Metasploit Exploits

3,299 exploits tracked across all sources.

CVE-2021-26855 METASPLOIT CRITICAL ruby
Microsoft Exchange ProxyLogon RCE
Microsoft Exchange Server Remote Code Execution Vulnerability
by Orange Tsai, GreyOrder, mekhalleh (RAMELLA Sébastien)
CVSS 9.1
CVE-2016-10134 METASPLOIT CRITICAL ruby
Zabbix <2.2.14, <3.0.4 - SQL Injection
SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.
CVSS 9.8
CVE-2016-3321 METASPLOIT LOW ruby
Microsoft Internet Explorer 10 and 11 - Information Disclosure via HTML5 Sandbox IFrame
Microsoft Internet Explorer 10 and 11 load different files for attempts to open a file:// URL depending on whether the file exists, which allows local users to enumerate files via vectors involving a file:// URL and an HTML5 sandbox iframe, aka "Internet Explorer Information Disclosure Vulnerability."
CVSS 2.5
CVE-2013-1814 METASPLOIT ruby
Apache Rave 0.11-0.20 - Authenticated Sensitive Information Exposure via User RPC API
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.
by Andreas Guth, juan vazquez
CVE-2021-42258 METASPLOIT CRITICAL ruby
BQE BillQuick Web Suite 2018-2021 < 22.0.9.1 - Unauthenticated SQL Injection via txtID Parameter
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
by h00die
CVSS 9.8
CVE-1999-0526 METASPLOIT ruby
X.org X11 - Unauthenticated Access Control Bypass via xhost Command
An X server's access control is disabled (e.g. through an "xhost +" command) and allows anyone to connect to the server.
by h00die, nir tzachar
CVE-2017-5521 METASPLOIT HIGH ruby
NETGEAR R8500-R8000 - Info Disclosure
An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices. They are prone to password disclosure via simple crafted requests to the web management server. The bug is exploitable remotely if the remote management option is set, and can also be exploited given access to the router over LAN or WLAN. When trying to access the web panel, a user is asked to authenticate; if the authentication is canceled and password recovery is not enabled, the user is redirected to a page that exposes a password recovery token. If a user supplies the correct token to the page /passwordrecovered.cgi?id=TOKEN (and password recovery is not enabled), they will receive the admin password for the router. If password recovery is set the exploit will fail, as it will ask the user for the recovery questions that were previously set when enabling that feature. This is persistent (even after disabling the recovery option, the exploit will fail) because the router will ask for the security questions.
by Simon Kenin, thecarterb
CVSS 8.1
CVE-2013-7331 METASPLOIT MEDIUM ruby
Internet Explorer - Information Disclosure via Microsoft.XMLDOM ActiveX Error Codes
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.
by Soroush Dalili, sinn3r
CVSS 6.5
CVE-2025-58360 METASPLOIT HIGH ruby
GeoServer WMS GetMap XXE Arbitrary File Read
GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.
by xbow-security
CVSS 8.2
CVE-2015-0072 METASPLOIT ruby
Internet Explorer 9-11 - Universal Cross-Site Scripting via IFRAME Redirect and WindowProxy Eval
Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element that triggers a redirect, a second IFRAME element that does not trigger a redirect, and an eval of a WindowProxy object, aka "Universal XSS (UXSS)."
by David Leo, filedescriptor, joev, sinn3r
CVE-2014-5383 METASPLOIT ruby
AlienVault OSSIM < 4.7.0 - Authenticated SQL Injection
SQL injection vulnerability in AlienVault OSSIM before 4.7.0 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
CVE-2020-11532 METASPLOIT CRITICAL ruby
ManageEngine ADAudit Plus Xnode Enumeration
Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of the admin user.
by Sahil Dhar, Erik Wynter
CVSS 9.8
CVE-2014-0224 METASPLOIT HIGH ruby
SSL Labs API Client
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
CVSS 7.4
CVE-2019-5418 METASPLOIT HIGH ruby
Ruby On Rails File Content Disclosure (
There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.
by Carter Brainerd, John Hawthorn
CVSS 7.5
CVE-2024-28995 METASPLOIT HIGH ruby
SolarWinds Serv-U - Directory Traversal
SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow access to read sensitive files on the host machine.
by sfewer-r7, Hussein Daher
CVSS 8.6
CVE-2012-4554 METASPLOIT ruby
Drupal 7.x < 7.16 - Arbitrary File Read via OpenID Module XRDS DOCTYPE Declaration
The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.
by Reginaldo Silva, juan vazquez
CVE-2023-5350 METASPLOIT CRITICAL ruby
SuiteCRM < 7.14.1 - SQL Injection
SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1.
by Exodus Intelligence, jheysel-r7, Redouane NIBOUCHA
CVSS 9.1
CVE-2021-27850 METASPLOIT CRITICAL ruby
Apache Tapestry 5.4.0-5.6.2 and 5.7.0 - Unauthenticated Remote Code Execution via Asset File URL Blacklist Bypass
A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class`, which contains an HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/`. The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.
by Johannes Moritz
CVSS 9.8
CVE-2013-6031 METASPLOIT ruby
Huawei E355 Firmware 21.157.37.01.910 - Unauthenticated Sensitive Information Disclosure via API
The Huawei E355 adapter with firmware 21.157.37.01.910 does not require authentication for API pages, which allows remote attackers to change passwords and settings, or obtain sensitive information, via a direct request to (1) api/wlan/security-settings, (2) api/device/information, (3) api/wlan/basic-settings, (4) api/wlan/mac-filter, (5) api/monitoring/status, or (6) api/dhcp/settings.
by Jimson K James
CVE-2017-8835 METASPLOIT CRITICAL ruby
Peplink Balance 305, 380, 580, 710, 1350, and 2500 Firmware < 7.0.1-build2093 - SQL Injection via bauth Cookie
SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a session ID can be retrieved from the sessions database.
by X41 D-Sec GmbH
CVSS 9.8
CVE-2012-10024 METASPLOIT HIGH ruby
XBMC/Media Center < 11.0 - Authenticated Path Traversal via HTTP Server URI
XBMC version 11.0 contains a path traversal vulnerability in its embedded HTTP server. When accessed via HTTP Basic Authentication, the server fails to properly sanitize URI input, allowing authenticated users to request files outside the intended document root. An attacker can exploit this flaw to read arbitrary files from the host filesystem, including sensitive configuration or credential files.
by sinn3r, acidgen, hostess (used sinn3r's yaws_traversal exploit as a skeleton)
CVE-2013-3982 METASPLOIT ruby
IBM Sametime 8.x-8.5.2.1 and 9.x-9.0.0.1 - Unauthenticated Exposure of Sensitive Information via Public Page
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to obtain unspecified installation information and technical data via a request to a public page.
by kicks4kittens
CVE-2015-0922 METASPLOIT ruby
McAfee ePolicy Orchestrator < 4.6.9 and 5.x < 5.1.2 - Authenticated Credential Exposure via Shared Secret Key
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.
CVE-2017-5154 METASPLOIT CRITICAL ruby
Advantech WebAccess 8.1 Post Authentication Credential Collector
An issue was discovered in Advantech WebAccess Version 8.1. To be able to exploit the SQL injection vulnerability, an attacker must supply malformed input to the WebAccess software. A successful attack could result in administrative access to the application and its data files.
by h00die, sinn3r
CVSS 9.8
CVE-2023-6020 METASPLOIT HIGH ruby
Ray < 2.8.1 - Unauthenticated Local File Inclusion via Static Directory
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.
by byt3bl33d3r, danmcinerney, Takahiro Yokoyama
CVSS 7.5