Nomisec Exploits

22,697 exploits tracked across all sources.

Sort: Activity Stars
CVE-2021-44228 NOMISEC CRITICAL
Log4Shell HTTP Header Injection
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
by AhmedMansour93
CVSS 10.0
CVE-2024-51665 NOMISEC MEDIUM
Noor alam Magical Addons For Elementor <1.2.1 - SSRF
Server-Side Request Forgery (SSRF) vulnerability in Noor Alam Magical Addons For Elementor magical-addons-for-elementor allows Server Side Request Forgery.This issue affects Magical Addons For Elementor: from n/a through <= 1.2.1.
by RandomRobbieBF
1 stars
CVSS 4.9
CVE-2024-10586 NOMISEC CRITICAL
Debug Tool < 2.2 - Unauthenticated Arbitrary File Creation via dbt_pull_image()
The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to to create arbitrary files such as .php files that can be leveraged for remote code execution. CVE-2024-52416 may be a duplicate of this issue.
by RandomRobbieBF
1 stars
CVSS 9.8
CVE-2024-50493 NOMISEC CRITICAL
Automatic Translation <= 1.0.4 - Arbitrary File Upload
Unrestricted Upload of File with Dangerous Type vulnerability in masterhomepage Automatic Translation automatic-translation allows Upload a Web Shell to a Web Server.This issue affects Automatic Translation: from n/a through <= 1.0.4.
by RandomRobbieBF
CVSS 10.0
CVE-2023-25813 NOMISEC CRITICAL
Sequelize < 6.19.1 - SQL Injection via Replacements
Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.
by numbbvi
CVSS 10.0
CVE-2024-4367 NOMISEC HIGH
Firefox < 126 and ESR < 115.11 - Arbitrary JavaScript Execution in PDF.js via Missing Type Check
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
by clarkio
4 stars
CVSS 8.8
CVE-2024-10914 NOMISEC HIGH
D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L - OS Command Injection via cgi_user_add name Parameter
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
by imnotcha0s
12 stars
CVSS 8.1
CVE-2017-1235 NOMISEC MEDIUM
IBM WebSphere MQ 8.0 - Authenticated Denial of Service
IBM WebSphere MQ 8.0 could allow an authenticated user to cause a premature termination of a client application thread which could potentially cause denial of service. IBM X-Force ID: 123914.
by 11k4r
CVSS 6.5
CVE-2023-38408 NOMISEC CRITICAL
OpenSSH < 9.3p2 - Remote Code Execution via PKCS#11 Untrusted Search Path
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
by kali-mx
48 stars
CVSS 9.8
CVE-2024-49607 NOMISEC CRITICAL
Redwan Hilali WP Dropbox Dropins - Unrestricted Upload
Unrestricted Upload of File with Dangerous Type vulnerability in redhopit WP Dropbox Dropins wp-dropbox-dropins allows Upload a Web Shell to a Web Server.This issue affects WP Dropbox Dropins: from n/a through <= 1.0.
by RandomRobbieBF
CVSS 10.0
CVE-2024-49681 NOMISEC CRITICAL
SWIT WP Sessions Time Monitoring Full Automatic <1.0.9 - SQL Injection
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows SQL Injection.This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <= 1.0.9.
by RandomRobbieBF
3 stars
CVSS 9.3
CVE-2024-23334 NOMISEC MEDIUM
aiohttp - Directory Traversal
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
by Arc4he
1 stars
CVSS 5.9
CVE-2024-48322 NOMISEC HIGH
Run.codes <= 1.5.2 - Time-of-check Time-of-use Race Condition in UsersController.php
UsersController.php in Run.codes 1.5.2 and older has a reset password race condition vulnerability.
by trqt
1 stars
CVSS 8.1
CVE-2023-25813 NOMISEC CRITICAL
Sequelize < 6.19.1 - SQL Injection via Replacements
Sequelize is a Node.js ORM tool. In versions prior to 6.19.1 a SQL injection exploit exists related to replacements. Parameters which are passed through replacements are not properly escaped which can lead to arbitrary SQL injection depending on the specific queries in use. The issue has been fixed in Sequelize 6.19.1. Users are advised to upgrade. Users unable to upgrade should not use the `replacements` and the `where` option in the same query.
by sea-middle
CVSS 10.0
CVE-2024-9926 NOMISEC MEDIUM
Jetpack WordPress - Info Disclosure
The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form
by m3ssap0
3 stars
CVSS 4.3
CVE-2024-9926 NOMISEC MEDIUM
Jetpack WordPress - Info Disclosure
The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoint, allowing any authenticated users, such as subscriber to read arbitrary feedbacks data sent via the Jetpack Contact Form
by m3ssap0
2 stars
CVSS 4.3
CVE-2024-50488 NOMISEC HIGH
Token Login <= 1.0.3 - Authentication Bypass
Authentication Bypass Using an Alternate Path or Channel vulnerability in yespbs Token Login token-login allows Authentication Bypass.This issue affects Token Login: from n/a through <= 1.0.3.
by RandomRobbieBF
CVSS 8.8
CVE-2024-51132 NOMISEC CRITICAL
HAPI FHIR < 6.4.0 - XML External Entity Injection via Crafted XML Request
An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities.
by JAckLosingHeart
1 stars
CVSS 9.8
CVE-2024-50473 NOMISEC CRITICAL
Ajar in5 Embed <= 3.1.3 - Unauthenticated Arbitrary File Upload
Unrestricted Upload of File with Dangerous Type vulnerability in Ajar Productions Ajar in5 Embed ajar-productions-in5-embed allows Upload a Web Shell to a Web Server.This issue affects Ajar in5 Embed: from n/a through <= 3.1.3.
by RandomRobbieBF
CVSS 10.0
CVE-2024-10470 NOMISEC CRITICAL
WPLMS Learning Management System for WordPress <= 4.962 - Arbitrary File Read/Deletion via Path Validation
The WPLMS Learning Management System for WordPress, WordPress LMS theme for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks in the readfile and unlink functions in all versions up to, and including, 4.962. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The theme is vulnerable even when it is not activated.
by RandomRobbieBF
CVSS 9.8
CVE-2024-50477 NOMISEC CRITICAL
Stacks Mobile App Builder <= 5.2.3 - Authentication Bypass
Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Authentication Bypass.This issue affects Stacks Mobile App Builder: from n/a through <= 5.2.3.
by RandomRobbieBF
CVSS 9.8
CVE-2024-50340 NOMISEC HIGH
symfony/runtime 5.3.0-5.4.45, 6.0.0-6.4.13, 7.0.0-7.1.6 - Environment Manipulation via Crafted Query String
symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.
by Nyamort
12 stars
CVSS 7.3
CVE-2024-21626 NOMISEC HIGH
runc (docker) File Descriptor Leak Privilege Escalation
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
by Sk3pper
CVSS 8.6
CVE-2022-29078 NOMISEC CRITICAL
ejs 3.1.6 - Server-Side Template Injection via outputFunctionName Option
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
by l0n3m4n
3 stars
CVSS 9.8
CVE-2024-9890 NOMISEC HIGH
WordPress User Toolkit <1.2.3 - Auth Bypass
The User Toolkit plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.3. This is due to an improper capability check in the 'switchUser' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator. CVE-2024-50503 may be a duplicate.
by RandomRobbieBF
CVSS 8.8