ricardojoserf

4 exploits | Active since Nov 2019
CVE-2021-31159 NOMISEC MEDIUM WORKING POC
Zoho ManageEngine ServiceDesk Plus MSP <10519 - Info Disclosure
Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.
3 stars
CVSS 5.3
CVE-2019-19033 NOMISEC CRITICAL SCANNER
Jalios JCMS 10 - Privilege Escalation
Jalios JCMS 10 allows attackers to access any part of the website and the WebDAV server with administrative privileges via a backdoor account, by using any username and the hardcoded dev password.
3 stars
CVSS 9.8
CVE-2021-40845 NOMISEC HIGH WORKING POC
Zenitel AlphaCom XE Audio Server <11.2.3.10 - Code Injection
The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory.
2 stars
CVSS 8.8
CVE-2025-52136 WRITEUP LOW WORKING POC
EMQX <5.8.6 - Privilege Escalation
In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier's position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin's acceptability (for later Dashboard installation) is set by the "emqx ctl plugins allow" CLI command.
CVSS 3.0