Nomisec Exploits

22,738 exploits tracked across all sources.

Sort: Activity Stars
CVE-2018-14716 NOMISEC HIGH
nystudio107 SEOmatic < 3.1.4 - Server-Side Template Injection via Canonical URL Generation
A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code.
by 0xB455
1 stars
CVSS 7.5
CVE-2021-34646 NOMISEC CRITICAL
Booster for WooCommerce <= 5.4.3 - Authentication Bypass via Email Verification Token Weakness
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Email Verification module to be active in the plugin and the Login User After Successful Verification setting to be enabled, which it is by default.
by 0xB455
1 stars
CVSS 9.8
CVE-2024-4761 NOMISEC HIGH
Google Chrome < 124.0.6367.207 - Out-of-bounds Write in V8
Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
by michredteam
4 stars
CVSS 8.8
CVE-2021-3156 NOMISEC HIGH
Sudo Heap-Based Buffer Overflow
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
by lypd0
1 stars
CVSS 7.8
CVE-2024-27804 NOMISEC MEDIUM
iPadOS < 17.5 - Denial of Service via Improper Memory Handling
The issue was addressed with improved memory handling. This issue is fixed in iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, tvOS 17.5, visionOS 1.3, watchOS 10.5. An app may be able to cause unexpected system termination.
by R00tkitSMM
139 stars
CVSS 5.5
CVE-2024-27460 NOMISEC MEDIUM
Plantronics Hub <3.25.1 - Privilege Escalation
A privilege escalation exists in the updater for Plantronics Hub 3.25.1 and below.
by Alaatk
4 stars
CVSS 6.7
CVE-2023-26360 NOMISEC HIGH
Adobe ColdFusion <2018 Update 15, 2021 Update 5 - RCE
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
by jakabakos
5 stars
CVSS 8.6
CVE-2023-24203 NOMISEC MEDIUM
Simple Customer Relationship Management System 1.0 - Cross-Site Scripting via Company or Query Parameter
Cross Site Scripting vulnerability in SourceCodester Simple Customer Relationship Management System v1.0 allows attacker to execute arbitary code via the company or query parameter(s).
by momo1239
CVSS 5.4
CVE-2024-26026 NOMISEC HIGH
F5 BIG-IP Next Central Manager 20.0.1-20.1.x - SQL Injection via API URI
An SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI).  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
by GRTMALDET
CVSS 7.5
CVE-2023-4863 NOMISEC HIGH
Google Chrome <116.0.5845.187 - Buffer Overflow
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
by LiveOverflow
52 stars
CVSS 8.8
CVE-2024-4040 NOMISEC CRITICAL
CrushFTP < 10.7.1 - Unauthenticated Server-Side Template Injection
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
by 1ncendium
CVSS 9.8
CVE-2018-10583 NOMISEC HIGH
LibreOffice 6.0.3 - Apache OpenOffice Writer 4.1.5 - Info Disclosure
An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document.
by octodi
1 stars
CVSS 7.5
CVE-2023-40000 NOMISEC HIGH
LiteSpeed Cache < 5.7 - Unauthenticated Stored Cross-Site Scripting
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through 5.7.
by iveresk
1 stars
CVSS 8.3
CVE-2024-4701 NOMISEC CRITICAL
Genie < 4.3.18 - Path Traversal and Remote Code Execution
A path traversal issue potentially leading to remote code execution in Genie for all versions prior to 4.3.18
by JoeBeeton
2 stars
CVSS 9.9
CVE-2021-44228 NOMISEC CRITICAL
Log4Shell HTTP Header Injection
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
by inettgmbh
4 stars
CVSS 10.0
CVE-2024-1561 NOMISEC HIGH
gradio-app/gradio - Info Disclosure
An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.
by DiabloHTB
3 stars
CVSS 7.5
CVE-2024-31771 NOMISEC HIGH
TotalAV <6.0.740 - Privilege Escalation
Insecure Permission vulnerability in TotalAV v.6.0.740 allows a local attacker to escalate privileges via a crafted file
by restdone
CVSS 7.8
CVE-2024-3400 NOMISEC CRITICAL
Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
by andrelia-hacks
CVSS 10.0
CVE-2024-34351 NOMISEC HIGH
Next.js 13.4.0-14.1.1 - Server-Side Request Forgery via Server Actions Redirect
Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.
by Voorivex
11 stars
CVSS 7.5
CVE-2024-22393 NOMISEC CRITICAL
Apache Answer < 1.2.5 - Authenticated Denial of Service via Large Pixel File Upload
Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause such an attack by uploading an image when posting content. Users are recommended to upgrade to version [1.2.5], which fixes the issue.
by omranisecurity
CVSS 9.1
CVE-2023-40000 NOMISEC HIGH
LiteSpeed Cache < 5.7 - Unauthenticated Stored Cross-Site Scripting
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through 5.7.
by quantiom
5 stars
CVSS 8.3
CVE-2024-32523 NOMISEC HIGH
EverPress Mailster <4.0.6 - Path Traversal
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EverPress Mailster mailster.This issue affects Mailster: from n/a through <= 4.0.6.
by tucommenceapousser
CVSS 8.1
CVE-2023-3460 NOMISEC CRITICAL
Ultimate Member <2.6.7 - Privilege Escalation
The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
by Rajneeshkarya
1 stars
CVSS 9.8
CVE-2024-1561 NOMISEC HIGH
gradio-app/gradio - Info Disclosure
An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.
by DiabloHTB
4 stars
CVSS 7.5
CVE-2024-31497 NOMISEC MEDIUM
PuTTY 0.68-0.80 - Cryptographically Weak PRNG in ECDSA Nonce Generation
In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.
by HugoBond
11 stars
CVSS 5.9