mbadanoiu

62 exploits Active since Dec 2014
CVE-2024-22274 NOMISEC HIGH SUSPICIOUS
VMware vCenter Server - Authenticated Appliance Shell Command Execution
The vCenter Server contains an authenticated remote code execution vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system.
38 stars
CVSS 7.2
CVE-2025-31644 NOMISEC HIGH WRITEUP
BIG-IP TMOS Shell - Command Injection
When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command which may allow an authenticated attacker with administrator role privileges to execute arbitrary system commands. A successful exploit can allow the attacker to cross a security boundary.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
24 stars
CVSS 8.7
CVE-2025-20029 NOMISEC HIGH WRITEUP
F5 BIG-IP 15.1.0-15.1.10.6 - Authenticated OS Command Injection via iControl REST and TMOS Shell Save Command
Command injection vulnerability exists in iControl REST and BIG-IP TMOS Shell (tmsh) save command, which may allow an authenticated attacker to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
22 stars
CVSS 8.8
CVE-2024-34693 NOMISEC MEDIUM SUSPICIOUS
Apache Superset < 3.1.3 - Authenticated File Read via MariaDB Connection with local_infile
Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table.This issue affects Apache Superset: before 3.1.3 and version 4.0.0 Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.
10 stars
CVSS 6.8
CVE-2024-37081 NOMISEC HIGH SUSPICIOUS
vCenter Sudo Privilege Escalation
The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance.
10 stars
CVSS 7.8
CVE-2023-49964 NOMISEC HIGH WRITEUP
Hyland Alfresco Content Services < 7.2.0 - Server-Side Template Injection via folder.get.html.ftl
An issue was discovered in Hyland Alfresco Community Edition through 7.2.0. By inserting malicious content in the folder.get.html.ftl file, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and achieve RCE (Remote Code Execution). NOTE: this issue exists because of an incomplete fix for CVE-2020-12873.
7 stars
CVSS 8.8
CVE-2023-34468 NOMISEC HIGH WRITEUP
Apache NiFi 0.0.2-1.21.0 - Authenticated Remote Code Execution via H2 JDBC Database URL
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
5 stars
CVSS 8.8
CVE-2022-21392 NOMISEC HIGH WRITEUP
Oracle Enterprise Manager <13.5.0.0 - Unauthorized Access
Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Policy Framework). Supported versions that are affected are 13.4.0.0 and 13.5.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Enterprise Manager Base Platform accessible data. CVSS 3.1 Base Score 8.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
4 stars
CVSS 8.8
CVE-2023-34212 NOMISEC MEDIUM WRITEUP
Apache NiFi 1.8.0-1.21.0 - Authenticated Deserialization of Untrusted Data via JNDI URL Configuration
The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
3 stars
CVSS 6.5
CVE-2024-22275 NOMISEC MEDIUM SUSPICIOUS
VMware Cloud Foundation 4.0-5.1.0 - Authenticated Partial File Read
The vCenter Server contains a partial file read vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to partially read arbitrary files containing sensitive data.
2 stars
CVSS 4.9
CVE-2023-26269 NOMISEC HIGH WRITEUP
Apache James <3.7.3 - Privilege Escalation
Apache James server version 3.7.3 and earlier provides a JMX management service without authentication by default. This allows privilege escalation by a malicious local user. Administrators are advised to disable JMX, or set up a JMX password. Note that version 3.7.4 onward will set up a JMX password automatically for Guice users.
2 stars
CVSS 7.8
CVE-2022-40635 NOMISEC MEDIUM WRITEUP
Crafter CMS 3.1.0-3.1.22 - Authenticated Remote Code Execution via Groovy Sandbox Bypass
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.
2 stars
CVSS 6.4
CVE-2022-41678 NOMISEC HIGH WRITEUP
Apache ActiveMQ Jolokia - Authenticated MBean Code Execution
Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This could lead to RCE through via various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.
2 stars
CVSS 8.8
CVE-2022-41853 NOMISEC HIGH WORKING POC
HSQLDB <2.7.1 - Remote Code Execution via Untrusted SQL Method Calls
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
2 stars
CVSS 8.0
CVE-2023-51518 NOMISEC CRITICAL WRITEUP
Apache James <3.7.5, 3.8.0 - Privilege Escalation
Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadjet, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default JMX endpoint is only bound locally. We recommend users to:  - Upgrade to a non-vulnerable Apache James version  - Run Apache James isolated from other processes (docker - dedicated virtual machine)  - If possible turn off JMX
1 stars
CVSS 9.8
CVE-2021-46364 NOMISEC HIGH WRITEUP
Magnolia CMS < 6.2.4 - Remote Code Execution via Snake YAML Deserialization
A vulnerability in the Snake YAML parser of Magnolia CMS v6.2.3 and below allows attackers to execute arbitrary code via a crafted YAML file.
1 stars
CVSS 7.8
CVE-2022-29063 NOMISEC CRITICAL WRITEUP
Apache OFBiz < 18.12.06 - Remote Code Execution via Solr Plugin RMI Request
The Solr plugin of Apache OFBiz is configured by default to automatically make a RMI request on localhost, port 1099. In version 18.12.05 and earlier, by hosting a malicious RMI server on localhost, an attacker may exploit this behavior, at server start-up or on a server restart, in order to run arbitrary code. Upgrade to at least 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12646.
1 stars
CVSS 9.8
CVE-2022-23862 NOMISEC HIGH WRITEUP
Y Soft SAFEQ 6 Build 53 - Privilege Escalation
A Local Privilege Escalation issue was discovered in Y Soft SAFEQ 6 Build 53. The SafeQ JMX service running on port 9696 is vulnerable to JMX MLet attacks. Because the service did not enforce authentication and was running under the "NT Authority\System" user, an attacker is able to use the vulnerability to execute arbitrary code and elevate to the system user.
1 stars
CVSS 7.8
CVE-2022-23861 NOMISEC MEDIUM WRITEUP
Y Soft SAFEQ 6 Build 53 - Stored Cross-Site Scripting via Multiple Web Application Fields
Multiple Stored Cross-Site Scripting vulnerabilities were discovered in Y Soft SAFEQ 6 Build 53. Multiple fields in the YSoft SafeQ web application can be used to inject malicious inputs that, due to a lack of output sanitization, result in the execution of arbitrary JS code. These fields can be leveraged to perform XSS attacks on legitimate users accessing the SafeQ web interface.
1 stars
CVSS 5.4
CVE-2021-20253 NOMISEC MEDIUM SUSPICIOUS
Ansible-Tower - Privilege Escalation
A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1 stars
CVSS 6.7
CVE-2016-4971 NOMISEC HIGH WORKING POC
GNU wget < 1.18 - Arbitrary File Write via HTTP-to-FTP Redirect
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
1 stars
CVSS 8.8
CVE-2025-6384 NOMISEC CRITICAL WRITEUP
CrafterCMS 4.0.0-4.2.2 - Authenticated Remote Code Execution via Groovy Sandbox Bypass
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution). This issue affects CrafterCMS: from 4.0.0 through 4.2.2.
CVSS 9.1
CVE-2025-26865 NOMISEC LOW WRITEUP
Apache OFBiz <18.12.18 - Info Disclosure
Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18.   It's a regression between 18.12.17 and 18.12.18. In case you use something like that, which is not recommended! For security, only official releases should be used. In other words, if you use 18.12.17 you are still safe. The version 18.12.17 is not a affected. But something between 18.12.17 and 18.12.18 is. In that case, users are recommended to upgrade to version 18.12.18, which fixes the issue.
CVSS 3.5
CVE-2023-40037 NOMISEC MEDIUM SUSPICIOUS
Apache NiFi 1.21.0-1.23.0 - Authenticated Connection URL Validation Bypass via Custom Input Formatting
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.
CVSS 6.5
CVE-2023-50780 NOMISEC HIGH WRITEUP
Apache ActiveMQ Artemis < 2.29.0 - Authenticated Arbitrary File Write and Remote Code Execution via Log4J2 MBean
Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This MBean is not meant for exposure to non-administrative users. This could eventually allow an authenticated attacker to write arbitrary files to the filesystem and indirectly achieve RCE. Users are recommended to upgrade to version 2.29.0 or later, which fixes the issue.
CVSS 8.8