Metasploit Exploits
3,295 exploits tracked across all sources.
VICIdial Authenticated Remote Code Execution
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
by Valentin Lobstein, Jaggar Henry of KoreLogic, Inc.
CVSS 9.8
Internet Information Services 5.0-5.1 - Internal IP Address Exposure via WebDAV Methods
IIS 5 and 5.1 supporting WebDAV methods allows remote attackers to determine the internal IP address of the system (which may be obscured by NAT) via (1) a PROPFIND HTTP request with a blank Host header, which leaks the address in an HREF property in a 207 Multi-Status response, or (2) via the WRITE or MKCOL method, which leaks the IP in the Location server header.
by Heather Pilkington, Matthew Dunn - k0pak4
Emby SSRF HTTP Scanner
Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.
CVSS 9.8
Cisco NAC Manager 4.8.x - Path Traversal via TCP Port 443
Directory traversal vulnerability in Cisco Network Admission Control (NAC) Manager 4.8.x allows remote attackers to read arbitrary files via crafted traffic to TCP port 443, aka Bug ID CSCtq10755.
WordPress TI WooCommerce Wishlist SQL Injection (CVE-2024-43917)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TemplateInvaders TI WooCommerce Wishlist allows SQL Injection.This issue affects TI WooCommerce Wishlist: from n/a through 2.8.2.
by Rafie Muhammad, Valentin Lobstein
CVSS 9.3
FortiMail Unauthenticated Login Bypass Scanner
An improper authentication vulnerability in FortiMail 5.4.10, 6.0.7, 6.2.2 and earlier and FortiVoiceEntreprise 6.0.0 and 6.0.1 may allow a remote unauthenticated attacker to access the system as a legitimate user by requesting a password change via the user interface.
by Mike Connor
CVSS 9.8
Supermicro IPMI < SMT_X9_315 Authenticated Path Traversal via url_redirect.cgi
Directory traversal vulnerability in url_redirect.cgi in Supermicro IPMI before SMT_X9_315 allows authenticated attackers to read arbitrary files via the url_name parameter.
by hdm, juan vazquez
CVSS 4.3
GitLab GraphQL API User Enumeration
An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API.
by jbaines-r7, mungsul
CVSS 5.3
ManageEngine SupportCenter Plus < 7.9 - Path Traversal via WorkOrder.do Attach Parameter
Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.
LearnPress <3.2.6.7 - SQL Injection
LearnPress Wordpress plugin version prior and including 3.2.6.7 is vulnerable to SQL Injection
by h00die, Omri Herscovici, Sagi Tzadik, nhattruong
CVSS 8.8
VICIdial < 2.14b0.5-3555 - SQL Injection via AST Agent Time Sheet Agent Parameter
SQL Injection vulnerability in AST Agent Time Sheet interface ((/vicidial/AST_agent_time_sheet.php) of VICIdial via the agent parameter allows attacker to spoof identity, tamper with existing data, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. This issue affects: VICIdial 2.14b0.5 versions prior to 3555.
by h00die
CVSS 6.4
Icinga Web 2 <2.9.5 - Info Disclosure
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.
by h00die, Jacob Ebben, Thomas Chauchefoin
CVSS 7.5
RIPS Scanner <0.54 - Path Traversal
A path traversal vulnerability exists in RIPS Scanner version 0.54. The vulnerability allows remote attackers to read arbitrary files on the system with the privileges of the web server by sending crafted HTTP GET requests to the 'windows/code.php' script with a manipulated 'file' parameter. This can lead to disclosure of sensitive information.
by localh0t
Spring Cloud Config <2.2.3 & <2.1.9 - Path Traversal
Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
by Fei Lu, [email protected], Dhiraj Mishra
CVSS 7.5
Novell File Reporter <1.0.2 - Path Traversal
Absolute path traversal vulnerability in NFRAgent.exe in Novell File Reporter 1.0.2 allows remote attackers to read arbitrary files via a /FSF/CMD request with a full pathname in a PATH element of an SRS record.
by juan vazquez
HP-UX - Unauthenticated Remote Login via Default Null Password
A Unix account has a default, null, blank, or missing password.
Paid Memberships Pro < 2.9.8 - Unauthenticated SQL Injection via Order REST Route Code Parameter
The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.
by h00die, Joshua Martinelle
CVSS 9.8
HP-UX - Unauthenticated Remote Login via Default Null Password
A Unix account has a default, null, blank, or missing password.
by hdm
mTheme-Unus < 2.3 - Path Traversal via CSS File Parameter
Directory traversal vulnerability in the mTheme-Unus theme before 2.3 for WordPress allows an attacker to read arbitrary files via a .. (dot dot) in the files parameter to css/css.php.
by Khwanchai Kaewyos
CVSS 7.5
Easy WP SMTP < 1.4.4 - Administrator Account Takeover via Password Reset Link Exposure in Debug Log
The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploited in the wild in December 2020. If an attacker can list the wp-content/plugins/easy-wp-smtp/ directory, then they can discover a log file (such as #############_debug_log.txt) that contains all password-reset links. The attacker can request a reset of the Administrator password and then use a link found there.
by h00die
CVSS 7.5
NetMechanica NetDecision < 4.5.1 - Denial of Service via Long URL
Stack-based buffer overflow in the HTTP Server in NetMechanica NetDecision before 4.6.1 allows remote attackers to cause a denial of service (application crash) via a long URL in an HTTP request. NOTE: some of these details are obtained from third party information.
by Luigi Auriemma, sinn3r
Red Hat JBoss EAP <4.2.0.CP09 and <4.3.0.CP08 - Info Disclosure
Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression.
by Tyler Krpata, Zach Grace <@ztgrace>
Exim GHOST (glibc gethostbyname) Buffer Overflow
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
by Robert Rowley, Christophe De La Fuente, Chaim Sanders, Felipe Costa, Jonathan Claudius, Karl Sigler, Christian Mehlmauer
Syncovery <9.47x - Privilege Escalation
An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens.
by Jan Rude
CVSS 9.8
Wordpress RegistrationMagic task_ids Authenticated SQLi
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue
by h00die, Hacker5preme (Ron Jost)
CVSS 7.2
By Source