Metasploit Exploits
3,221 exploits tracked across all sources.
Cacti 1.2.22 unauthenticated command injection
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`.
This command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch.
by Stefan Schiller, Steven Seeley, Owen Gong, Erik Wynter
CVSS 9.8
IPFire 2.25-core155 - Privilege Escalation
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.
by Mücahit Saratar <[email protected]>, Grant Willcox
CVSS 8.8
Micro Focus Operation Bridge Reporter <10.40 - RCE
Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow Remote Code Execution on the OBR server.
CVSS 9.8
Apache HugeGraph-Server - Remote Command Execution
RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11
Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.
by 6right, jheysel-r7
CVSS 9.8
Jenkins <2.56-<2.46.1 LTS - RCE
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
by SSD, Unknown, Shelby Pace
CVSS 9.8
Unraid <6.8.0 - RCE
Unraid through 6.8.0 allows Remote Code Execution.
by Nicolas CHATELAIN <[email protected]>
CVSS 9.8
D-Link Routers - Remote Code Execution via ping.ccp
The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to execute arbitrary code via the ping_addr parameter to ping.ccp.
CVSS 9.8
Linksys router <v2.0.03 - Command Injection
An authenticated OS command injection vulnerability exists in various Linksys router models (tested on WRT160Nv2) running firmware version v2.0.03 via the apply.cgi endpoint. The web interface fails to properly sanitize user-supplied input passed to the ping_size parameter during diagnostic operations. An attacker with valid credentials can inject arbitrary shell commands, enabling remote code execution.
Appsmith < 1.52 - Code Injection
An issue was discovered in Appsmith before 1.52. An incorrectly configured PostgreSQL instance in the Appsmith image leads to remote command execution inside the Appsmith Docker container. The attacker must be able to access Appsmith, login to it, create a datasource, create a query against that datasource, and execute that query.
by Whit Taylor (Rhino Security Labs), Takahiro Yokoyama
CVSS 9.8
Qnap Q'center < 1.7.1063 - OS Command Injection
Command injection vulnerability in change password of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.
by Ivan Huertas, bcoles
CVSS 7.2
Billion 5200w-t Firmware - OS Command Injection
The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.
by Pedro Ribeiro <[email protected]>
CVSS 9.8
Skyvern SSTI Remote Code Execution
Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks such as the Navigation v2 Block. Improper sanitization of Jinja2 template input allows authenticated users to inject crafted expressions that are evaluated on the server, leading to blind remote code execution (RCE).
by Cristian Branet, msutovsky-r7
CVSS 8.5
Anyscale Ray - SSRF
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
by sierrabearchell, byt3bl33d3r <[email protected]>, Takahiro Yokoyama
CVSS 9.8
Apache Nifi < 1.22.0 - Code Injection
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution.
The resolution validates the Database URL and rejects H2 JDBC locations.
You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
by h00die, Matei, Badanoiu
CVSS 8.8
Riverbed SteelCentral NetProfiler & NetExpress <10.8.7 - RCE
An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the '/api/common/1.0/login' endpoint can be exploited to create a new user account in the appliance database. This user can then trigger a command injection vulnerability in the '/index.php?page=licenses' endpoint to execute arbitrary commands. The attacker may escalate privileges to root by exploiting an insecure sudoers configuration that allows the 'mazu' user to execute arbitrary commands as root via SSH key extraction and command chaining. Successful exploitation allows full remote root access to the virtual appliance.
OpenTSDB - RCE
OpenTSDB is a open source, distributed, scalable Time Series Database (TSDB). OpenTSDB is vulnerable to Remote Code Execution vulnerability by writing user-controlled input to Gnuplot configuration file and running Gnuplot with the generated configuration. This issue has been patched in commit `07c4641471c` and further refined in commit `fa88d3e4b`. These patches are available in the `2.4.2` release. Users are advised to upgrade. User unable to upgrade may disable Gunuplot via the config option`tsd.core.enable_ui = true` and remove the shell files `mygnuplot.bat` and `mygnuplot.sh`.
by Gal Goldstein, Daniel Abeles, Erik Wynter
CVSS 9.8
Autosectools V-cms - Code Injection
Unrestricted file upload vulnerability in includes/inline_image_upload.php in AutoSec Tools V-CMS 1.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in temp/.
by AutoSec Tools, sinn3r
Dlink Dwl-2600ap Firmware < 4.2.0.15 - OS Command Injection
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Restore Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_restore configRestore or configServerip parameter.
by RAKI BEN HAMOUDA, Nick Starke
CVSS 7.8
Netsweeper <6.4.3 - RCE
Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.
by wvu
CVSS 9.8
PostgreSQL - SQL Injection
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
by sfewer-r7
CVSS 8.1
D-Link DSP-W215 <1.01b06 - Buffer Overflow
Stack-based buffer overflow in the do_hnap function in www/my_cgi.cgi in D-Link DSP-W215 (Rev. A1) with firmware 1.01b06 and earlier, DIR-505 with firmware before 1.08b10, and DIR-505L with firmware 1.01 and earlier allows remote attackers to execute arbitrary code via a long Content-Length header in a GetDeviceSettings action in an HNAP request.
by Craig Heffner
D-Link DIR-605L Wireless N300 Cloud Router <1.13 - Buffer Overflow
A stack-based buffer overflow vulnerability exists in D-Link DIR-605L Wireless N300 Cloud Router firmware versions 1.12 and 1.13 via the getAuthCode() function. The flaw arises from unsafe usage of sprintf() when processing user-supplied CAPTCHA data via the FILECODE parameter in /goform/formLogin. A remote unauthenticated attacker can exploit this to execute arbitrary code with root privileges on the device.
by Craig Heffner, juan vazquez
CVSS 9.8
Apache Spark < 2.4.0 - Authentication Bypass
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.
by Fengwei Zhang, Imran Rashid, aRe00t
CVSS 4.2
BentoML v1.4.2 - RCE
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. It exists an unsafe code segment in serde.py. This vulnerability is fixed in 1.4.3.
by c2an1, Takahiro Yokoyama
CVSS 9.8
Rejected
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-19518. Reason: This candidate is a reservation duplicate of CVE-2018-19518. Notes: All CVE users should reference CVE-2018-19518 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage
by Anton Lopanitsyn, Twoster, h00die, Paolo Serracino, Pietro Minniti, Damiano Proietti
By Source