Exploit Database

125,805 exploits tracked across all sources.

CVE-2026-3960 WRITEUP MEDIUM
Remote Code Execution in h2oai/h2o-3
A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.
CVSS 5.9
CVE-2026-41564 WRITEUP HIGH
CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking
CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking. The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed a per-object PRNG state in their constructors and reuse it without fork detection. A Crypt::PK::* object created before `fork()` shares byte-identical PRNG state with every child process, and any randomized operation they perform can produce identical output, including key generation. Two ECDSA or DSA signatures from different processes are enough to recover the signing private key through nonce-reuse key recovery. This affects preforking services such as the Starman web server, where a Crypt::PK::* object loaded at startup is inherited by every worker process.
CVSS 7.5
CVE-2018-15133 METASPLOIT HIGH ruby
Laravel Framework <5.6.30 - RCE
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
by Ståle Pettersen, aushack
CVSS 8.1
CVE-2018-5333 METASPLOIT MEDIUM ruby
Linux kernel <4.14.13 - Memory Corruption
In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.
by Mohamed Ghannam, Jann Horn, wbowling, bcoles, nstarke
CVSS 5.5
CVE-2015-1328 METASPLOIT HIGH ruby
Linux kernel <3.19.0-21.21 - Privilege Escalation
The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.
by h00die, rebel
CVSS 7.8
CVE-2016-4997 METASPLOIT HIGH ruby
Linux Kernel 4.6.3 Netfilter Privilege Escalation
The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.
by h00die, vnik, Jesse Hertz, Tim Newsham
CVSS 7.8
CVE-2015-3246 METASPLOIT ruby
libuser <0.56.13-8 & 0.60 <0.60-7 - DoS
libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges.
by Qualys, bcoles
CVE-2010-3847 METASPLOIT ruby
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.
by Tavis Ormandy, zx2c4, I Can't Race You Either, Marco Ivaldi, Todor Donev, bcoles
CVE-2021-3493 METASPLOIT HIGH ruby
2021 Ubuntu Overlayfs LPE
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.
by g1vi, h00die, bwatters-r7, gardnerapp
CVSS 8.8
CVE-2023-2640 METASPLOIT HIGH ruby
GameOver(lay) Privilege Escalation and Container Escape
On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.
by g1vi, h00die, bwatters-r7, gardnerapp
CVSS 7.8
CVE-2019-9621 METASPLOIT HIGH ruby
Zimbra Collaboration Suite <8.6-8.8 - SSRF
Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.
by An Trinh, Khanh Viet Pham, Jacob Robles
CVSS 7.5
CVE-2021-21983 METASPLOIT MEDIUM ruby
vRealize Operations Manager <8.4 - Privilege Escalation
An arbitrary file write vulnerability in the vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API to write files to arbitrary locations on the underlying Photon operating system.
by Egor Dimitrenko, wvu
CVSS 6.5
CVE-2023-45498 METASPLOIT CRITICAL ruby
Vinchin Backup And Recovery < 7.0 - Command Injection
VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain a command injection vulnerability.
by Gregory Boddin (LeakIX), Valentin Lobstein
CVSS 9.8
CVE-2014-8424 METASPLOIT ruby
Arris Vap2500 Firmware < 08.41 - Authentication Bypass
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.
by HeadlessZeke
CVE-2020-5849 METASPLOIT HIGH ruby
Unraid 6.8.0 - Auth Bypass
Unraid 6.8.0 allows authentication bypass.
by Nicolas CHATELAIN
CVSS 7.5
CVE-2018-6328 METASPLOIT CRITICAL ruby
Kaseya Unitrends Backup < 10.1 - Authentication Bypass
It was discovered that the Unitrends Backup (UB) before 10.1.0 user interface was exposed to an authentication bypass, which then could allow an unauthenticated user to inject arbitrary commands into its /api/hosts parameters using backquotes.
by Cale Smith, Benny Husted, Jared Arave, h00die
CVSS 9.8
CVE-2017-18370 METASPLOIT HIGH ruby
Billion 5200w-t Firmware - OS Command Injection
The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is only accessible by an authenticated user. The vulnerability is in the logSet.asp page and can be exploited through the ServerIP parameter. Authentication can be achieved by exploiting CVE-2017-18371.
by Pedro Ribeiro
CVSS 8.8
CVE-2020-8604 METASPLOIT HIGH ruby
Trendmicro Interscan Web Security Virtual Appliance - Path Traversal
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to disclose sensitive information on affected installations.
by Mehmet Ince
CVSS 7.5
CVE-2020-8605 METASPLOIT HIGH ruby
Trend Micro InterScan Web Security Virtual Appliance 6.5 - RCE
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this vulnerability.
by Mehmet Ince
CVSS 8.8
CVE-2017-11392 METASPLOIT HIGH ruby
Trendmicro Interscan Messaging Securi... - Command Injection
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the "T" parameter within modTMCSS Proxy. Formerly ZDI-CAN-4745.
by mr_me, Mehmet Ince
CVSS 8.8
CVE-2017-7896 METASPLOIT MEDIUM ruby
Trendmicro Interscan Messaging Security Virtual Appliance < 9.1 - XSS
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS.
by mr_me, Mehmet Ince
CVSS 6.1
CVE-2024-24809 METASPLOIT HIGH ruby
Traccar - Unrestricted File Upload
Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.
by Michael Heinzl, yiliufeng168, Naveen Sunkavally
CVSS 8.5
CVE-2022-24990 METASPLOIT HIGH ruby
TerraMaster TOS 4.2.29 or lower - Unauthenticated RCE chaining CVE-2022-24990 and CVE-2022-24989
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
CVSS 7.5
CVE-2021-45837 METASPLOIT CRITICAL ruby
TerraMaster TOS 4.2.15 or lower - RCE chain from unauthenticated to root via session crafting.
It is possible to execute arbitrary commands as root in Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517) by sending a specifically crafted input to /tos/index.php?app/del.
CVSS 9.8
CVE-2021-45841 METASPLOIT HIGH ruby
Terramaster F4-210, F2-210 TOS 4.2.X - Info Disclosure
In Terramaster F4-210, F2-210 TOS 4.2.X (4.2.15-2107141517), an attacker can self-sign session cookies by knowing the target's MAC address and the user's password hash. Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker to login as guest.
CVSS 8.1