Nomisec Exploits

22,770 exploits tracked across all sources.

Sort: Activity Stars
CVE-2020-1472 NOMISEC MEDIUM
Netlogon Weak Cryptographic Authentication
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
by logg-1
CVSS 5.5
CVE-2023-51073 NOMISEC HIGH
Buffalo LS210D v.1.78-0.03 - Remote Code Execution via Firmware Update Script
An issue in Buffalo LS210D v.1.78-0.03 allows a remote attacker to execute arbitrary code via the Firmware Update Script at /etc/init.d/update_notifications.sh.
by christopher-pace
CVSS 8.1
CVE-2023-27163 NOMISEC MEDIUM
request-baskets < 1.2.1 - Server-Side Request Forgery via /api/baskets/{name} Endpoint
request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.
by madhavmehndiratta
CVSS 6.5
CVE-2023-31446 NOMISEC CRITICAL
Cassia Gateway firmware - Code Injection
In Cassia Gateway firmware XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup.
by Dodge-MPTC
4 stars
CVSS 9.8
CVE-2023-51467 NOMISEC CRITICAL
Apache OFBiz XML-RPC Java Deserialization
The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code
by ImuSpirit
39 stars
CVSS 9.8
CVE-2018-18778 NOMISEC MEDIUM
ACME mini-httpd < 1.30 - Unauthenticated Arbitrary File Read
ACME mini_httpd before 1.30 lets remote users read arbitrary files.
by auk0x01
1 stars
CVSS 6.5
CVE-2023-40084 NOMISEC HIGH
Android - Use-After-Free in MDnsSdListener.cpp
In run of MDnsSdListener.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
by Trinadh465
CVSS 7.8
CVE-2022-42889 NOMISEC CRITICAL
Apache Commons Text 1.5-1.9 - Remote Code Execution via String Interpolation
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
by aaronm-sysdig
CVSS 9.8
CVE-2020-11110 NOMISEC MEDIUM
Grafana < 6.7.1 - Stored Cross-Site Scripting via OriginalUrl Field
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
by AVE-Stoik
2 stars
CVSS 5.4
CVE-2023-51764 NOMISEC MEDIUM
Postfix < 3.5.23 - SMTP Smuggling via Bare Newline Injection
Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.
by Double-q1015
CVSS 5.3
CVE-2022-45688 NOMISEC HIGH
hutool-json 5.8.10 - Denial of Service via XML.toJSONObject Stack Overflow
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
by scabench
CVSS 7.5
CVE-2022-45688 NOMISEC HIGH
hutool-json 5.8.10 - Denial of Service via XML.toJSONObject Stack Overflow
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
by scabench
CVSS 7.5
CVE-2022-45688 NOMISEC HIGH
hutool-json 5.8.10 - Denial of Service via XML.toJSONObject Stack Overflow
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
by scabench
CVSS 7.5
CVE-2022-24442 NOMISEC CRITICAL
JetBrains YouTrack <2021.4.40426 - SSRF
JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
by mbadanoiu
CVSS 9.8
CVE-2021-26855 NOMISEC CRITICAL
Microsoft Exchange ProxyLogon RCE
Microsoft Exchange Server Remote Code Execution Vulnerability
by timb-machine-mirrors
CVSS 9.1
CVE-2023-30367 NOMISEC HIGH
mRemoteNG <= 1.76.20 and <= 1.77.3-dev - Cleartext Storage of Sensitive Information in Memory
Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to store and manage multi-protocol connection configurations to remotely connect to systems. mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up, even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text through a memory dump and thus compromise user credentials when no custom password encryption key has been set. This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.
by S1lkys
16 stars
CVSS 7.5
CVE-2021-44228 NOMISEC CRITICAL
Log4Shell HTTP Header Injection
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
by puzzlepeaches
164 stars
CVSS 10.0
CVE-2023-27163 NOMISEC MEDIUM
request-baskets < 1.2.1 - Server-Side Request Forgery via /api/baskets/{name} Endpoint
request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.
by apaz-dev
2 stars
CVSS 6.5
CVE-2022-21661 NOMISEC HIGH
WordPress 3.7-3.7.36 - SQL Injection via WP_Query
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.
by p4ncontomat3
CVSS 8.0
CVE-2023-51467 NOMISEC CRITICAL
Apache OFBiz XML-RPC Java Deserialization
The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code
by Subha-BOO7
CVSS 9.8
CVE-2021-4034 NOMISEC HIGH
Local Privilege Escalation in polkits pkexec
A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.
by cdxiaodong
1 stars
CVSS 7.8
CVE-2023-51764 NOMISEC MEDIUM
Postfix < 3.5.23 - SMTP Smuggling via Bare Newline Injection
Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.
by d4op
1 stars
CVSS 5.3
CVE-2023-51385 NOMISEC MEDIUM
OpenSSH < 9.6 - OS Command Injection via Shell Metacharacters in Username or Hostname
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
by julienbrs
CVSS 6.5
CVE-2023-51385 NOMISEC MEDIUM
OpenSSH < 9.6 - OS Command Injection via Shell Metacharacters in Username or Hostname
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.
by julienbrs
CVSS 6.5
CVE-2018-25031 NOMISEC MEDIUM
Swagger UI < 4.1.3 - Server-Side Request Forgery via OpenAPI Definition URL
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.
by hev0x
CVSS 4.3