Metasploit Exploits
3,294 exploits tracked across all sources.
Apache Tomcat 7.0.0-7.0.99, 8.5.0-8.5.50, 9.0.0.M1-9.0.0.30 - Remote Code Execution via AJP File Read and JSP Processing
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
by A Security Researcher of Chaitin Tech, SunCSR Team
CVSS 9.8
Red Hat CloudForms 5.1 / ManageIQ <=5.0 SQL Injection via miq_policy Profile
SQL injection vulnerability in the miq_policy controller in Red Hat CloudForms 2.0 Management Engine (CFME) 5.1 and ManageIQ Enterprise Virtualization Manager 5.0 and earlier allows remote authenticated users to execute arbitrary SQL commands via the profile[] parameter in an explorer action.
vBulletin 4.1 and 5 - Unauthenticated Administrative Account Creation via install/upgrade.php
The install/upgrade.php scripts in vBulletin 4.1 and 5 allow remote attackers to create administrative accounts via the customerid, htmldata[password], htmldata[confirmpassword], and htmldata[email] parameters, as exploited in the wild in October 2013.
by Unknown, juan vazquez
MantisBT < 2.3.0 - Unauthenticated Arbitrary Password Reset via Empty Confirm Hash
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
by John (hyp3rlinx) Page, Julien (jvoisin) Voisin
CVSS 8.8
ManageEngine Applications Manager <11.9/OpManager 8-11.5/IT360 <=10.5 - Unauthenticated Arbitrary File Read
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
CVSS 7.5
ManageEngine Netflow Analyzer 8.6-10.2 and IT360 10.3 - Path Traversal via schFilePath Parameter
Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.
WP Symposium < 15.7 - SQL Injection via Size Parameter
SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the size parameter to get_album_item.php.
by PizzaHatHacker
Ulterius Server < 1.9.5.0 - Directory Traversal
The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ulterius before 1.9.5.0 allows HTTP server directory traversal.
by Rick Osgood, Jacob Robles
CVSS 7.5
TYPO3 News module <5.3.2 - SQL Injection
SQL injection vulnerability in NewsController.php in the News module 5.3.2 and earlier for TYPO3 allows unauthenticated users to execute arbitrary SQL commands via vectors involving overwriteDemand for order and OrderByAllowed.
by Marco Rivoli, Charles Fol
CVSS 9.8
Cisco IOX XE Unauthenticated RCE Chain
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
by sfewer-r7
CVSS 10.0
Cambium Networks cnPilot <4.3.2-R4 - Path Traversal
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, the 'ping' and 'traceroute' functions of the web administrative console expose a file path traversal vulnerability, accessible to all authenticated users.
CVSS 8.8
Cisco IOX XE Unauthenticated RCE Chain
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
by sfewer-r7
CVSS 10.0
Arris / Motorola Surfboard SBG6580 Web Interface Takeover
The web interface for the Arris / Motorola Surfboard SBG6580 has several vulnerabilities that, when combined, allow an arbitrary website to take control of the modem, even if the user is not currently logged in. The attacker must successfully know, or guess, the target's internal gateway IP address. This is usually a default value of 192.168.0.1. First, a hardcoded backdoor account was discovered in the source code of one device with the credentials "technician/yZgO8Bvj". Due to lack of CSRF in the device's login form, these credentials - along with the default "admin/motorola" - can be sent to the device by an arbitrary website, thus inadvertently logging the user into the router. Once successfully logged in, a persistent XSS vulnerability is exploited in the firewall configuration page. This allows injection of Javascript that can perform any available action in the router interface. The following firmware versions have been tested as vulnerable: SBG6580-6.5.2.0-GA-06-077-NOSH, and SBG6580-8.6.1.0-GA-04-098-NOSH
by joev
Cambium Networks cnPilot <4.3.2-R4 - Privilege Escalation
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path https://<device-ip-or-hostname>/adm/syscmd.asp.
CVSS 8.8
WhatsUp Gold SQL Injection (CVE-2024-6670)
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
by Michael Heinzl, Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
CVSS 9.8
Linksys WRT54GL 4.30.18.006 - Command Injection
There is a command injection vulnerability in the Linksys WRT54GL router with firmware version 4.30.18.006. If an attacker gains web management privileges, they can inject commands into the post request parameters wl_ant, wl_rate, WL_atten_ctl, ttcp_num, ttcp_size in the httpd s Start_EPI() function, thereby gaining shell privileges.
CVSS 7.2
ZOHO WebNMS Framework <5.2-5.2 SP1 - Path Traversal
Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
CVSS 7.5
Novell File Reporter <= 1.0.4.2 - Arbitrary File Deletion via SRS OPERATION 4 CMD 5 Request
NFRAgent.exe in Novell File Reporter 1.0.4.2 and earlier allows remote attackers to delete arbitrary files via a full pathname in an SRS OPERATION 4 CMD 5 request to /FSF/CMD.
by Luigi Auriemma, juan vazquez
TYPO3 <4.0.12-4.3alpha1 - Info Disclosure
The jumpUrl mechanism in class.tslib_fe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret (juHash) in an error message, which allows remote attackers to read arbitrary files by including the hash in a request.
NETGEAR Management System NMS300 <1.5.0.11 - RCE
Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-1.0/external/flash/fileUpload.do to upload a JSP file, and then accessing it via a direct request for a /null URI.
CVSS 9.6
WP EasyCart 1.1.30-3.0.20 - Unauthenticated Privilege Escalation and RCE via option_name/option_value
The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyCart plugin 1.1.30 through 3.0.20 for WordPress allow remote attackers to gain administrator privileges and execute arbitrary code via the option_name and option_value parameters.
by rastating
CVSS 8.8
Wordpress POST SMTP Account Takeover
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover. CVE-2023-52233 appears to be a duplicate of this issue.
by h00die, Ulysses Saicha
CVSS 9.8
Linksys E1200 and E2500 Firmware - OS Command Injection via Router Name Parameter
Devices in the Linksys ESeries line of routers (Linksys E1200 Firmware Version 2.0.09 and Linksys E2500 Firmware Version 3.0.04) are susceptible to OS command injection vulnerabilities due to improper filtering of data passed to and retrieved from NVRAM. Data entered into the 'Router Name' input field through the web portal is submitted to apply.cgi as the value to the 'machine_name' POST parameter. When the 'preinit' binary receives the SIGHUP signal, it enters a code path that continues until it reaches offset 0x0042B5C4 in the 'start_lltd' function. Within the 'start_lltd' function, a 'nvram_get' call is used to obtain the value of the user-controlled 'machine_name' NVRAM entry. This value is then entered directly into a command intended to write the host name to a file and subsequently executed.
CVSS 7.2
TYPO3 4.0.0-4.0.9 4.1.0-4.1.7 4.2.0-4.2.3 - Use of Insufficiently Random Values in System Extension Install Tool
The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key.
by Chris John Riley
CVSS 7.5
Axigen Free Mail Server - Path Traversal
Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote attackers to read or delete arbitrary files via a .. (dot dot) in (1) the fileName parameter in a download action to source/loggin/page_log_dwn_file.hsp, or the fileName parameter in (2) an edit action or (3) a delete action to the default URI.
by Zhao Liang, juan vazquez
By Source