Nomisec Exploits

22,697 exploits tracked across all sources.

Sort: Activity Stars
CVE-2013-0156 NOMISEC
Ruby on Rails JSON Processor YAML Deserialization Code Execution
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
by oxben10
CVE-2021-21425 NOMISEC CRITICAL
Grav Admin Plugin < 1.10.8 - Unauthenticated Arbitrary YAML Write via Administrator Controller
Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command under the context of the web-server user. This vulnerability is fixed in version 1.10.8. Blocking access to the `/admin` path from untrusted sources can be applied as a workaround.
by bluetoothStrawberry
1 stars
CVSS 9.3
CVE-2024-50972 NOMISEC HIGH
Itsourcecode Construction Management System 1.0 - SQL Injection via borrow_id Parameter
A SQL injection vulnerability in printtool.php of Itsourcecode Construction Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the borrow_id parameter.
by Akhlak2511
CVSS 7.2
CVE-2024-50971 NOMISEC HIGH
Itsourcecode Construction Management System 1.0 - SQL Injection via print.php map_id Parameter
A SQL injection vulnerability in print.php of Itsourcecode Construction Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the map_id parameter.
by Akhlak2511
CVSS 7.2
CVE-2024-50970 NOMISEC HIGH
online_furniture_shopping_project 1.0 - SQL Injection via orderview1.php id Parameter
A SQL injection vulnerability in orderview1.php of Itsourcecode Online Furniture Shopping Project 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
by Akhlak2511
CVSS 8.8
CVE-2024-50969 NOMISEC MEDIUM
Code-projects Jonnys Liquor 1.0 - Reflected Cross-Site Scripting via Search Parameter
A Reflected cross-site scripting (XSS) vulnerability in browse.php of Code-projects Jonnys Liquor 1.0 allows remote attackers to inject arbitrary web scripts or HTML via the search parameter.
by Akhlak2511
CVSS 6.1
CVE-2024-10629 NOMISEC HIGH
GPX Viewer <= 2.2.9 - Authenticated Arbitrary File Creation via gpxv_file_upload()
The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible.
by RandomRobbieBF
CVSS 8.8
CVE-2015-1328 NOMISEC HIGH
Linux kernel <3.19.0-21.21 - Privilege Escalation
The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.
by YastrebX
CVSS 7.8
CVE-2022-21661 NOMISEC HIGH
WordPress 3.7-3.7.36 - SQL Injection via WP_Query
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.
by w0r1i0g1ht
CVSS 8.0
CVE-2024-50968 NOMISEC HIGH
iSourcecode Agri-Trading Online Shopping System 1.0 - Info Disclosure
A business logic vulnerability exists in the Add to Cart function of itsourcecode Agri-Trading Online Shopping System 1.0, which allows remote attackers to manipulate the quant parameter when adding a product to the cart. By setting the quantity value to -0, an attacker can exploit a flaw in the application's total price calculation logic. This vulnerability causes the total price to be reduced to zero, allowing the attacker to add items to the cart and proceed to checkout.
by Akhlak2511
CVSS 7.5
CVE-2024-25292 NOMISEC CRITICAL
martinbarker/rendertune 1.1.4 - Cross-Site Scripting via Upload Title Parameter
Cross-site scripting (XSS) vulnerability in RenderTune v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Upload Title parameter.
by EQSTLab
2 stars
CVSS 9.6
CVE-2023-1999 NOMISEC MEDIUM
libwebp 0.4.2-1.3.0 - Use-After-Free in ApplyFiltersAndEncode
There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.
by Pazhanivelmani
CVSS 5.3
CVE-2024-50251 NOMISEC MEDIUM
Linux Kernel 4.5-6.11.6 - DoS via nft_payload Offset/Length Check Bypass
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_payload: sanitize offset and length before calling skb_checksum() If access to offset + length is larger than the skbuff length, then skb_checksum() triggers BUG_ON(). skb_checksum() internally subtracts the length parameter while iterating over skbuff, BUG_ON(len) at the end of it checks that the expected length to be included in the checksum calculation is fully consumed.
by slavin-ayu
2 stars
CVSS 6.2
CVE-2016-6328 NOMISEC HIGH
libexif < 0.6.22 - Integer Overflow in MNOTE Entry Parsing
A vulnerability was found in libexif. An integer overflow when parsing the MNOTE entry data of the input file. This can cause Denial-of-Service (DoS) and Information Disclosure (disclosing some critical heap chunk metadata, even other applications' private data).
by Pazhanivelmani
CVSS 8.1
CVE-2023-2603 NOMISEC HIGH
libcap < 2.69 - Integer Overflow in _libcap_strdup()
A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.
by Pazhanivelmani
CVSS 7.8
CVE-2024-49368 NOMISEC CRITICAL
nginxui/nginx_ui < 2.0.0-beta.36 - OS Command Injection via Logrotate Configuration
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.
by Aashay221999
CVSS 9.8
CVE-2024-3400 NOMISEC CRITICAL
Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
by workshop748
CVSS 10.0
CVE-2019-16278 NOMISEC CRITICAL
nostromo_nhttpd <= 1.9.6 - Remote Code Execution via Directory Traversal in http_verify
Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.
by cancela24
1 stars
CVSS 9.8
CVE-2024-51026 NOMISEC MEDIUM
NetAdmin IAM 4.0.30319 - Cross-Site Scripting via BalloonSave.ashx Content Parameter
The NetAdmin IAM system (version 4.0.30319) has a Cross Site Scripting (XSS) vulnerability in the /BalloonSave.ashx endpoint, where it is possible to inject a malicious payload into the Content= field.
by BrotherOfJhonny
CVSS 5.4
CVE-2023-4220 NOMISEC HIGH
Chamilo v1.11.24 Unrestricted File Upload PHP Webshell
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
by oxapavan
1 stars
CVSS 8.1
CVE-2024-21626 NOMISEC HIGH
runc (docker) File Descriptor Leak Privilege Escalation
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
by Sk3pper
2 stars
CVSS 8.6
CVE-2024-40443 NOMISEC MEDIUM
Simple Laboratory Management System 1.0 - SQL Injection
SQL Injection vulnerability in Simple Laboratory Management System using PHP and MySQL v.1.0 allows a remote attacker to cause a denial of service via the delete_users function in the Useres.php
by Yuma-Tsushima07
CVSS 4.3
CVE-2022-33679 NOMISEC HIGH
Windows Kerberos - Privilege Escalation
Windows Kerberos Elevation of Privilege Vulnerability
by Bdenneu
415 stars
CVSS 8.1
CVE-2024-10958 NOMISEC HIGH
WP Photo Album Plus <= 8.8.08.007 - Unauthenticated Shortcode Execution via getshortcoderenderedfenodelay
The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007 . This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
by reinh3rz
1 stars
CVSS 7.3
CVE-2015-1427 NOMISEC CRITICAL
Elasticsearch <1.3.8, <1.4.3 - Command Injection
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
by Sebikea
CVSS 9.8