securitystuffbackup

12 exploits Active since Oct 2020
CVE-2021-25735 GITLAB MEDIUM WORKING POC
Kube-apiserver - Privilege Escalation
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
CVSS 6.5
CVE-2021-21315 GITLAB HIGH WORKING POC
systeminformation < 5.3.1 - OS Command Injection via Service Parameter Handling
The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.
CVSS 7.1
CVE-2021-21972 GITLAB CRITICAL SCANNER
VMware vCenter Server and Cloud Foundation - Remote Code Execution via vSphere Client Plugin
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
CVSS 9.8
CVE-2021-23132 GITLAB HIGH WORKING POC
Joomla! 3.0.0-3.9.24 - Unauthenticated Arbitrary File Upload via com_media
An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads
CVSS 7.5
CVE-2021-21975 GITLAB HIGH WORKING POC
VMware vRealize Operations Manager < 8.4 - Server-Side Request Forgery via API
Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.
CVSS 7.5
CVE-2021-21551 GITLAB HIGH WORKING POC
Dell DBUtil < 2.3 - Authenticated Insufficient Access Control in IOCTL Handler
Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
CVSS 8.8
CVE-2021-31166 GITLAB CRITICAL WORKING POC
Windows IIS HTTP Protocol Stack DOS
HTTP Protocol Stack Remote Code Execution Vulnerability
CVSS 9.8
CVE-2021-31166 GITLAB CRITICAL WORKING POC
Windows IIS HTTP Protocol Stack DOS
HTTP Protocol Stack Remote Code Execution Vulnerability
CVSS 9.8
CVE-2021-21985 GITLAB CRITICAL WORKING POC
VMware vCenter Server - Remote Code Execution via Virtual SAN Health Check Plugin
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
CVSS 9.8
CVE-2021-28476 GITLAB CRITICAL WORKING POC
Windows Hyper-V - Remote Code Execution
Windows Hyper-V Remote Code Execution Vulnerability
CVSS 9.9
CVE-2020-15906 GITLAB CRITICAL WORKING POC
Tiki 16.3-21.1 - Authentication Bypass via Excessive Login Attempts
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
CVSS 9.8
CVE-2021-26855 PATCHAPALOOZA CRITICAL WORKING POC
Microsoft Exchange ProxyLogon RCE
Microsoft Exchange Server Remote Code Execution Vulnerability
CVSS 9.1