mbadanoiu

62 exploits Active since Dec 2014
CVE-2022-40634 NOMISEC MEDIUM WRITEUP
Crafter CMS 3.1.0-3.1.22 - Authenticated Remote Code Execution via FreeMarker SSTI
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.
CVSS 6.4
CVE-2021-46363 NOMISEC HIGH WRITEUP
Magnolia CMS < 6.2.4 - Formula Injection via CSV/XLS Export
An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim's computer when opening the exported files with Microsoft Excel.
CVSS 7.8
CVE-2021-46361 NOMISEC CRITICAL WRITEUP
Magnolia CMS <6.2.11 - Code Injection
An issue in the Freemark Filter of Magnolia CMS v6.2.11 and below allows attackers to bypass security restrictions and execute arbitrary code via a crafted FreeMarker payload.
CVSS 9.8
CVE-2021-46362 NOMISEC CRITICAL WRITEUP
Magnolia CMS < 6.2.4 - Server-Side Template Injection via Registration and Forgotten Password Forms
A Server-Side Template Injection (SSTI) vulnerability in the Registration and Forgotten Password forms of Magnolia v6.2.3 and below allows attackers to execute arbitrary code via a crafted payload entered into the fullname parameter.
CVSS 9.8
CVE-2021-46365 NOMISEC HIGH WRITEUP
Magnolia CMS < 6.2.4 - XML External Entity Injection via XLF File
An issue in the Export function of Magnolia v6.2.3 and below allows attackers to execute XML External Entity attacks via a crafted XLF file.
CVSS 7.8
CVE-2021-46366 NOMISEC HIGH WRITEUP
Magnolia CMS <6.2.3 - CSRF,Open Redirect
An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials.
CVSS 8.8
CVE-2022-20818 NOMISEC HIGH WRITEUP
Cisco SD-WAN < 20.9 - Authenticated Privilege Escalation via CLI Command Injection
Multiple vulnerabilities in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges. These vulnerabilities are due to improper access controls on commands within the application CLI. An attacker could exploit these vulnerabilities by running a malicious command on the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.
CVSS 7.8
CVE-2022-24442 NOMISEC CRITICAL WRITEUP
JetBrains YouTrack <2021.4.40426 - SSRF
JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
CVSS 9.8
CVE-2022-24818 NOMISEC HIGH WRITEUP
GeoTools < 24.6 - Authenticated Expression Language Injection via JNDI Lookup
GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings.
CVSS 8.2
CVE-2022-25813 NOMISEC HIGH WRITEUP
Apache OFBiz < 18.12.06 - Server-Side Template Injection via Ecommerce Contact Us Subject Field
In Apache OFBiz, versions 18.12.05 and earlier, an attacker acting as an anonymous user of the ecommerce plugin, can insert a malicious content in a message “Subject” field from the "Contact us" page. Then a party manager needs to list the communications in the party component to activate the SSTI. A RCE is then possible.
CVSS 7.5
CVE-2021-42559 NOMISEC HIGH WRITEUP
MITRE Caldera < 2.8.1 - Authenticated Command Injection via Startup Requirements
An issue was discovered in CALDERA 2.8.1. It contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted.
CVSS 8.8
CVE-2021-42558 NOMISEC MEDIUM WRITEUP
MITRE Caldera < 2.8.1 - Cross-Site Scripting
An issue was discovered in CALDERA 2.8.1. It contains multiple reflected, stored, and self XSS vulnerabilities that may be exploited by authenticated and unauthenticated attackers.
CVSS 6.1
CVE-2021-42560 NOMISEC HIGH WRITEUP
MITRE Caldera 2.9.0 - XML External Entity Injection via Debrief Plugin SVG Parameter
An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., File Exfiltration, Server Side Request Forgery, Out of Band Exfiltration, etc.).
CVSS 8.8
CVE-2021-42561 NOMISEC HIGH WRITEUP
MITRE Caldera < 2.8.1 - OS Command Injection via Human Plugin Name Parameter
An issue was discovered in CALDERA 2.8.1. When activated, the Human plugin passes the unsanitized name parameter to a python "os.system" function. This allows attackers to use shell metacharacters (e.g., backticks "``" or dollar parenthesis "$()" ) in order to escape the current command and execute arbitrary shell commands.
CVSS 8.8
CVE-2021-42562 NOMISEC HIGH WRITEUP
MITRE Caldera < 2.8.1 - Improper Privilege Management
An issue was discovered in CALDERA 2.8.1. It does not properly segregate user privileges, resulting in non-admin users having access to read and modify configuration or other components that should only be accessible by admin users.
CVSS 8.1
CVE-2020-8249 NOMISEC HIGH WRITEUP
Pulse Secure Desktop Client (Linux) < 9.1R9 - Buffer Overflow
A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to perform buffer overflow.
CVSS 7.8
CVE-2020-8254 NOMISEC HIGH SUSPICIOUS
Pulse Secure Desktop Client <9.1R9 - RCE
A vulnerability in the Pulse Secure Desktop Client < 9.1R9 has Remote Code Execution (RCE) if users can be convinced to connect to a malicious server. This vulnerability only affects Windows PDC.To improve the security of connections between Pulse clients and Pulse Connect Secure, see below recommendation(s):Disable Dynamic certificate trust for PDC.
CVSS 8.8
CVE-2020-8250 NOMISEC HIGH WRITEUP
Pulse Secure Desktop Client (Linux) < 9.1R9 - Privilege Escalation
A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege.
CVSS 7.8
CVE-2020-8248 NOMISEC HIGH WRITEUP
Pulse Secure Desktop Client (Linux) < 9.1R9 - Privilege Escalation
A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege.
CVSS 7.8
CVE-2020-12625 NOMISEC MEDIUM WRITEUP
Roundcube Webmail < 1.4.4 - Stored Cross-Site Scripting via HTML Message CDATA
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
CVSS 6.1
CVE-2020-13965 NOMISEC MEDIUM WRITEUP
Roundcube Webmail < 1.3.12 and 1.4.x < 1.4.5 - Stored Cross-Site Scripting via XML Attachment Preview
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
CVSS 6.1
CVE-2020-13941 NOMISEC HIGH WRITEUP
Apache Solr < 8.6.0 - Unauthenticated Arbitrary File Read and Write via Replication Handler Location Parameter
Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e you could read/write to any location the solr user can access.
CVSS 8.8
CVE-2020-12641 NOMISEC CRITICAL WRITEUP
Roundcube Webmail < 1.4.4 - Remote Code Execution via Shell Metacharacters in Image Configuration
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
CVSS 9.8
CVE-2020-12641 NOMISEC CRITICAL WRITEUP
Roundcube Webmail < 1.4.4 - Remote Code Execution via Shell Metacharacters in Image Configuration
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
CVSS 9.8
CVE-2020-12640 NOMISEC CRITICAL WRITEUP
Roundcube Webmail <1.4.4 - Path Traversal
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
CVSS 9.8