Nomisec Exploits
22,706 exploits tracked across all sources.
netconsd < 0.2 - Heap Memory Corruption via Integer Overflow in parse_packet
netconsd prior to v0.2 was vulnerable to an integer overflow in its parse_packet function. A malicious individual could leverage this overflow to create heap memory corruption with attacker controlled data.
by pingjuiliao
CVSS 9.8
FUXA 1.1.13 - Remote Code Execution via /api/runscript Endpoint
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.
by btar1gan
CVSS 9.8
TuomoKu SPx-GC <= 1.3.0 child_process.js - Remote Code Execution
An issue in TuomoKu SPx-GC v.1.3.0 and before allows a remote attacker to execute arbitrary code via the child_process.js function.
by merbinr
CVSS 9.8
todesk 1.1 - SQL Injection via News Parameter
SQL Injection vulnerability in todesk v.1.1 allows a remote attacker to execute arbitrary code via the /todesk.com/news.html parameter.
by sshipanoo
CVSS 9.8
Apache OFBiz XML-RPC Java Deserialization
The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code
by AhmedMansour93
CVSS 9.8
sqlpad < 6.10.1 - Remote Code Execution via Template Injection in Connection Test Endpoint
Template injection in connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1.
by Robocopsita
Cisco IOX XE Unauthenticated RCE Chain
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
by AhmedMansour93
CVSS 10.0
Java OpenWire - Deserialization RCE
The Java OpenWire protocol marshaller is vulnerable to Remote Code
Execution. This vulnerability may allow a remote attacker with network
access to either a Java-based OpenWire broker or client to run arbitrary
shell commands by manipulating serialized class types in the OpenWire
protocol to cause either the client or the broker (respectively) to
instantiate any class on the classpath.
Users are recommended to upgrade
both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3
which fixes this issue.
by Arlenhiack
Sudo Heap-Based Buffer Overflow
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
by acidburn2049
CVSS 7.8
ServiceNow Vancouver and Washington DC - Unauthenticated Remote Code Execution
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
by 0xWhoami35
CVSS 9.8
ConnectWise ScreenConnect < 23.9.8 - Authentication Bypass
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel
vulnerability, which may allow an attacker direct access to confidential information or
critical systems.
by AhmedMansour93
CVSS 10.0
PHP CGI Argument Injection Remote Code Execution
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
by phirojshah
PHP CGI Argument Injection Remote Code Execution
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
by AhmedMansour93
CVSS 9.8
Sharepoint Dynamic Proxy Generator Unauth RCE
Microsoft SharePoint Server Elevation of Privilege Vulnerability
by AhmedMansour93
CVSS 9.8
F5 BIG-IP iControl RCE via REST Authentication Bypass
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
by impost0r
CVSS 9.8
macOS 12.0-12.7.0 - Unprotected User Data Exposure via Path Handling Issue
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.1, macOS Monterey 12.7.1, macOS Ventura 13.6.1. An app may be able to modify protected parts of the file system.
by Trigii
WooCommerce Photo Reviews Premium <1.3.13.2 - Auth Bypass
The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully.
by PolatBey
CVSS 9.8
flusity-CMS 2.33 - Remote Code Execution via edit_addon_post.php
An issue in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via a crafted script to the edit_addon_post.php component.
by hapa3
CVSS 9.8
Anji-plus AJ-Report <1.4.1 - SQL Injection
A vulnerability, which was classified as critical, was found in anji-plus AJ-Report up to 1.4.1. Affected is an unknown function of the file /dataSet/testTransform;swagger-ui. The manipulation of the argument dynSentence leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-266268.
by droyuu
Apache OFBiz <18.12.16 - SSRF/Code Injection
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 18.12.16.
Users are recommended to upgrade to version 18.12.16, which fixes the issue.
by Avento
CVSS 9.8
Apache Struts 2.3.x < 2.3.32 and 2.5.x < 2.5.10.1 - Remote Code Execution via Jakarta Multipart Parser
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
by kloutkake
Qualitor <= 8.24 - Remote Code Execution via Arbitrary File Upload in checkAcesso.php
Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.
by extencil
Havoc 0.7 - Unauthenticated Server-Side Request Forgery via Demon Callback
An Unauthenticated Server-Side Request Forgery (SSRF) in demon callback handling in Havoc 2 0.7 allows attackers to send arbitrary network traffic originating from the team server.
by chebuya
Spring Cloud Data Flow < 2.11.4 - Authenticated Arbitrary File Write via Skipper Server API
In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file system which could lead to compromising the server
by vuhz
Log4Shell HTTP Header Injection
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
by safeer-accuknox
CVSS 10.0
By Source