Nomisec Exploits

22,778 exploits tracked across all sources.

Sort: Activity Stars
CVE-2022-46395 NOMISEC HIGH
Arm Mali GPU Kernel Driver - Memory Corruption
An issue was discovered in the Arm Mali GPU Kernel Driver. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. This affects Midgard r0p0 through r32p0, Bifrost r0p0 through r41p0 before r42p0, Valhall r19p0 through r41p0 before r42p0, and Avalon r41p0 before r42p0.
by Pro-me3us
CVSS 8.8
CVE-2022-44268 NOMISEC MEDIUM
ImageMagick 7.1.0-49 - Info Disclosure
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).
by jnschaeffer
5 stars
CVSS 6.5
CVE-2023-1326 NOMISEC HIGH
apport < 2.26.0 - Privilege Escalation via Terminal Size Manipulation
A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to CVE-2023-26604. If a system is specially configured to allow unprivileged users to run sudo apport-cli, less is configured as the pager, and the terminal size can be set: a local attacker can escalate privilege. It is extremely unlikely that a system administrator would configure sudo to allow unprivileged users to perform this class of exploit.
by diego-tella
21 stars
CVSS 7.7
CVE-2023-26136 NOMISEC MEDIUM
Tough-Cookie <4.1.3 - Prototype Pollution
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
by CUCUMBERanOrSNCompany
1 stars
CVSS 6.5
CVE-2021-38297 NOMISEC CRITICAL
Go <1.16.9, <1.17.2 - Buffer Overflow
Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
by gkrishnan724
6 stars
CVSS 9.8
CVE-2023-21839 NOMISEC HIGH
Oracle WebLogic Server <14.1.1.0.0 - RCE
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
by Romanc9
2 stars
CVSS 7.5
CVE-2022-39197 NOMISEC MEDIUM
HelpSystems Cobalt Strike <= 4.7 - Cross-Site Scripting via Payload Username Field
An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7 that allowed a remote attacker to execute HTML on the Cobalt Strike teamserver. To exploit the vulnerability, one must first inspect a Cobalt Strike payload, and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).
by Romanc9
2 stars
CVSS 6.1
CVE-2021-44790 NOMISEC CRITICAL
Apache HTTP Server < 2.4.52 - Buffer Overflow in mod_lua Multipart Parser
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
by nuPacaChi
4 stars
CVSS 9.8
CVE-2023-25690 NOMISEC CRITICAL
Apache HTTP Server 2.4.0-2.4.55 - HTTP Request Smuggling via mod_proxy RewriteRule
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
by thanhlam-attt
4 stars
CVSS 9.8
CVE-2022-28672 NOMISEC HIGH
Foxit PDF Reader 11.2.1.53537 - RCE
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16640.
by hacksysteam
121 stars
CVSS 7.8
CVE-2023-21608 NOMISEC HIGH
Adobe Acrobat Reader <22.003.20282 - Use After Free
Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
by hacksysteam
283 stars
CVSS 7.8
CVE-2023-49105 NOMISEC CRITICAL
ownCloud <10.13.1 - Info Disclosure
An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
by ambionics
36 stars
CVSS 9.8
CVE-2023-35080 NOMISEC HIGH
Ivanti Secure Access Client < 22.6 - Incorrect Default Permissions
A vulnerability has been identified in the Ivanti Secure Access Windows client, which could allow a locally authenticated attacker to exploit a vulnerable configuration, potentially leading to various security risks, including the escalation of privileges, denial of service, or information disclosure.
by tijme
2 stars
CVSS 7.8
CVE-2023-48849 NOMISEC CRITICAL
Ruijie EG Series Routers <EG_3.0(1)B11P216 - RCE
Ruijie EG Series Routers version EG_3.0(1)B11P216 and before allows unauthenticated attackers to remotely execute arbitrary code due to incorrect filtering.
by delsploit
CVSS 9.8
CVE-2017-7921 NOMISEC CRITICAL
Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530 - Improper Authentication
An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information.
by JrDw0
100 stars
CVSS 9.8
CVE-2022-44268 NOMISEC MEDIUM
ImageMagick 7.1.0-49 - Info Disclosure
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).
by CygnusX-26
CVSS 6.5
CVE-2023-23752 NOMISEC MEDIUM
Joomla! 4.0.0-4.2.7 - Unauthenticated Improper Access Control in Webservice Endpoints
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
by Fernando-olv
4 stars
CVSS 5.3
CVE-2020-14179 NOMISEC MEDIUM
Atlassian Jira Server/Data Center <8.5.8, 8.6.0-8.11.1 - Unauthenticated Info Disclosure
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from version 8.6.0 before 8.11.1.
by mrnazu
4 stars
CVSS 5.3
CVE-2023-48842 NOMISEC CRITICAL
D-Link Go-RT-AC750 - Command Injection
D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at hedwig.cgi.
by creacitysec
6 stars
CVSS 9.8
CVE-2022-31692 NOMISEC CRITICAL
Spring Security 5.6.0-5.6.8 and 5.7.0-5.7.4 - Authorization Bypass via Forward or Include Dispatcher Types
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies security to forward and include dispatcher types. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include). The application may forward or include the request to a higher privilege-secured endpoint.The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)
by hotblac
CVSS 9.8
CVE-2017-18019 NOMISEC HIGH
K7 Total Security < 15.1.0.305 - Arbitrary Memory Read via K7Sentry Device Input
In K7 Total Security before 15.1.0.305, user-controlled input to the K7Sentry device is not sufficiently sanitized: the user-controlled input can be used to compare an arbitrary memory address with a fixed value, which in turn can be used to read the contents of arbitrary memory. Similarly, the product crashes upon a \\.\K7Sentry DeviceIoControl call with an invalid kernel pointer.
by SpiralBL0CK
1 stars
CVSS 7.1
CVE-2023-49103 NOMISEC CRITICAL
ownCloud Phpinfo Reader
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
by creacitysec
30 stars
CVSS 10.0
CVE-2023-34468 NOMISEC HIGH
Apache NiFi 0.0.2-1.21.0 - Authenticated Remote Code Execution via H2 JDBC Database URL
The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC locations. You are recommended to upgrade to version 1.22.0 or later which fixes this issue.
by mbadanoiu
5 stars
CVSS 8.8
CVE-2022-40635 NOMISEC MEDIUM
Crafter CMS 3.1.0-3.1.22 - Authenticated Remote Code Execution via Groovy Sandbox Bypass
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.
by mbadanoiu
2 stars
CVSS 6.4
CVE-2022-40634 NOMISEC MEDIUM
Crafter CMS 3.1.0-3.1.22 - Authenticated Remote Code Execution via FreeMarker SSTI
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.
by mbadanoiu
CVSS 6.4