Metasploit Exploits

3,228 exploits tracked across all sources.

CVE-2014-9727 METASPLOIT ruby
AVM Fritz!Box - RCE
AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm.
by Unknown
CVE-2025-24016 METASPLOIT CRITICAL ruby
Wazuh server remote code execution caused by an unsafe deserialization vulnerability.
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in a DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
CVSS 9.9
CVE-2013-2578 METASPLOIT ruby
TP-Link IP Cameras <LM.1.6.18P12_sign6 - RCE
cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the ServerName parameter and (2) other unspecified parameters.
by Nicholas Starke
CVE-2023-46818 METASPLOIT HIGH ruby
ISPConfig language_edit.php PHP Code Injection
An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
by syfi, Egidio Romano
CVSS 7.2
CVE-2023-36255 METASPLOIT HIGH ruby
Eramba Limited <3.19.1 - RCE
An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.
by Trovent Security GmbH, Sergey Makarov, Stefan Pietsch, Niklas Rubel, msutovsky-r7
CVSS 8.8
CVE-2023-41892 METASPLOIT CRITICAL ruby
Craft CMS unauthenticated Remote Code Execution (RCE)
Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.
CVSS 10.0
CVE-2019-12840 METASPLOIT HIGH ruby
Webmin < 1.910 - OS Command Injection
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
by AkkuS <Özkan Mustafa Akkuş>
CVSS 8.8
CVE-2000-0248 METASPLOIT ruby
Red Hat Linux Piranha - Command Injection
The web GUI for the Linux Virtual Server (LVS) software in the Red Hat Linux Piranha package has a backdoor password that allows remote attackers to execute arbitrary commands.
by aushack
CVE-2019-7256 METASPLOIT CRITICAL ruby
Linear eMerge E3-Series - Command Injection
Linear eMerge E3-Series devices allow Command Injections.
CVSS 9.8
CVE-2013-2028 METASPLOIT ruby
F5 Nginx < 1.4.0 - Out-of-Bounds Write
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.
by Greg MacManus, hal, saelo
CVE-2021-22005 METASPLOIT CRITICAL ruby
Vmware Cloud Foundation < 5.0 - Path Traversal
The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
by George Noseevich, Sergey Gerasimov, VMware, Derek Abdine, wvu
CVSS 9.8
CVE-2025-4653 METASPLOIT HIGH ruby
Pandora ITSM authenticated command injection leading to RCE via the backup function
Improper Neutralization of Special Elements in the backup name field may allow OS command injection. This issue affects Pandora ITSM 5.0.105.
CVE-2014-8361 METASPLOIT CRITICAL ruby
Realtek SDK - RCE
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request, as exploited in the wild through 2023.
CVSS 9.8
CVE-2012-10048 METASPLOIT HIGH ruby
Zenoss Core 3.x - Command Injection
Zenoss Core 3.x contains a command injection vulnerability in the showDaemonXMLConfig endpoint. The daemon parameter is passed directly to a Popen() call in ZenossInfo.py without proper sanitization, allowing authenticated users to execute arbitrary commands on the server as the zenoss user.
by bcoles
CVE-2022-36446 METASPLOIT CRITICAL ruby
Webmin <1.997 - XSS
software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command.
by Christophe De La Fuente, Emir Polat
CVSS 9.8
CVE-2014-8686 METASPLOIT CRITICAL ruby
CodeIgniter <2.2.0 - Info Disclosure
CodeIgniter before 2.2.0 makes it easier for attackers to decode session cookies by leveraging fallback to a custom XOR-based encryption scheme when the Mcrypt extension for PHP is not available.
CVSS 9.8
CVE-2017-6334 METASPLOIT HIGH ruby
Netgear Dgn2200 Series Firmware < 10.0.0.50 - OS Command Injection
dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the host_name field of an HTTP POST request, a different vulnerability than CVE-2017-6077.
by thecarterb, SivertPL
CVSS 8.8
CVE-2019-10669 METASPLOIT HIGH ruby
Librenms < 1.47 - OS Command Injection
An issue was discovered in LibreNMS through 1.47. There is a command injection vulnerability in html/includes/graphs/device/collectd.inc.php where user-supplied parameters are filtered with the mysqli_real_escape_string function. This function is not appropriate for sanitizing command arguments, as it does not escape a number of command-line syntax characters such as ` (backtick), allowing an attacker to inject commands into the variable $rrd_cmd, which gets executed via passthru().
by Eldar Marcussen, Shelby Pace
CVSS 7.2
CVE-2021-21307 METASPLOIT HIGH ruby
Lucee Server <5.3.7.47-5.3.6.68-5.3.5.96 - RCE
Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator.
by rootxharsh, iamnoooob, wvu
CVSS 8.6
CVE-2016-10108 METASPLOIT CRITICAL ruby
Western Digital MyCloud unauthenticated command injection
Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.
by Erik Wynter, Steven Campbell, Remco Vermeulen
CVSS 9.8
CVE-2021-21985 METASPLOIT CRITICAL ruby
Vmware Vcenter Server < 3.10.2.1 - SSRF
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
by Ricter Z, wvu
CVSS 9.8
CVE-2021-33549 METASPLOIT HIGH ruby
Multiple Camera Devices - Buffer Overflow
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to a stack-based buffer overflow condition in the action parameter, which may allow an attacker to remotely execute arbitrary code.
by Titouan Lazard - RandoriSec, Ibrahim Ayadhi - RandoriSec
CVSS 7.2
CVE-2005-2799 METASPLOIT ruby
Linksys WRT54G <4.20.7 - Buffer Overflow
Buffer overflow in apply.cgi in Linksys WRT54G 3.01.03, 3.03.6, and possibly other versions before 4.20.7, allows remote attackers to execute arbitrary code via a long HTTP POST request.
CVE-2015-5082 METASPLOIT ruby
Endian Firewall < 2.5.1 - Command Injection
Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi.
by Ben Lincoln
CVE-2025-32432 METASPLOIT CRITICAL ruby
CraftCMS - Remote Code Execution
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
by Nicolas Bourras (Orange Cyberdefense), Valentin Lobstein
CVSS 10.0