m10sec

20 exploits Active since Sep 2014
CVE-2025-25063 GITHUB MEDIUM python WORKING POC
Backdrop CMS 1.28.0-1.28.4 and 1.29.0-1.29.2 - Stored Cross-Site Scripting via SVG Image Upload
An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. It does not sufficiently validate uploaded SVG images to ensure they do not contain potentially dangerous SVG tags. SVG images can contain clickable links and executable scripting, and using a crafted SVG, it is possible to execute scripting in the browser when an SVG image is viewed. This issue is mitigated by the attacker needing to be able to upload SVG images, and that Backdrop embeds all uploaded SVG images within <img> tags, which prevents scripting from executing. The SVG must be viewed directly by its URL in order to run any embedded scripting.
6 stars
CVSS 4.4
CVE-2025-8671 NOMISEC HIGH WORKING POC
SUSE Linux Enterprise Module for Development Tools - Denial of Service via HTTP/2 Stream Reset
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.
6 stars
CVSS 7.5
CVE-2025-24271 NOMISEC MEDIUM WORKING POC
iPadOS < 17.7.6 - Unauthenticated AirPlay Command Execution via Network Access
An access issue was addressed with improved access restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4. An unauthenticated user on the same network as a signed-in Mac could send it AirPlay commands without pairing.
4 stars
CVSS 5.4
CVE-2025-59719 GITHUB CRITICAL python SCANNER
FortiWeb 7.4.0-7.4.9, 7.6.0-7.6.4, 8.0.0 - Unauthenticated SAML Authentication Bypass via Crafted SAML Response
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
2 stars
CVSS 9.8
CVE-2025-59718 NOMISEC CRITICAL SCANNER
Fortinet FortiOS/FortiProxy/FortiSwitchManager SAML Signature Verification Bypass
A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
2 stars
CVSS 9.8
CVE-2015-9251 NOMISEC MEDIUM WORKING POC
jQuery < 3.0.0 - Cross-Site Scripting via Cross-Domain Ajax Request
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
2 stars
CVSS 6.1
CVE-2025-29927 NOMISEC CRITICAL SCANNER
Next.js Middleware Bypass
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
1 stars
CVSS 9.1
CVE-2022-41741 NOMISEC HIGH SCANNER
NGINX <1.23.2-1.22.1 - Memory Corruption
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
1 stars
CVSS 7.0
CVE-2019-20372 NOMISEC MEDIUM WORKING POC
NGINX < 1.17.7 - HTTP Request Smuggling via error_page Configuration
NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
1 stars
CVSS 5.3
CVE-2025-31324 NOMISEC CRITICAL WORKING POC
SAP NetWeaver Visual Composer Metadata Uploader - Deserialization
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
CVSS 10.0
CVE-2024-51996 NOMISEC HIGH WORKING POC
Symfony <5.4.46, <6.4.14, <7.1.7 - Auth Bypass
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.
CVSS 7.5
CVE-2022-4174 NOMISEC HIGH SCANNER
Google Chrome < 108.0.5359.71 - Type Confusion in V8 via Crafted HTML Page
Type confusion in V8 in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVSS 8.8
CVE-2022-24894 NOMISEC MEDIUM SCANNER
Symfony 2.0.0-4.4.49 - Session Fixation via HTTP Cache Set-Cookie Header
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the `AbstractSessionListener`, the response might contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this response might bill stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and is available for branch 4.4.
CVSS 5.9
CVE-2021-44228 NOMISEC CRITICAL WORKING POC
Log4Shell HTTP Header Injection
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
CVSS 10.0
CVE-2021-23017 NOMISEC HIGH SCANNER
nginx 0.6.18-1.20.0 - Denial of Service via DNS Resolver Off-by-one Error
A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.
CVSS 7.7
CVE-2021-21424 NOMISEC MEDIUM SCANNER
Symfony 3.4.0-3.4.48 - Unauthorized User Enumeration via Switch User Functionality
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.
CVSS 5.3
CVE-2019-10909 NOMISEC MEDIUM SCANNER
Symfony 2.7.0-2.7.50, 2.8.0-2.8.49, 3.0.0-3.4.25, 4.0.0-4.1.11, 4.2.0-4.2.6 - XSS in Validation Messages
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
CVSS 5.4
CVE-2018-15473 NOMISEC MEDIUM WORKING POC
OpenSSH < 7.7 - User Enumeration via Authentication Request Timing
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
CVSS 5.3
CVE-2014-6271 NOMISEC CRITICAL SCANNER
Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
CVSS 9.8
CVE-2025-29927 VULNCHECK_XDB CRITICAL SCANNER
Next.js Middleware Bypass
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
CVSS 9.1