ox1111

5 exploits Active since Mar 2019
CVE-2024-23334 NOMISEC MEDIUM SUSPICIOUS
aiohttp - Directory Traversal
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
5 stars
CVSS 5.9
CVE-2022-32932 NOMISEC HIGH WRITEUP
Apple Ipados < 15.7.1 - Out-of-Bounds Write
The issue was addressed with improved memory handling. This issue is fixed in iOS 15.7.1 and iPadOS 15.7.1, iOS 16.1 and iPadOS 16, watchOS 9.1. An app may be able to execute arbitrary code with kernel privileges.
2 stars
CVSS 7.8
CVE-2019-6225 NOMISEC HIGH WORKING POC
Apple Iphone OS < 12.1.3 - Out-of-Bounds Write
A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2. A malicious application may be able to elevate privileges.
CVSS 7.8
CVE-2024-1874 NOMISEC CRITICAL
PHP <8.1.28, 8.2.*<8.2.18, 8.3.*<8.3.5 - Command Injection
In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.
CVSS 9.4
CVE-2022-32898 NOMISEC HIGH WRITEUP
Apple Ipados < 15.7 - Denial of Service
The issue was addressed with improved memory handling. This issue is fixed in iOS 15.7 and iPadOS 15.7, iOS 16, macOS Ventura 13, watchOS 9. An app may be able to execute arbitrary code with kernel privileges.
CVSS 7.8