Nomisec Exploits
22,570 exploits tracked across all sources.
JBoss WildFly Application Server 9.x - Path Traversal via ServletResourceManager
A flaw was found in Wildfly 9.x. A path traversal vulnerability through the org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource method could lead to information disclosure of arbitrary local files.
by shoucheng3
CVSS 5.5
OWASP json-sanitizer < 1.2.1 - Cross-Site Scripting via SCRIPT Element Confusion
OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls a substring of the input JSON, and controls another substring adjacent to a SCRIPT element in which the output is embedded as JavaScript, may be able to confuse the HTML parser as to where the SCRIPT element ends, and cause non-script content to be interpreted as JavaScript.
by shoucheng3
CVSS 6.1
Apache DolphinScheduler <2.0.6 - Info Disclosure
Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
by shoucheng3
CVSS 6.5
Apache Commons IO - Path Traversal via FileNameUtils.normalize
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
by shoucheng3
CVSS 4.8
Apache JSPWiki 2.9.0-2.11.0.M2 - Path Traversal via Specially Crafted URL
A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details.
by shoucheng3
CVSS 7.5
alibaba one-java-agent-plugin < 0.0.2 - Arbitrary File Write via Zip Slip Archive Extraction
All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.
by shoucheng3
CVSS 6.9
Tomcat Partial PUT Java Deserialization
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions
may also be affected.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
by thebringerofdeath789
CVSS 9.8
Eclipse Vert.x <3.5.3 - Path Traversal
In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems.
by shoucheng3
CVSS 9.8
Apache RocketMQ - Remote Command Execution
The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1.
When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function on the NameServer component to execute commands as the system users that RocketMQ is running as.
It is recommended for users to upgrade their NameServer version to 5.1.2 or above for RocketMQ 5.x or 4.9.7 or above for RocketMQ 4.x to prevent these attacks.
by shoucheng3
CVSS 9.8
Apache Tika 0.9-1.18 - Path Traversal via Embedded File with Absolute Path
In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.
by shoucheng3
CVSS 5.9
sqlpad < 6.10.1 - Remote Code Execution via Template Injection in Connection Test Endpoint
Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1.
by LipeOzyy
Jenkins Perfecto Plugin <1.17 - Command Injection
Jenkins Perfecto Plugin 1.17 and earlier executes a command on the Jenkins controller, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller
by shoucheng3
CVSS 8.8
Eclipse Hawkbit <0.3.0M7 - Info Disclosure
In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non existing resource will return the full path from the given URL unescaped to the client.
by shoucheng3
CVSS 6.1
Below < 0.9.0 - Privilege Escalation via World-Writable Log Directory
A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.
by umutatalar
Below < 0.9.0 - Privilege Escalation via World-Writable Log Directory
A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.
by umutcamliyurt
netdata 1.44.0-60-1.45.0-169 and 1.45.0-1.45.3 - Local Privilege Escalation via PATH Environment Variable Manipulation
Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
by sPhyos
CVSS 8.8
Nacos 2.0.3 - Cross-Site Scripting via Auth Users Page Parameters
A Cross Site Scripting (XSS) vulnerability exists in Nacos 2.0.3 in auth/users via the (1) pageSize and (2) pageNo parameters.
by shoucheng3
CVSS 6.1
DSpace < 3.6, 4.0-4.5 - Path Traversal via XMLUI Themes Path
The XMLUI feature in DSpace before 3.6, 4.x before 4.5, and 5.x before 5.5 allows directory traversal via the themes/ path in an attack with two or more arbitrary characters and a colon before a pathname, as demonstrated by a themes/Reference/aa:etc/passwd URI.
by shoucheng3
CVSS 7.5
CureKit 1.0.1-1.1.3 - Path Traversal via isFileOutsideDir Input Sanitization Bypass
In CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal as the function isFileOutsideDir fails to sanitize the user input which may lead to path traversal.
by shoucheng3
CVSS 7.5
Payara < 4.1.2.191.36 and < 5.2022.3 - Unauthenticated Path Traversal
Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded.
by shoucheng3
CVSS 7.5
Apache RocketMQ 4.2.0-4.6.0 - Path Traversal via Automatic Topic Creation
In Apache RocketMQ 4.2.0 to 4.6.0, when the automatic topic creation in the broker is turned on by default, an evil topic like “../../../../topic2020” is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability. Users of the affected versions should apply one of the following: Upgrade to Apache RocketMQ 4.6.1 or later.
by shoucheng3
CVSS 5.3
Apache Shiro < 1.12.0 - Path Traversal and Authentication Bypass via Non-Normalized Request Routing
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
by shoucheng3
CVSS 9.8
Apache Tapestry 5.4.0-5.4.4 and tapestry-core 5.4.0-5.4.5 - Path Traversal via Backslash Character
Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter the character `\`, so attacker can perform a path traversal attack to read any files on Windows platform.
by shoucheng3
CVSS 7.5
Jenkins Git Client Plugin < 2.8.4 - OS Command Injection via Git ls-remote URL Argument
Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.
by shoucheng3
CVSS 8.8
Qualcomm AQT1000 and FastConnect Firmware - Memory Corruption via Unauthorized GPU Micronode Command Execution
Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.
by zhuowei
By Source