todb

21 exploits Active since Mar 1998
CVE-2016-0800 METASPLOIT MEDIUM ruby SCANNER
OpenSSL <1.0.1s, 1.0.2 before 1.0.2g - RCE
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
CVSS 5.9
CVE-2013-2566 METASPLOIT MEDIUM ruby SCANNER
Oracle Communications Application Session Controller 3.0.0-3.9.1 - Inadequate Encryption Strength via RC4 Algorithm
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
CVSS 5.9
CVE-2011-3389 METASPLOIT ruby SCANNER
SSL - Info Disclosure
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
CVE-2022-3358 METASPLOIT HIGH ruby SCANNER
OpenSSL 3.0.0-3.0.5 - NULL Pointer Dereference via Legacy Custom Cipher Handling
OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).
CVSS 7.5
CVE-2015-4000 METASPLOIT LOW ruby SCANNER
OpenSSL 1.0.1-1.0.1l - Man-in-the-Middle Cipher Downgrade via DHE_EXPORT
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
CVSS 3.7
CVE-2013-4164 METASPLOIT ruby WORKING POC
Ruby 1.8 1.9-1.9.3-p484 2.0-2.0.0-p353 2.1-2.1.0 preview2 - Heap-based Buffer Overflow via String to Float Conversion
Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse.
CVE-2009-3563 METASPLOIT ruby WORKING POC
ntp < 4.2.4p8 and 4.2.5 - Denial of Service via MODE_PRIVATE Packet Spoofing
ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.
CVE-1999-0502 METASPLOIT ruby SCANNER
HP-UX - Unauthenticated Remote Login via Default Null Password
A Unix account has a default, null, blank, or missing password.
CVE-1999-0502 METASPLOIT ruby SCANNER
HP-UX - Unauthenticated Remote Login via Default Null Password
A Unix account has a default, null, blank, or missing password.
CVE-2014-3566 METASPLOIT LOW ruby SCANNER
SSL/TLS Version Detection
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
CVSS 3.4
CVE-2013-0229 METASPLOIT ruby SCANNER
miniupnpd < 1.4 - Denial of Service via Crafted SSDP Request
The ProcessSSDPRequest function in minissdp.c in the SSDP handler in MiniUPnP MiniUPnPd before 1.4 allows remote attackers to cause a denial of service (service crash) via a crafted request that triggers a buffer over-read.
CVE-1999-0502 METASPLOIT ruby SCANNER
HP-UX - Unauthenticated Remote Login via Default Null Password
A Unix account has a default, null, blank, or missing password.
CVE-1999-0502 METASPLOIT ruby SCANNER
HP-UX - Unauthenticated Remote Login via Default Null Password
A Unix account has a default, null, blank, or missing password.
CVE-1999-0502 METASPLOIT ruby SCANNER
HP-UX - Unauthenticated Remote Login via Default Null Password
A Unix account has a default, null, blank, or missing password.
CVE-2014-4936 METASPLOIT ruby WORKING POC
Malwarebytes Anti-Malware <2.0.3 & MBAE <1.04.1.1012 - RCE
The upgrade functionality in Malwarebytes Anti-Malware (MBAM) consumer before 2.0.3 and Malwarebytes Anti-Exploit (MBAE) consumer 1.04.1.1012 and earlier allow man-in-the-middle attackers to execute arbitrary code by spoofing the update server and uploading an executable.
CVE-2015-0936 METASPLOIT CRITICAL ruby WORKING POC
Ceragon FibeAir IP-10 - Privilege Escalation
Ceragon FibeAir IP-10 have a default SSH public key in the authorized_keys file for the mateidu user, which allows remote attackers to obtain SSH access by leveraging knowledge of the private key.
CVSS 9.8
CVE-2016-10372 METASPLOIT CRITICAL ruby WORKING POC
Eir D1000 Modem Firmware - Remote Code Execution via TR-064 Protocol
The Eir D1000 modem does not properly restrict the TR-064 protocol, which allows remote attackers to execute arbitrary commands via TCP port 7547, as demonstrated by opening WAN access to TCP port 80, retrieving the login password (which defaults to the Wi-Fi password), and using the NewNTPServer feature.
CVSS 9.8
CVE-2007-3280 METASPLOIT ruby WORKING POC
PostgreSQL 8.1 - Authenticated Remote Code Execution via Database Link Library
The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries based on the C programming language, which allows remote authenticated superusers to map and execute a function from any library, as demonstrated by using the system function in libc.so.6 to gain shell access.
EIP-2026-119015 EXPLOITDB ruby WORKING POC
Oracle MySQL for Microsoft Windows - Payload Execution (Metasploit)
CVE-2014-4936 EXPLOITDB ruby WORKING POC
Malwarebytes Anti-Malware <2.0.3 & MBAE <1.04.1.1012 - RCE
The upgrade functionality in Malwarebytes Anti-Malware (MBAM) consumer before 2.0.3 and Malwarebytes Anti-Exploit (MBAE) consumer 1.04.1.1012 and earlier allow man-in-the-middle attackers to execute arbitrary code by spoofing the update server and uploading an executable.
CVE-2015-0936 EXPLOITDB CRITICAL ruby WORKING POC
Ceragon FibeAir IP-10 - Privilege Escalation
Ceragon FibeAir IP-10 have a default SSH public key in the authorized_keys file for the mateidu user, which allows remote attackers to obtain SSH access by leveraging knowledge of the private key.
CVSS 9.8