Nomisec Exploits

22,035 exploits tracked across all sources.

Sort: Activity Stars
CVE-2017-10617 NOMISEC MEDIUM
Juniper Contrail 2.2-2.21.3, 3.0-3.0.3.3, 3.1-3.1.3.9, 3.2-3.2.4.9 - XML External Entity Injection via ifmap Service
The ifmap service that comes bundled with Contrail has an XML External Entity (XXE) vulnerability that may allow an attacker to retrieve sensitive system files. Affected releases are Juniper Networks Contrail 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).
by gteissier
4 stars
CVSS 5.0
CVE-2017-7525 NOMISEC CRITICAL
jackson-databind <2.6.7.1, <2.7.9.1, <2.8.9 - Code Injection
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
by JavanXD
18 stars
CVSS 9.8
CVE-2018-13410 NOMISEC CRITICAL
Info-ZIP Zip 3.0 - Use-After-Free via -T and -TT Command-Line Options
Info-ZIP Zip 3.0, when the -T and -TT command-line options are used, allows attackers to cause a denial of service (invalid free and application crash) or possibly have unspecified other impact because of an off-by-one error. NOTE: it is unclear whether there are realistic scenarios in which an untrusted party controls the -TT value, given that the entire purpose of -TT is execution of arbitrary commands
by shinecome
1 stars
CVSS 9.8
CVE-2019-5736 NOMISEC HIGH
Docker Container Escape Via runC Overwrite
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
by q3k
208 stars
CVSS 8.6
CVE-2012-6636 NOMISEC
Android API < 16.0 - Remote Code Execution via WebView.addJavascriptInterface
The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.
by xckevin
1 stars
CVE-2019-5736 NOMISEC HIGH
Docker Container Escape Via runC Overwrite
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
by b3d3c
1 stars
CVSS 8.6
CVE-2018-4087 NOMISEC HIGH
Apple tvOS < 11.2.5 - Memory Corruption in Core Bluetooth
An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Core Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
by rani-i
59 stars
CVSS 7.8
CVE-2018-14847 NOMISEC CRITICAL
MikroTik RouterOS <6.42 - Path Traversal
MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
by Tr33-He11
1 stars
CVSS 9.1
CVE-2018-20162 NOMISEC CRITICAL
Digi TransPort LR54 <4.4.0.26 - Privilege Escalation
Digi TransPort LR54 4.4.0.26 and possible earlier devices have Improper Input Validation that allows users with 'super' CLI access privileges to bypass a restricted shell and execute arbitrary commands as root.
by stigtsp
CVSS 9.9
CVE-2019-8389 NOMISEC HIGH
Musicloud 1.6 - Unauthenticated Path Traversal and Arbitrary File Read via Wi-Fi Transfer Feature
A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST parameters downfiles and cur-folder (with a crafted ../ payload) to the download.script endpoint. This will create a MusicPlayerArchive.zip archive that is publicly accessible and includes the content of any requested file (such as the /etc/passwd file).
by shawarkhanethicalhacker
10 stars
CVSS 8.1
CVE-2016-4655 NOMISEC MEDIUM
WebKit not_number defineProperties UAF
The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.
by Cryptiiiic
10 stars
CVSS 5.5
CVE-2019-5736 NOMISEC HIGH
Docker Container Escape Via runC Overwrite
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
by agppp
7 stars
CVSS 8.6
CVE-2019-7304 NOMISEC CRITICAL
Canonical snapd <2.37.1 - Command Injection
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1.
by SecuritySi
6 stars
CVSS 9.8
CVE-2019-3462 NOMISEC HIGH
advanced_package_tool <= 1.4.8 - Remote Code Execution via HTTP Redirect Field Injection
Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.
by atilacastro
CVSS 8.1
CVE-2019-5736 NOMISEC HIGH
Docker Container Escape Via runC Overwrite
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
by likekabin
CVSS 8.6
CVE-2019-5736 NOMISEC HIGH
Docker Container Escape Via runC Overwrite
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
by likekabin
1 stars
CVSS 8.6
CVE-2019-5736 NOMISEC HIGH
Docker Container Escape Via runC Overwrite
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
by jas502n
15 stars
CVSS 8.6
CVE-2018-4193 NOMISEC HIGH
macOS < 10.13.5 - Memory Corruption in Windows Server Component
An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Windows Server" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
by Synacktiv-contrib
69 stars
CVSS 7.8
CVE-2018-10933 NOMISEC CRITICAL
libssh Authentication Bypass Scanner
A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.
by Kurlee
CVSS 9.1
CVE-2018-20343 NOMISEC HIGH
Ken Silverman Build Engine 1 - Buffer Overflow via Crafted Map File
Multiple buffer overflow vulnerabilities have been found in Ken Silverman Build Engine 1. An attacker could craft a special map file to execute arbitrary code when the map file is loaded.
by Alexandre-Bartel
6 stars
CVSS 7.8
CVE-2018-6961 NOMISEC HIGH
VMware NSX SD-WAN by VeloCloud < 3.1.0 - Remote Code Execution via Local Web UI Command Injection
VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on untrusted networks. VeloCloud by VMware will be removing this service from the product in future releases. Successful exploitation of this issue could result in remote code execution.
by r3dxpl0it
5 stars
CVSS 8.1
CVE-2019-1652 NOMISEC HIGH
Cisco RV320 and RV325 Firmware 1.4.2.15-1.4.2.21 - Authenticated Remote Code Execution via HTTP POST Request
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability.
by 0x27
227 stars
CVSS 7.2
CVE-2019-7216 NOMISEC HIGH
FileChucker 4.99e-free-e02 - Filter Bypass
An issue was discovered in FileChucker 4.99e-free-e02. filechucker.cgi has a filter bypass that allows a malicious user to upload any type of file by using % characters within the extension, e.g., file.%ph%p becomes file.php.
by Ekultek
10 stars
CVSS 7.8
CVE-2018-16509 NOMISEC HIGH
Artifex Ghostscript <9.24 - Privilege Escalation
An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction.
by knqyf263
3 stars
CVSS 7.8
CVE-2015-9251 NOMISEC MEDIUM
jQuery < 3.0.0 - Cross-Site Scripting via Cross-Domain Ajax Request
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
by halkichi0308
9 stars
CVSS 6.1
By Source
All 22,035 Writeup 60,946 Exploitdb 50,031 Nomisec 22,035 Metasploit 3,243 Github 3,059 Vulncheck_xdb 909 Inthewild 514 Gitlab 462 Gitee 415 Patchapalooza 312
By Language
text 31,353 python 6,273 ruby 5,933 c 3,604 perl 2,849 html 2,058 php 1,327 bash 460 java 364 c++ 253 javascript 221 shell 108 go 65 postscript 25 xml 24