Nomisec Exploits
22,770 exploits tracked across all sources.
PMB 7.4.8 - Remote Code Execution via start_import.php File Upload
File Upload vulnerability PMB v.7.4.8 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted PHP file uploaded to the start_import.php file.
by Xn2
CVSS 7.2
LearnPress <4.2.5.7 - SQL Injection
The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_by’ parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
by mimiloveexe
CVSS 9.8
AMD EPYC 7003 Series Firmware < milanpi_1.0.0.d - Memory Corruption via SNP Firmware Write Operations
Improper restriction of write operations in SNP firmware could allow a malicious hypervisor to potentially overwrite a guest's memory or UMC seed resulting in loss of confidentiality and integrity.
by Freax13
Alinto SOGo < 5.9.1 - HTML Injection
Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.
by E1tex
CVSS 6.1
jeecg-boot 3.5.0 - SQL Injection via apiSelectId Parameter
A vulnerability classified as critical has been found in jeecg-boot 3.5.0. This affects an unknown part of the file jmreport/qurestSql. The manipulation of the argument apiSelectId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223299.
by shad0w0sec
request-baskets < 1.2.1 - Server-Side Request Forgery via /api/baskets/{name} Endpoint
request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.
by MasterCode112
Anyscale Ray 2.6.3 and 2.8.0 - Remote Code Execution via Job Submission API
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment. (Also, within that environment, customers at version 2.52.0 and later can choose to use token authentication.)
by 0x656565
MLflow < 2.2.1 - Path Traversal via Backslash Sequence
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.
by hh-hunter
CVSS 9.3
Windows Common Log File System Driver - Privilege Escalation
Windows Common Log File System Driver Elevation of Privilege Vulnerability
by RomanRybachek
AMD EPYC Firmware - Debug Exception Delivery Failure
A privileged attacker
can prevent delivery of debug exceptions to SEV-SNP guests potentially
resulting in guests not receiving expected debug information.
by Freax13
Webmin <= 1.920 - OS Command Injection via password_change.cgi Old Parameter
An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.
by K3ysTr0K3R
OpenSSH < 9.6 - OS Command Injection via Shell Metacharacters in Username or Hostname
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
by Sonicrrrr
CVSS 6.5
Google Chrome <116.0.5845.96 - Auth Bypass
Insufficient validation of untrusted input in XML in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to bypass file access restrictions via a crafted HTML page. (Chromium security severity: Medium)
by WinnieZy
CVSS 8.8
Log4Shell HTTP Header Injection
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
by scabench
CVSS 10.0
Java OpenWire - Deserialization RCE
The Java OpenWire protocol marshaller is vulnerable to Remote Code
Execution. This vulnerability may allow a remote attacker with network
access to either a Java-based OpenWire broker or client to run arbitrary
shell commands by manipulating serialized class types in the OpenWire
protocol to cause either the client or the broker (respectively) to
instantiate any class on the classpath.
Users are recommended to upgrade
both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3
which fixes this issue.
by hh-hunter
CVSS 10.0
Hytec Inter HWL-2511-SS <v1.05 - Command Injection
Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.
by 0xNslabs
Airspan AirSpot 5410 <0.3.4.1-4 - Command Injection
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a Unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication when crafting a malicious http request by injecting code in one of the parameters allowing for remote code execution. This vulnerability is exploited via the binary file /home/www/cgi-bin/diagnostics.cgi that accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device.
by 0xNslabs
JetBrains TeamCity < 2023.05.4 - Unauthenticated Remote Code Execution
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
by johnossawy
CVSS 9.8
HTTP/2 - Denial of Service via Rapid Stream Reset
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
by bcdannyboy
Ivanti Avalanche <6.3.4.153 - Path Traversal
Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component.
by JBalanza
Windows CNG Key Isolation Service - Privilege Escalation
Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
by Y3A
apktool < 2.9.2 - Path Traversal via Resource File Output Path Manipulation
Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file that user has write access, and either user name is known or cwd is under user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.
by 0x33c0unt
Minio <RELEASE.2023-03-20T20-16-18Z - Info Disclosure
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY`
and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
by netuseradministrator
Linux kernel <6.5.9 - Privilege Escalation
An issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and instruction emulation of the SEV-ES emulation of MMIO accesses could lead to arbitrary write access to kernel memory (and thus privilege escalation). This depends on a race condition through which userspace can replace an instruction before the #VC handler reads it.
by Freax13
Raw Image Extension < 1.0.32861.0 - Remote Code Execution
Raw Image Extension Remote Code Execution Vulnerability
by T81oub
CVSS 7.8
By Source