Python Exploits
5,746 exploits tracked across all sources.
Sentry 8.2.0 - Remote Code Execution (RCE) (Authenticated)
by Mohin Paramasivam
Opencats < 0.9.4-3 - XXE
lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. The attacker must upload a file in the docx or odt format.
by Jake Ruston
CVSS 7.5
Filerun 2021.03.26 - Remote Code Execution (RCE) (Authenticated)
by syntegris information solutions GmbH
e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)
by Halit AKAYDIN
Yenkee Yms 3029 Firmware - Out-of-Bounds Write
Yenkee Hornet Gaming Mouse driver GM312Fltr.sys contains a buffer overrun vulnerability that allows attackers to crash the system by sending oversized input. Attackers can exploit the driver by sending a 2000-byte buffer through DeviceIoControl to trigger a kernel-level system crash.
by Quadron Research Lab
CVSS 7.5
Websitebaker - Unrestricted File Upload
WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve remote code execution on the server.
by Halit AKAYDIN
CVSS 8.8
Online Food Ordering System - Unrestricted File Upload
Remote Code Exection (RCE) vulnerability exists in Sourcecodester Online Food Ordering System 2.0 via a maliciously crafted PHP file that bypasses the image upload filters.
by Abdullah Khawaja
CVSS 9.8
Church Management System - Unrestricted File Upload
Remote Code Execution (RCE) vulnerability exists in Sourcecodester Church Management System 1.0 via the image upload field.
by Abdullah Khawaja
CVSS 9.8
Booster For Woocommerce < 5.4.3 - Authentication Bypass
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Email Verification module to be active in the plugin and the Login User After Successful Verification setting to be enabled, which it is by default.
by 0xB455
CVSS 9.8
Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
by boku
ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)
by Halit AKAYDIN
Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)
by Halit AKAYDIN
AlphaWeb XE - File Upload Remote Code Execution (RCE) (Authenticated)
by Ricardo Ruiz
Purchase Order Management System 1.0 - Remote File Upload
by Aryan Chehreghani
PHPGurukul AVMS <1.0 - SQL Injection
SQL injection vulnerability in PHPGurukul Apartment Visitors Management System (AVMS) v. 1.0 allows attackers to execute arbitrary SQL statements and to gain RCE.
by mari0x00
CVSS 9.8
Facebook Parlai < 1.1.0 - Insecure Deserialization
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.
by Abhiram V
CVSS 9.8
Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
by spacehen
Windows IIS HTTP Protocol Stack DOS
HTTP Protocol Stack Remote Code Execution Vulnerability
by Y5neKO
Oracle WebLogic Server <14.1.1.0.0 - RCE
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
by Y5neKO
Netlogon Weak Cryptographic Authentication
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).
When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
by Y5neKO
CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
by Y5neKO
Oracle WebLogic Server - Info Disclosure
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586.
by Y5neKO
Oracle Virtual Desktop Infrastructure - Insecure Deserialization
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
by Y5neKO
Oracle WebLogic Server <10.3.6.0 - Info Disclosure
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect confidentiality via vectors related to WLS - Web Services.
by Y5neKO
6 stars
Phpmyadmin < 3.3.10.2 - Code Injection
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."
by Y5neKO
6 stars
By Source