xistence

71 exploits Active since Jul 1997
CVE-2015-7765 EXPLOITDB ruby WORKING POC
ZOHO ManageEngine OpManager <11.5.11600 - Auth Bypass
ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password.
CVE-2014-125125 EXPLOITDB text WRITEUP
A10 Networks AX Loadbalancer <2.7.0 - Path Traversal
A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion.
CVE-2014-125124 EXPLOITDB ruby WORKING POC
Pandora FMS <5.0RC1 - RCE
An unauthenticated remote command execution vulnerability exists in Pandora FMS versions up to and including 5.0RC1 via the Anyterm web interface, which listens on TCP port 8023. The anyterm-module endpoint accepts unsanitized user input via the p parameter and directly injects it into a shell command, allowing arbitrary command execution as the pandora user. In certain versions (notably 4.1 and 5.0RC1), the pandora user can elevate privileges to root without a password using a chain involving the artica user account. This account is typically installed without a password and is configured to run sudo without authentication. Therefore, full system compromise is possible without any credentials.
CVE-2014-125121 EXPLOITDB ruby WORKING POC
Array Networks vAPV/vxAG <8.3.2.17-9.2.0.34 - Privilege Escalation
Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise.
CVE-2013-10044 EXPLOITDB HIGH ruby WORKING POC
OpenEMR < 4.1.1 Patch 14 - SQL Injection
An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once elevated, the attacker can exploit an unrestricted file upload flaw to achieve remote code execution, resulting in full compromise of the application and its host system.
CVSS 8.8
CVE-2013-10044 EXPLOITDB HIGH text WORKING POC
OpenEMR < 4.1.1 Patch 14 - SQL Injection
An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once elevated, the attacker can exploit an unrestricted file upload flaw to achieve remote code execution, resulting in full compromise of the application and its host system.
CVSS 8.8
CVE-2013-10043 EXPLOITDB python WORKING POC
OAstium VoIP PBX astium-confweb-2.1-25399 - Auth Bypass & RCE
A vulnerability exists in OAstium VoIP PBX astium-confweb-2.1-25399 and earlier, where improper input validation in the logon.php script allows an attacker to bypass authentication via SQL injection. Once authenticated as an administrator, the attacker can upload arbitrary PHP code through the importcompany field in import.php, resulting in remote code execution. The malicious payload is injected into /usr/local/astium/web/php/config.php and executed with root privileges by triggering a configuration reload via sudo /sbin/service astcfgd reload. Successful exploitation leads to full system compromise.
CVE-2015-7857 EXPLOITDB ruby WORKING POC
Joomla! <3.4.5 - SQL Injection
SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.php.
CVE-2015-7297 EXPLOITDB ruby WORKING POC
Joomla! - SQL Injection
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.
CVE-2013-5015 EXPLOITDB ruby WORKING POC
Symantec Endpoint Protection Manager - SQL Injection
SQL injection vulnerability in the management console in Symantec Endpoint Protection Manager (SEPM) 11.0 before 11.0.7405.1424 and 12.1 before 12.1.4023.4080, and Symantec Protection Center Small Business Edition 12.x before 12.1.4023.4080, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
CVE-2018-1000115 METASPLOIT HIGH ruby SCANNER
Memcached <1.5.6 - DoS
Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported by reliable sources). This attack appear to be exploitable via network connectivity to port 11211 UDP. This vulnerability appears to have been fixed in 1.5.6 due to the disabling of the UDP protocol by default.
CVSS 7.5
CVE-2013-5211 METASPLOIT ruby SCANNER
NTP Monitor List Scanner
The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
CVE-2014-100002 METASPLOIT ruby WORKING POC
Zohocorp Manageengine Supportcenter Plus < 7.9 - Path Traversal
Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.
CVE-2011-2757 METASPLOIT ruby WORKING POC
Manageengine Servicedesk Plus < 8.0.0.12 - Path Traversal
Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0.0.12 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the FILENAME parameter. NOTE: this might overlap the US-CERT VU#543310 issue.
CVE-2014-125125 METASPLOIT ruby WORKING POC
A10 Networks AX Loadbalancer <2.7.0 - Path Traversal
A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion.
CVE-2013-5211 METASPLOIT ruby SCANNER
NTP Monitor List Scanner
The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
CVE-2013-10044 METASPLOIT HIGH ruby WORKING POC
OpenEMR < 4.1.1 Patch 14 - SQL Injection
An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once elevated, the attacker can exploit an unrestricted file upload flaw to achieve remote code execution, resulting in full compromise of the application and its host system.
CVSS 8.8
CVE-1999-0526 METASPLOIT ruby WORKING POC
X Server - Info Disclosure
An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.
CVE-2006-0987 METASPLOIT ruby SCANNER
ISC Bind - Denial of Service
The default configuration of ISC BIND before 9.4.1-P1, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses.
CVE-2008-5191 METASPLOIT ruby WORKING POC
SePortal 2.4 - SQL Injection
Multiple SQL injection vulnerabilities in SePortal 2.4 allow remote attackers to execute arbitrary SQL commands via the (1) poll_id parameter to poll.php and the (2) sp_id parameter to staticpages.php.
CVE-2014-1903 METASPLOIT ruby WORKING POC
FreePBX <2.9.0.14, <2.10.1.15, <2.11.0.23, <12.0.1alpha22 - RCE
admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.
CVE-2014-1683 METASPLOIT ruby WORKING POC
SkyBlueCanvas CMS <1.1 r248-04 - RCE
The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name, (2) email, (3) subject, or (4) message parameter to index.php.
CVE-2009-0545 METASPLOIT ruby WORKING POC
ZeroShell <1.0beta11 - Command Injection
cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
CVE-2015-7709 METASPLOIT ruby WORKING POC
Western Digital Arkeia <11.0.12 - Command Injection
The arkeiad daemon in the Arkeia Backup Agent in Western Digital Arkeia 11.0.12 and earlier allows remote attackers to bypass authentication and execute arbitrary commands via a series of crafted requests involving the ARKFS_EXEC_CMD operation.
CVE-2014-125121 METASPLOIT ruby WORKING POC
Array Networks vAPV/vxAG <8.3.2.17-9.2.0.34 - Privilege Escalation
Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise.