Nomisec Exploits

22,699 exploits tracked across all sources.

Sort: Activity Stars
CVE-2023-46818 NOMISEC HIGH
ISPConfig language_edit.php PHP Code Injection
An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
by bipbopbup
17 stars
CVSS 7.2
CVE-2024-7029 NOMISEC HIGH
AVTECH AVM1203 Firmware < fullimg-1023-1007-1011-1009 - Unauthenticated OS Command Injection
Commands can be injected over the network and executed without authentication.
by geniuszly
8 stars
CVSS 8.8
CVE-2024-1207 NOMISEC CRITICAL
WP Booking Calendar <= 9.9 - Unauthenticated SQL Injection via calendar_request_params[dates_ddmmyy_csv]
The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
by sahar042
CVSS 9.8
CVE-2024-43363 NOMISEC HIGH
Cacti < 1.2.28 - Authenticated Remote Code Execution via Log Poisoning
Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
by p33d
4 stars
CVSS 7.2
CVE-2024-47176 NOMISEC MEDIUM
OpenPrinting cups-browsed - Attacker-Controlled IPP Request Server-Side Request Forgery
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
by lkarlslund
7 stars
CVSS 5.3
CVE-2024-47176 NOMISEC MEDIUM
OpenPrinting cups-browsed - Attacker-Controlled IPP Request Server-Side Request Forgery
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
by GO0dspeed
7 stars
CVSS 5.3
CVE-2017-7269 NOMISEC CRITICAL
Internet Information Services 6.0 - Remote Code Execution via WebDAV PROPFIND Request
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
by geniuszly
4 stars
CVSS 9.8
CVE-2024-24590 NOMISEC HIGH
Allegro AI's ClearML <1.14.2 - Code Injection
Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with.
by j3r1ch0123
CVSS 8.0
CVE-2024-47176 NOMISEC MEDIUM
OpenPrinting cups-browsed - Attacker-Controlled IPP Request Server-Side Request Forgery
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
by MalwareTech
66 stars
CVSS 5.3
CVE-2022-2414 NOMISEC HIGH
Dogtag PKI - XML External Entity File Disclosure via Crafted HTTP Request
Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.
by geniuszly
3 stars
CVSS 7.5
CVE-2020-6287 NOMISEC CRITICAL
SAP NetWeaver AS JAVA - Missing Authentication Check
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
by dylvie
1 stars
CVSS 10.0
CVE-2024-45409 NOMISEC CRITICAL
ruby-saml <=1.12.2 and 1.13.0-1.16.0 - Unauthenticated SAML Signature Verification Bypass
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
by synacktiv
83 stars
CVSS 10.0
CVE-2023-35985 NOMISEC HIGH
Foxit Reader 12.1.3.15356 - Code Injection
An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to a failure to properly validate a dangerous extension. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted malicious site if the browser plugin extension is enabled.
by SpiralBL0CK
4 stars
CVSS 8.8
CVE-2023-3519 NOMISEC CRITICAL
Citrix NetScaler ADC and Gateway - Unauthenticated Remote Code Execution
Unauthenticated remote code execution
by dhammerg
5 stars
CVSS 9.8
CVE-2019-9193 NOMISEC HIGH
PostgreSQL 9.3-11.2 - Authenticated OS Command Injection via COPY TO/FROM PROGRAM
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.
by geniuszly
4 stars
CVSS 7.2
CVE-2020-9484 NOMISEC HIGH
Apache Tomcat < 7.0.108 - Insecure Deserialization
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
by savsch
1 stars
CVSS 7.0
CVE-2019-0217 NOMISEC HIGH
Apache HTTP Server < 2.4.38 - Authentication Bypass via Race Condition in mod_auth_digest
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
by savsch
CVSS 7.5
CVE-2024-46278 NOMISEC HIGH
Teedy 1.11 - Cross-Site Scripting via Management Console
Teedy 1.11 is vulnerable to Cross Site Scripting (XSS) via the management console.
by ayato-shitomi
1 stars
CVSS 8.4
CVE-2024-8309 NOMISEC CRITICAL
langchain-ai/langchain <0.2.5 - SQL Injection
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.
by liadlevy
3 stars
CVSS 9.8
CVE-2024-38472 NOMISEC HIGH
Apache HTTP Server 2.4.0-2.4.59 - Server-Side Request Forgery via UNC Path Handling
SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue.  Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.
by mrmtwoj
123 stars
CVSS 7.5
CVE-2023-38709 NOMISEC HIGH
Apache HTTP Server <= 2.4.58 - HTTP Response Splitting via Faulty Input Validation
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.
by mrmtwoj
123 stars
CVSS 7.3
CVE-2021-43798 NOMISEC HIGH
Grafana Plugin Path Traversal
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
by 0xSAZZAD
2 stars
CVSS 7.5
CVE-2023-35854 NOMISEC CRITICAL
ManageEngine ADSelfService Plus <= 6113 - Authentication Bypass via Session Token Theft
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."
by bluestarry33
1 stars
CVSS 9.8
CVE-2024-28116 NOMISEC HIGH
Grav < 1.7.45 - Authenticated Server-Side Template Injection
Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.
by geniuszly
7 stars
CVSS 8.8
CVE-2024-47176 NOMISEC MEDIUM
OpenPrinting cups-browsed - Attacker-Controlled IPP Request Server-Side Request Forgery
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
by gumerzzzindo
CVSS 5.3