Nomisec Exploits

22,720 exploits tracked across all sources.

Sort: Activity Stars
CVE-2024-27198 NOMISEC CRITICAL
TeamCity < 2023.11.4 - Authentication Bypass
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
by HPT-Intern-Task-Submission
CVSS 9.8
CVE-2022-37706 NOMISEC HIGH
Ubuntu Enlightenment Mount Priv Esc
enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.
by TACTICAL-HACK
CVSS 7.8
CVE-2024-32002 NOMISEC CRITICAL
Git <2.45.1-2.39.4 - Code Injection
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
by TSY244
CVSS 9.0
CVE-2024-32002 NOMISEC CRITICAL
Git <2.45.1-2.39.4 - Code Injection
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
by TSY244
CVSS 9.0
CVE-2024-27198 NOMISEC CRITICAL
TeamCity < 2023.11.4 - Authentication Bypass
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
by Stuub
34 stars
CVSS 9.8
CVE-2023-20872 NOMISEC HIGH
VMware Fusion and Workstation - Out-of-bounds Write in SCSI CD/DVD Device Emulation
VMware Workstation and Fusion contain an out-of-bounds read/write vulnerability in SCSI CD/DVD device emulation.
by ze0r
25 stars
CVSS 8.8
CVE-2023-22960 NOMISEC HIGH
Lexmark B2236 Firmware < mslsg.081.233 - Improper Access Control
Lexmark products through 2023-01-10 have Improper Control of Interaction Frequency.
by t3l3machus
90 stars
CVSS 7.5
CVE-2024-40725 NOMISEC MEDIUM
Apache HTTP Server <2.4.61 - Info Disclosure
A partial fix for  CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
by TAM-K592
83 stars
CVSS 5.3
CVE-2016-6187 NOMISEC HIGH
Linux kernel <4.6.5 - Privilege Escalation
The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 4.6.5 does not validate the buffer size, which allows local users to gain privileges by triggering an AppArmor setprocattr hook.
by Milo-D
7 stars
CVSS 7.8
CVE-2015-1397 NOMISEC
Magento CE/EE 1.9.1.0-1.14.1.0 - SQL Injection
SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary SQL commands via the popularity[field_expr] parameter when the popularity[from] or popularity[to] parameter is set.
by Wytchwulf
CVE-2021-21239 NOMISEC MEDIUM
PySAML2 <6.5.0 - Improper Signature Verification
PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only _x509 certificates_ for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0.
by RyanBoomer30
CVSS 6.5
CVE-2023-1389 NOMISEC HIGH
TP-Link Archer AX21 Firmware < 1.1.4 - Unauthenticated Command Injection via Country Parameter
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
by Voyag3r-Security
16 stars
CVSS 8.8
CVE-2014-1266 NOMISEC HIGH
Apple iOS 6.x-7.0.5, macOS 10.9.x, tvOS 6.x - Improper Certificate Validation
The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by (1) using an arbitrary private key for the signing step or (2) omitting the signing step.
by meetlight942
CVSS 7.4
CVE-2022-30780 NOMISEC HIGH
lighttpd 1.4.56-1.4.58 - Denial of Service via Large Header Processing
Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.
by xiw1ll
CVSS 7.5
CVE-2022-0155 NOMISEC MEDIUM
follow-redirects < 1.14.7 - Exposure of Private Personal Information to an Unauthorized Actor
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
by coana-tech
CVSS 6.5
CVE-2024-22274 NOMISEC HIGH
VMware vCenter Server - Authenticated Appliance Shell Command Execution
The vCenter Server contains an authenticated remote code execution vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system.
by Mustafa1986
CVSS 7.2
CVE-2021-3773 NOMISEC CRITICAL
Linux Kernel < 5.14 - Exposure of Sensitive Information via netfilter
A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.
by d0rb
CVSS 9.8
CVE-2024-5084 NOMISEC CRITICAL
Hash Form - Drag & Drop Form Builder <= 1.1.0 - Unauthenticated Arbitrary File Upload via file_upload_action Function
The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
by Chocapikk
8 stars
CVSS 9.8
CVE-2018-7600 NOMISEC CRITICAL
Drupal Drupalgeddon 2 Forms API Property Injection
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
by raytran54
CVSS 9.8
CVE-2023-24871 NOMISEC HIGH
Windows 10 20H2-22H2 and Windows 11 21H2-22H2 - Remote Code Execution via Bluetooth Service Integer Overflow
Windows Bluetooth Service Remote Code Execution Vulnerability
by ynwarcs
50 stars
CVSS 8.8
CVE-2023-23388 NOMISEC HIGH
Windows Bluetooth Driver - Privilege Escalation
Windows Bluetooth Driver Elevation of Privilege Vulnerability
by ynwarcs
7 stars
CVSS 8.8
CVE-2024-41640 NOMISEC MEDIUM
AML Surety Eco <= 3.5 - Cross-Site Scripting via ID Parameter
Cross Site Scripting (XSS) vulnerability in AML Surety Eco up to 3.5 allows an attacker to run arbitrary code via crafted GET request using the id parameter.
by alemusix
CVSS 6.1
CVE-2023-30800 NOMISEC HIGH
MikroTik RouterOS 6.0-6.49.9 - Unauthenticated Denial of Service via HTTP Request
The web server used by MikroTik RouterOS version 6 is affected by a heap memory corruption issue. A remote and unauthenticated attacker can corrupt the server's heap memory by sending a crafted HTTP request. As a result, the web interface crashes and is immediately restarted. The issue was fixed in RouterOS 6.49.10 stable. RouterOS version 7 is not affected.
by griffinsectio
CVSS 7.5
CVE-2024-40119 NOMISEC HIGH
Nepstech Wifi Router xpon NTPL-Xpon1GFEVN v.1.0 Firmware V2.0.1 - Cross-Site Request Forgery in Password Change Function
Nepstech Wifi Router xpon (terminal) model NTPL-Xpon1GFEVN v.1.0 Firmware V2.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the password change function, which allows remote attackers to change the admin password without the user's consent, leading to a potential account takeover.
by baroi-ai
CVSS 8.8
CVE-2023-38408 NOMISEC CRITICAL
OpenSSH < 9.3p2 - Remote Code Execution via PKCS#11 Untrusted Search Path
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
by mrtacojr
1 stars
CVSS 9.8