jakabakos

24 exploits Active since Nov 2017
CVE-2023-36664 NOMISEC HIGH WORKING POC
Artifex Ghostscript <10.01.2 - Privilege Escalation
Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).
130 stars
CVSS 7.8
CVE-2023-50164 NOMISEC CRITICAL WORKING POC
Apache Struts 2.0.0-2.5.32 - Path Traversal and Remote Code Execution via File Upload
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
85 stars
CVSS 9.8
CVE-2023-51467 NOMISEC CRITICAL WORKING POC
Apache OFBiz XML-RPC Java Deserialization
The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code
72 stars
CVSS 9.8
CVE-2023-36884 NOMISEC HIGH WORKING POC
Microsoft Windows Search - Remote Code Execution
Windows Search Remote Code Execution Vulnerability
41 stars
CVSS 7.5
CVE-2023-27524 NOMISEC HIGH WORKING POC
Apache Superset Signed Cookie Priv Esc
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.
28 stars
CVSS 8.9
CVE-2024-23692 NOMISEC CRITICAL WORKING POC
Rejetto HTTP File Server - Template injection
Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.
16 stars
CVSS 9.8
CVE-2017-9096 NOMISEC HIGH WORKING POC
iText < 5.5.12 and 7.x < 7.0.3 - XML External Entity Injection
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
13 stars
CVSS 8.8
CVE-2024-34102 NOMISEC CRITICAL WORKING POC
Adobe Commerce and Magento - XML External Entity Injection to Code Execution
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
9 stars
CVSS 9.8
CVE-2023-22884 NOMISEC CRITICAL WORKING POC
Apache Airflow < 2.5.1 and Apache Airflow MySQL Provider < 4.0.0 - Command Injection
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.
9 stars
CVSS 9.8
CVE-2023-48022 NOMISEC CRITICAL WORKING POC
Anyscale Ray 2.6.3 and 2.8.0 - Remote Code Execution via Job Submission API
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
6 stars
CVSS 9.8
CVE-2023-37679 GITHUB CRITICAL python WORKING POC
Mirth Connect Deserialization RCE
A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.
5 stars
CVSS 9.8
CVE-2023-26360 NOMISEC HIGH WORKING POC
Adobe ColdFusion <2018 Update 15, 2021 Update 5 - RCE
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
5 stars
CVSS 8.6
CVE-2024-27348 NOMISEC CRITICAL WORKING POC
Apache HugeGraph-Server - Remote Command Execution
RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.
4 stars
CVSS 9.8
CVE-2024-4040 NOMISEC CRITICAL WORKING POC
CrushFTP < 10.7.1 - Unauthenticated Server-Side Template Injection
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
3 stars
CVSS 9.8
CVE-2023-43208 NOMISEC CRITICAL WORKING POC
NextGen Healthcare Mirth Connect <4.4.1 - RCE
NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.
3 stars
CVSS 9.8
CVE-2023-39362 NOMISEC HIGH WORKING POC
Cacti < 1.2.25 - Authenticated Remote Code Execution via SNMP Device Options
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions, with similar behavior, that accept in input some variables and place them into an `exec` call without a proper escape or validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
2 stars
CVSS 7.2
CVE-2022-40127 NOMISEC HIGH WORKING POC
Apache Airflow < 2.4.0 - Authenticated Remote Code Execution via Run ID Parameter
A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.
2 stars
CVSS 8.8
CVE-2022-22965 NOMISEC CRITICAL WORKING POC
Spring Framework - Remote Code Execution via Data Binding
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
2 stars
CVSS 9.8
CVE-2023-51448 NOMISEC HIGH
Cacti 1.2.25 - Authenticated Blind SQL Injection via SNMP Notification Receivers
Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `‘managers.php’`. An authenticated attacker with the “Settings/Utilities” permission can send a crafted HTTP GET request to the endpoint `‘/cacti/managers.php’` with an SQLi payload in the `‘selected_graphs_array’` HTTP GET parameter. As of time of publication, no patched versions exist.
1 stars
CVSS 8.8
CVE-2024-36401 NOMISEC CRITICAL SCANNER
Geoserver unauthenticated Remote Code Execution
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
CVSS 9.8
CVE-2024-4577 NOMISEC CRITICAL WORKING POC
PHP CGI Argument Injection Remote Code Execution
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
CVSS 9.8
CVE-2023-36664 NOMISEC HIGH WORKING POC
Artifex Ghostscript <10.01.2 - Privilege Escalation
Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).
CVSS 7.8
CVE-2023-33246 WRITEUP CRITICAL WORKING POC
Apache RocketMQ update config RCE
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.  Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.  To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .
CVSS 9.8
CVE-2023-49070 VULNCHECK_XDB CRITICAL WORKING POC
Apache OFBiz < 18.12.10 - Unauthenticated Remote Code Execution via XML-RPC
Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.  Users are recommended to upgrade to version 18.12.10
CVSS 9.8