Ruby Exploits

6,005 exploits tracked across all sources.

CVE-2019-1653 METASPLOIT HIGH ruby
Cisco RV320 and RV325 Unauthenticated Remote Code Execution
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.
by RedTeam Pentesting GmbH, Aaron Soto
CVSS 7.5
CVE-2024-24919 METASPLOIT HIGH ruby
Check Point Quantum Gateway - Information Disclosure
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.
by remmons-r7
CVSS 8.6
CVE-2022-0169 METASPLOIT CRITICAL ruby
WordPress Photo Gallery Plugin SQL Injection (CVE-2022-0169)
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection.
by Krzysztof Zając, Valentin Lobstein, X3RX3S
CVSS 9.8
CVE-2015-3035 METASPLOIT HIGH ruby
TP-LINK Multiple Routers - Path Traversal via PATH_INFO
Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310 allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/.
CVSS 7.5
CVE-2026-21858 METASPLOIT CRITICAL ruby
n8n 1.65.0-1.120.9 - Unauthenticated Arbitrary File Read via Form-Based Workflow Execution
n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.
by dor attias, msutovsky-r7
CVSS 10.0
CVE-2020-5723 METASPLOIT CRITICAL ruby
Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump
The UCM6200 series 1.0.20.22 and below stores unencrypted user passwords in an SQLite database. This could allow an attacker to retrieve all passwords and possibly gain elevated privileges.
by jbaines-r7
CVSS 9.8
CVE-2022-38121 METASPLOIT MEDIUM ruby
UPSMON PRO - Insufficiently Protected Credentials in Configuration File
UPSMON PRO configuration file stores user password in plaintext under public user directory. A remote attacker with general user privilege can access all users' and administrators' account names and passwords via this unprotected configuration file.
by Michael Heinzl
CVSS 6.5
CVE-2021-26855 METASPLOIT CRITICAL ruby
Microsoft Exchange ProxyLogon RCE
Microsoft Exchange Server Remote Code Execution Vulnerability
by Orange Tsai, GreyOrder, mekhalleh (RAMELLA Sébastien)
CVSS 9.1
CVE-2016-10134 METASPLOIT CRITICAL ruby
Zabbix <2.2.14, <3.0.4 - SQL Injection
SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.
CVSS 9.8
CVE-2016-3321 METASPLOIT LOW ruby
Microsoft Internet Explorer 10 and 11 - Information Disclosure via HTML5 Sandbox IFrame
Microsoft Internet Explorer 10 and 11 load different files for attempts to open a file:// URL depending on whether the file exists, which allows local users to enumerate files via vectors involving a file:// URL and an HTML5 sandbox iframe, aka "Internet Explorer Information Disclosure Vulnerability."
CVSS 2.5
CVE-2013-1814 METASPLOIT ruby
Apache Rave 0.11-0.20 - Authenticated Sensitive Information Exposure via User RPC API
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.
by Andreas Guth, juan vazquez
CVE-2021-42258 METASPLOIT CRITICAL ruby
BQE BillQuick Web Suite 2018-2021 < 22.0.9.1 - Unauthenticated SQL Injection via txtID Parameter
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
by h00die
CVSS 9.8
CVE-1999-0526 METASPLOIT ruby
X.org X11 - Unauthenticated Access Control Bypass via xhost Command
An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.
by h00die, nir tzachar
CVE-2017-5521 METASPLOIT HIGH ruby
NETGEAR R8500-R8000 - Info Disclosure
An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices. They are prone to password disclosure via simple crafted requests to the web management server. The bug is exploitable remotely if the remote management option is set, and can also be exploited given access to the router over LAN or WLAN. When trying to access the web panel, a user is asked to authenticate; if the authentication is canceled and password recovery is not enabled, the user is redirected to a page that exposes a password recovery token. If a user supplies the correct token to the page /passwordrecovered.cgi?id=TOKEN (and password recovery is not enabled), they will receive the admin password for the router. If password recovery is set the exploit will fail, as it will ask the user for the recovery questions that were previously set when enabling that feature. This is persistent (even after disabling the recovery option, the exploit will fail) because the router will ask for the security questions.
by Simon Kenin, thecarterb
CVSS 8.1
CVE-2013-7331 METASPLOIT MEDIUM ruby
Internet Explorer - Information Disclosure via Microsoft.XMLDOM ActiveX Error Codes
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.
by Soroush Dalili, sinn3r
CVSS 6.5
CVE-2025-58360 METASPLOIT HIGH ruby
GeoServer WMS GetMap XXE Arbitrary File Read
GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.
by xbow-security
CVSS 8.2
CVE-2015-0072 METASPLOIT ruby
Internet Explorer 9-11 - Universal Cross-Site Scripting via IFRAME Redirect and WindowProxy Eval
Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element that triggers a redirect, a second IFRAME element that does not trigger a redirect, and an eval of a WindowProxy object, aka "Universal XSS (UXSS)."
by David Leo, filedescriptor, joev, sinn3r
CVE-2014-5383 METASPLOIT ruby
AlienVault OSSIM < 4.7.0 - Authenticated SQL Injection
SQL injection vulnerability in AlienVault OSSIM before 4.7.0 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
CVE-2020-11532 METASPLOIT CRITICAL ruby
ManageEngine ADAudit Plus Xnode Enumeration
Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user.
by Sahil Dhar, Erik Wynter
CVSS 9.8
CVE-2014-0224 METASPLOIT HIGH ruby
SSL Labs API Client
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
CVSS 7.4
CVE-2019-5418 METASPLOIT HIGH ruby
Ruby On Rails File Content Disclosure (
There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.
by Carter Brainerd, John Hawthorn
CVSS 7.5
CVE-2024-28995 METASPLOIT HIGH ruby
SolarWinds Serv-U - Directory Traversal
SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow access to read sensitive files on the host machine.
by sfewer-r7, Hussein Daher
CVSS 8.6
CVE-2012-4554 METASPLOIT ruby
Drupal 7.x < 7.16 - Arbitrary File Read via OpenID Module XRDS DOCTYPE Declaration
The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.
by Reginaldo Silva, juan vazquez
CVE-2023-5350 METASPLOIT CRITICAL ruby
SuiteCRM < 7.14.1 - SQL Injection
SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1.
by Exodus Intelligence, jheysel-r7, Redouane NIBOUCHA
CVSS 9.1
CVE-2021-27850 METASPLOIT CRITICAL ruby
Apache Tapestry 5.4.0-5.6.2 and 5.7.0 - Unauthenticated Remote Code Execution via Asset File URL Blacklist Bypass
A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.
by Johannes Moritz
CVSS 9.8