Nomisec Exploits

22,832 exploits tracked across all sources.

Sort: Activity Stars
CVE-2022-4896 NOMISEC HIGH
Cyber Control 1.650 - Denial of Service via Pop-up Window Generation
Cyber Control, in its 1.650 version, is affected by a vulnerability in the generation on the server of pop-up windows with the messages "PNTMEDIDAS", "PEDIR", "HAYDISCOA" or "SPOOLER". A complete denial of service can be achieved by sending multiple requests simultaneously on a core.
by sapellaniz
CVSS 8.2
CVE-2022-48474 NOMISEC HIGH
Control de Ciber 1.650 - Denial of Service via Version Function
Control de Ciber, in its 1.650 version, is affected by a Denial of Service condition through the version function. Sending a malicious request could cause the server to check if an unrecognized component is up to date, causing a memory failure error that shuts down the process.
by sapellaniz
1 stars
CVSS 8.2
CVE-2022-42889 NOMISEC CRITICAL
Apache Commons Text 1.5-1.9 - Remote Code Execution via String Interpolation
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
by necroteddy
CVSS 9.8
CVE-2023-2033 NOMISEC HIGH
Google Chrome < 112.0.5615.121 - Remote Code Execution via V8 Type Confusion
Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
by insoxin
4 stars
CVSS 8.8
CVE-2022-42889 NOMISEC CRITICAL
Apache Commons Text 1.5-1.9 - Remote Code Execution via String Interpolation
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
by tulhan
1 stars
CVSS 9.8
CVE-2021-21425 NOMISEC CRITICAL
Grav Admin Plugin < 1.10.8 - Unauthenticated Arbitrary YAML Write via Administrator Controller
Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command under the context of the web-server user. This vulnerability is fixed in version 1.10.8. Blocking access to the `/admin` path from untrusted sources can be applied as a workaround.
by CsEnox
11 stars
CVSS 9.3
CVE-2021-24741 NOMISEC CRITICAL
Support Board WordPress <3.3.4 - SQL Injection
The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.
by dldygnl
2 stars
CVSS 9.8
CVE-2022-42889 NOMISEC CRITICAL
Apache Commons Text 1.5-1.9 - Remote Code Execution via String Interpolation
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
by Dima2021
CVSS 9.8
CVE-2022-22965 NOMISEC CRITICAL
Spring Framework - Remote Code Execution via Data Binding
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
by DDuarte
19 stars
CVSS 9.8
CVE-2010-1622 NOMISEC
Oracle Fusion Middleware < 2.5.7 - Code Injection
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
by DDuarte
19 stars
CVE-2017-1000486 NOMISEC CRITICAL
Primefaces Remote Code Execution Exploit
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
by 0xdsm
18 stars
CVSS 9.8
CVE-2022-34527 NOMISEC HIGH
D-Link DSL-3782 <= v1.03 - OS Command Injection via byte_4C0160 Function
D-Link DSL-3782 v1.03 and below was discovered to contain a command injection vulnerability via the function byte_4C0160.
by FzBacon
CVSS 8.8
CVE-2023-27216 NOMISEC HIGH
D-Link DSL-3782 1.03 - Authenticated Root Code Execution via Network Settings
An issue found in D-Link DSL-3782 v.1.03 allows remote authenticated users to execute arbitrary code as root via the network settings page.
by FzBacon
2 stars
CVSS 8.8
CVE-2020-9484 NOMISEC HIGH
Apache Tomcat < 7.0.108 - Insecure Deserialization
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
by d3fudd
16 stars
CVSS 7.0
CVE-2022-22963 NOMISEC CRITICAL
Spring Cloud Function < 3.1.6 - Remote Code Execution via SpEL Routing Expression
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
by randallbanner
4 stars
CVSS 9.8
CVE-2021-0586 NOMISEC HIGH
Android - Tapjacking/Overlay Attack via DevicePickerFragment
In onCreate of DevicePickerFragment.java, there is a possible way to trick the user to select an unwanted bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-182584940
by nanopathi
CVSS 7.8
CVE-2021-39692 NOMISEC HIGH
Android - Local Privilege Escalation via Tapjacking Overlay Attack
In onCreate of SetupLayoutActivity.java, there is a possible way to setup a work profile bypassing user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-209611539
by nanopathi
CVSS 7.8
CVE-2023-29084 NOMISEC HIGH
ManageEngine ADManager Plus ChangePasswordAction Authenticated Command Injection
Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.
by ohnonoyesyes
4 stars
CVSS 7.2
CVE-2023-21716 NOMISEC CRITICAL
Microsoft Word - Remote Code Execution via Integer Overflow
Microsoft Word Remote Code Execution Vulnerability
by JMousqueton
9 stars
CVSS 9.8
CVE-2020-8193 NOMISEC MEDIUM
Citrix ADC/Gateway <13.0-58.30 - Info Disclosure
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.
by PR3R00T
8 stars
CVSS 6.5
CVE-2018-19518 NOMISEC HIGH
University of Washington IMAP Toolkit 2007f - Command Injection
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
by houqe
4 stars
CVSS 7.5
CVE-2018-25031 NOMISEC MEDIUM
Swagger UI < 4.1.3 - Server-Side Request Forgery via OpenAPI Definition URL
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.
by rafaelcintralopes
2 stars
CVSS 4.3
CVE-2022-22620 NOMISEC HIGH
Safari < 15.3 - Use-After-Free via Malicious Web Content
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..
by kmeps4
2 stars
CVSS 8.8
CVE-2022-41099 NOMISEC MEDIUM
Microsoft Windows BitLocker - Security Feature Bypass
BitLocker Security Feature Bypass Vulnerability
by dsn1321
CVSS 4.6
CVE-2021-35250 NOMISEC HIGH
SolarWinds Serv-U 15.3 - Path Traversal
A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.
by rissor41
8 stars
CVSS 7.5