Traversal
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.
2 stars
CVSS 7.8
CVE-2016-10033 NOMISEC CRITICAL WORKING POC
PHPMailer Sendmail Argument Injection
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
1 stars
CVSS 9.8
CVE-2018-18925 INTHEWILD CRITICAL WORKING POC
Gogs < 0.11.66 - Remote Code Execution via Session File Forgery
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
CVSS 9.8
CVE-2021-24499 INTHEWILD CRITICAL WORKING POC
Workreap < 2.2.2 - Unauthenticated Arbitrary File Upload via AJAX Temp File Uploader
The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.
CVSS 9.8