Ruby Exploits
5,920 exploits tracked across all sources.
Linux kernel <3.19.0-21.21 - Privilege Escalation
The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.
by h00die <[email protected]>, rebel
CVSS 7.8
Linux Kernel 4.6.3 Netfilter Privilege Escalation
The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.
by h00die <[email protected]>, vnik, Jesse Hertz, Tim Newsham
CVSS 7.8
libuser <0.56.13-8 & 0.60 <0.60-7 - DoS
libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges.
by Qualys, bcoles
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.
by Tavis Ormandy, zx2c4, I Can, t Race You Either, Marco Ivaldi, Todor Donev, bcoles
2021 Ubuntu Overlayfs LPE
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.
by g1vi, h00die, bwatters-r7, gardnerapp
CVSS 8.8
GameOver(lay) Privilege Escalation and Container Escape
On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.
by g1vi, h00die, bwatters-r7, gardnerapp
CVSS 7.8
Zimbra Collaboration Suite <8.6-8.8 - SSRF
Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
by An Trinh, Khanh Viet Pham, Jacob Robles
CVSS 7.5
vRealize Operations Manager <8.4 - Privilege Escalation
Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.
by Egor Dimitrenko, wvu
CVSS 6.5
Vinchin Backup And Recovery < 7.0 - Command Injection
VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain a command injection vulnerability.
by Gregory Boddin (LeakIX), Valentin Lobstein
CVSS 9.8
Arris Vap2500 Firmware < 08.41 - Authentication Bypass
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.
by HeadlessZeke
Unraid 6.8.0 - Auth Bypass
Unraid 6.8.0 allows authentication bypass.
by Nicolas CHATELAIN <[email protected]>
CVSS 7.5
Kaseya Unitrends Backup < 10.1 - Authentication Bypass
It was discovered that the Unitrends Backup (UB) before 10.1.0 user interface was exposed to an authentication bypass, which then could allow an unauthenticated user to inject arbitrary commands into its /api/hosts parameters using backquotes.
by Cale Smith, Benny Husted, Jared Arave, h00die
CVSS 9.8
Billion 5200w-t Firmware - OS Command Injection
The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is only accessible by an authenticated user. The vulnerability is in the logSet.asp page and can be exploited through the ServerIP parameter. Authentication can be achieved by exploiting CVE-2017-18371.
by Pedro Ribeiro <[email protected]>
CVSS 8.8
Trendmicro Interscan Web Security Virtual Appliance - Path Traversal
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to disclose sensitive informatoin on affected installations.
by Mehmet Ince <[email protected]>
CVSS 7.5
Trend Micro InterScan Web Security Virtual Appliance 6.5 - RCE
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this vulnerability.
by Mehmet Ince <[email protected]>
CVSS 8.8
Trendmicro Interscan Messaging Securi... - Command Injection
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the "T" parameter within modTMCSS Proxy. Formerly ZDI-CAN-4745.
by mr_me <[email protected]>, Mehmet Ince <[email protected]>
CVSS 8.8
Trendmicro Interscan Messaging Security Virtual Appliance < 9.1 - XSS
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS.
by mr_me <[email protected]>, Mehmet Ince <[email protected]>
CVSS 6.1
Traccar - Unrestricted File Upload
Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.
by Michael Heinzl, yiliufeng168, Naveen Sunkavally
CVSS 8.5
TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
CVSS 7.5
TerraMaster TOS 4.2.15 or lower - RCE chain from unauthenticated to root via session crafting.
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.
CVSS 9.8
Terramaster F4-210, F2-210 TOS 4.2.X - Info Disclosure
In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to login as guest.
CVSS 8.1
Terra-master Terramaster Operating System - OS Command Injection
An unauthenticated command-execution vulnerability exists in TerraMaster TOS through 4.2.06 via shell metacharacters in the Event parameter in include/makecvs.php during CSV creation.
CVSS 9.8
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none
by M. Cory Billington
Salesagility Suitecrm < 7.11.19 - Unrestricted File Upload
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.
by M. Cory Billington
CVSS 8.8
CodeIgniter <3.0 & Kohana 3.2.3-3.3.2 - Code Injection
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
CVSS 9.8
By Source