Nomisec Exploits
22,664 exploits tracked across all sources.
Rafed CMS Website 1.44 - Cross-Site Scripting via index.php
A cross-site scripting (XSS) vulnerability in the component index.php of Rafed CMS Website v1.44 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
by bigzooooz
7-Zip 24.09 - Mark-of-the-Web Bypass Code Execution
7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.
by ishwardeepp
magnusbilling 6.0.0-7.2.9 - Unauthenticated OS Command Injection
Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via unauthenticated HTTP request.
by tinashelorenzi
Apache Druid < 0.20.0 - Authenticated Remote Code Execution via JavaScript Code Injection
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
by gps1949
CVSS 8.8
wpDiscuz 7.0-7.0.4 - Unauthenticated Remote Code Execution via File Upload
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.
by GazettEl
CVSS 10.0
Fortinet FortiMail <6.4.0, 6.2.0-6.2.4 - DoS
A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiMail version 6.4.0, version 6.2.0 through 6.2.4 and before 6.0.9 allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.
by chessredoffsec
Windows Hyper-V NT Kernel Integration VSP - Elevation of Privilege via Heap-based Buffer Overflow
Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
by aleongx
CVSS 7.8
Microsoft Office CVE-2017-11882
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
by xdrake1010
CVSS 7.8
WPFactory EAN for WooCommerce <4.8.9 - Privilege Escalation
Improper Privilege Management vulnerability in WPFactory EAN for WooCommerce allows Privilege Escalation.This issue affects EAN for WooCommerce: from n/a through 4.8.9.
by pashayogi
W3 Total Cache <= 2.7.5 - Unauthenticated Sensitive Information Exposure via Google OAuth API Secrets
The W3 Total Cache plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.5 via Google OAuth API secrets stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to impersonate W3 Total Cache and gain access to user account information in successful conditions. This would not impact the WordPress users site in any way.
by spyata123
CVSS 3.7
WordPress Really Simple SSL Plugin Authentication Bypass to RCE
The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
by sharafu-sblsec
CVSS 9.8
W3 Total Cache < 0.9.2.8 - Remote PHP Code Execution
WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability
by spyata123
CVSS 9.8
wpweb WooCommerce PDF Vouchers <4.9.9 - Privilege Escalation
Incorrect Privilege Assignment vulnerability in wpweb WooCommerce PDF Vouchers woocommerce-pdf-vouchers allows Privilege Escalation.This issue affects WooCommerce PDF Vouchers: from n/a through < 4.9.9.
by pashayogi
CVSS 9.8
MultiVendorX <4.2.0 - Privilege Escalation
The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to privilege escalation/de-escalation and account takeover due to an insufficient capability check on the update_item_permissions_check and create_item_permissions_check functions in all versions up to, and including, 4.2.0. This makes it possible for unauthenticated attackers to change the password of any user with the vendor role, create new users with the vendor role, and demote other users like administrators to the vendor role.
by pashayogi
CVSS 9.8
W3 Total Cache <= 2.8.1 - Unauthenticated Sensitive Information Exposure via Debug Log File
The W3 Total Cache plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.8.1 through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For example, the log file may contain nonce values that can be used in further CSRF attacks.
Note: the debug feature must be enabled for this to be a concern, and it is disabled by default.
by spyata123
CVSS 5.3
W3 Total Cache <= 2.8.1 - Authenticated Missing Authorization in is_w3tc_admin_page
The W3 Total Cache plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_w3tc_admin_page function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the plugin's nonce value and perform unauthorized actions, resulting in information disclosure, service plan limits consumption as well as making web requests to arbitrary locations originating from the web application that can be used to query information from internal services, including instance metadata on cloud-based applications.
by spyata123
CVSS 8.5
W3 Total Cache <0.9.4 - Info Disclosure
pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data.
by spyata123
CVSS 7.5
pymatgen < 2024.2.20 - Remote Code Execution via JonesFaithfulTransformation.from_transformation_str()
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.
by 9carlo6
Archer Platform <6.14.00202.10024 - Privilege Escalation
In Archer Platform 6 through 6.14.00202.10024, an authenticated user with record creation privileges can manipulate immutable fields, such as the creation date, by intercepting and modifying a Copy request via a GenericContent/Record.aspx?id= URI. NOTE: the Supplier analyzed the reported exploitation steps and found that, although the user can modify the immutable field, upon switching to View mode the field is reverted to its original value, without anything being saved to the database (and consequently there is no impact).
by NastyCrow
CVSS 1.8
Apache 2.4.49/2.4.50 Traversal RCE
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
by Vanshuk-Bhagat
CVSS 9.8
Spring WebMvc.fn and WebFlux.fn 6.1.0-6.1.13 - Path Traversal via Static Resource Handling
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
by skrkcb2
CVSS 7.5
UVDesk Community Skeleton v1.1.1 - Unauthenticated Login Brute Force
UVDesk Community Skeleton v1.1.1 allows unauthenticated attackers to perform brute force attacks on the login page to gain access to the application.
by oussama-binike
CVSS 9.8
Sudo Heap-Based Buffer Overflow
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
by Sornphut
CVSS 7.8
Ivanti Connect Secure <22.7R2.5 - RCE
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
by punitdarji
Windows 10 1507-24H2 and Windows Server 2012-2016 - Active Directory Domain Services Elevation of Privilege
Active Directory Domain Services Elevation of Privilege Vulnerability
by ahmedumarehman
By Source