Metasploit Exploits
3,295 exploits tracked across all sources.
NextGEN Gallery < 2.1.15 - Path Traversal via Path Selection
The NextGEN Gallery plugin before 2.1.15 for WordPress allows ../ Directory Traversal in path selection.
by Sathish Kumar
CVSS 6.5
EmbedThis GoAhead <3.4.1 - Path Traversal
EmbedThis GoAhead 3.0.0 through 3.4.1 does not properly handle path segments starting with a . (dot), which allows remote attackers to conduct directory traversal attacks, cause a denial of service (heap-based buffer overflow and crash), or possibly execute arbitrary code via a crafted URI.
by Matthew Daley
Accellion File Transfer Appliance < fta_9_11_200 - Path Traversal via Statecode Cookie
Directory traversal vulnerability in the template function in function.inc in Accellion File Transfer Appliance devices before FTA_9_11_210 allows remote attackers to read arbitrary files via a .. (dot dot) in the statecode cookie.
by hdm
CVSS 7.5
TVT NVMS-1000 Firmware - Path Traversal via GET Request
TVT NVMS-1000 devices allow GET /.. Directory Traversal.
by Numan Türle, Dhiraj Mishra
CVSS 7.5
HP-UX - Unauthenticated Remote Login via Default Null Password
A Unix account has a default, null, blank, or missing password.
Subscribe to Comments for WordPress <=2.1.2 - Local File Inclusion
The Subscribe to Comments for WordPress plugin is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the Path to header value. This allows authenticated attackers, with administrative privileges and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This same function can also be used to execute arbitrary PHP code.
CVSS 7.2
Apache httpd <2.4.28 - Use After Free
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
by Hanno Böck, h00die
CVSS 7.5
Dolibarr 16.0.0-16.0.4 - Unauthenticated Database Dump via Contact File Access
An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.
by Vladimir TOUTAIN, Nolan LOSSIGNOL-DRILLIEN
CVSS 7.5
Novell File Reporter 1.0.2 - Path Traversal
Directory traversal vulnerability in NFRAgent.exe in Novell File Reporter 1.0.2 allows remote attackers to read arbitrary files via a 126 /FSF/CMD request with a .. (dot dot) in a FILE element of an FSFUI record.
by juan vazquez
Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal
Oracle GlassFish Server Open Source Edition 4.1 is vulnerable to both an authenticated and an unauthenticated Directory Traversal vulnerability that can be exploited by issuing a specially crafted HTTP GET request.
by Trustwave SpiderLabs, Dhiraj Mishra
CVSS 7.5
Red Hat Linux - Username Enumeration via Apache UserDir Error Code Discrepancy
Apache on Red Hat Linux with the UserDir directive enabled generates different error codes when a username exists and there is no public_html directory and when the username does not exist, which could allow remote attackers to determine valid usernames on the server.
Jenkins CLI RMI Java Deserialization Vulnerability
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
by altonjx, Jeffrey Cap
CVSS 9.8
Oracle Demantra Demand Management - Info Disclosure
Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.1, 12.2.2, and 12.2.3 allows remote attackers to affect confidentiality via unknown vectors related to DM Others.
by Oliver Gruskovnjak
HP-UX - Unauthenticated Remote Login via Default Null Password
A Unix account has a default, null, blank, or missing password.
by hdm
Apache ActiveMQ <5.3.2 and <5.4.0 - Info Disclosure
The Jetty ResourceHandler in Apache ActiveMQ 5.x before 5.3.2 and 5.4.x before 5.4.0 allows remote attackers to read JSP source code via a // (slash slash) initial substring in a URI for (1) admin/index.jsp, (2) admin/queues.jsp, or (3) admin/topics.jsp.
by Veerendra G.G, juan vazquez
Novell ZENworks Asset Management 7.5 - Info Disclosure
The rtrlet web application in the Web Console in Novell ZENworks Asset Management (ZAM) 7.5 uses a hard-coded username of Ivanhoe and a hard-coded password of Scott for the (1) GetFile_Password and (2) GetConfigInfo_Password operations, which allows remote attackers to obtain sensitive information via a crafted rtrlet/rtr request for the HandleMaintenanceCalls function.
by juan vazquez
HP Intelligent Management Center < 5.2 E0401 - Remote Information Disclosure, Data Modification, or Denial of Service
Unspecified vulnerability in HP Intelligent Management Center (iMC) and Intelligent Management Center for Automated Network Manager (ANM) before 5.2 E0401 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors, aka ZDI-CAN-1612.
ES File Explorer File Manager < 4.1.9.7.4 - Unauthenticated Arbitrary File Read via TCP Port 59777
The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network. This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.
by 小荷才露尖尖角, moonbocal, fs0c131y, h00die
CVSS 8.1
Symantec Messaging Gateway 9.5.x - Authenticated Path Traversal via Log Export or Backup Restore
Multiple directory traversal vulnerabilities in the management console in Symantec Messaging Gateway (SMG) 9.5.x allow remote authenticated users to read arbitrary files via a .. (dot dot) in the (1) logFile parameter in a logs action to brightmail/export or (2) localBackupFileSelection parameter in an APPLIANCE restoreSource action to brightmail/admin/restore/download.do.
Linknat VOS Manager <2.1.9.07 - Path Traversal
A path traversal vulnerability exists in Linknat VOS Manager versions prior to 2.1.9.07, including VOS2009 and early VOS3000 builds, that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability is accessible via multiple localized subpaths such as '/eng/', '/chs/', or '/cht/', where the 'js/lang_en_us.js' or equivalent files are loaded. By injecting encoded traversal sequences such as '%c0%ae%c0%ae' into the request path, attackers can bypass input validation and disclose sensitive files.
by Nixawk
Apache HTTP Server 1.3.x-1.3.42, 2.0.x-2.0.64, 2.2.x-2.2.21 - SSRF via Malformed URI with @
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
by chao-mu
Canon MG3100/MG5300/MG6100/MP495/MX340/MX870/MX890/MX920/MX922 - Cleartext Wi-Fi PSK Exposure
English/pages_MacUS/wls_set_content.html on the Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers shows the Wi-Fi PSK passphrase in cleartext, which allows physically proximate attackers to obtain sensitive information by reading the screen of an unattended workstation.
by Matt
GNU Bash through 4.3 bash43-026 - Remote Code Execution via Environment Variable Function Parsing
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
by Stephane Chazelas, wvu, lcamtuf
CVSS 8.8
Ruby on Rails 2.3.x-2.3.15 and 3.0.x-3.0.19 - Remote Code Execution via YAML Deserialization
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
by jjarmoc, hdm
ManageEngine ServiceDesk Plus <= 8.0.0.12 - Path Traversal via FileDownload.jsp FILENAME Parameter
Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0.0.12 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the FILENAME parameter. NOTE: this might overlap the US-CERT VU#543310 issue.