PoC in GitHub

2024

2023

2022

CVE-2022-0185 (2022-02-11)

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.

• Crusaders-of-Rust/CVE-2022-0185
• chenaotian/CVE-2022-0185
• veritas501/CVE-2022-0185-PipeVersion
• featherL/CVE-2022-0185-exploit

CVE-2022-0265 (2022-03-03)

Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1.

• achuna33/CVE-2022-0265

CVE-2022-0337 (2023-01-02)

Inappropriate implementation in File System API in Google Chrome on Windows prior to 97.0.4692.71 allowed a remote attacker to obtain potentially sensitive information via a crafted HTML page. (Chrome security severity: High)

• Puliczek/CVE-2022-0337-PoC-Google-Chrome-Microsoft-Edge-Opera

CVE-2022-0441 (2022-03-07)

The MasterStudy LMS WordPress plugin before 2.7.6 does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin

• biulove0x/CVE-2022-0441

CVE-2022-0482 (2022-03-09)

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.

• Acceis/exploit-CVE-2022-0482

CVE-2022-0486 (2022-05-17)

Improper file permissions in the CommandPost, Collector, Sensor, and Sandbox components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected files and enable escalation of privileges equivalent to the root user. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.

• henryreed/CVE-2022-0486

CVE-2022-0492 (2022-03-03)

A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

• Trinadh465/device_renesas_kernel_AOSP10_r33_CVE-2022-0492

CVE-2022-0540 (2022-04-20)

A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.

• Pear1y/CVE-2022-0540-RCE

CVE-2022-0543 (2022-02-18)

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

• 0x7eTeam/CVE-2022-0543

CVE-2022-0778 (2022-03-15)

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

• yywing/cve-2022-0778
• jkakavas/CVE-2022-0778-POC
• 0xUhaw/CVE-2022-0778

CVE-2022-0824 (2022-03-02)

Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990.

• honypot/CVE-2022-0824

CVE-2022-0847 (2022-03-07)

A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

• r1is/CVE-2022-0847
• basharkey/CVE-2022-0847-dirty-pipe-checker
• DataDog/dirtypipe-container-breakout-poc
• arttnba3/CVE-2022-0847
• AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
• jpts/CVE-2022-0847-DirtyPipe-Container-Breakout
• LudovicPatho/CVE-2022-0847_dirty-pipe
• tmoneypenny/CVE-2022-0847
• mhanief/dirtypipe
• tufanturhan/CVE-2022-0847-L-nux-PrivEsc
• rexpository/linux-privilege-escalation
• CPT-Jack-A-Castle/CVE-2022-0847
• isaiahsimeone/COMP3320-VAPT
• VinuKalana/DirtyPipe-CVE-2022-0847
• ih3na/debian11-dirty_pipe-patcher
• greenhandatsjtu/CVE-2022-0847-Container-Escape
• jxpsx/CVE-2022-0847-DirtyPipe-Exploits
• Asbatel/CBDS_CVE-2022-0847_POC

CVE-2022-0918 (2022-03-16)

A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. The denial of service is triggered by a single message sent over a TCP connection, no bind or other authentication is required. The message triggers a segmentation fault that results in slapd crashing.\n\n

• NathanMulbrook/CVE-2022-0918

CVE-2022-0997 (2022-05-17)

Improper file permissions in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected script files, which could result in arbitrary commands being run as root upon subsequent logon by a root user. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.

• henryreed/CVE-2022-0997

CVE-2022-1015 (2022-04-29)

A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.

• zanezhub/CVE-2022-1015-1016

CVE-2022-1040 (2022-03-25)

An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.

• killvxk/CVE-2022-1040

CVE-2022-1051 (2022-05-16)

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not sanitise and escape the city, phone or profile credentials fields when outputting it in the profile page, allowing any authenticated user to perform Cross-Site Scripting attacks.

• V35HR4J/CVE-2022-1051

CVE-2022-1077 (2022-03-29)

A vulnerability was found in TEM FLEX-1080 and FLEX-1085 1.6.0. It has been declared as problematic. This vulnerability log.cgi of the component Log Handler. A direct request leads to information disclosure of hardware information. The attack can be initiated remotely and does not require any form of authentication.

• brosck/CVE-2022-1077

CVE-2022-1162 (2022-04-04)

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts

• Greenwolf/CVE-2022-1162

CVE-2022-1175 (2022-04-04)

Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.

• Greenwolf/CVE-2022-1175

CVE-2022-1292 (2022-05-03)

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

• li8u99/CVE-2022-1292
• alcaparra/CVE-2022-1292
• rama291041610/CVE-2022-1292

CVE-2022-1329 (2022-04-19)

The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.

• AkuCyberSec/CVE-2022-1329-WordPress-Elementor-3.6.0-3.6.1-3.6.2-Remote-Code-Execution-Exploit
• mcdulltii/CVE-2022-1329
• Grazee/CVE-2022-1329-WordPress-Elementor-RCE

CVE-2022-1388 (2022-05-05)

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

• numanturle/CVE-2022-1388
• jheeree/CVE-2022-1388-checker
• MrCl0wnLab/Nuclei-Template-CVE-2022-1388-BIG-IP-iControl-REST-Exposed
• Osyanina/westone-CVE-2022-1388-scanner
• doocop/CVE-2022-1388-EXP
• blind-intruder/CVE-2022-1388-RCE-checker-and-POC-Exploit
• Hudi233/CVE-2022-1388
• sherlocksecurity/CVE-2022-1388-Exploit-POC
• yukar1z0e/CVE-2022-1388
• 0xf4n9x/CVE-2022-1388
• alt3kx/CVE-2022-1388_PoC
• Vulnmachines/F5-Big-IP-CVE-2022-1388
• ZephrFish/F5-CVE-2022-1388-Exploit
• horizon3ai/CVE-2022-1388
• Al1ex/CVE-2022-1388
• Henry4E36/CVE-2022-1388
• savior-only/CVE-2022-1388
• saucer-man/CVE-2022-1388
• superzerosec/CVE-2022-1388
• Stonzyy/Exploit-F5-CVE-2022-1388
• MrCl0wnLab/Nuclei-Template-Exploit-F5-BIG-IP-iControl-REST-Auth-Bypass-RCE-Command-Parameter
• qusaialhaddad/F5-BigIP-CVE-2022-1388
• chesterblue/CVE-2022-1388
• Angus-Team/F5-BIG-IP-RCE-CVE-2022-1388
• LinJacck/CVE-2022-1388-EXP
• iveresk/cve-2022-1388-1veresk
• shamo0/CVE-2022-1388
• vesperp/CVE-2022-1388-F5-BIG-IP
• thatonesecguy/CVE-2022-1388-Exploit
• bandit92/CVE2022-1388_TestAPI
• 0x7eTeam/CVE-2022-1388-PocExp
• 0xAgun/CVE-2022-1388
• AmirHoseinTangsiriNET/CVE-2022-1388-Scanner
• EvilLizard666/CVE-2022-1388
• mr-vill4in/CVE-2022-1388
• omnigodz/CVE-2022-1388
• pauloink/CVE-2022-1388
• SecTheBit/CVE-2022-1388
• Zeyad-Azima/CVE-2022-1388
• justakazh/CVE-2022-1388
• PsychoSec2/CVE-2022-1388-POC
• iveresk/cve-2022-1388-iveresk-command-shell
• Wrin9/CVE-2022-1388
• aancw/CVE-2022-1388-rs
• west9b/F5-BIG-IP-POC
• sashka3076/F5-BIG-IP-exploit
• Chocapikk/CVE-2022-1388
• li8u99/CVE-2022-1388
• electr0lulz/Mass-CVE-2022-1388

CVE-2022-1597 (2022-06-06)

The WPQA Builder WordPress plugin before 5.4, used as a companion for the Discy and Himer , does not sanitise and escape a parameter on its reset password form which makes it possible to perform Reflected Cross-Site Scripting attacks

• V35HR4J/CVE-2022-1597

CVE-2022-1598 (2022-06-06)

The WPQA Builder WordPress plugin before 5.5 which is a companion to the Discy and Himer , lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site.

• V35HR4J/CVE-2022-1598

CVE-2022-1609 (2024-01-16)

The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.

• savior-only/CVE-2022-1609
• 0xSojalSec/CVE-2022-1609
• 0xSojalSec/-CVE-2022-1609

CVE-2022-1903 (2022-06-27)

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username

• biulove0x/CVE-2022-1903

CVE-2022-1966

• ASkyeye/CVE-2022-1966

CVE-2022-1972

• randorisec/CVE-2022-1972-infoleak-PoC

CVE-2022-2333 (2022-09-16)

If an attacker manages to trick a valid user into loading a malicious DLL, the attacker may be able to achieve code execution in Honeywell SoftMaster version 4.51 application’s context and permissions.

• shirouQwQ/CVE-2022-2333

CVE-2022-5561

• Kvi74/CVE-2022-5561

CVE-2022-8475

• Kvi74/CVE-2022-8475

CVE-2022-20004 (2022-05-10)

In checkSlicePermission of SliceManagerService.java, it is possible to access any slice URI due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-179699767

• Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20004

CVE-2022-20005 (2022-05-10)

In validateApkInstallLocked of PackageInstallerSession.java, there is a way to force a mismatch between running code and a parsed APK . This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-219044664

• Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20005

CVE-2022-20007 (2022-05-10)

In startActivityForAttachedApplicationIfNeeded of RootWindowContainer.java, there is a possible way to overlay an app that believes it's still in the foreground, when it is not, due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-211481342

• Trinadh465/frameworks_base_AOSP10_r33_CVE-2022-20007

CVE-2022-20829 (2022-06-24)

A vulnerability in the packaging of Cisco Adaptive Security Device Manager (ASDM) images and the validation of those images by Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker with administrative privileges to upload an ASDM image that contains malicious code to a device that is running Cisco ASA Software. This vulnerability is due to insufficient validation of the authenticity of an ASDM image during its installation on a device that is running Cisco ASA Software. An attacker could exploit this vulnerability by installing a crafted ASDM image on the device that is running Cisco ASA Software and then waiting for a targeted user to access that device using ASDM. A successful exploit could allow the attacker to execute arbitrary code on the machine of the targeted user with the privileges of that user on that machine. Notes: To successfully exploit this vulnerability, the attacker must have administrative privileges on the device that is running Cisco ASA Software. Potential targets are limited to users who manage the same device that is running Cisco ASA Software using ASDM. Cisco has released and will release software updates that address this vulnerability.

• jbaines-r7/theway

CVE-2022-21449 (2022-04-19)

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

• jfrog/jfrog-CVE-2022-21449
• jmiettinen/CVE-2022-21449-vuln-test
• notkmhn/CVE-2022-21449-TLS-PoC
• marschall/psychic-signatures
• thack1/CVE-2022-21449
• Damok82/SignChecker
• fundaergn/CVE-2022-21449

CVE-2022-21661 (2022-01-06)

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

• TAPESH-TEAM/CVE-2022-21661-WordPress-Core-5.8.2-WP_Query-SQL-Injection
• 0x4E0x650x6F/Wordpress-cve-CVE-2022-21661

CVE-2022-21728 (2022-02-03)

Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for ReverseSequence does not fully validate the value of batch_dim and can result in a heap OOB read. There is a check to make sure the value of batch_dim does not go over the rank of the input, but there is no check for negative values. Negative dimensions are allowed in some cases to mimic Python's negative indexing (i.e., indexing from the end of the array), however if the value is too negative then the implementation of Dim would access elements before the start of an array. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

• mwina/CVE-2022-21728-test

CVE-2022-21789 (2022-08-01)

In audio ipi, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06478101; Issue ID: ALPS06478101.

• docfate111/CVE-2022-21789

CVE-2022-21907 (2022-01-11)

HTTP Protocol Stack Remote Code Execution Vulnerability

• corelight/cve-2022-21907
• p0dalirius/CVE-2022-21907-http.sys
• polakow/CVE-2022-21907
• gpiechnik2/nmap-CVE-2022-21907
• iveresk/cve-2022-21907-http.sys
• iveresk/cve-2022-21907

CVE-2022-21971 (2022-02-09)

Windows Runtime Remote Code Execution Vulnerability

• tufanturhan/CVE-2022-21971-Windows-Runtime-RCE

CVE-2022-21984 (2022-02-09)

Windows DNS Server Remote Code Execution Vulnerability

• u201424348/CVE-2022-21984

CVE-2022-22620 (2022-03-18)

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

• kmeps4/CVE-2022-22620

CVE-2022-22639 (2022-03-18)

A logic issue was addressed with improved state management. This issue is fixed in iOS 15.4 and iPadOS 15.4, macOS Monterey 12.3. An application may be able to gain elevated privileges.

• jhftss/CVE-2022-22639

CVE-2022-22718 (2022-02-09)

Windows Print Spooler Elevation of Privilege Vulnerability

• ahmetfurkans/CVE-2022-22718

CVE-2022-22814 (2022-03-10)

The System Diagnosis service of MyASUS before 3.1.2.0 allows privilege escalation.

• DShankle/CVE-2022-22814_PoC

CVE-2022-22822 (2022-01-08)

addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

• nanopathi/external_expat_AOSP10_r33_CVE-2022-22822toCVE-2022-22827

CVE-2022-22909 (2022-03-02)

HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module.

• 0z09e/CVE-2022-22909

CVE-2022-22916 (2022-02-17)

O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke.

• 0x7eTeam/CVE-2022-22916

CVE-2022-22947 (2022-03-03)

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

• Axx8/CVE-2022-22947_Rce_Exp
• k3rwin/spring-cloud-gateway-rce
• Enokiy/cve-2022-22947-spring-cloud-gateway
• aesm1p/CVE-2022-22947-POC-Reproduce
• 4nNns/CVE-2022-22947
• expzhizhuo/Burp_VulPscan
• twseptian/cve-2022-22947
• whwlsfb/cve-2022-22947-godzilla-memshell
• 0730Nophone/CVE-2022-22947-
• anansec/CVE-2022-22947_EXP
• Wrong-pixel/CVE-2022-22947-exp
• stayfoolish777/CVE-2022-22947-POC
• B0rn2d/Spring-Cloud-Gateway-Nacos

CVE-2022-22948 (2022-03-29)

The vCenter Server contains an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.

• PenteraIO/CVE-2022-22948

CVE-2022-22954 (2022-04-11)

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

• axingde/CVE-2022-22954-POC
• sherlocksecurity/VMware-CVE-2022-22954
• Vulnmachines/VMWare_CVE-2022-22954
• aniqfakhrul/CVE-2022-22954
• jax7sec/CVE-2022-22954
• bb33bb/CVE-2022-22954-VMware-RCE
• lucksec/VMware-CVE-2022-22954
• mumu2020629/-CVE-2022-22954-scanner
• MSeymenD/CVE-2022-22954-Testi
• corelight/cve-2022-22954
• DrorDvash/CVE-2022-22954_VMware_PoC
• Jun-5heng/CVE-2022-22954
• tunelko/CVE-2022-22954-PoC
• bewhale/CVE-2022-22954
• emilyastranova/VMware-CVE-2022-22954-Command-Injector
• MLX15/CVE-2022-22954
• mhurts/CVE-2022-22954-POC
• nguyenv1nK/CVE-2022-22954
• Chocapikk/CVE-2022-22954
• secfb/CVE-2022-22954
• orwagodfather/CVE-2022-22954
• b4dboy17/CVE-2022-22954
• arzuozkan/CVE-2022-22954

CVE-2022-22963 (2022-04-01)

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

• hktalent/spring-spel-0day-poc
• darryk10/CVE-2022-22963
• SealPaPaPa/SpringCloudFunction-Research
• G01d3nW01f/CVE-2022-22963
• k3rwin/spring-cloud-function-rce

CVE-2022-22965 (2022-04-01)

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

• BobTheShoplifter/Spring4Shell-POC
• TheGejr/SpringShell
• reznok/Spring4Shell-POC
• DDuarte/springshell-rce-poc
• k3rwin/spring-core-rce
• liangyueliangyue/spring-core-rce
• Kirill89/CVE-2022-22965-PoC
• FourCoreLabs/spring4shell-exploit-poc
• alt3kx/CVE-2022-22965_PoC
• GuayoyoCyber/CVE-2022-22965
• colincowie/Safer_PoC_CVE-2022-22965
• viniciuspereiras/CVE-2022-22965-poc
• likewhite/CVE-2022-22965
• snicoll-scratches/spring-boot-cve-2022-22965
• nu0l/CVE-2022-22965
• helsecert/CVE-2022-22965
• zer0yu/CVE-2022-22965
• me2nuk/CVE-2022-22965
• gpiechnik2/nmap-spring4shell
• daniel0x00/Invoke-CVE-2022-22965-SafeCheck
• fracturelabs/spring4shell_victim
• sunnyvale-it/CVE-2022-22965-PoC
• twseptian/cve-2022-22965
• netcode/Spring4shell-CVE-2022-22965-POC
• fracturelabs/go-scan-spring
• Snip3R69/spring-shell-vuln
• luoqianlin/CVE-2022-22965
• 0xrobiul/CVE-2022-22965
• LudovicPatho/CVE-2022-22965_Spring4Shell
• irgoncalves/irule-cve-2022-22965
• datawiza-inc/spring-rec-demo
• alt3kx/CVE-2022-22965
• wikiZ/springboot_CVE-2022-22965
• 4nth0ny1130/spring4shell_behinder
• t3amj3ff/Spring4ShellPoC
• CalumHutton/CVE-2022-22965-PoC_Payara
• fransvanbuul/CVE-2022-22965-susceptibility
• te5t321/Spring4Shell-CVE-2022-22965.py
• Loneyers/Spring4Shell
• p1ckzi/CVE-2022-22965
• Omaraitbenhaddi/-Spring4Shell-CVE-2022-22965-
• c4mx/CVE-2022-22965_PoC
• mariomamo/CVE-2022-22965
• khidottrivi/CVE-2022-22965
• Enokiy/spring-RCE-CVE-2022-22965
• cxzero/CVE-2022-22965-spring4shell
• tpt11fb/SpringVulScan

CVE-2022-22968 (2022-04-14)

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

• MarcinGadz/spring-rce-poc

CVE-2022-22972 (2022-05-20)

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

• horizon3ai/CVE-2022-22972
• Dghpi9/CVE-2022-22972
• bengisugun/CVE-2022-22972-

CVE-2022-22976 (2022-05-19)

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

• spring-io/cve-2022-22976-bcrypt-skips-salt

CVE-2022-22978 (2022-05-19)

In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

• DeEpinGh0st/CVE-2022-22978
• ducluongtran9121/CVE-2022-22978-PoC

CVE-2022-22980 (2022-06-22)

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

• trganda/CVE-2022-22980
• kuron3k0/Spring-Data-Mongodb-Example
• li8u99/Spring-Data-Mongodb-Demo
• jweny/cve-2022-22980
• murataydemir/CVE-2022-22980

CVE-2022-23046 (2022-01-19)

PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php

• hadrian3689/phpipam_1.4.4
• bernauers/CVE-2022-23046

CVE-2022-23131 (2022-01-13)

In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to Zabbix Frontend. To perform the attack, SAML authentication is required to be enabled and the actor has to know the username of Zabbix user (or use the guest account, which is disabled by default).

• Mr-xn/cve-2022-23131

CVE-2022-23222 (2022-01-14)

kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows local users to gain privileges because of the availability of pointer arithmetic via certain *_OR_NULL pointer types.

• tr3ee/CVE-2022-23222
• PenteraIO/CVE-2022-23222-POC

CVE-2022-23253 (2022-03-09)

Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability

• nettitude/CVE-2022-23253-PoC

CVE-2022-23270 (2022-05-10)

Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

• corelight/CVE-2022-23270-PPTP

CVE-2022-23305 (2022-01-18)

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

• HynekPetrak/log4shell-finder

CVE-2022-23342 (2022-06-21)

The Hyland Onbase Application Server releases prior to 20.3.58.1000 and OnBase releases 21.1.1.1000 through 21.1.15.1000 are vulnerable to a username enumeration vulnerability. An attacker can obtain valid users based on the response returned for invalid and valid users by sending a POST login request to the /mobilebroker/ServiceToBroker.svc/Json/Connect endpoint. This can lead to user enumeration against the underlying Active Directory integrated systems.

• InitRoot/CVE-2022-23342

CVE-2022-23642 (2022-02-18)

Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the gitserver service. The service acts as a git exec proxy, and fails to properly restrict calling git config. This allows an attacker to set the git core.sshCommand option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected.

• Altelus1/CVE-2022-23642

CVE-2022-23808 (2022-01-22)

An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection.

• dipakpanchal05/CVE-2022-23808

CVE-2022-23852 (2022-01-24)

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

• Satheesh575555/external_expat_AOSP10_r33_CVE-2022-23852

CVE-2022-23909 (2022-04-05)

There is an unquoted service path in Sherpa Connector Service (SherpaConnectorService.exe) 2020.2.20328.2050. This might allow a local user to escalate privileges by creating a "C:\Program Files\Sherpa Software\Sherpa.exe" file.

• netsectuna/CVE-2022-23909

CVE-2022-23990 (2022-01-26)

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

• Satheesh575555/external_expat_AOSP10_r33_CVE-2022-23990

CVE-2022-24086 (2022-02-16)

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.

• Mr-xn/CVE-2022-24086
• oK0mo/CVE-2022-24086-RCE-PoC
• seymanurmutlu/CVE-2022-24086-CVE-2022-24087

CVE-2022-24087

• Neimar47574/CVE-2022-24087

CVE-2022-24124 (2022-01-29)

The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.

• 0xAbbarhSF/CVE-2022-24124

CVE-2022-24125 (2022-03-20)

The matchmaking servers of Bandai Namco FromSoftware Dark Souls III through 2022-03-19 allow remote attackers to send arbitrary push requests to clients via a RequestSendMessageToPlayers request. For example, ability to send a push message to hundreds of thousands of machines is only restricted on the client side, and can thus be bypassed with a modified client.

• tremwil/ds3-nrssr-rce

CVE-2022-24181 (2022-04-01)

Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitary code via the X-Forwarded-Host Header.

• cyberhawk000/CVE-2022-24181

CVE-2022-24348 (2022-02-04)

Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.

• jkroepke/CVE-2022-24348-2

CVE-2022-24449 (2022-04-28)

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.

• jet-pentest/CVE-2022-24449

CVE-2022-24483 (2022-04-15)

Windows Kernel Information Disclosure Vulnerability

• waleedassar/CVE-2022-24483

CVE-2022-24491 (2022-04-15)

Windows Network File System Remote Code Execution Vulnerability

• corelight/CVE-2022-24491

CVE-2022-24494 (2022-04-15)

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

• vportal/AFD

CVE-2022-24497 (2022-04-15)

Windows Network File System Remote Code Execution Vulnerability

• corelight/CVE-2022-24497

CVE-2022-24611 (2022-05-17)

Denial of Service (DoS) in the Z-Wave S0 NonceGet protocol specification in Silicon Labs Z-Wave 500 series allows local attackers to block S0/S2 protected Z-Wave network via crafted S0 NonceGet Z-Wave packages, utilizing included but absent NodeIDs.

• ITSecLab-HSEL/CVE-2022-24611

CVE-2022-24644 (2022-03-07)

ZZ Inc. KeyMouse Windows 3.08 and prior is affected by a remote code execution vulnerability during an unauthenticated update. To exploit this vulnerability, a user must trigger an update of an affected installation of KeyMouse.

• gerr-re/cve-2022-24644
• ThanhThuy2908/ATHDH_CVE_2022_24644

CVE-2022-24675 (2022-04-20)

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.

• jfrog/jfrog-CVE-2022-24675

CVE-2022-24693 (2022-03-30)

Baicells Nova436Q and Neutrino 430 devices with firmware through QRTB 2.7.8 have hardcoded credentials that are easily discovered, and can be used by remote attackers to authenticate via ssh. (The credentials are stored in the firmware, encrypted by the crypt function.)

• lukejenkins/CVE-2022-24693

CVE-2022-24706 (2022-04-26)

In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.

• sadshade/CVE-2022-24706-CouchDB-Exploit
• ahmetsabrimert/Apache-CouchDB-CVE-2022-24706-RCE-Exploits-Blog-post-

CVE-2022-24707 (2022-02-23)

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue has been resolved in in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input.

• Altelus1/CVE-2022-24707

CVE-2022-24713 (2022-03-08)

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes.

• ItzSwirlz/CVE-2022-24713-POC

CVE-2022-24734 (2022-03-09)

MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type php with PHP code, executed on on Change Settings pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the Can manage settings? permission. MyBB's Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\n). In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds.

• Altelus1/CVE-2022-24734
• lavclash75/mybb-CVE-2022-24734

CVE-2022-24853 (2022-04-14)

Metabase is an open source business intelligence and analytics application. Metabase has a proxy to load arbitrary URLs for JSON maps as part of our GeoJSON support. While we do validation to not return contents of arbitrary URLs, there is a case where a particularly crafted request could result in file access on windows, which allows enabling an NTLM relay attack, potentially allowing an attacker to receive the system password hash. If you use Windows and are on this version of Metabase, please upgrade immediately. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.

• secure-77/CVE-2022-24853

CVE-2022-24924 (2022-02-11)

An improper access control in LiveWallpaperService prior to versions 3.0.9.0 allows to create a specific named system directory without a proper permission.

• heegong/CVE-2022-24924

CVE-2022-24934 (2022-03-23)

wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.

• webraybtl/CVE-2022-24934
• MagicPiperSec/WPS-CVE-2022-24934

CVE-2022-24990 (2023-02-07)

TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.

• 0xf4n9x/CVE-2022-24990
• ZZ-SOCMAP/CVE-2022-24990

CVE-2022-24999 (2022-11-26)

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

• n8tz/CVE-2022-24999

CVE-2022-25089 (2022-03-02)

Printix Secure Cloud Print Management through 1.3.1106.0 incorrectly uses Privileged APIs to modify values in HKEY_LOCAL_MACHINE via UITasks.PersistentRegistryData.

• ComparedArray/printix-CVE-2022-25089

CVE-2022-25090 (2022-03-09)

Printix Secure Cloud Print Management through 1.3.1106.0 creates a temporary temp.ini file in a directory with insecure permissions, leading to privilege escalation because of a race condition.

• ComparedArray/printix-CVE-2022-25090

CVE-2022-25235 (2022-02-16)

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

• Satheesh575555/external_expat_AOSP10_r33_CVE-2022-25235

CVE-2022-25236 (2022-02-16)

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

• Satheesh575555/external_expat_AOSP10_r33_CVE-2022-25236

CVE-2022-25256 (2022-02-19)

SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonAndRender.do has two parameters: saspfs_request_backlabel_list and saspfs_request_backurl_list. The first one affects the content of the button placed in the top left. The second affects the page to which the user is directed after pressing the button, e.g., a malicious web page. In addition, the second parameter executes JavaScript, which means XSS is possible by adding a javascript: URL.

• RobertDra/CVE-2022-25256

CVE-2022-25262 (2022-02-25)

In JetBrains Hub before 2022.1.14434, SAML request takeover was possible.

• yuriisanin/CVE-2022-25262

CVE-2022-25313 (2022-02-18)

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

• ShaikUsaf/external_expact_AOSP10_r33_CVE-2022-25313

CVE-2022-25314 (2022-02-18)

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.

• ShaikUsaf/external_expact_AOSP10_r33_CVE-2022-25314

CVE-2022-25315 (2022-02-18)

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

• ShaikUsaf/external_expact_AOSP10_r33_CVE-2022-25315

CVE-2022-25636 (2022-02-22)

net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nf_tables_offload.

• veritas501/CVE-2022-25636-PipeVersion

CVE-2022-25943 (2022-03-09)

The installer of WPS Office for Windows versions prior to v11.2.0.10258 fails to configure properly the ACL for the directory where the service program is installed.

• webraybtl/CVE-2022-25943

CVE-2022-26133 (2022-04-20)

SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.

• Pear1y/CVE-2022-26133
• 0xAbbarhSF/CVE-2022-26133

CVE-2022-26134 (2022-06-03)

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

• W01fh4cker/Serein
• offlinehoster/CVE-2022-26134
• ma1am/CVE-2022-26134-Exploit-Detection
• jbaines-r7/through_the_wire
• crowsec-edtech/CVE-2022-26134
• kyxiaxiang/CVE-2022-26134
• Brucetg/CVE-2022-26134
• shamo0/CVE-2022-26134
• SNCKER/CVE-2022-26134
• Vulnmachines/Confluence-CVE-2022-26134
• axingde/CVE-2022-26134
• 0xAgun/CVE-2022-26134
• abhishekmorla/CVE-2022-26134
• hev0x/CVE-2022-26134
• archanchoudhury/Confluence-CVE-2022-26134
• SIFalcon/confluencePot
• CatAnnaDev/CVE-2022-26134
• vesperp/CVE-2022-26134-Confluence
• li8u99/CVE-2022-26134
• reubensammut/cve-2022-26134
• BeichenDream/CVE-2022-26134-Godzilla-MEMSHELL
• alcaparra/CVE-2022-26134
• whokilleddb/CVE-2022-26134-Confluence-RCE
• Habib0x0/CVE-2022-26134
• Y000o/Confluence-CVE-2022-26134
• redhuntlabs/ConfluentPwn
• cai-niao98/CVE-2022-26134
• sunny-kathuria/exploit_CVE-2022-26134
• KeepWannabe/BotCon
• Chocapikk/CVE-2022-26134
• AmoloHT/CVE-2022-26134
• kh4sh3i/CVE-2022-26134
• ColdFusionX/CVE-2022-26134
• Luchoane/CVE-2022-26134_conFLU

CVE-2022-26135 (2022-06-30)

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.

• assetnote/jira-mobile-ssrf-exploit

CVE-2022-26159 (2022-02-28)

The auto-completion plugin in Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/<domain>/en.xml (and similar pathnames for other languages), which contain all characters typed by all users, including the content of private pages. For example, a private page may contain usernames, e-mail addresses, and possibly passwords.

• p0dalirius/CVE-2022-26159-Ametys-Autocompletion-XML

CVE-2022-26269 (2022-03-29)

Suzuki Connect v1.0.15 allows attackers to tamper with displayed messages via spoofed CAN messages.

• nsbogam/CVE-2022-26269

CVE-2022-26318 (2022-03-04)

On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.

• h3llk4t3/Watchguard-RCE-POC-CVE-2022-26318
• BabyTeam1024/CVE-2022-26318

CVE-2022-26717 (2022-11-01)

A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.5, watchOS 8.6, iOS 15.5 and iPadOS 15.5, macOS Monterey 12.4, Safari 15.5, iTunes 12.12.4 for Windows. Processing maliciously crafted web content may lead to arbitrary code execution.

• theori-io/CVE-2022-26717-Safari-WebGL-Exploit

CVE-2022-26726 (2022-05-26)

This issue was addressed with improved checks. This issue is fixed in Security Update 2022-004 Catalina, watchOS 8.6, macOS Monterey 12.4, macOS Big Sur 11.6.6. An app may be able to capture a user's screen.

• acheong08/CVE-2022-26726-POC
• acheong08/CVE-2022-26726-POC2

CVE-2022-26757 (2022-05-26)

A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, Security Update 2022-004 Catalina, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. An application may be able to execute arbitrary code with kernel privileges.

• Dylbin/flow_divert

CVE-2022-26809 (2022-04-15)

Remote Procedure Call Runtime Remote Code Execution Vulnerability

• sherlocksecurity/Microsoft-CVE-2022-26809-The-Little-Boy
• websecnl/CVE-2022-26809
• auduongxuan/CVE-2022-26809
• corelight/cve-2022-26809
• quijadajose/CVE-2022-26809-RCE
• oppongjohn/CVE-2022-26809-RCE
• yuanLink/CVE-2022-26809
• s1ckb017/PoC-CVE-2022-26809

CVE-2022-26923 (2022-05-10)

Active Directory Domain Services Elevation of Privilege Vulnerability

• r1skkam/TryHackMe-CVE-2022-26923
• LudovicPatho/CVE-2022-26923_AD-Certificate-Services

CVE-2022-26927 (2022-05-10)

Windows Graphics Component Remote Code Execution Vulnerability

• CrackerCat/CVE-2022-26927

CVE-2022-26937 (2022-05-10)

Windows Network File System Remote Code Execution Vulnerability

• corelight/CVE-2022-26937
• omair2084/CVE-2022-26937

CVE-2022-27134 (2022-05-12)

EOSIO batdappboomx v327c04cf has an Access-control vulnerability in the transfer function of the smart contract which allows remote attackers to win the cryptocurrency without paying ticket fee via the std::string memo parameter.

• Kenun99/CVE-batdappboomx

CVE-2022-27434 (2022-07-17)

UNIT4 TETA Mobile Edition (ME) before 29.5.HF17 was discovered to contain a SQL injection vulnerability via the ProfileName parameter in the errorReporting page.

• LongWayHomie/CVE-2022-27434

CVE-2022-27438 (2022-06-06)

Caphyon Ltd Advanced Installer 19.3 and earlier and many products that use the updater from Advanced Installer (Advanced Updater) are affected by a remote code execution vulnerability via the CustomDetection parameter in the update check function. To exploit this vulnerability, a user must start an affected installation to trigger the update check.

• gerr-re/cve-2022-27438

CVE-2022-27665 (2023-04-03)

Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.

• dievus/CVE-2022-27665

CVE-2022-27772 (2022-03-30)

spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer

• puneetbehl/grails3-cve-2022-27772

CVE-2022-28077 (2022-05-11)

Home Owners Collection Management v1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the Admin panel via the $_GET['s'] parameter.

• bigzooooz/CVE-2022-28077

CVE-2022-28078 (2022-05-11)

Home Owners Collection Management v1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the Admin panel via the $_GET['page'] parameter.

• bigzooooz/CVE-2022-28078

CVE-2022-28099 (2022-05-04)

Poultry Farm Management System v1.0 was discovered to contain a SQL injection vulnerability via the Item parameter at /farm/store.php.

• IbrahimEkimIsik/CVE-2022-28099

CVE-2022-28113 (2022-04-15)

An issue in upload.csp of FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows attackers to write files and reset the user passwords without having a valid session cookie.

• code-byter/CVE-2022-28113

CVE-2022-28117 (2022-04-28)

A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter.

• cheshireca7/CVE-2022-28117

CVE-2022-28132 (-)

The T-Soft E-Commerce 4 web application is susceptible to SQL injection (SQLi) attacks when authenticated as an admin or privileged user. This vulnerability allows attackers to access and manipulate the database through crafted requests. By exploiting this flaw, attackers can bypass authentication mechanisms, view sensitive information stored in the database, and potentially exfiltrate data.

• alpernae/CVE-2022-28132

CVE-2022-28219 (2022-04-05)

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.

• horizon3ai/CVE-2022-28219

CVE-2022-28281 (2022-12-22)

If a compromised content process sent an unexpected number of WebAuthN Extensions in a Register command to the parent process, an out of bounds write would have occurred leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.

• 0vercl0k/CVE-2022-28281

CVE-2022-28346 (2022-04-12)

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

• YouGina/CVE-2022-28346
• DeEpinGh0st/CVE-2022-28346
• ahsentekd/CVE-2022-28346

CVE-2022-28452 (2022-04-29)

Red Planet Laundry Management System 1.0 is vulnerable to SQL Injection.

• YavuzSahbaz/Red-Planet-Laundry-Management-System-1.0-is-vulnerable-to-SQL

CVE-2022-28454 (2022-04-28)

Limbas 4.3.36.1319 is vulnerable to Cross Site Scripting (XSS).

• YavuzSahbaz/Limbas-4.3.36.1319-is-vulnerable-to-Cross-Site-Scripting-XSS-

CVE-2022-28508 (2022-05-04)

An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.

• YavuzSahbaz/CVE-2022-28508

CVE-2022-28590 (2022-05-03)

A Remote Code Execution (RCE) vulnerability exists in Pixelimity 1.0 via admin/admin-ajax.php?action=install_theme.

• jcarabantes/CVE-2022-28590

CVE-2022-28598 (2022-08-22)

Frappe ERPNext 12.29.0 is vulnerable to XSS where the software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users.

• patrickdeanramos/CVE-2022-28598

CVE-2022-28601 (2022-05-10)

A Two-Factor Authentication (2FA) bypass vulnerability in "Simple 2FA Plugin for Moodle" by LMS Doctor allows remote attackers to overwrite the phone number used for confirmation via the profile.php file. Therefore, allowing them to bypass the phone verification mechanism.

• FlaviuPopescu/CVE-2022-28601

CVE-2022-28943

• zhefox/CVE-2022-28943

CVE-2022-28944 (2022-05-23)

Certain EMCO Software products are affected by: CWE-494: Download of Code Without Integrity Check. This affects MSI Package Builder for Windows 9.1.4 and Remote Installer for Windows 6.0.13 and Ping Monitor for Windows 8.0.18 and Remote Shutdown for Windows 7.2.2 and WakeOnLan 2.0.8 and Network Inventory for Windows 5.8.22 and Network Software Scanner for Windows 2.0.8 and UnLock IT for Windows 6.1.1. The impact is: execute arbitrary code (remote). The component is: Updater. The attack vector is: To exploit this vulnerability, a user must trigger an update of an affected installation of EMCO Software. ¶¶ Multiple products from EMCO Software are affected by a remote code execution vulnerability during the update process.

• gerr-re/cve-2022-28944

CVE-2022-28986 (2022-05-10)

LMS Doctor Simple 2 Factor Authentication Plugin For Moodle Affected: 2021072900 has an Insecure direct object references (IDOR) vulnerability, which allows remote attackers to update sensitive records such as email, password and phone number of other user accounts.

• FlaviuPopescu/CVE-2022-28986

CVE-2022-29004 (2022-05-23)

Diary Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name parameter in search-result.php.

• sudoninja-noob/CVE-2022-29004

CVE-2022-29005 (2022-05-23)

Multiple cross-site scripting (XSS) vulnerabilities in the component /obcs/user/profile.php of Online Birth Certificate System v1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname or lname parameters.

• sudoninja-noob/CVE-2022-29005

CVE-2022-29006 (2022-05-11)

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Directory Management System v1.0 allows attackers to bypass authentication.

• sudoninja-noob/CVE-2022-29006

CVE-2022-29007 (2022-05-11)

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Dairy Farm Shop Management System v1.0 allows attackers to bypass authentication.

• sudoninja-noob/CVE-2022-29007

CVE-2022-29008 (2022-05-11)

An insecure direct object reference (IDOR) vulnerability in the viewid parameter of Bus Pass Management System v1.0 allows attackers to access sensitive information.

• sudoninja-noob/CVE-2022-29008

CVE-2022-29009 (2022-05-11)

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Cyber Cafe Management System Project v1.0 allows attackers to bypass authentication.

• sudoninja-noob/CVE-2022-29009

CVE-2022-29072 (2022-04-15)

7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. NOTE: multiple third parties have reported that no privilege escalation can occur

• kagancapar/CVE-2022-29072
• tiktb8/CVE-2022-29072
• sentinelblue/CVE-2022-29072

CVE-2022-29221 (2022-05-24)

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.

• sbani/CVE-2022-29221-PoC

CVE-2022-29303 (2022-05-12)

SolarView Compact ver.6.00 was discovered to contain a command injection vulnerability via conf_mail.php.

• Chocapikk/CVE-2022-29303
• 1f3lse/CVE-2022-29303

CVE-2022-29337 (2022-05-24)

C-DATA FD702XW-X-R430 v2.1.13_X001 was discovered to contain a command injection vulnerability via the va_cmd parameter in formlanipv6. This vulnerability allows attackers to execute arbitrary commands via a crafted HTTP request.

• exploitwritter/CVE-2022-29337

CVE-2022-29359 (2022-05-24)

A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs/application_form&id=7 of School Club Application System v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.

• ZSECURE/CVE-2022-29359

CVE-2022-29383 (2022-05-13)

NETGEAR ProSafe SSL VPN firmware FVS336Gv2 and FVS336Gv3 was discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi.

• badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383
• cxaqhq/netgear-to-CVE-2022-29383

CVE-2022-29455 (2022-06-13)

DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 versions.

• GULL2100/Wordpress_xss-CVE-2022-29455

CVE-2022-29464 (2022-04-18)

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.

• hakivvi/CVE-2022-29464
• tufanturhan/wso2-rce-cve-2022-29464
• mr-r3bot/WSO2-CVE-2022-29464
• Lidong-io/cve-2022-29464
• hev0x/CVE-2022-29464
• gpiechnik2/nmap-CVE-2022-29464
• 0xAgun/CVE-2022-29464
• oppsec/WSOB
• n3rdh4x0r/CVE-2022-29464
• lowkey0808/cve-2022-29464
• superzerosec/CVE-2022-29464
• axin2019/CVE-2022-29464
• LinJacck/CVE-2022-29464
• Inplex-sys/CVE-2022-29464-loader
• Chocapikk/CVE-2022-29464
• jimidk/Better-CVE-2022-29464
• electr0lulz/Mass-exploit-CVE-2022-29464
• g0dxing/CVE-2022-29464

CVE-2022-29465 (2022-08-05)

An out-of-bounds write vulnerability exists in the PSD Header processing memory allocation functionality of Accusoft ImageGear 20.0. A specially-crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

• badguy233/CVE-2022-29465

CVE-2022-29548 (2022-04-21)

A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.

• cxosmo/CVE-2022-29548

CVE-2022-29551

• ComparedArray/printix-CVE-2022-29551

CVE-2022-29552

• ComparedArray/printix-CVE-2022-29552

CVE-2022-29553

• ComparedArray/printix-CVE-2022-29553

CVE-2022-29554

• ComparedArray/printix-CVE-2022-29554

CVE-2022-29593 (2022-07-14)

relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1.276A allows an attacker to replay HTTP post requests without the need for authentication or a valid signed/authorized request.

• 9lyph/CVE-2022-29593

CVE-2022-29597 (2022-06-02)

Solutions Atlantic Regulatory Reporting System (RRS) v500 is vulnerable to Local File Inclusion (LFI). Any authenticated user has the ability to reference internal system files within requests made to the RRSWeb/maint/ShowDocument/ShowDocument.aspx page. The server will successfully respond with the file contents of the internal system file requested. This ability could allow for adversaries to extract sensitive data and/or files from the underlying file system, gain knowledge about the internal workings of the system, or access source code of the application.

• TheGetch/CVE-2022-29597

CVE-2022-29598 (2022-05-27)

Solutions Atlantic Regulatory Reporting System (RRS) v500 is vulnerable to an reflected Cross-Site Scripting (XSS) vulnerability via RRSWeb/maint/ShowDocument/ShowDocument.aspx .

• TheGetch/CVE-2022-29598

CVE-2022-29622 (2022-05-16)

An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled. Strapi does not consider this to be a valid vulnerability.

• keymandll/CVE-2022-29622

CVE-2022-29778 (2022-06-03)

D-Link DIR-890L 1.20b01 allows attackers to execute arbitrary code due to the hardcoded option Wake-On-Lan for the parameter 'descriptor' at SetVirtualServerSettings.php

• TyeYeah/DIR-890L-1.20-RCE

CVE-2022-29885 (2022-05-12)

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

• quynhlab/CVE-2022-29885

CVE-2022-29932 (2022-05-11)

The HTTP Server in PRIMEUR SPAZIO 2.5.1.954 (File Transfer) allows an unauthenticated attacker to obtain sensitive data (related to the content of transferred files) via a crafted HTTP request.

• Off3nS3c/CVE-2022-29932

CVE-2022-29968 (2022-05-02)

An issue was discovered in the Linux kernel through 5.17.5. io_rw_init_file in fs/io_uring.c lacks initialization of kiocb->private.

• jprx/CVE-2022-29968

CVE-2022-30006

• ComparedArray/printix-CVE-2022-30006

CVE-2022-30023 (2022-06-16)

Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function.

• Haniwa0x01/CVE-2022-30023

CVE-2022-30040 (2022-05-11)

Tenda AX1803 v1.0.0.1_2890 is vulnerable to Buffer Overflow. The vulnerability lies in rootfs_ In / goform / setsystimecfg of / bin / tdhttpd in ubif file system, attackers can access http://ip/goform/SetSysTimeCfg, and by setting the ntpserve parameter, the stack buffer overflow can be caused to achieve the effect of router denial of service.

• Le1a/CVE-2022-30040

CVE-2022-30075 (2022-06-09)

In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote code execution due to improper validation.

• aaronsvk/CVE-2022-30075
• SAJIDAMINE/CVE-2022-30075

CVE-2022-30190 (2022-06-01)

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.\nPlease see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.

• JMousqueton/PoC-CVE-2022-30190
• zkl21hoang/msdt-follina-office-rce
• onecloudemoji/CVE-2022-30190
• 2867a0/CVE-2022-30190
• doocop/CVE-2022-30190
• archanchoudhury/MSDT_CVE-2022-30190
• rickhenderson/cve-2022-30190
• DOV3Y/CVE-2022-30190-ASR-Senintel-Process-Pickup
• kdk2933/msdt-CVE-2022-30190
• sentinelblue/CVE-2022-30190
• aymankhder/MSDT_CVE-2022-30190-follina-
• PaddlingCode/cve-2022-30190
• dwisiswant0/gollina
• hscorpion/CVE-2022-30190
• drgreenthumb93/CVE-2022-30190-follina
• mitespsoc/CVE-2022-30190-POC
• Vaisakhkm2625/MSDT-0-Day-CVE-2022-30190-Poc
• rouben/CVE-2022-30190-NSIS
• Cosmo121/Follina-Remediation
• rayorole/CVE-2022-30190
• ImproveCybersecurityJaro/2022_PoC-MSDT-Follina-CVE-2022-30190
• sudoaza/CVE-2022-30190
• gamingwithevets/msdt-disable
• ErrorNoInternet/FollinaScanner
• ITMarcin2211/CVE-2022-30190
• derco0n/mitigate-folina
• komomon/CVE-2022-30190-follina-Office-MSDT-Fixed
• gyaansastra/CVE-2022-30190
• swaiist/CVE-2022-30190-Fix
• suenerve/CVE-2022-30190-Follina-Patch
• castlesmadeofsand/ms-msdt-vulnerability-pdq-package
• WesyHub/CVE-2022-30190---Follina---Poc-Exploit
• 0xflagplz/MS-MSDT-Office-RCE-Follina
• arozx/CVE-2022-30190
• Noxtal/follina
• droidrzrlover/CVE-2022-30190
• hilt86/cve-2022-30190-mitigate
• SrikeshMaharaj/CVE-2022-30190
• AbdulRKB/Follina
• DerZiad/CVE-2022-30190
• tej7gandhi/CVE-2022-30190-Zero-Click-Zero-Day-in-msdt
• ItsNee/Follina-CVE-2022-30190-POC
• IamVSM/msdt-follina
• Rojacur/FollinaPatcherCLI
• joshuavanderpoll/CVE-2022-30190
• abhirules27/Follina
• dsibilio/follina-spring
• Malwareman007/Deathnote
• sentrium-security/Follina-Workaround-CVE-2022-30190
• Hrishikesh7665/Follina_Exploiter_CLI
• b401/Clickstudio-compromised-certificate
• k508/CVE-2022-30190
• amitniz/follina_cve_2022-30190
• Abdibimantara/CVE-2022-30190-Analysis-With-LetsDefends-Lab
• SrCroqueta/CVE-2022-30190_Temporary_Fix
• SrCroqueta/CVE-2022-30190_Temporary_Fix_Source_Code
• SonicWave21/Follina-CVE-2022-30190-Unofficial-patch
• nanaao/PicusSecurity4.Week.Repo
• XxToxicScriptxX/CVE-2022-30190
• ernestak/CVE-2022-30190
• ernestak/Sigma-Rule-for-CVE-2022-30190
• MalwareTech/FollinaExtractor
• notherealhazard/follina-CVE-2022-30190
• Cerebrovinny/follina-CVE-2022-30190
• Lucaskrell/go_follina
• Gra3s/CVE-2022-30190_EXP_PowerPoint

CVE-2022-30292 (2022-05-04)

Heap-based buffer overflow in sqbaselib.cpp in SQUIRREL 3.2 due to lack of a certain sq_reservestack call.

• sprushed/CVE-2022-30292

CVE-2022-30489 (2022-05-13)

WAVLINK WN535 G3 was discovered to contain a cross-site scripting (XSS) vulnerability via the hostname parameter at /cgi-bin/login.cgi.

• badboycxcc/XSS-CVE-2022-30489

CVE-2022-30510 (2022-05-27)

School Dormitory Management System 1.0 is vulnerable to SQL Injection via reports/daily_collection_report.php:59.

• bigzooooz/CVE-2022-30510

CVE-2022-30511 (2022-05-27)

School Dormitory Management System 1.0 is vulnerable to SQL Injection via accounts/view_details.php:4.

• bigzooooz/CVE-2022-30511

CVE-2022-30512 (2022-05-27)

School Dormitory Management System 1.0 is vulnerable to SQL Injection via accounts/payment_history.php:31.

• bigzooooz/CVE-2022-30512

CVE-2022-30513 (2022-05-27)

School Dormitory Management System v1.0 is vulnerable to reflected cross-site scripting (XSS) via admin/inc/navigation.php:125

• bigzooooz/CVE-2022-30513

CVE-2022-30514 (2022-05-27)

School Dormitory Management System v1.0 is vulnerable to reflected cross-site scripting (XSS) via admin/inc/navigation.php:126.

• bigzooooz/CVE-2022-30514

CVE-2022-30525 (2022-05-12)

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

• jbaines-r7/victorian_machinery
• Henry4E36/CVE-2022-30525
• shuai06/CVE-2022-30525
• savior-only/CVE-2022-30525
• M4fiaB0y/CVE-2022-30525
• k0sf/CVE-2022-30525
• superzerosec/CVE-2022-30525
• Chocapikk/CVE-2022-30525-Reverse-Shell
• 160Team/CVE-2022-30525
• iveresk/cve-2022-30525
• west9b/CVE-2022-30525
• furkanzengin/CVE-2022-30525
• ProngedFork/CVE-2022-30525

CVE-2022-30591 (2022-07-06)

quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. This occurs because mtu_discoverer.go misparses the MTU Discovery service and consequently overflows the probe timer. NOTE: the vendor's position is that this behavior should not be listed as a vulnerability on the CVE List

• efchatz/QUIC-attacks

CVE-2022-30778

• kang8/CVE-2022-30778

CVE-2022-30780 (2022-06-11)

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.

• p0dalirius/CVE-2022-30780-lighttpd-denial-of-service

CVE-2022-30781 (2022-05-16)

Gitea before 1.16.7 does not escape git fetch remote.

• wuhan005/CVE-2022-30781

CVE-2022-31245 (2022-05-20)

mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

• ly1g3/Mailcow-CVE-2022-31245

CVE-2022-31294 (2022-06-16)

An issue in the save_users() function of Online Discussion Forum Site 1 allows unauthenticated attackers to arbitrarily create or update user accounts.

• bigzooooz/CVE-2022-31294

CVE-2022-31295 (2022-06-16)

An issue in the delete_post() function of Online Discussion Forum Site 1 allows unauthenticated attackers to arbitrarily delete posts.

• bigzooooz/CVE-2022-31295

CVE-2022-31296 (2022-06-17)

Online Discussion Forum Site 1 was discovered to contain a blind SQL injection vulnerability via the component /odfs/posts/view_post.php.

• bigzooooz/CVE-2022-31296

CVE-2022-31297

• bigzooooz/CVE-2022-31297

CVE-2022-31298 (2022-06-16)

A cross-site scripting vulnerability in the ads comment section of Haraj v3.7 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

• bigzooooz/CVE-2022-31298

CVE-2022-31299 (2022-06-16)

Haraj v3.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the User Upgrade Form.

• bigzooooz/CVE-2022-31299

CVE-2022-31300 (2022-06-16)

A cross-site scripting vulnerability in the DM Section component of Haraj v3.7 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

• bigzooooz/CVE-2022-31300

CVE-2022-31301 (2022-06-16)

Haraj v3.7 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Post Ads component.

• bigzooooz/CVE-2022-31301

CVE-2022-31402 (2022-06-10)

ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php.

• YavuzSahbaz/CVE-2022-31402

CVE-2022-31403 (2022-06-14)

ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php.

• IbrahimEkimIsik/CVE-2022-31403

CVE-2022-31749

• jbaines-r7/hook

CVE-2022-31983 (2022-06-01)

Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=requests/manage_request&id=.

• mel1huc4r/CVE-2022-31983

CVE-2022-32013 (2022-06-02)

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via eris/admin/category/index.php?view=edit&id=.

• heavenswill/CVE-2022-32013

CVE-2022-32114 (2022-07-13)

An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XSS attacks via a crafted PDF file. NOTE: the project documentation suggests that a user with the Media Library "Create (upload)" permission is supposed to be able to upload PDF files containing JavaScript, and that all files in a public assets folder are accessible to the outside world (unless the filename begins with a dot character). The administrator can choose to allow only image, video, and audio files (i.e., not PDF) if desired.

• bypazs/CVE-2022-32114

CVE-2022-32118 (2022-07-15)

Arox School ERP Pro v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the dispatchcategory parameter in backoffice.inc.php.

• JC175/CVE-2022-32118

CVE-2022-32119 (2022-07-15)

Arox School ERP Pro v1.0 was discovered to contain multiple arbitrary file upload vulnerabilities via the Add Photo function at photogalleries.inc.php and the import staff excel function at 1finance_master.inc.php.

• JC175/CVE-2022-32119

CVE-2022-32532 (2022-06-28)

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

• Lay0us/CVE-2022-32532

CVE-2022-32988 (2022-06-30)

Cross Site Scripting (XSS) vulnerability in router Asus DSL-N14U-B1 1.1.2.3_805 via the "*list" parameters (e.g. filter_lwlist, keyword_rulelist, etc) in every ".asp" page containing a list of stored strings. The following asp files are affected: (1) cgi-bin/APP_Installation.asp, (2) cgi-bin/Advanced_ACL_Content.asp, (3) cgi-bin/Advanced_ADSL_Content.asp, (4) cgi-bin/Advanced_ASUSDDNS_Content.asp, (5) cgi-bin/Advanced_AiDisk_ftp.asp, (6) cgi-bin/Advanced_AiDisk_samba.asp, (7) cgi-bin/Advanced_DSL_Content.asp, (8) cgi-bin/Advanced_Firewall_Content.asp, (9) cgi-bin/Advanced_FirmwareUpgrade_Content.asp, (10) cgi-bin/Advanced_GWStaticRoute_Content.asp, (11) cgi-bin/Advanced_IPTV_Content.asp, (12) cgi-bin/Advanced_IPv6_Content.asp, (13) cgi-bin/Advanced_KeywordFilter_Content.asp, (14) cgi-bin/Advanced_LAN_Content.asp, (15) cgi-bin/Advanced_Modem_Content.asp, (16) cgi-bin/Advanced_PortTrigger_Content.asp, (17) cgi-bin/Advanced_QOSUserPrio_Content.asp, (18) cgi-bin/Advanced_QOSUserRules_Content.asp, (19) cgi-bin/Advanced_SettingBackup_Content.asp, (20) cgi-bin/Advanced_System_Content.asp, (21) cgi-bin/Advanced_URLFilter_Content.asp, (22) cgi-bin/Advanced_VPN_PPTP.asp, (23) cgi-bin/Advanced_VirtualServer_Content.asp, (24) cgi-bin/Advanced_WANPort_Content.asp, (25) cgi-bin/Advanced_WAdvanced_Content.asp, (26) cgi-bin/Advanced_WMode_Content.asp, (27) cgi-bin/Advanced_WWPS_Content.asp, (28) cgi-bin/Advanced_Wireless_Content.asp, (29) cgi-bin/Bandwidth_Limiter.asp, (30) cgi-bin/Guest_network.asp, (31) cgi-bin/Main_AccessLog_Content.asp, (32) cgi-bin/Main_AdslStatus_Content.asp, (33) cgi-bin/Main_Spectrum_Content.asp, (34) cgi-bin/Main_WebHistory_Content.asp, (35) cgi-bin/ParentalControl.asp, (36) cgi-bin/QIS_wizard.asp, (37) cgi-bin/QoS_EZQoS.asp, (38) cgi-bin/aidisk.asp, (39) cgi-bin/aidisk/Aidisk-1.asp, (40) cgi-bin/aidisk/Aidisk-2.asp, (41) cgi-bin/aidisk/Aidisk-3.asp, (42) cgi-bin/aidisk/Aidisk-4.asp, (43) cgi-bin/blocking.asp, (44) cgi-bin/cloud_main.asp, (45) cgi-bin/cloud_router_sync.asp, (46) cgi-bin/cloud_settings.asp, (47) cgi-bin/cloud_sync.asp, (48) cgi-bin/device-map/DSL_dashboard.asp, (49) cgi-bin/device-map/clients.asp, (50) cgi-bin/device-map/disk.asp, (51) cgi-bin/device-map/internet.asp, (52) cgi-bin/error_page.asp, (53) cgi-bin/index.asp, (54) cgi-bin/index2.asp, (55) cgi-bin/qis/QIS_PTM_manual_setting.asp, (56) cgi-bin/qis/QIS_admin_pass.asp, (57) cgi-bin/qis/QIS_annex_setting.asp, (58) cgi-bin/qis/QIS_bridge_cfg_tmp.asp, (59) cgi-bin/qis/QIS_detect.asp, (60) cgi-bin/qis/QIS_finish.asp, (61) cgi-bin/qis/QIS_ipoa_cfg_tmp.asp, (62) cgi-bin/qis/QIS_manual_setting.asp, (63) cgi-bin/qis/QIS_mer_cfg.asp, (64) cgi-bin/qis/QIS_mer_cfg_tmp.asp, (65) cgi-bin/qis/QIS_ppp_cfg.asp, (66) cgi-bin/qis/QIS_ppp_cfg_tmp.asp, (67) cgi-bin/qis/QIS_wireless.asp, (68) cgi-bin/query_wan_status.asp, (69) cgi-bin/query_wan_status2.asp, and (70) cgi-bin/start_apply.asp.

• FedericoHeichou/CVE-2022-32988

CVE-2022-34024 (2022-07-19)

Barangay Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via the resident module editing function at /bmis/pages/resident/resident.php.

• sorabug/bug_report

CVE-2022-34298 (2022-06-22)

The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack."

• watchtowrlabs/CVE-2022-34298

CVE-2022-34961 (2022-07-25)

OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Users Timeline module.

• bypazs/CVE-2022-34961

CVE-2022-34962 (2022-07-25)

OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Group Timeline module.

• bypazs/CVE-2022-34962

CVE-2022-34963 (2022-07-25)

OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain a stored cross-site scripting (XSS) vulnerability via the News Feed module.

• bypazs/CVE-2022-34963

CVE-2022-41032 (2022-10-11)

NuGet Client Elevation of Privilege Vulnerability

• ethomson/cve-2022-41032

CVE-2022-41540 (2022-10-18)

The web app client of TP-Link AX10v1 V1_211117 uses hard-coded cryptographic keys when communicating with the router. Attackers who are able to intercept the communications between the web client and router through a man-in-the-middle attack can then obtain the sequence key via a brute-force attack, and access sensitive information.

• efchatz/easy-exploits

CVE-2022-46638

• naonymous101/CVE-2022-46638

2021

CVE-2021-0302 (2021-02-10)

In PackageInstaller, there is a possible tapjacking attack due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10Android ID: A-155287782

• ShaikUsaf/packages_apps_PackageInstaller_AOSP10_r33_CVE-2021-0302

CVE-2021-0306 (2021-01-11)

In addAllPermissions of PermissionManagerService.java, there is a possible permissions bypass when upgrading major Android versions which allows an app to gain the android.permission.ACTIVITY_RECOGNITION permission without user confirmation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.0, Android-8.1, Android-9, Android-10; Android ID: A-154505240.

• nanopathi/framework_base_AOSP10_r33_CVE-2021-0306_CVE-2021-0317

CVE-2021-0308 (2021-01-11)

In ReadLogicalParts of basicmbr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-158063095.

• Trinadh465/platform_external_gptfdisk_AOSP10_r33_CVE-2021-0308

CVE-2021-0313 (2021-01-11)

In isWordBreakAfter of LayoutUtils.cpp, there is a possible way to slow or crash a TextView due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-10, Android-11, Android-8.0, Android-8.1; Android ID: A-170968514.

• Satheesh575555/frameworks_minikin_AOSP10_r33_CVE-2021-0313

CVE-2021-0314 (2021-02-10)

In onCreate of UninstallerActivity, there is a possible way to uninstall an all without informed user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-171221302

• nanopathi/framework_base_AOSP10_r33_CVE-2021-0314

CVE-2021-0315 (2021-01-11)

In onCreate of GrantCredentialsPermissionActivity.java, there is a possible way to convince the user to grant an app access to an account due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-169763814.

• nanopathi/framework_base_AOSP10_r33_CVE-2021-0315
• pazhanivel07/frameworks_base_Aosp10_r33_CVE-2021-0315
• nanopathi/frameworks_base1_CVE-2021-0315

CVE-2021-0316 (2021-01-11)

In avrc_pars_vendor_cmd of avrc_pars_tg.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11, Android-8.0, Android-8.1, Android-9, Android-10; Android ID: A-168802990.

• Satheesh575555/system_bt_AOSP_10_r33_CVE-2021-0316

CVE-2021-0318 (2021-01-11)

In appendEventsToCacheLocked of SensorEventConnection.cpp, there is a possible out of bounds write due to a use-after-free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-9, Android-8.1, Android-10, Android-11; Android ID: A-168211968.

• nanopathi/frameworks_native_AOSP10_r33_CVE-2021-0318

CVE-2021-0319 (2021-01-11)

In checkCallerIsSystemOr of CompanionDeviceManagerService.java, there is a possible way to get a nearby Bluetooth device's MAC address without appropriate permissions due to a permissions bypass. This could lead to local escalation of privilege that grants access to nearby MAC addresses, with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11; Android ID: A-167244818.

• Satheesh575555/frameworks_base_AOSP10_r33_CVE-2021-0319

CVE-2021-0325 (2021-02-10)

In ih264d_parse_pslice of ih264d_parse_pslice.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-174238784

• nanopathi/external_libavc_AOSP10_r33_CVE-2021-0325

CVE-2021-0326 (2021-02-10)

In p2p_copy_client_info of p2p.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution if the target device is performing a Wi-Fi Direct search, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-172937525

• aemmitt-ns/skeleton
• nanopathi/wpa_supplicant_8_CVE-2021-0326.
• Satheesh575555/external_wpa_supplicant_8_AOSP10_r33_CVE-2021-0326
• nanopathi/Packages_wpa_supplicant8_CVE-2021-0326
• ShaikUsaf/external_wpa_supplicant_8_AOSP10_r33CVE-2021-0326

CVE-2021-0327 (2021-02-10)

In getContentProviderImpl of ActivityManagerService.java, there is a possible permission bypass due to non-restored binder identities. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-172935267

• nanopathi/framework_base_AOSP10_r33_CVE-2021-0327

CVE-2021-0328 (2021-02-10)

In onBatchScanReports and deliverBatchScan of GattService.java, there is a possible way to retrieve Bluetooth scan results without permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-172670415

• ShaikUsaf/packages_apps_Bluetooth_AOSP10_r33_CVE-2021-0328

CVE-2021-0329 (2021-02-10)

In several native functions called by AdvertiseManager.java, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege in the Bluetooth server with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-171400004

• ShaikUsaf/packages_apps_Bluetooth_AOSP10_r33_CVE-2021-0329

CVE-2021-0330 (2021-02-10)

In add_user_ce and remove_user_ce of storaged.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in storaged with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11Android ID: A-170732441

• Satheesh575555/system_core_AOSP10_r33-CVE-2021-0330

CVE-2021-0331 (2021-02-10)

In onCreate of NotificationAccessConfirmationActivity.java, there is a possible overlay attack due to an insecure default value. This could lead to local escalation of privilege and notification access with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-170731783

• Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2021-0331

CVE-2021-0332 (2021-02-10)

In bootFinished of SurfaceFlinger.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-169256435

• Satheesh575555/frameworks_native_AOSP10_r33_CVE-2021-0332

CVE-2021-0333 (2021-02-10)

In onCreate of BluetoothPermissionActivity.java, there is a possible permissions bypass due to a tapjacking overlay that obscures the phonebook permissions dialog when a Bluetooth device is connecting. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-168504491

• Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2021-0333

CVE-2021-0334 (2021-02-10)

In onTargetSelected of ResolverActivity.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-163358811

• ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2021-0334

CVE-2021-0336 (2021-02-10)

In onReceive of BluetoothPermissionRequest.java, there is a possible permissions bypass due to a mutable PendingIntent. This could lead to local escalation of privilege that bypasses a permission check, with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-158219161

• Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2021-0336

CVE-2021-0337 (2021-02-10)

In moveInMediaStore of FileSystemProvider.java, there is a possible file exposure due to stale metadata. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-157474195

• ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2021-0337

CVE-2021-0339 (2021-02-10)

In loadAnimation of WindowContainer.java, there is a possible way to keep displaying a malicious app while a target app is brought to the foreground. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-8.1 Android-9Android ID: A-145728687

• nanopathi/framework_base_AOSP10_r33_CVE-2021-0339

CVE-2021-0340 (2021-02-10)

In parseNextBox of IsoInterface.java, there is a possible leak of unredacted location information due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-134155286

• Satheesh575555/packages_providers_MediaProvider_AOSP10_r33_CVE-2021-0340
• nanopathi/packages_providers_MediaProvider_AOSP10_r33_CVE-2021-0340

CVE-2021-0390 (2021-03-10)

In various methods of WifiNetworkSuggestionsManager.java, there is a possible modification of suggested networks due to a missing permission check. This could lead to local escalation of privilege by a background user on the same device with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174749461

• uthrasri/frameworks_opt_net_wifi_CVE-2021-0390

CVE-2021-0391 (2021-03-10)

In onCreate() of ChooseTypeAndAccountActivity.java, there is a possible way to learn the existence of an account, without permissions, due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-172841550

• nanopathi/framework_base_AOSP10_r33_CVE-2021-0391

CVE-2021-0392 (2021-03-10)

In main of main.cpp, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-9Android ID: A-175124730

• uthrasri/System_Connectivity_Wificond_CVE-2021-0392

CVE-2021-0393 (2021-03-10)

In Scanner::LiteralBuffer::NewCapacity of scanner.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if an attacker can supply a malicious PAC file, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-168041375

• Trinadh465/external_v8_AOSP10_r33_CVE-2021-0393

CVE-2021-0394 (2021-03-10)

In android_os_Parcel_readString8 of android_os_Parcel.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-172655291

• nanopathi/packages_apps_Settings_CVE-2021-0394
• Trinadh465/platform_art_CVE-2021-0394

CVE-2021-0396 (2021-03-10)

In Builtins::Generate_ArgumentsAdaptorTrampoline of builtins-arm.cc and related files, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-160610106

• Satheesh575555/external_v8_AOSP10_r33_CVE-2021-0396

CVE-2021-0397 (2021-03-10)

In sdp_copy_raw_data of sdp_discovery.cc, there is a possible system compromise due to a double free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174052148

• Satheesh575555/System_bt_AOSP10-r33_CVE-2021-0397

CVE-2021-0399 (2021-03-10)

In qtaguid_untag of xt_qtaguid.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-176919394References: Upstream kernel

• nipund513/Exploiting-UAF-by-Ret2bpf-in-Android-Kernel-CVE-2021-0399-

CVE-2021-0431 (2021-04-13)

In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a paired device with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174149901

• ShaikUsaf/system_bt_AOSP10_r33_CVE-2021-0431
• nanopathi/system_bt_AOSP10_r33_CVE-2021-0431

CVE-2021-0433 (2021-04-13)

In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege and pairing malicious devices with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171221090

• Trinadh465/frameworks_base_AOSP10_r33_CVE-2021-0433

CVE-2021-0435 (2021-04-13)

In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak of heap data due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174150451

• nanopathi/system_bt_AOSP10_r33_CVE-2021-0435
• ShaikUsaf/system_bt_AOSP10_r33_CVE-2021-0435

CVE-2021-0437 (2021-04-13)

In setPlayPolicy of DrmPlugin.cpp, there is a possible double free. This could lead to local escalation of privilege in a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-176168330

• nanopathi/frameworks_av_AOSP10_r33_CVE-2021-0437

CVE-2021-0466 (2021-06-11)

In startIpClient of ClientModeImpl.java, there is a possible identifier which could be used to track a device. This could lead to remote information disclosure to a proximal attacker, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-154114734

• uthrasri/frameworks_opt_net_wifi_CVE-2021-0466

CVE-2021-0472 (2021-06-11)

In shouldLockKeyguard of LockTaskController.java, there is a possible way to exit App Pinning without a PIN due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-9 Android-10Android ID: A-176801033

• nanopathi/framework_base_AOSP10_r33_CVE-2021-0472

CVE-2021-0474 (2021-06-11)

In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-177611958

• pazhanivel07/system_bt_A10-r33_CVE-2021-0474
• pazhanivel07/system_bt_A10_r33_CVE-2021-0474

CVE-2021-0475 (2021-06-11)

In on_l2cap_data_ind of btif_sock_l2cap.cc, there is possible memory corruption due to a use after free. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-175686168

• ShaikUsaf/system_bt_AOSP10_r33_CVE-2021-0475

CVE-2021-0476 (2021-06-11)

In FindOrCreatePeer of btif_av.cc, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-9 Android-10Android ID: A-169252501

• nanopathi/system_bt_AOSP10_r33_CVE-2021-0476

CVE-2021-0478 (2021-06-21)

In updateDrawable of StatusBarIconView.java, there is a possible permission bypass due to an uncaught exception. This could lead to local escalation of privilege by running foreground services without notifying the user, with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-169255797

• Satheesh575555/frameworks_base_AOSP10_r33_CVE-2021-0478

CVE-2021-0481 (2021-06-11)

In onActivityResult of EditUserPhotoController.java, there is a possible access of unauthorized files due to an unexpected URI handler. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-172939189

• ShaikUsaf/packages_apps_settings_AOSP10_r33_CVE-2021-0481

CVE-2021-0506 (2021-06-21)

In ActivityPicker.java, there is a possible bypass of user interaction in intent resolution due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-181962311

• Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2021-0506

CVE-2021-0507 (2021-06-21)

In handle_rc_metamsg_cmd of btif_rc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-181860042

• nanopathi/system_bt_AOSP10_r33_CVE-2021-0507

CVE-2021-0508 (2021-06-21)

In various functions of DrmPlugin.cpp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-176444154

• nanopathi/frameworks_av_AOSP10_r33_CVE-2021-0508

CVE-2021-0509 (2021-06-21)

In various functions of CryptoPlugin.cpp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-176444161

• Trinadh465/frameworks_av_AOSP10_r33_CVE-2021-0509

CVE-2021-0510 (2021-06-21)

In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-176444622

• pazhanivel07/hardware_interfaces-A10_r33_CVE-2021-0510

CVE-2021-0511 (2021-06-21)

In Dex2oat of dex2oat.cc, there is a possible way to inject bytecode into an app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11Android ID: A-178055795

• Trinadh465/platform_art_AOSP10_r33_CVE-2021-0511

CVE-2021-0513 (2021-06-21)

In deleteNotificationChannel and related functions of NotificationManagerService.java, there is a possible permission bypass due to improper state validation. This could lead to local escalation of privilege via hidden services with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-156090809

• nanopathi/framework_base_AOSP10_r33_CVE-2021-0513

CVE-2021-0516 (2021-06-21)

In p2p_process_prov_disc_req of p2p_pd.c, there is a possible out of bounds read and write due to a use after free. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-181660448

• Satheesh575555/external_wpa_supplicant_8_AOSP10_r33_CVE-2021-0516

CVE-2021-0519 (2021-08-17)

In BITSTREAM_FLUSH of ih264e_bitstream.h, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-176533109

• nanopathi/external_libavc_AOSP10_r33_CVE-2021-0519

CVE-2021-0520 (2021-06-21)

In several functions of MemoryFileSystem.cpp and related files, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-176237595

• nanopathi/frameworks_av_AOSP10_r33_CVE-2021-0520
• ShaikUsaf/frameworks_av_AOSP10_r33_CVE-2021-0520

CVE-2021-0522 (2021-06-21)

In ConnectionHandler::SdpCb of connection_handler.cc, there is a possible out of bounds read due to a use after free. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-9 Android-10Android ID: A-174182139

• nanopathi/system_bt_AOSP10_r33_CVE-2021-0522

CVE-2021-0586 (2021-07-14)

In onCreate of DevicePickerFragment.java, there is a possible way to trick the user to select an unwanted bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-182584940

• nanopathi/packages_apps_Settings_CVE-2021-0586

CVE-2021-0589 (2021-07-14)

In BTM_TryAllocateSCN of btm_scn.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-180939982

• Trinadh465/System_bt_AOSP10_r33_CVE-2021-0589
• Satheesh575555/system_bt_AOSP10_r33_CVE-2021-0589

CVE-2021-0594 (2021-07-14)

In onCreate of ConfirmConnectActivity, there is a possible remote bypass of user consent due to improper input validation. This could lead to remote (proximal, NFC) escalation of privilege allowing an attacker to deceive a user into allowing a Bluetooth connection with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-176445224

• Satheesh575555/packages_apps_Nfc_AOSP10_r33_CVE-2021-0594

CVE-2021-0595 (2021-10-06)

In lockAllProfileTasks of RootWindowContainer.java, there is a possible way to access the work profile without the profile PIN, after logging in. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-177457096

• pazhanivel07/Settings-CVE-2021-0595
• pazhanivel07/frameworks_base_Aosp10_r33_CVE-2021-0595

CVE-2021-0600 (2021-07-14)

In onCreate of DeviceAdminAdd.java, there is a possible way to mislead a user to activate a device admin app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-179042963

• Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2021-0600

CVE-2021-0640 (2021-08-17)

In noteAtomLogged of StatsdStats.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-9Android ID: A-187957589

• Trinadh465/frameworks_base_AOSP10_r33_CVE-2021-0640

CVE-2021-0652 (2021-10-22)

In VectorDrawable::VectorDrawable of VectorDrawable.java, there is a possible way to introduce a memory corruption due to sharing of not thread-safe objects. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-185178568

• Satheesh575555/frameworks_base_AOSP10_r33_CVE-2021-0652

CVE-2021-0683 (2021-10-06)

In runTraceIpcStop of ActivityManagerShellCommand.java, there is a possible deletion of system files due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-185398942

• nanopathi/framework_base_AOSP10_r33_CVE-2021-0683_CVE-2021-0708

CVE-2021-0688 (2021-10-06)

In lockNow of PhoneWindowManager.java, there is a possible lock screen bypass due to a race condition. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-161149543

• Satheesh575555/frameworks_base_AOSP10_r33_CVE-2021-0688

CVE-2021-0705 (2021-10-22)

In sanitizeSbn of NotificationManagerService.java, there is a possible way to keep service running in foreground and keep granted permissions due to Bypass of Background Service Restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-185388103

• ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2021-0705
• Trinadh465/frameworks_base_AOSP10_r33_CVE-2021-0705

CVE-2021-0928 (2021-12-15)

In createFromParcel of OutputConfiguration.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-9Android ID: A-188675581

• michalbednarski/ReparcelBug2

CVE-2021-0954 (2021-12-15)

In ResolverActivity, there is a possible user interaction bypass due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-143559931

• nanopathi/framework_base_AOSP10_r33_CVE-2021-0954

CVE-2021-0963 (2021-12-15)

In onCreate of KeyChainActivity.java, there is a possible way to use an app certificate stored in keychain due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-199754277

• Trinadh465/packages_apps_KeyChain_AOSP10_r33_CVE-2021-0963

CVE-2021-22

• LingerANR/CVE-2021-22-555

CVE-2021-403

• rhysmcneill/CVE-2021-403

CVE-2021-521

• NagendraPittu/CVE-2021-521-Exploit

CVE-2021-1056 (2021-01-08)

NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure.

• pokerfaceSad/CVE-2021-1056

CVE-2021-1366 (2021-02-17)

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the VPN Posture (HostScan) Module is installed on the AnyConnect client. This vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.

• koztkozt/CVE-2021-1366

CVE-2021-1480 (2021-04-08)

Multiple vulnerabilities in Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to execute arbitrary code or allow an authenticated, local attacker to gain escalated privileges on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.

• xmco/sdwan-cve-2021-1480

CVE-2021-1497 (2021-05-06)

Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

• 34zY/APT-Backpack

CVE-2021-1585 (2021-07-08)

A vulnerability in the Cisco Adaptive Security Device Manager (ASDM) Launcher could allow an unauthenticated, remote attacker to execute arbitrary code on a user's operating system. This vulnerability is due to a lack of proper signature verification for specific code exchanged between the ASDM and the Launcher. An attacker could exploit this vulnerability by leveraging a man-in-the-middle position on the network to intercept the traffic between the Launcher and the ASDM and then inject arbitrary code. A successful exploit could allow the attacker to execute arbitrary code on the user's operating system with the level of privileges assigned to the ASDM Launcher. A successful exploit may require the attacker to perform a social engineering attack to persuade the user to initiate communication from the Launcher to the ASDM.

• jbaines-r7/staystaystay

CVE-2021-1636 (2021-01-12)

Microsoft SQL Elevation of Privilege Vulnerability

• Nate0634034090/bug-free-memory

CVE-2021-1647 (2021-01-12)

Microsoft Defender Remote Code Execution Vulnerability

• findcool/cve-2021-1647

CVE-2021-1656 (2021-01-12)

TPM Device Driver Information Disclosure Vulnerability

• waleedassar/CVE-2021-1656

CVE-2021-1675 (2021-06-08)

Windows Print Spooler Remote Code Execution Vulnerability

• yu2u/CVE-2021-1675
• cube0x0/CVE-2021-1675
• LaresLLC/CVE-2021-1675
• kondah/patch-cve-2021-1675
• evilashz/CVE-2021-1675-LPE-EXP
• hlldz/CVE-2021-1675-LPE
• puckiestyle/CVE-2021-1675
• cybersecurityworks553/CVE-2021-1675_PrintNightMare
• tanarchytan/CVE-2021-1675
• calebstewart/CVE-2021-1675
• Leonidus0x10/CVE-2021-1675-SCANNER
• thomasgeens/CVE-2021-1675
• mrezqi/CVE-2021-1675_CarbonBlack_HuntingQuery
• killtr0/CVE-2021-1675-PrintNightmare
• corelight/CVE-2021-1675
• kougyokugentou/CVE-2021-1675
• ptter23/CVE-2021-1675
• initconf/cve-2021-1675-printnightmare
• ozergoker/PrintNightmare
• exploitblizzard/PrintNightmare-CVE-2021-1675
• edsonjt81/CVE-2021-1675
• sailay1996/PrintNightmare-LPE
• JumpsecLabs/PrintNightmare
• bartimusprimed/CVE-2021-1675-Yara
• k8gege/cve-2021-1675
• galoget/PrintNightmare-CVE-2021-1675-CVE-2021-34527
• thalpius/Microsoft-CVE-2021-1675
• zha0/Microsoft-CVE-2021-1675
• Winter3un/CVE-2021-1675
• hahaleyile/my-CVE-2021-1675
• mstxq17/CVE-2021-1675_RDL_LPE
• ly4k/PrintNightmare
• Wra7h/SharpPN
• OppressionBreedsResistance/CVE-2021-1675-PrintNightmare
• eversinc33/NimNightmare
• AndrewTrube/CVE-2021-1675
• TheJoyOfHacking/cube0x0-CVE-2021-1675
• TheJoyOfHacking/calebstewart-CVE-2021-1675
• jj4152/cve-2021-1675
• r1skkam/PrintNightmare
• peckre/PNCVE-Win10-20H2-Exploit
• whoami-chmod777/CVE-2021-1675-CVE-2021-34527
• whoami-chmod777/CVE-2021-1675---PrintNightmare-LPE-PowerShell-
• 0xSs0rZ/Windows_Exploit

CVE-2021-1678 (2021-01-12)

Windows Print Spooler Spoofing Vulnerability

• alvaciroliveira/RpcAuthnLevelPrivacyEnabled

CVE-2021-1699 (2021-01-12)

Windows (modem.sys) Information Disclosure Vulnerability

• waleedassar/CVE-2021-1699

CVE-2021-1732 (2021-02-25)

Windows Win32k Elevation of Privilege Vulnerability

• KaLendsi/CVE-2021-1732-Exploit
• k-k-k-k-k/CVE-2021-1732
• oneoy/CVE-2021-1732-Exploit
• linuxdy/CVE-2021-1732_exp
• Pai-Po/CVE-2021-1732
• exploitblizzard/Windows-Privilege-Escalation-CVE-2021-1732
• BeneficialCode/CVE-2021-1732
• ExploitCN/CVE-2021-1732-EXP-
• r1l4-i3pur1l4/CVE-2021-1732
• fenalik/CVE-2021-1732
• 4dp/CVE-2021-1732
• yangshifan-git/CVE-2021-1732
• asepsaepdin/CVE-2021-1732

CVE-2021-1748 (2021-04-02)

A validation issue was addressed with improved input sanitization. This issue is fixed in tvOS 14.4, watchOS 7.3, iOS 14.4 and iPadOS 14.4. Processing a maliciously crafted URL may lead to arbitrary javascript code execution.

• Ivanhoe76zzzz/itmsBlock
• ChiChou/mistune-patch-backport

CVE-2021-1782 (2021-04-02)

A race condition was addressed with improved locking. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited..

• raymontag/cve-2021-1782
• synacktiv/CVE-2021-1782

CVE-2021-1883 (2021-09-08)

This issue was addressed with improved checks. This issue is fixed in Security Update 2021-004 Mojave, iOS 14.5 and iPadOS 14.5, watchOS 7.4, Security Update 2021-003 Catalina, tvOS 14.5, macOS Big Sur 11.3. Processing maliciously crafted server messages may lead to heap corruption.

• gabe-k/CVE-2021-1883

CVE-2021-1905 (2021-05-07)

Possible use after free due to improper handling of memory mapping of multiple processes simultaneously. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

• TAKIANFIF/CVE-2021-1905-CVE-2021-1906-CVE-2021-28663-CVE-2021-28664

CVE-2021-1961 (2021-09-09)

Possible buffer overflow due to lack of offset length check while updating the buffer value in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

• tamirzb/CVE-2021-1961

CVE-2021-1965 (2021-07-13)

Possible buffer overflow due to lack of parameter length check during MBSSID scan IE parse in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking

• sqrtrev/CVE-2021-1965
• foxtrot/CVE-2021-1965

CVE-2021-1994 (2021-01-20)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• somatrasss/weblogic2021

CVE-2021-2021 (2021-01-20)

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

• TheCryingGame/CVE-2021-2021good

CVE-2021-2109 (2021-01-20)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

• Al1ex/CVE-2021-2109
• rabbitsafe/CVE-2021-2109
• yuaneuro/CVE-2021-2109_poc
• dinosn/CVE-2021-2109
• lnwza0x0a/CVE-2021-2109
• Vulnmachines/oracle-weblogic-CVE-2021-2109

CVE-2021-2119 (2021-01-20)

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

• Sauercloud/RWCTF21-VirtualBox-61-escape
• chatbottesisgmailh/Sauercloude
• shi10587s/Sauercloude

CVE-2021-2173 (2021-04-22)

Vulnerability in the Recovery component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA Level Account privilege with network access via Oracle Net to compromise Recovery. While the vulnerability is in Recovery, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Recovery accessible data. CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N).

• emad-almousa/CVE-2021-2173

CVE-2021-2175 (2021-04-22)

Vulnerability in the Database Vault component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any View, Select Any View privilege with network access via Oracle Net to compromise Database Vault. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Database Vault accessible data. CVSS 3.1 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).

• emad-almousa/CVE-2021-2175

CVE-2021-2302 (2021-04-22)

Vulnerability in the Oracle Platform Security for Java product of Oracle Fusion Middleware (component: OPSS). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Platform Security for Java. Successful attacks of this vulnerability can result in takeover of Oracle Platform Security for Java. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• quynhle7821/CVE-2021-2302

CVE-2021-2394 (2021-07-20)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• lz2y/CVE-2021-2394
• freeide/CVE-2021-2394
• BabyTeam1024/CVE-2021-2394
• fasanhlieu/CVE-2021-2394

CVE-2021-2456 (2021-07-20)

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Web General). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• peterjson31337/CVE-2021-2456

CVE-2021-2471 (2021-10-20)

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).

• SecCoder-Security-Lab/jdbc-sqlxml-xxe
• cckuailong/CVE-2021-2471
• DrunkenShells/CVE-2021-2471

CVE-2021-3007 (2021-01-04)

Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized

• Vulnmachines/ZF3_CVE-2021-3007

CVE-2021-3019 (2021-01-05)

ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet.

• B1anda0/CVE-2021-3019
• 0xf4n9x/CVE-2021-3019
• Maksim-venus/CVE-2021-3019
• murataydemir/CVE-2021-3019
• Aoyuh/cve-2021-3019
• givemefivw/CVE-2021-3019
• qiezi-maozi/CVE-2021-3019-Lanproxy
• a1665454764/CVE-2021-3019

CVE-2021-3060 (2021-11-10)

An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue.

• timb-machine-mirrors/rqu1-cve-2021-3060.py
• anmolksachan/CVE-2021-3060

CVE-2021-3064 (2021-11-10)

A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Prisma Access customers are not impacted by this issue.

• 0xhaggis/CVE-2021-3064

CVE-2021-3122 (2021-02-07)

CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."

• acquiredsecurity/CVE-2021-3122-Details

CVE-2021-3129 (2021-01-12)

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

• ambionics/laravel-exploits
• SNCKER/CVE-2021-3129
• SecPros-Team/laravel-CVE-2021-3129-EXP
• crisprss/Laravel_CVE-2021-3129_EXP
• nth347/CVE-2021-3129_exploit
• FunPhishing/Laravel-8.4.2-rce-CVE-2021-3129
• zhzyker/CVE-2021-3129
• Y0s9/CVE-2021-3129
• idea-oss/laravel-CVE-2021-3129-EXP
• knqyf263/CVE-2021-3129
• cuongtop4598/CVE-2021-3129-Script
• joshuavanderpoll/CVE-2021-3129
• shadowabi/Laravel-CVE-2021-3129
• JacobEbben/CVE-2021-3129
• hupe1980/CVE-2021-3129
• 0nion1/CVE-2021-3129
• MadExploits/Laravel-debug-Checker
• ajisai-babu/CVE-2021-3129-exp
• keyuan15/CVE-2021-3129
• qaisarafridi/cve-2021-3129
• Zoo1sondv/CVE-2021-3129
• miko550/CVE-2021-3129
• wmasday/CVE-2021-3129
• banyaksepuh/Mass-CVE-2021-3129-Scanner
• Axianke/CVE-2021-3129
• cc3305/CVE-2021-3129
• piperpwn/CVE-2021-3129-
• 0x0d3ad/CVE-2021-3129
• GodOfServer/CVE-2021-3129
• Prabesh01/hoh4

CVE-2021-3130 (2021-01-20)

Within the Open-AudIT up to version 3.5.3 application, the web interface hides SSH secrets, Windows passwords, and SNMP strings from users using HTML 'password field' obfuscation. By using Developer tools or similar, it is possible to change the obfuscation so that the credentials are visible.

• jet-pentest/CVE-2021-3130

CVE-2021-3131 (2021-01-13)

The Web server in 1C:Enterprise 8 before 8.3.17.1851 sends base64 encoded credentials in the creds URL parameter.

• jet-pentest/CVE-2021-3131

CVE-2021-3138 (2021-01-14)

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.

• Mesh3l911/CVE-2021-3138

CVE-2021-3156 (2021-01-26)

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.

• mr-r3b00t/CVE-2021-3156
• nexcess/sudo_cve-2021-3156
• reverse-ex/CVE-2021-3156
• unauth401/CVE-2021-3156
• ymrsmns/CVE-2021-3156
• elbee-cyber/CVE-2021-3156-PATCHER
• kernelzeroday/CVE-2021-3156-Baron-Samedit
• yaunsky/cve-2021-3156
• baka9moe/CVE-2021-3156-Exp
• ph4ntonn/CVE-2021-3156
• binw2018/CVE-2021-3156-SCRIPT
• freeFV/CVE-2021-3156
• mbcrump/CVE-2021-3156
• stong/CVE-2021-3156
• nobodyatall648/CVE-2021-3156
• blasty/CVE-2021-3156
• teamtopkarl/CVE-2021-3156
• Q4n/CVE-2021-3156
• kal1gh0st/CVE-2021-3156
• apogiatzis/docker-CVE-2021-3156
• voidlsd/CVE-2021-3156
• Ashish-dawani/CVE-2021-3156-Patch
• SantiagoSerrao/ScannerCVE-2021-3156
• DanielAzulayy/CTF-2021
• cdeletre/Serpentiel-CVE-2021-3156
• dinhbaouit/CVE-2021-3156
• CptGibbon/CVE-2021-3156
• perlun/sudo-1.8.3p1-patched
• 1N53C/CVE-2021-3156-PoC
• 0xdevil/CVE-2021-3156
• gmldbd94/cve-2021-3156
• jm33-m0/CVE-2021-3156
• Rvn0xsy/CVE-2021-3156-plus
• r3k4t/how-to-solve-sudo-heap-based-bufferoverflow-vulnerability
• oneoy/CVE-2021-3156
• worawit/CVE-2021-3156
• lmol/CVE-2021-3156
• BearCat4/CVE-2021-3156
• ZTK-009/CVE-2021-3156
• capturingcats/CVE-2021-3156
• LiveOverflow/pwnedit
• ajtech-hue/CVE-2021-3156-Mitigation-ShellScript-Build
• donghyunlee00/CVE-2021-3156
• TheFlash2k/CVE-2021-3156
• Exodusro/CVE-2021-3156
• CyberCommands/CVE-2021-3156
• 0x7183/CVE-2021-3156
• redhawkeye/sudo-exploit
• d3c3ptic0n/CVE-2021-3156
• musergi/CVE-2021-3156
• halissha/CVE-2021-3156
• sharkmoos/Baron-Samedit
• chenaotian/CVE-2021-3156
• ret2basic/SudoScience
• puckiestyle/CVE-2021-3156
• barebackbandit/CVE-2021-3156
• RodricBr/CVE-2021-3156
• ypl6/heaplens
• q77190858/CVE-2021-3156
• arvindshima/CVE-2021-3156
• Mhackiori/CVE-2021-3156
• PhuketIsland/CVE-2021-3156-centos7
• 0x4ndy/clif
• hycheng15/CVE-2021-3156
• mutur4/CVE-2021-3156
• PurpleOzone/PE_CVE-CVE-2021-3156
• asepsaepdin/CVE-2021-3156
• DDayLuong/CVE-2021-3156
• DASICS-ICT/DASICS-CVE-2021-3156
• wurwur/CVE-2021-3156
• SamTruss/LMU-CVE-2021-3156
• lypd0/CVE-2021-3156-checker
• Typical0day/CVE-2021-3156
• acidburn2049/CVE-2021-3156
• Bad3r/CVE-2021-3156-without-ip-command
• Sebastianbedoya25/CVE-2021-3156

CVE-2021-3157

• CrackerCat/cve-2021-3157

CVE-2021-3164 (2021-01-21)

ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php.

• rmccarth/cve-2021-3164

CVE-2021-3166 (2021-01-18)

An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3_805 devices. An attacker can upload arbitrary file content as a firmware update when the filename Settings_DSL-N14U-B1.trx is used. Once this file is loaded, shutdown measures on a wide range of services are triggered as if it were a real update, resulting in a persistent outage of those services.

• kaisersource/CVE-2021-3166

CVE-2021-3229 (2021-02-05)

Denial of service in ASUSWRT ASUS RT-AX3000 firmware versions 3.0.0.4.384_10177 and earlier versions allows an attacker to disrupt the use of device setup services via continuous login error.

• fullbbadda1208/CVE-2021-3229

CVE-2021-3279 (2021-07-19)

sz.chat version 4 allows injection of web scripts and HTML in the message box.

• rafaelchriss/CVE-2021-3279

CVE-2021-3281 (2021-02-02)

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

• lwzSoviet/CVE-2021-3281

CVE-2021-3291 (2021-01-26)

Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.

• ImHades101/CVE-2021-3291

CVE-2021-3310 (2021-03-10)

Western Digital My Cloud OS 5 devices before 5.10.122 mishandle Symbolic Link Following on SMB and AFP shares. This can lead to code execution and information disclosure (by reading local files).

• piffd0s/CVE-2021-3310

CVE-2021-3317 (2021-01-26)

KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.

• Al1ex/CVE-2021-3317

CVE-2021-3345 (2021-01-29)

_gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later.

• MLGRadish/CVE-2021-3345
• SpiralBL0CK/CVE-2021-3345

CVE-2021-3347 (2021-01-29)

An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458.

• nanopathi/linux-4.19.72_CVE-2021-3347

CVE-2021-3360

• tcbutler320/CVE-2021-3360

CVE-2021-3378 (2021-02-01)

FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp.

• erberkan/fortilogger_arbitrary_fileupload

CVE-2021-3395 (2021-02-02)

A cross-site scripting (XSS) vulnerability in Pryaniki 6.44.3 allows remote authenticated users to upload an arbitrary file. The JavaScript code will execute when someone visits the attachment.

• jet-pentest/CVE-2021-3395

CVE-2021-3438 (2021-05-20)

A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege.

• TobiasS1402/CVE-2021-3438
• CrackerCat/CVE-2021-3438

CVE-2021-3441 (2021-10-29)

A potential security vulnerability has been identified for the HP OfficeJet 7110 Wide Format ePrinter that enables Cross-Site Scripting (XSS).

• tcbutler320/CVE-2021-3441-check

CVE-2021-3449 (2021-03-25)

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

• riptl/cve-2021-3449

CVE-2021-3490 (2021-06-04)

The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf:Fix a verifier failure with xor") ( 5.10-rc1).

• chompie1337/Linux_LPE_eBPF_CVE-2021-3490
• pivik271/CVE-2021-3490

CVE-2021-3492 (2021-04-17)

Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (kernel memory exhaustion) or gain privileges via executing arbitrary code. AKA ZDI-CAN-13562.

• synacktiv/CVE-2021-3492

CVE-2021-3493 (2021-04-17)

The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivileged overlay mounts, an attacker could use this to gain elevated privileges.

• briskets/CVE-2021-3493
• oneoy/CVE-2021-3493
• Abdennour-py/CVE-2021-3493
• inspiringz/CVE-2021-3493
• derek-turing/CVE-2021-3493
• cerodah/overlayFS-CVE-2021-3493
• puckiestyle/CVE-2021-3493
• fei9747/CVE-2021-3493
• pmihsan/OverlayFS-CVE-2021-3493
• smallkill/CVE-2021-3493
• ptkhai15/OverlayFS---CVE-2021-3493
• iamz24/CVE-2021-3493_CVE-2022-3357
• fathallah17/OverlayFS-CVE-2021-3493

CVE-2021-3516 (2021-06-01)

There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.

• dja2TaqkGEEfA45/CVE-2021-3516

CVE-2021-3560 (2022-02-16)

It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

• aancw/polkit-auto-exploit
• swapravo/polkadots
• hakivvi/CVE-2021-3560
• iSTAR-Lab/CVE-2021-3560_PoC
• secnigma/CVE-2021-3560-Polkit-Privilege-Esclation
• curtishoughton/CVE-2021-3560
• Almorabea/Polkit-exploit
• AssassinUKG/Polkit-CVE-2021-3560
• cpu0x00/CVE-2021-3560
• BizarreLove/CVE-2021-3560
• 0dayNinja/CVE-2021-3560
• admin-079/CVE-2021-3560
• chenaotian/CVE-2021-3560
• NeonWhiteRabbit/CVE-2021-3560
• f4T1H21/CVE-2021-3560-Polkit-DBus
• innxrmxst/CVE-2021-3560
• RicterZ/CVE-2021-3560-Authentication-Agent
• WinMin/CVE-2021-3560
• UNICORDev/exploit-CVE-2021-3560
• asepsaepdin/CVE-2021-3560
• pashayogi/ROOT-CVE-2021-3560
• TieuLong21Prosper/CVE-2021-3560
• LucasPDiniz/CVE-2021-3560
• markyu0401/CVE-2021-3560-Polkit-Privilege-Escalation
• Kyyomaa/CVE-2021-3560-EXPLOIT

CVE-2021-3572 (2021-11-10)

A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.

• frenzymadness/CVE-2021-3572

CVE-2021-3625 (2021-10-05)

Buffer overflow in Zephyr USB DFU DNLOAD. Zephyr versions >= v2.5.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c3gr-hgvr-f363

• szymonh/zephyr_cve-2021-3625

CVE-2021-3656 (2022-03-04)

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.

• rami08448/CVE-2021-3656-Demo

CVE-2021-3679 (2021-08-05)

A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.

• aegistudio/RingBufferDetonator

CVE-2021-3707 (2021-08-16)

D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3708, to execute any OS commands on the vulnerable device.

• HadiMed/DSL-2750U-Full-chain

CVE-2021-3749 (2021-08-31)

axios is vulnerable to Inefficient Regular Expression Complexity

• T-Guerrero/axios-redos

CVE-2021-3754 (2022-08-26)

A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.

• 7Ragnarok7/CVE-2021-3754

CVE-2021-3773 (2022-02-16)

A flaw in netfilter could allow a network-connected attacker to infer openvpn connection endpoint information for further use in traditional network attacks.

• d0rb/CVE-2021-3773

CVE-2021-3831 (2021-12-14)

gnuboard5 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

• aratane/CVE-2021-3831

CVE-2021-3864 (2022-08-26)

A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.

• walac/cve-2021-3864

CVE-2021-3899 (2024-06-03)

There is a race condition in the 'replaced executable' detection that, with the correct local configuration, allow an attacker to execute arbitrary code as root.

• liumuqing/CVE-2021-3899_PoC

CVE-2021-3929 (2022-08-25)

A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.

• QiuhaoLi/CVE-2021-3929-3947

CVE-2021-3972 (2022-04-22)

A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices' BIOS that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

• killvxk/CVE-2021-3972

CVE-2021-4034 (2022-01-28)

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.

• ryaagard/CVE-2021-4034
• berdav/CVE-2021-4034
• clubby789/CVE-2021-4034
• gbrsh/CVE-2021-4034
• arthepsy/CVE-2021-4034
• JohnHammond/CVE-2021-4034
• Audiobahn/CVE-2021-4034
• dzonerzy/poc-cve-2021-4034
• nikaiw/CVE-2021-4034
• mebeim/CVE-2021-4034
• Ayrx/CVE-2021-4034
• Y3A/CVE-2021-4034
• An00bRektn/CVE-2021-4034
• ayypril/CVE-2021-4034
• wongwaituck/CVE-2021-4034
• 0x05a/my-cve-2021-4034-poc
• silocityit/cve-2021-4034-playground
• zhzyker/CVE-2021-4034
• J0hnbX/CVE-2021-4034-new
• Immersive-Labs-Sec/CVE-2021-4034
• kimusan/pkwner
• N1et/CVE-2021-4034
• Nero22k/CVE-2021-4034
• LukeGix/CVE-2021-4034
• aus-mate/CVE-2021-4034-POC
• chenaotian/CVE-2021-4034
• moldabekov/CVE-2021-4034
• jostmart/-CVE-2021-4034
• c3l3si4n/pwnkit
• n3rdh4x0r/CVE-2021-4034
• ly4k/PwnKit
• san3ncrypt3d/CVE-2021-4034-POC
• fdellwing/CVE-2021-4034
• xcanwin/CVE-2021-4034-UniontechOS
• azminawwar/CVE-2021-4034
• PeterGottesman/pwnkit-exploit
• sunny0day/CVE-2021-4034
• artemis-mike/cve-2021-4034
• whokilleddb/CVE-2021-4034
• dadvlingd/CVE-2021-4034
• zcrosman/cve-2021-4034
• robemmerson/CVE-2021-4034
• joeammond/CVE-2021-4034
• luijait/PwnKit-Exploit
• Anonymous-Family/CVE-2021-4034
• phvilasboas/CVE-2021-4034
• hackingyseguridad/CVE-2021-4034
• vilasboasph/CVE-2021-4034
• nobelh/CVE-2021-4034
• callrbx/pkexec-lpe-poc
• cd80-ctf/CVE-2021-4034
• Al1ex/CVE-2021-4034
• ashutoshrohilla/CVE-2021-4034
• nikip72/CVE-2021-4034
• NiS3x/CVE-2021-4034
• thatstraw/CVE-2021-4034
• luckythandel/CVE-2021-4034
• Plethore/CVE-2021-4034
• evdenis/lsm_bpf_check_argc0
• tahaafarooq/poppy
• DosAmp/pkwned
• PwnFunction/CVE-2021-4034
• NULL0B/CVE-2021-4034
• locksec/CVE-2021-4034
• deoxykev/CVE-2021-4034-Rust
• c3c/CVE-2021-4034
• Fato07/Pwnkit-exploit
• EstamelGG/CVE-2021-4034-NoGCC
• pengalaman-1t/CVE-2021-4034
• NeonWhiteRabbit/CVE-2021-4034-BASH-One-File-Exploit
• jpmcb/pwnkit-go
• JoyGhoshs/CVE-2021-4034
• galoget/PwnKit-CVE-2021-4034
• Yakumwamba/POC-CVE-2021-4034
• ayoub-elbouzi/CVE-2021-4034-Pwnkit
• Sakura-nee/CVE-2021-4034
• oreosec/pwnkit
• CYB3RK1D/CVE-2021-4034-POC
• Rvn0xsy/CVE-2021-4034
• Kirill89/CVE-2021-4034
• qq224015/CVE-2021-4034
• NeonWhiteRabbit/CVE-2021-4034
• glowbase/PwnKit-CVE-2021-4034
• sofire/polkit-0.96-CVE-2021-4034
• codiobert/pwnkit-scanner
• v-rzh/CVE-2021-4034
• TW-D/PwnKit-Vulnerability_CVE-2021-4034
• OXDBXKXO/ez-pwnkit
• milot/dissecting-pkexec-cve-2021-4034
• 0x01-sec/CVE-2021-4034-
• navisec/CVE-2021-4034-PwnKit
• Almorabea/pkexec-exploit
• teelrabbit/Polkit-pkexec-exploit-for-Linux
• scent2d/PoC-CVE-2021-4034
• HrishitJoshi/CVE-2021-4034
• Ankit-Ojha16/CVE-2021-4034
• G01d3nW01f/CVE-2021-4034
• drapl0n/pwnKit
• rvizx/CVE-2021-4034
• Joffr3y/Polkit-CVE-2021-4034-HLP
• ziadsaleemi/polkit_CVE-2021-4034
• FDlucifer/Pwnkit-go
• cspshivam/cve-2021-4034
• an0n7os/CVE-2021-4034
• DanaEpp/pwncat_pwnkit
• x04000/CVE-2021-4034
• x04000/AutoPwnkit
• hohn/codeql-sample-polkit
• ck00004/CVE-2021-4034
• LJP-TW/CVE-2021-4034
• fnknda/CVE-2021-4034_POC
• Tanmay-N/CVE-2021-4034
• hahaleyile/CVE-2021-4034
• movvamrocks/PwnKit-CVE-2021-4034
• Squirre17/CVE-2021-4034
• Jesrat/make_me_root
• defhacks/cve-2021-4034
• ITMarcin2211/Polkit-s-Pkexec-CVE-2021-4034
• edsonjt81/CVE-2021-4034-Linux
• nel0x/pwnkit-vulnerability
• TomSgn/CVE-2021-4034
• battleoverflow/CVE-2021-4034
• TheJoyOfHacking/berdav-CVE-2021-4034
• tzwlhack/CVE-2021-4034
• jcatala/f_poc_cve-2021-4034
• Nosferatuvjr/PwnKit
• TotallyNotAHaxxer/CVE-2021-4034
• rhin0cer0s/CVE-2021-4034
• 0x4ndy/CVE-2021-4034-PoC
• antoinenguyen-09/CVE-2021-4034
• wudicainiao/cve-2021-4034
• TanmoyG1800/CVE-2021-4034
• CronoX1/CVE-2021-4034
• supportingmx/cve-2021-4034
• A1vinSmith/CVE-2021-4034
• HellGateCorp/pwnkit
• Silencecyber/cve-2021-4034
• Geni0r/cve-2021-4034-poc
• zxc2007/CVE-2021-4034
• Pixailz/CVE-2021-4034
• toecesws/CVE-2021-4034
• jehovah2002/CVE-2021-4034-pwnkit
• fei9747/CVE-2021-4034
• pyhrr0/pwnkit
• mutur4/CVE-2021-4034
• n3rdh4x0r/CVE-2021-4034_Python3
• TheSermux/CVE-2021-4034
• ps-interactive/lab_cve-2021-4034-polkit-emulation-and-detection
• asepsaepdin/CVE-2021-4034
• JohnGilbert57/CVE-2021-4034-Capture-the-flag
• Part01-Pai/Polkit-Permission-promotion-compiled
• cdxiaodong/CVE-2021-4034-touch
• LucasPDiniz/CVE-2021-4034
• Pol-Ruiz/CVE-2021-4034
• cerodah/CVE-2021-4034
• FancySauce/PwnKit-CVE-2021-4034
• wechicken456/CVE-2021-4034-CTF-writeup
• ASG-CASTLE/CVE-2021-4034
• X-Projetion/Exploiting-PwnKit-CVE-2021-4034-
• evkl1d/CVE-2021-4034
• Typical0day/CVE-2021-4034
• lsclsclsc/CVE-2021-4034
• EuJin03/CVE-2021-4034-PoC

CVE-2021-4043 (2022-02-04)

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 1.1.0.

• cyberark/PwnKit-Hunter

CVE-2021-4044 (2021-12-14)

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).

• phirojshah/CVE-2021-4044

CVE-2021-4045 (2022-03-07)

TP-Link Tapo C200 IP camera, on its 1.1.15 firmware version and below, is affected by an unauthenticated RCE vulnerability, present in the uhttpd binary running by default as root. The exploitation of this vulnerability allows an attacker to take full control of the camera.

• hacefresko/CVE-2021-4045
• jeffbezosispogg/CVE-2021-4045
• 0xbinder/CVE-2021-4045

CVE-2021-4104 (2021-12-14)

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

• cckuailong/log4shell_1.x

CVE-2021-4154 (2022-02-04)

A use-after-free flaw was found in cgroup1_parse_param in kernel/cgroup/cgroup-v1.c in the Linux kernel's cgroup v1 parser. A local attacker with a user privilege could cause a privilege escalation by exploiting the fsconfig syscall parameter leading to a container breakout and a denial of service on the system.

• Markakd/CVE-2021-4154
• veritas501/CVE-2021-4154

CVE-2021-4191 (2022-03-28)

An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API.

• Adelittle/CVE-2021-4191_Exploits
• K3ysTr0K3R/CVE-2021-4191-EXPLOIT

CVE-2021-4204 (2022-08-24)

An out-of-bounds (OOB) memory access flaw was found in the Linux kernel's eBPF due to an Improper Input Validation. This flaw allows a local attacker with a special privilege to crash the system or leak internal information.

• tr3ee/CVE-2021-4204

CVE-2021-4428 (2023-07-18)

In what3words Autosuggest Plugin bis 4.0.0 für WordPress wurde eine Schwachstelle gefunden. Sie wurde als problematisch eingestuft. Betroffen ist die Funktion enqueue_scripts der Datei w3w-autosuggest/public/class-w3w-autosuggest-public.php der Komponente Setting Handler. Mit der Manipulation mit unbekannten Daten kann eine information disclosure-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Ein Aktualisieren auf die Version 4.0.1 vermag dieses Problem zu lösen. Der Patch wird als dd59cbac5f86057d6a73b87007c08b8bfa0c32ac bezeichnet. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.

• CERT-hr/Log4Shell

CVE-2021-6857

• zi0n8/CVE-2021-6857

CVE-2021-6901

• mooneee/cve-2021-6901

CVE-2021-10086

• AK-blank/CVE-2021-10086

CVE-2021-20021 (2021-04-09)

A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.

• SUPRAAA-1337/CVE-2021-20021

CVE-2021-20038 (2021-12-08)

A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.

• vesperp/CVE-2021-20038-SonicWall-RCE

CVE-2021-20138 (2021-12-09)

An unauthenticated command injection vulnerability exists in multiple parameters in the Gryphon Tower router’s web interface at /cgi-bin/luci/rc. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the web interface.

• ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2021-20138

CVE-2021-20233 (2021-03-03)

A flaw was found in grub2 in versions prior to 2.06. Setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters which allows an attacker to corrupt memory by one byte for each quote in the input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

• pauljrowland/BootHoleFix

CVE-2021-20253 (2021-03-09)

A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

• mbadanoiu/CVE-2021-20253

CVE-2021-20294 (2021-04-29)

A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.

• tin-z/CVE-2021-20294-POC

CVE-2021-20323 (2022-03-25)

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.

• ndmalc/CVE-2021-20323
• Cappricio-Securities/CVE-2021-20323
• cscpwn0sec/CVE-2021-20323

CVE-2021-20717 (2021-05-10)

Cross-site scripting vulnerability in EC-CUBE 4.0.0 to 4.0.5 allows a remote attacker to inject a specially crafted script in the specific input field of the EC web site which is created using EC-CUBE. As a result, it may lead to an arbitrary script execution on the administrator's web browser.

• s-index/CVE-2021-20717

CVE-2021-20837 (2021-10-26)

Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability.

• ghost-nemesis/cve-2021-20837-poc
• orangmuda/CVE-2021-20837
• Cosemz/CVE-2021-20837
• bb33bb/CVE-2021-20837
• lamcodeofpwnosec/CVE-2021-20837

CVE-2021-21014 (2021-02-11)

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

• HoangKien1020/CVE-2021-21014

CVE-2021-21017 (2021-02-11)

Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a heap-based buffer overflow vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

• ZeusBox/CVE-2021-21017
• tzwlhack/CVE-2021-21017

CVE-2021-21042 (2021-02-11)

Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Read vulnerability that could lead to arbitrary disclosure of information in the memory stack. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

• NattiSamson/CVE-2021-21042
• r1l4-i3pur1l4/CVE-2021-21042

CVE-2021-21086 (2021-09-02)

Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an Out-of-bounds Write vulnerability in the CoolType library. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

• infobyte/Exploit-CVE-2021-21086

CVE-2021-21110 (2021-01-08)

Use after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

• Gh0st0ne/CVE-2021-21110

CVE-2021-21123 (2021-02-09)

Insufficient data validation in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page.

• Puliczek/CVE-2021-21123-PoC-Google-Chrome

CVE-2021-21148 (2021-02-09)

Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• Grayhaxor/CVE-2021-21148

CVE-2021-21193 (2021-03-16)

Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• mehrzad1994/CVE-2021-21193

CVE-2021-21220 (2021-04-26)

Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• security-dbg/CVE-2021-21220

CVE-2021-21234 (2021-01-05)

spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that filename=../somefile would not work), the base folder parameter was not sufficiently checked, so that filename=somefile&base=../ could access a file outside the logging base directory). The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release. There is no workaround to fix the vulnerability other than updating or removing the dependency. However, removing read access of the user the application is run with to any directory not required for running the application can limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy.

• PwCNO-CTO/CVE-2021-21234
• xiaojiangxl/CVE-2021-21234

CVE-2021-21239 (2021-01-21)

PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only x509 certificates for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0.

• RyanBoomer30/CVE-2021-21239-Exploit

CVE-2021-21300 (2021-03-09)

Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. before cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6.

• AlkenePan/CVE-2021-21300
• Faisal78123/CVE-2021-21300
• erranfenech/CVE-2021-21300
• Maskhe/CVE-2021-21300
• 1uanWu/CVE-2021-21300
• Kirill89/CVE-2021-21300
• ETOCheney/cve-2021-21300
• fengzhouc/CVE-2021-21300
• danshuizhangyu/CVE-2021-21300
• 0ahu/CVE-2021-21300
• macilin/CVE-2021-21300
• Roboterh/CVE-2021-21300
• henry861010/Network_Security_NYCU
• Saboor-Hakimi-23/CVE-2021-21300

CVE-2021-21311 (2021-02-11)

Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. adminer.php) are affected. This is fixed in version 4.7.9.

• llhala/CVE-2021-21311
• omoknooni/CVE-2021-21311

CVE-2021-21315 (2021-02-16)

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation before version 5.3.1 there is a command injection vulnerability. Problem was fixed in version 5.3.1. As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() ... do only allow strings, reject any arrays. String sanitation works as expected.

• ForbiddenProgrammer/CVE-2021-21315-PoC
• cherrera0001/CVE-2021-21315v2
• MazX0p/CVE-2021-21315-exploit
• alikarimi999/CVE-2021-21315
• G01d3nW01f/CVE-2021-21315
• xMohamed0/CVE-2021-21315-POC

CVE-2021-21341 (2021-03-22)

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

• s-index/CVE-2021-21341
• Mani1325/ka-cve-2021-21341

CVE-2021-21349 (2021-03-22)

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

• s-index/CVE-2021-21349

CVE-2021-21380 (2021-03-23)

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service expose an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki. The problem has been patched in XWiki 12.9RC1. The only workaround besides upgrading XWiki would be to uninstall the Ratings API in XWiki from the Extension Manager.

• rvermeulen/codeql-workshop-cve-2021-21380

CVE-2021-21389 (2021-03-26)

BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

• HoangKien1020/CVE-2021-21389
• mynameSumin/CVE-2021-21389

CVE-2021-21401 (2021-03-23)

Nanopb is a small code-size Protocol Buffers implementation in ansi C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains an oneof field, and the oneof directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed. This has been fixed in versions 0.3.9.8 and 0.4.5. See referenced GitHub Security Advisory for more information including workarounds.

• uthrasri/CVE-2021-21401_nanopb-c_AOSP10_R33
• HimanshuS67/external_nanopb-c_AOSP10_CVE-2021-21401

CVE-2021-21402 (2021-03-23)

Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem, however, it is recommended to update as soon as possible.

• jiaocoll/CVE-2021-21402-Jellyfin
• somatrasss/CVE-2021-21402
• givemefivw/CVE-2021-21402

CVE-2021-21425 (2021-04-07)

Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command under the context of the web-server user. This vulnerability is fixed in version 1.10.8. Blocking access to the /admin path from untrusted sources can be applied as a workaround.

• CsEnox/CVE-2021-21425
• frknktlca/GravCMS_Nmap_Script
• bluetoothStrawberry/cve-2021-21425

CVE-2021-21514 (2021-03-02)

Dell EMC OpenManage Server Administrator (OMSA) versions 9.5 and prior contain a path traversal vulnerability. A remote user with admin privileges could potentially exploit this vulnerability to view arbitrary files on the target system by sending a specially crafted URL request.

• und3sc0n0c1d0/AFR-in-OMSA

CVE-2021-21551 (2021-05-04)

Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.

• waldo-irc/CVE-2021-21551
• ch3rn0byl/CVE-2021-21551
• arnaudluti/PS-CVE-2021-21551
• mathisvickie/CVE-2021-21551
• mzakocs/CVE-2021-21551-POC
• ihack4falafel/Dell-Driver-EoP-CVE-2021-21551
• tijme/kernel-mii
• nanabingies/CVE-2021-21551
• Eap2468/CVE-2021-21551

CVE-2021-21716

• MojithaR/CVE-2023-21716-EXPLOIT.py

CVE-2021-21772 (2021-03-10)

A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

• 3dluvr/New-lib3mf.dll-for-MeshMixer

CVE-2021-21809 (2021-06-23)

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.

• anldori/CVE-2021-21809

CVE-2021-21972 (2021-02-24)

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

• psc4re/NSE-scripts
• QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC
• NS-Sp4ce/CVE-2021-21972
• yaunsky/CVE-2021-21972
• horizon3ai/CVE-2021-21972
• Osyanina/westone-CVE-2021-21972-scanner
• alt3kx/CVE-2021-21972
• milo2012/CVE-2021-21972
• conjojo/VMware_vCenter_UNAuthorized_RCE_CVE-2021-21972
• L-pin/CVE-2021-21972
• B1anda0/CVE-2021-21972
• renini/CVE-2021-21972
• GuayoyoCyber/CVE-2021-21972
• JMousqueton/Detect-CVE-2021-21972
• robwillisinfo/VMware_vCenter_CVE-2021-21972
• Ma1Dong/vcenter_rce
• d3sh1n/cve-2021-21972
• ByZain/CVE-2021-21972
• TaroballzChen/CVE-2021-21972
• ZTK-009/CVE-2021-21972
• murataydemir/CVE-2021-21972
• pettyhacks/vSphereyeeter
• haidv35/CVE-2021-21972
• TAI-REx/CVE-2021-21972
• orangmuda/CVE-2021-21972
• user16-et/cve-2021-21972_PoC
• Schira4396/VcenterKiller

CVE-2021-21973 (2021-02-24)

The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

• freakanonymous/CVE-2021-21973-Automateme

CVE-2021-21974 (2021-02-24)

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.

• Shadow0ps/CVE-2021-21974
• n2x4/Feb2023-CVE-2021-21974-OSINT
• CYBERTHREATANALYSIS/ESXi-Ransomware-Scanner-mi
• hateme021202/cve-2021-21974

CVE-2021-21975 (2021-03-31)

Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.

• Henry4E36/VMWare-vRealize-SSRF
• dorkerdevil/CVE-2021-21975
• Al1ex/CVE-2021-21975
• TheTh1nk3r/exp_hub
• GuayoyoCyber/CVE-2021-21975
• murataydemir/CVE-2021-21975
• rabidwh0re/REALITY_SMASHER
• Vulnmachines/VMWare-CVE-2021-21975

CVE-2021-21978 (2021-03-03)

VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file leading to remote code execution within the logupload container.

• GreyOrder/CVE-2021-21978
• me1ons/CVE-2021-21978
• skytina/CVE-2021-21978

CVE-2021-21980 (2021-11-24)

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

• Osyanina/westone-CVE-2021-21980-scanner
• Osyanina/westone-CVE-2022-1388-scanner

CVE-2021-21983 (2021-03-31)

Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.

• murataydemir/CVE-2021-21983

CVE-2021-21985 (2021-05-26)

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

• bigbroke/CVE-2021-21985
• alt3kx/CVE-2021-21985_PoC
• onSec-fr/CVE-2021-21985-Checker
• mauricelambert/CVE-2021-21985
• xnianq/cve-2021-21985_exp
• daedalus/CVE-2021-21985
• testanull/Project_CVE-2021-21985_PoC
• haidv35/CVE-2021-21985
• aristosMiliaressis/CVE-2021-21985
• sknux/CVE-2021-21985_PoC

CVE-2021-22005 (2021-09-23)

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

• 1ZRR4H/CVE-2021-22005
• pisut4152/Sigma-Rule-for-CVE-2021-22005-scanning-activity
• Jeromeyoung/VMWare-CVE-Check
• 5gstudent/CVE-2021-22005-
• RedTeamExp/CVE-2021-22005_PoC
• rwincey/CVE-2021-22005
• TaroballzChen/CVE-2021-22005-metasploit
• tiagob0b/CVE-2021-22005
• Jun-5heng/CVE-2021-22005
• shmilylty/cve-2021-22005-exp
• InventorMAO/cve-2021-22005

CVE-2021-22006 (2021-09-23)

The vCenter Server contains a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to access restricted endpoints.

• CrackerCat/CVE-2021-22006

CVE-2021-22015 (2021-09-23)

The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance.

• PenteraIO/vScalation-CVE-2021-22015

CVE-2021-22053 (2021-11-19)

Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at /hystrix/monitor;[user-provided data], the path elements following hystrix/monitor are being evaluated as SpringEL expressions, which can lead to code execution.

• SecCoder-Security-Lab/spring-cloud-netflix-hystrix-dashboard-cve-2021-22053
• Vulnmachines/CVE-2021-22053

CVE-2021-22054 (2021-12-17)

VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain an SSRF vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.

• MKSx/CVE-2021-22054

CVE-2021-22119 (2021-06-29)

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.

• mari6274/oauth-client-exploit

CVE-2021-22123 (2021-06-01)

An OS command injection vulnerability in FortiWeb's management interface 6.3.7 and below, 6.2.3 and below, 6.1.x, 6.0.x, 5.9.x may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.

• murataydemir/CVE-2021-22123

CVE-2021-22145 (2021-07-21)

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.

• niceeeeeeee/CVE-2021-22145-poc

CVE-2021-22146 (2021-07-21)

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

• magichk/cve-2021-22146

CVE-2021-22192 (2021-03-24)

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.

• EXP-Docs/CVE-2021-22192
• PetrusViet/Gitlab-RCE

CVE-2021-22201 (2021-04-02)

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.

• exp1orer/CVE-2021-22201

CVE-2021-22204 (2021-04-23)

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

• convisolabs/CVE-2021-22204-exiftool
• se162xg/CVE-2021-22204
• bilkoh/POC-CVE-2021-22204
• PenTestical/CVE-2021-22204
• AssassinUKG/CVE-2021-22204
• ph-arm/CVE-2021-22204-Gitlab
• Asaad27/CVE-2021-22204-RSE
• trganda/CVE-2021-22204
• 0xBruno/CVE-2021-22204
• mr-tuhin/CVE-2021-22204-exiftool
• UNICORDev/exploit-CVE-2021-22204
• Akash7350/CVE-2021-22204
• battleofthebots/dejavu
• cc3305/CVE-2021-22204

CVE-2021-22205 (2021-04-23)

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

• mr-r3bot/Gitlab-CVE-2021-22205
• XTeam-Wing/CVE-2021-22205
• r0eXpeR/CVE-2021-22205
• ZZ-SOCMAP/CVE-2021-22205
• Al1ex/CVE-2021-22205
• whwlsfb/CVE-2021-22205
• findneo/GitLab-preauth-RCE_CVE-2021-22205
• Seals6/CVE-2021-22205
• c0okB/CVE-2021-22205
• shang159/CVE-2021-22205-getshell
• devdanqtuan/CVE-2021-22205
• hh-hunter/cve-2021-22205
• runsel/GitLab-CVE-2021-22205-
• faisalfs10x/GitLab-CVE-2021-22205-scanner
• inspiringz/CVE-2021-22205
• pizza-power/Golang-CVE-2021-22205-POC
• DIVD-NL/GitLab-cve-2021-22205-nse
• w0x68y/Gitlab-CVE-2021-22205
• al4xs/CVE-2021-22205-gitlab
• honypot/CVE-2021-22205
• momika233/cve-2021-22205-GitLab-13.10.2---Remote-Code-Execution-RCE-Unauthenticated-
• keven1z/CVE-2021-22205
• hhhotdrink/CVE-2021-22205
• sei-fish/CVE-2021-22205
• overgrowncarrot1/DejaVu-CVE-2021-22205
• Hikikan/CVE-2021-22205
• NukingDragons/gitlab-cve-2021-22205
• cc3305/CVE-2021-22205

CVE-2021-22206 (2021-05-06)

An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,

• dannymas/CVE-2021-22206

CVE-2021-22214 (2021-06-08)

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited

• aaminin/CVE-2021-22214
• Vulnmachines/gitlab-cve-2021-22214
• ZZ-SOCMAP/CVE-2021-22214

CVE-2021-22555 (2021-07-07)

A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space

• JoneyJunior/cve-2021-22555
• xyjl-ly/CVE-2021-22555-Exploit
• cgwalters/container-cve-2021-22555
• daletoniris/CVE-2021-22555-esc-priv
• veritas501/CVE-2021-22555-PipeVersion
• masjohncook/netsec-project
• tukru/CVE-2021-22555
• pashayogi/CVE-2021-22555
• letsr00t/-2021-LOCALROOT-CVE-2021-22555
• letsr00t/CVE-2021-22555

CVE-2021-22569 (2022-01-07)

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

• Mario-Kart-Felix/A-potential-Denial-of-Service-issue-in-protobuf-java

CVE-2021-22873 (2021-01-21)

Revive Adserver before 5.1.0 is vulnerable to open redirects via the dest, oadest, and/or ct0 parameters of the lg.php and ck.php delivery scripts. Such open redirects had previously been available by design to allow third party ad servers to track such metrics when delivering ads. However, third party click tracking via redirects is not a viable option anymore, leading to such open redirect functionality being removed and reclassified as a vulnerability.

• K3ysTr0K3R/CVE-2021-22873-EXPLOIT

CVE-2021-22880 (2021-02-11)

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

• halkichi0308/CVE-2021-22880

CVE-2021-22893 (2021-04-23)

Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.

• ZephrFish/CVE-2021-22893_HoneyPoC2
• Mad-robot/CVE-2021-22893
• orangmuda/CVE-2021-22893

CVE-2021-22911 (2021-05-27)

A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE.

• CsEnox/CVE-2021-22911
• optionalCTF/Rocket.Chat-Automated-Account-Takeover-RCE-CVE-2021-22911
• jayngng/CVE-2021-22911
• ChrisPritchard/CVE-2021-22911-rust
• MrDottt/CVE-2021-22911
• overgrowncarrot1/CVE-2021-22911
• Weisant/CVE-2021-22911-EXP
• yoohhuu/Rocket-Chat-3.12.1-PoC-CVE-2021-22911-

CVE-2021-22924 (2021-08-05)

libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths case insensitively,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.

• Trinadh465/external_curl_AOSP10_r33_CVE-2021-22924

CVE-2021-22941 (2021-09-23)

Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.

• hoavt184/CVE-2021-22941

CVE-2021-22986 (2021-03-31)

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

• dorkerdevil/CVE-2021-22986-Poc
• S1xHcL/f5_rce_poc
• Osyanina/westone-CVE-2021-22986-scanner
• safesword/F5_RCE
• microvorld/CVE-2021-22986
• Al1ex/CVE-2021-22986
• kiri-48/CVE-2021-22986
• ZephrFish/CVE-2021-22986_Check
• yaunsky/CVE-202122986-EXP
• Tas9er/CVE-2021-22986
• dotslashed/CVE-2021-22986
• DDestinys/CVE-2021-22986
• west9b/F5-BIG-IP-POC
• amitlttwo/CVE-2021-22986
• huydung26/CVE-2021-22986

CVE-2021-23017 (2021-06-01)

A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.

• niandy/nginx-patch
• M507/CVE-2021-23017-PoC
• lakshit1212/CVE-2021-23017-PoC
• ShivamDey/CVE-2021-23017
• z3usx01/CVE-2021-23017-POC

CVE-2021-23132 (2021-03-04)

An issue was discovered in Joomla! 3.0.0 through 3.9.24. com_media allowed paths that are not intended for image uploads

• HoangKien1020/CVE-2021-23132

CVE-2021-23358 (2021-03-29)

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

• EkamSinghWalia/Detection-script-for-cve-2021-23358
• MehdiBoukhobza/SandBox_CVE-2021-23358

CVE-2021-23369 (2021-04-12)

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

• fazilbaig1/CVE-2021-23369

CVE-2021-23383 (2021-05-04)

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

• dn9uy3n/Check-CVE-2021-23383
• fazilbaig1/CVE-2021-23383

CVE-2021-23410

• azu/msgpack-CVE-2021-23410-test

CVE-2021-23639 (2021-12-10)

The package md-to-pdf before 5.0.0 are vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.

• MohandAcherir/CVE-2021-23639

CVE-2021-23758 (2021-12-03)

All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.

• numanturle/CVE-2021-23758-POC

CVE-2021-23840 (2021-02-16)

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

• Trinadh465/openssl-1.1.1g_CVE-2021-23840

CVE-2021-23841 (2021-02-16)

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

• Trinadh465/external_boringssl_openssl_1.1.0g_CVE-2021-23841
• Satheesh575555/Openssl_1_1_0_CVE-2021-23841

CVE-2021-24027 (2021-04-06)

A cache configuration issue prior to WhatsApp for Android v2.21.4.18 and WhatsApp Business for Android v2.21.4.18 may have allowed a third party with access to the device’s external storage to read cached TLS material.

• CENSUS/whatsapp-mitd-mitm

CVE-2021-24084 (2021-02-25)

Windows Mobile Device Management Information Disclosure Vulnerability

• Jeromeyoung/CVE-2021-24084
• exploitblizzard/WindowsMDM-LPE-0Day

CVE-2021-24085 (2021-02-25)

Microsoft Exchange Server Spoofing Vulnerability

• sourceincite/CVE-2021-24085

CVE-2021-24086 (2021-02-25)

Windows TCP/IP Denial of Service Vulnerability

• 0vercl0k/CVE-2021-24086
• lisinan988/CVE-2021-24086-exp

CVE-2021-24096 (2021-02-25)

Windows Kernel Elevation of Privilege Vulnerability

• FunPhishing/CVE-2021-24096

CVE-2021-24098 (2021-02-25)

Windows Console Driver Denial of Service Vulnerability

• waleedassar/CVE-2021-24098

CVE-2021-24145 (2021-03-18)

Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.

• dnr6419/CVE-2021-24145

CVE-2021-24155 (2021-04-05)

The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.

• 0dayNinja/CVE-2021-24155.rb

CVE-2021-24160 (2021-04-05)

In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, subscribers could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further infect a WordPress site.

• hnthuan1998/CVE-2021-24160
• hnthuan1998/Exploit-CVE-2021-24160

CVE-2021-24356 (2021-06-14)

In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, a lack of capability checks and insufficient nonce check on the AJAX action, simple301redirects/admin/activate_plugin, made it possible for authenticated users to activate arbitrary plugins installed on vulnerable sites.

• RandomRobbieBF/CVE-2021-24356

CVE-2021-24499 (2021-08-09)

The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.

• j4k0m/CVE-2021-24499
• hh-hunter/cve-2021-24499
• jytmX/CVE-2021-24499

CVE-2021-24507 (2021-08-09)

The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST parameters from the astra_pagination_infinite and astra_shop_pagination_infinite AJAX action (available to both unauthenticated and authenticated user) before using them in SQL statement, leading to an SQL Injection issues

• RandomRobbieBF/CVE-2021-24507

CVE-2021-24545 (2021-10-11)

The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visit a post in the frontend made by such user. As a result, user with a role as low as author could perform Cross-Site Scripting attacks against users, which could potentially lead to privilege escalation when an admin view the related post/s.

• V35HR4J/CVE-2021-24545
• dnr6419/CVE-2021-24545

CVE-2021-24563 (2021-10-11)

The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly

• V35HR4J/CVE-2021-24563

CVE-2021-24647 (2021-11-08)

The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in the social login implementation, allowing unauthenticated attacker to login as any user on the site by only knowing their user ID or username

• RandomRobbieBF/CVE-2021-24647

CVE-2021-24741 (2021-09-20)

The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.

• dldygnl/CVE-2021-24741

CVE-2021-24750 (2021-12-21)

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks

• fimtow/CVE-2021-24750

CVE-2021-24807 (2021-11-08)

The Support Board WordPress plugin before 3.3.5 allows Authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field, when an administrator or any authenticated user go to the chat the XSS will be automatically executed.

• dldygnl/CVE-2021-24807

CVE-2021-24884 (2021-10-25)

The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited.

• S1lkys/CVE-2021-24884

CVE-2021-24917 (2021-12-06)

The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.

• dikalasenjadatang/CVE-2021-24917
• Cappricio-Securities/CVE-2021-24917

CVE-2021-24959 (2022-03-14)

The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.

• RandomRobbieBF/CVE-2021-24959

CVE-2021-25003 (2022-03-14)

The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE

• biulove0x/CVE-2021-25003

CVE-2021-25032 (2022-01-10)

The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role.

• RandomRobbieBF/CVE-2021-25032

CVE-2021-25076 (2022-01-24)

The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting

• 0xAbbarhSF/CVE-2021-25076

CVE-2021-25094 (2022-04-25)

The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

• darkpills/CVE-2021-25094-tatsu-preauth-rce
• TUANB4DUT/typehub-exploiter
• xdx57/CVE-2021-25094
• experimentalcrow1/TypeHub-Exploiter

CVE-2021-25162 (2021-03-30)

A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.

• twentybel0w/CVE-2021-25162

CVE-2021-25253 (2021-04-13)

An improper access control vulnerability in Trend Micro Apex One, Trend Micro Apex One as a Service and OfficeScan XG SP1 on a resource used by the service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

• msd0pe-1/CVE-2021-25253

CVE-2021-25281 (2021-02-27)

An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

• Immersive-Labs-Sec/CVE-2021-25281

CVE-2021-25374 (2021-04-09)

An improper authorization vulnerability in Samsung Members "samsungrewards" scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access a user data related with Samsung Account.

• WithSecureLabs/CVE-2021-25374_Samsung-Account-Access

CVE-2021-25461 (2021-09-09)

An improper length check in APAService prior to SMR Sep-2021 Release 1 results in stack based Buffer Overflow.

• bkojusner/CVE-2021-25461

CVE-2021-25641 (2021-05-29)

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.

• Dor-Tumarkin/CVE-2021-25641-Proof-of-Concept
• l0n3rs/CVE-2021-25641

CVE-2021-25642 (2022-08-25)

ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.

• safe3s/CVE-2021-25642

CVE-2021-25646 (2021-01-29)

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.

• yaunsky/cve-2021-25646
• lp008/CVE-2021-25646
• Ormicron/CVE-2021-25646-GUI
• Vulnmachines/Apache-Druid-CVE-2021-25646
• 1n7erface/PocList
• givemefivw/CVE-2021-25646
• j2ekim/CVE-2021-25646
• luobai8/CVE-2021-25646-exp

CVE-2021-25679 (2021-04-20)

The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only version 10.8.1 was able to be confirmed during primary research. NOTE: The affected appliances NetVanta 7060 and NetVanta 7100 are considered End of Life and as such this issue will not be patched

• 3ndG4me/AdTran-Personal-Phone-Manager-Vulns

CVE-2021-25735 (2021-09-06)

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

• darryk10/CVE-2021-25735

CVE-2021-25741 (2021-09-20)

A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.

• Betep0k/CVE-2021-25741
• cdxiaodong/CVE-2021-25741

CVE-2021-25790 (2021-07-23)

Multiple stored cross site scripting (XSS) vulnerabilities in the "Register" module of House Rental and Property Listing 1.0 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in all text fields except for Phone Number and Alternate Phone Number.

• MrCraniums/CVE-2021-25790-Multiple-Stored-XSS

CVE-2021-25791 (2021-07-23)

Multiple stored cross site scripting (XSS) vulnerabilities in the "Update Profile" module of Online Doctor Appointment System 1.0 allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in the First Name, Last Name, and Address text fields.

• MrCraniums/CVE-2021-25791-Multiple-Stored-XSS

CVE-2021-25801 (2021-07-26)

A buffer overflow vulnerability in the __Parse_indx component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.

• DShankle/VLC_CVE-2021-25801_Analysis

CVE-2021-25804 (2021-07-26)

A NULL-pointer dereference in "Open" in avi.c of VideoLAN VLC Media Player 3.0.11 can a denial of service (DOS) in the application.

• DShankle/VLC_CVE-2021-25804_Analysis

CVE-2021-25837 (2021-02-08)

Cosmos Network Ethermint <= v0.4.0 is affected by cache lifecycle inconsistency in the EVM module. Due to the inconsistency between the Storage caching cycle and the Tx processing cycle, Storage changes caused by a failed transaction are improperly reserved in memory. Although the bad storage cache data will be discarded at EndBlock, it is still valid in the current block, which enables many possible attacks such as an "arbitrary mint token".

• iczc/Ethermint-CVE-2021-25837

CVE-2021-26084 (2021-08-30)

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.

• crowsec-edtech/CVE-2021-26084
• alt3kx/CVE-2021-26084_PoC
• dinhbaouit/CVE-2021-26084
• JKme/CVE-2021-26084
• hev0x/CVE-2021-26084_Confluence
• prettyrecon/CVE-2021-26084_Confluence
• 0xf4n9x/CVE-2021-26084
• Vulnmachines/Confluence_CVE-2021-26084
• Osyanina/westone-CVE-2021-26084-scanner
• CrackerCat/CVE-2021-26084
• b1gw00d/CVE-2021-26084
• taythebot/CVE-2021-26084
• bcdannyboy/CVE-2021-26084_GoPOC
• smallpiggy/cve-2021-26084-confluence
• maskerTUI/CVE-2021-26084
• BeRserKerSec/CVE-2021-26084-Nuclei-template
• p0nymc1/CVE-2021-26084
• Loneyers/CVE-2021-26084
• Xc1Ym/cve_2021_26084
• wolf1892/confluence-rce-poc
• smadi0x86/CVE-2021-26084
• 1ZRR4H/CVE-2021-26084
• GlennPegden2/cve-2021-26084-confluence
• toowoxx/docker-confluence-patched
• nizar0x1f/CVE-2021-26084-patch-
• attacker-codeninja/CVE-2021-26084
• ludy-dev/CVE-2021-26084_PoC
• wdjcy/CVE-2021-26084
• orangmuda/CVE-2021-26084
• TheclaMcentire/CVE-2021-26084_Confluence
• Jun-5heng/CVE-2021-26084
• lleavesl/CVE-2021-26084
• quesodipesto/conflucheck
• 30579096/Confluence-CVE-2021-26084
• vpxuser/CVE-2021-26084-EXP
• nahcusira/CVE-2021-26084
• BBD-YZZ/Confluence-RCE

CVE-2021-26085 (2021-08-03)

Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.

• ColdFusionX/CVE-2021-26085

CVE-2021-26086 (2021-08-16)

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.

• Jeromeyoung/CVE-2021-26086
• ColdFusionX/CVE-2021-26086

CVE-2021-26088 (2021-07-12)

An improper authentication vulnerability in FSSO Collector version 5.0.295 and below may allow an unauthenticated user to bypass a FSSO firewall policy and access the protected network via sending specifically crafted UDP login notification packets.

• theogobinet/CVE-2021-26088

CVE-2021-26102 (2024-12-19)

A relative path traversal vulnerability (CWE-23) in FortiWAN version 4.5.7 and below, 4.4 all versions may allow a remote non-authenticated attacker to delete files on the system by sending a crafted POST request. In particular, deleting specific configuration files will reset the Admin password to its default value.

• SleepyCofe/CVE-2021-26102

CVE-2021-26121

• sourceincite/CVE-2021-26121

CVE-2021-26258 (2022-05-12)

Improper access control for the Intel(R) Killer(TM) Control Center software before version 2.4.3337.0 may allow an authorized user to potentially enable escalation of privilege via local access.

• zwclose/CVE-2021-26258

CVE-2021-26295 (2021-03-22)

Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.

• yumusb/CVE-2021-26295
• rakjong/CVE-2021-26295-Apache-OFBiz
• dskho/CVE-2021-26295
• coolyin001/CVE-2021-26295--
• yuaneuro/ofbiz-poc

CVE-2021-26411 (2021-03-11)

Internet Explorer Memory Corruption Vulnerability

• CrackerCat/CVE-2021-26411

CVE-2021-26414 (2021-06-08)

Windows DCOM Server Security Feature Bypass

• Nels2/dcom_10036_Solver

CVE-2021-26415 (2021-04-13)

Windows Installer Elevation of Privilege Vulnerability

• adenkiewicz/CVE-2021-26415

CVE-2021-26690 (2021-06-10)

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service

• dja2TaqkGEEfA45/CVE-2021-26690
• 7own/CVE-2021-26690---Apache-mod_session
• 0xdeviner/CVE-2021-26690
• danielduan2002/CVE-2021-26690

CVE-2021-26691 (2021-06-10)

In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow

• dja2TaqkGEEfA45/CVE-2021-26691

CVE-2021-26700 (2021-02-25)

Visual Studio Code npm-script Extension Remote Code Execution Vulnerability

• jackadamson/CVE-2021-26700
• june-in-exile/CVE-2021-26700

CVE-2021-26708 (2021-02-05)

A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions in the AF_VSOCK implementation are caused by wrong locking in net/vmw_vsock/af_vsock.c. The race conditions were implicitly introduced in the commits that added VSOCK multi-transport support.

• jordan9001/vsock_poc
• azpema/CVE-2021-26708

CVE-2021-26714 (2021-03-29)

The Enterprise License Manager portal in Mitel MiContact Center Enterprise before 9.4 could allow a user to access restricted files and folders due to insufficient access control. A successful exploit could allow an attacker to view and modify application data via Directory Traversal.

• PwCNO-CTO/CVE-2021-26714

CVE-2021-26814 (2021-03-06)

Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service script.

• WickdDavid/CVE-2021-26814
• CYS4srl/CVE-2021-26814
• paolorabbito/Internet-Security-Project---CVE-2021-26814

CVE-2021-26828 (2021-06-11)

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.

• hev0x/CVE-2021-26828_ScadaBR_RCE

CVE-2021-26832 (2021-04-14)

Cross Site Scripting (XSS) in the "Reset Password" page form of Priority Enterprise Management System v8.00 allows attackers to execute javascript on behalf of the victim by sending a malicious URL or directing the victim to a malicious site.

• NagliNagli/CVE-2021-26832

CVE-2021-26855 (2021-03-02)

Microsoft Exchange Server Remote Code Execution Vulnerability

• sgnls/exchange-0days-202103
• soteria-security/HAFNIUM-IOC
• cert-lv/exchange_webshell_detection
• conjojo/Microsoft_Exchange_Server_SSRF_CVE-2021-26855
• pussycat0x/CVE-2021-26855-SSRF
• La3B0z/CVE-2021-26855-SSRF-Exchange
• mekhalleh/exchange_proxylogon
• Yt1g3r/CVE-2021-26855_SSRF
• hackerxj007/CVE-2021-26855
• dwisiswant0/proxylogscan
• mauricelambert/ExchangeWeaknessTest
• DCScoder/Exchange_IOC_Hunter
• srvaccount/CVE-2021-26855-PoC
• h4x0r-dz/CVE-2021-26855
• alt3kx/CVE-2021-26855_PoC
• r0xdeadbeef/CVE-2021-26855
• hackerschoice/CVE-2021-26855
• SCS-Labs/HAFNIUM-Microsoft-Exchange-0day
• KotSec/CVE-2021-26855-Scanner
• hakivvi/proxylogon
• ZephrFish/Exch-CVE-2021-26855
• mil1200/ProxyLogon-CVE-2021-26855
• evilashz/ExchangeSSRFtoRCEExploit
• ZephrFish/Exch-CVE-2021-26855_Priv
• Mr-xn/CVE-2021-26855-d
• RickGeex/ProxyLogon
• Immersive-Labs-Sec/ProxyLogon
• shacojx/Scan-Vuln-CVE-2021-26855
• TaroballzChen/ProxyLogon-CVE-2021-26855-metasploit
• p0wershe11/ProxyLogon
• shacojx/CVE-2021-26855-exploit-Exchange
• catmandx/CVE-2021-26855-Exchange-RCE
• hictf/CVE-2021-26855-CVE-2021-27065
• praetorian-inc/proxylogon-exploit
• Flangvik/SharpProxyLogon
• hosch3n/ProxyVulns
• Nick-Yin12/106362522
• yaoxiaoangry3/Flangvik
• thau0x01/poc_proxylogon
• 1342486672/Flangvik
• TheDudeD6/ExchangeSmash
• kh4sh3i/ProxyLogon
• ssrsec/Microsoft-Exchange-RCE
• glen-pearson/ProxyLogon-CVE-2021-26855
• MacAsure/cve-2021-26855
• timb-machine-mirrors/testanull-CVE-2021-26855_read_poc.txt

CVE-2021-26856

• avi8892/CVE-2021-26856

CVE-2021-26857 (2021-03-02)

Microsoft Exchange Server Remote Code Execution Vulnerability

• sirpedrotavares/Proxylogon-exploit

CVE-2021-26868 (2021-03-11)

Windows Graphics Component Elevation of Privilege Vulnerability

• KangD1W2/CVE-2021-26868

CVE-2021-26871 (2021-03-11)

Windows WalletService Elevation of Privilege Vulnerability

• fr4nkxixi/CVE-2021-26871_POC

CVE-2021-26882 (2021-03-11)

Remote Access API Elevation of Privilege Vulnerability

• taiji-xo/CVE-2021-26882

CVE-2021-26903 (2021-02-26)

LMA ISIDA Retriever 5.2 is vulnerable to XSS via query['text'].

• Security-AVS/CVE-2021-26903

CVE-2021-26904 (2021-02-26)

LMA ISIDA Retriever 5.2 allows SQL Injection.

• Security-AVS/-CVE-2021-26904

CVE-2021-26943 (2021-03-31)

The UX360CA BIOS through 303 on ASUS laptops allow an attacker (with the ring 0 privilege) to overwrite nearly arbitrary physical memory locations, including SMRAM, and execute arbitrary code in the SMM (issue 3 of 3).

• tandasat/SmmExploit

CVE-2021-27065 (2021-03-02)

Microsoft Exchange Server Remote Code Execution Vulnerability

• adamrpostjr/cve-2021-27065

CVE-2021-27180 (2021-04-14)

An issue was discovered in MDaemon before 20.0.4. There is Reflected XSS in Webmail (aka WorldClient). It can be exploited via a GET request. It allows performing any action with the privileges of the attacked user.

• chudyPB/MDaemon-Advisories

CVE-2021-27187 (2021-02-12)

The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 stores authentication credentials in cleartext in login.sav when the Save Password box is checked.

• jet-pentest/CVE-2021-27187

CVE-2021-27188 (2021-02-12)

The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 allows attackers to cause a denial of service (access suspended for five hours) by making five invalid login attempts to a victim's account.

• jet-pentest/CVE-2021-27188

CVE-2021-27190 (2021-02-12)

A Stored Cross Site Scripting(XSS) Vulnerability was discovered in PEEL SHOPPING 9.3.0 and 9.4.0, which are publicly available. The user supplied input containing polyglot payload is echoed back in javascript code in HTML response. This allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.

• anmolksachan/CVE-2021-27190-PEEL-Shopping-cart-9.3.0-Stored-XSS

CVE-2021-27198 (2021-02-26)

An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.

• rwincey/CVE-2021-27198

CVE-2021-27211 (2021-02-15)

steghide 0.5.1 relies on a certain 32-bit seed value, which makes it easier for attackers to detect hidden data.

• b4shfire/stegcrack

CVE-2021-27246 (2021-04-14)

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 AC1750 1.0.15 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of MAC addresses by the tdpServer endpoint. A crafted TCP message can write stack pointers to the stack. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-12306.

• synacktiv/CVE-2021-27246_Pwn2Own2020

CVE-2021-27285 (2025-01-06)

An issue was discovered in Inspur ClusterEngine v4.0 that allows attackers to gain escalated Local privileges and execute arbitrary commands via /opt/tsce4/torque6/bin/getJobsByShell.

• fjh1997/CVE-2021-27285

CVE-2021-27328 (2021-02-19)

Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Traversal. An authenticated user can decrypt firmware and can read sensitive information, such as a password or decryption key.

• SQSamir/CVE-2021-27328

CVE-2021-27338 (2021-07-20)

Faraday Edge before 3.7 allows XSS via the network/create/ page and its network name parameter.

• Pho03niX/CVE-2021-27338

CVE-2021-27342 (2021-05-17)

An authentication brute-force protection mechanism bypass in telnetd in D-Link Router model DIR-842 firmware version 3.0.2 allows a remote attacker to circumvent the anti-brute-force cool-down delay period via a timing-based side-channel attack

• mavlevin/D-Link-CVE-2021-27342-exploit

CVE-2021-27403 (2021-02-19)

Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow cgi-bin/te_acceso_router.cgi curWebPage XSS.

• bokanrb/CVE-2021-27403

CVE-2021-27404 (2021-02-19)

Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow injection of a Host HTTP header.

• bokanrb/CVE-2021-27404

CVE-2021-27513 (2021-02-21)

The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside."

• ArianeBlow/CVE-2021-27513-CVE-2021-27514
• ArianeBlow/CVE-2021-27513

CVE-2021-27651 (2021-04-29)

In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.

• samwcyo/CVE-2021-27651-PoC
• Vulnmachines/CVE-2021-27651
• orangmuda/CVE-2021-27651

CVE-2021-27850 (2021-04-15)

A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file AppModule.class by requesting the URL http://localhost:8080/assets/something/services/AppModule.class which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with .class, .properties or .xml. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a / at the end of the URL: http://localhost:8080/assets/something/services/AppModule.class/ The slash is stripped after the blacklist check and the file AppModule.class is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.

• kahla-sec/CVE-2021-27850_POC
• dorkerdevil/CVE-2021-27850_POC
• Ovi3/CVE_2021_27850_POC
• novysodope/CVE-2021-27850

CVE-2021-27890 (2021-03-15)

SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files.

• xiaopan233/Mybb-XSS_SQL_RCE-POC

CVE-2021-27905 (2021-04-13)

The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2.

• Henry4E36/Solr-SSRF
• W2Ning/Solr-SSRF
• murataydemir/CVE-2021-27905
• pdelteil/CVE-2021-27905.POC

CVE-2021-27928 (2021-03-19)

A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.

• Al1ex/CVE-2021-27928
• shamo0/CVE-2021-27928-POC
• LalieA/CVE-2021-27928

CVE-2021-27963 (2021-03-05)

SonLogger before 6.4.1 is affected by user creation with any user permissions profile (e.g., SuperAdmin). An anonymous user can send a POST request to /User/saveUser without any authentication or session header.

• erberkan/SonLogger-vulns

CVE-2021-27965 (2021-03-05)

The MsIo64.sys driver before 1.1.19.1016 in MSI Dragon Center before 2.0.98.0 has a buffer overflow that allows privilege escalation via a crafted 0x80102040, 0x80102044, 0x80102050, or 0x80102054 IOCTL request.

• mathisvickie/CVE-2021-27965
• Jeromeyoung/CVE-2021-27965
• fengjixuchui/CVE-2021-27965

CVE-2021-28079 (2021-04-26)

Jamovi <=1.6.18 is affected by a cross-site scripting (XSS) vulnerability. The column-name is vulnerable to XSS in the ElectronJS Framework. An attacker can make a .omv (Jamovi) document containing a payload. When opened by victim, the payload is triggered.

• g33xter/CVE-2021-28079

CVE-2021-28164 (2021-04-01)

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

• jammy0903/-jettyCVE-2021-28164-

CVE-2021-28165 (2021-04-01)

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

• uthrasri/CVE-2021-28165
• hshivhare67/Jetty_v9.4.31_CVE-2021-28165

CVE-2021-28310 (2021-04-13)

Win32k Elevation of Privilege Vulnerability

• Rafael-Svechinskaya/IOC_for_CVE-2021-28310

CVE-2021-28312 (2021-04-13)

Windows NTFS Denial of Service Vulnerability

• shubham0d/CVE-2021-28312

CVE-2021-28378 (2021-03-15)

Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations.

• pandatix/CVE-2021-28378

CVE-2021-28476 (2021-05-11)

Windows Hyper-V Remote Code Execution Vulnerability

• 0vercl0k/CVE-2021-28476
• bluefrostsecurity/CVE-2021-28476
• LaCeeKa/CVE-2021-28476-tools-env
• australeo/CVE-2021-28476
• 2273852279qqs/0vercl0k
• dengyang123x/0vercl0k

CVE-2021-28480 (2021-04-13)

Microsoft Exchange Server Remote Code Execution Vulnerability

• ZephrFish/CVE-2021-28480_HoneyPoC3
• Threonic/CVE-2021-28480

CVE-2021-28482 (2021-04-13)

Microsoft Exchange Server Remote Code Execution Vulnerability

• Shadow0ps/CVE-2021-28482-Exchange-POC
• KevinWorst/CVE-2021-28482_Exploit

CVE-2021-28663 (2021-05-10)

The Arm Mali GPU kernel driver allows privilege escalation or information disclosure because GPU memory operations are mishandled, leading to a use-after-free. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0.

• lntrx/CVE-2021-28663

CVE-2021-29002 (2021-03-24)

A stored cross-site scripting (XSS) vulnerability in Plone CMS 5.2.3 exists in site-controlpanel via the "form.widgets.site_title" parameter.

• miguelc49/CVE-2021-29002-1

CVE-2021-29003 (2021-04-13)

Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI.

• jaysharma786/CVE-2021-29003

CVE-2021-29155 (2021-04-20)

An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.

• benschlueter/CVE-2021-29155

CVE-2021-29156 (2021-03-25)

ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.

• guidepointsecurity/CVE-2021-29156
• 5amu/CVE-2021-29156

CVE-2021-29200 (2021-04-27)

Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack

• freeide/CVE-2021-29200

CVE-2021-29267 (2021-03-29)

Sherlock SherlockIM through 2021-03-29 allows Cross Site Scripting (XSS) by leveraging the api/Files/Attachment URI to attack help-desk staff via the chatbot feature.

• Security-AVS/CVE-2021-29267

CVE-2021-29337 (2021-06-21)

MODAPI.sys in MSI Dragon Center 2.0.104.0 allows low-privileged users to access kernel memory and potentially escalate privileges via a crafted IOCTL 0x9c406104 call. This IOCTL provides the MmMapIoSpace feature for mapping physical memory.

• rjt-gupta/CVE-2021-29337

CVE-2021-29349 (2021-03-31)

Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php pieform_delete_all_notifications request, which leads to removing all messages from a mailbox.

• 0xBaz/CVE-2021-29349
• Vulnmachines/CVE-2021-29349

CVE-2021-29440 (2021-04-13)

Grav is a file based Web-platform. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. The issue was addressed in version 1.7.11.

• CsEnox/CVE-2021-29440

CVE-2021-29441 (2021-04-27)

Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed. This issue may allow any user to carry out any administrative tasks on the Nacos server.

• hh-hunter/nacos-cve-2021-29441
• bysinks/CVE-2021-29441
• azhao1981/CVE-2021-29441

CVE-2021-29442 (2021-04-27)

Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)

• VictorShem/QVD-2024-26473
• XiaomingX/cve-2021-29442-Nacos-Derby-rce-exp

CVE-2021-29447 (2021-04-15)

Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

• motikan2010/CVE-2021-29447
• Vulnmachines/wordpress_cve-2021-29447
• dnr6419/CVE-2021-29447
• AssassinUKG/CVE-2021-29447
• b-abderrahmane/CVE-2021-29447-POC
• elf1337/blind-xxe-controller-CVE-2021-29447
• Val-Resh/CVE-2021-29447-POC
• M3l0nPan/wordpress-cve-2021-29447
• mega8bit/exploit_cve-2021-29447
• thomas-osgood/CVE-2021-29447
• Abdulazizalsewedy/CVE-2021-29447
• G01d3nW01f/CVE-2021-29447
• viardant/CVE-2021-29447
• 0xRar/CVE-2021-29447-PoC
• andyhsu024/CVE-2021-29447
• specializzazione-cyber-security/demo-CVE-2021-29447-lezione

CVE-2021-29505 (2021-05-28)

XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.

• MyBlackManba/CVE-2021-29505

CVE-2021-29627 (2021-04-07)

In FreeBSD 13.0-STABLE before n245050, 12.2-STABLE before r369525, 13.0-RC4 before p0, and 12.2-RELEASE before p6, listening socket accept filters implementing the accf_create callback incorrectly freed a process supplied argument string. Additional operations on the socket can lead to a double free or use after free.

• raymontag/cve-2021-29627

CVE-2021-30005 (2021-05-11)

In JetBrains PyCharm before 2020.3.4, local code execution was possible because of insufficient checks when getting the project from VCS.

• atorralba/CVE-2021-30005-POC

CVE-2021-30109 (2021-04-05)

Froala Editor 3.2.6 is affected by Cross Site Scripting (XSS). Under certain conditions, a base64 crafted string leads to persistent Cross-site scripting (XSS) vulnerability within the hyperlink creation module.

• Hackdwerg/CVE-2021-30109

CVE-2021-30128 (2021-04-27)

Apache OFBiz has unsafe deserialization prior to 17.12.07 version

• LioTree/CVE-2021-30128-EXP

CVE-2021-30146 (2021-04-06)

Seafile 7.0.5 (2019) allows Persistent XSS via the "share of library functionality."

• Security-AVS/CVE-2021-30146

CVE-2021-30357 (2021-06-08)

SSL Network Extender Client for Linux before build 800008302 reveals part of the contents of the configuration file supplied, which allows partially disclosing files to which the user did not have access.

• joaovarelas/CVE-2021-30357_CheckPoint_SNX_VPN_PoC

CVE-2021-30461 (2021-05-29)

A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php.

• daedalus/CVE-2021-30461
• Vulnmachines/CVE-2021-30461
• Al1ex/CVE-2021-30461
• puckiestyle/CVE-2021-30461

CVE-2021-30481 (2021-04-10)

Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.

• floesen/CVE-2021-30481
• JHVIW/jhviw.github.io

CVE-2021-30551 (2021-06-15)

Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• xmzyshypnc/CVE-2021-30551

CVE-2021-30573 (2021-08-03)

Use after free in GPU in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• s4eio/CVE-2021-30573-PoC-Google-Chrome
• orangmuda/CVE-2021-30573
• kh4sh3i/CVE-2021-30573

CVE-2021-30632 (2021-10-08)

Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• Phuong39/PoC-CVE-2021-30632
• CrackerCat/CVE-2021-30632
• maldev866/ChExp_CVE-2021-30632
• paulsery/CVE-2021-30632

CVE-2021-30641 (2021-06-10)

Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

• dja2TaqkGEEfA45/CVE-2021-30641

CVE-2021-30657 (2021-09-08)

A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina. A malicious application may bypass Gatekeeper checks. Apple is aware of a report that this issue may have been actively exploited..

• shubham0d/CVE-2021-30657

CVE-2021-30682 (2021-09-08)

A logic issue was addressed with improved restrictions. This issue is fixed in tvOS 14.6, iOS 14.6 and iPadOS 14.6, Safari 14.1.1, macOS Big Sur 11.4, watchOS 7.5. A malicious application may be able to leak sensitive user information.

• threatnix/csp-playground

CVE-2021-30731 (2021-09-08)

This issue was addressed with improved checks. This issue is fixed in macOS Big Sur 11.4, Security Update 2021-004 Catalina. An unprivileged application may be able to capture USB devices.

• osy/WebcamViewer

CVE-2021-30807 (2021-10-19)

A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.5.1, iOS 14.7.1 and iPadOS 14.7.1, watchOS 7.6.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

• jsherman212/iomfb-exploit
• 30440r/gex

CVE-2021-30858 (2021-08-24)

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

• kmeps4/CVEREV3
• Jeromeyoung/ps4_8.00_vuln_poc

CVE-2021-30860 (2021-08-24)

An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

• Levilutz/CVE-2021-30860
• jeffssh/CVE-2021-30860

CVE-2021-30937 (2021-08-24)

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in macOS Big Sur 11.6.2, tvOS 15.2, macOS Monterey 12.1, Security Update 2021-008 Catalina, iOS 15.2 and iPadOS 15.2, watchOS 8.3. A malicious application may be able to execute arbitrary code with kernel privileges.

• realrodri/ExploiteameEsta

CVE-2021-30955 (2021-08-24)

A race condition was addressed with improved state handling. This issue is fixed in macOS Monterey 12.1, watchOS 8.3, iOS 15.2 and iPadOS 15.2, tvOS 15.2. A malicious application may be able to execute arbitrary code with kernel privileges.

• timb-machine-mirrors/jakeajames-CVE-2021-30955
• nickorlow/CVE-2021-30955-POC
• verygenericname/CVE-2021-30955-POC-IPA
• b1n4r1b01/desc_race
• markie-dev/desc_race_A15
• Dylbin/desc_race
• GeoSn0w/Pentagram-exploit-tester

CVE-2021-30956 (2021-08-24)

A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. This issue is fixed in iOS 15.2 and iPadOS 15.2. An attacker with physical access to a device may be able to see private contact information.

• fordsham/CVE-2021-30956

CVE-2021-31159 (2021-06-16)

Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.

• ricardojoserf/CVE-2021-31159

CVE-2021-31166 (2021-05-11)

HTTP Protocol Stack Remote Code Execution Vulnerability

• 0vercl0k/CVE-2021-31166
• zha0gongz1/CVE-2021-31166
• mvlnetdev/CVE-2021-31166-detection-rules
• corelight/CVE-2021-31166
• zecopro/CVE-2021-31166
• bgsilvait/WIn-CVE-2021-31166
• y0g3sh-99/CVE-2021-31166-Exploit
• ZZ-SOCMAP/CVE-2021-31166
• imikoYa/CVE-2021-31166-exploit
• mauricelambert/CVE-2021-31166
• 0xmaximus/Home-Demolisher

CVE-2021-31184 (2021-05-11)

Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability

• waleedassar/CVE-2021-31184

CVE-2021-31233 (2023-05-31)

SQL Injection vulnerability found in Fighting Cock Information System v.1.0 allows a remote attacker to obtain sensitive information via the edit_breed.php parameter.

• gabesolomon/CVE-2021-31233

CVE-2021-31290

• qaisarafridi/cve-2021-31290

CVE-2021-31589 (2022-01-05)

A cross-site scripting (XSS) vulnerability has been reported and confirmed for BeyondTrust Secure Remote Access Base Software version 6.0.1 and older, which allows the injection of unauthenticated, specially-crafted web requests without proper sanitization.

• karthi-the-hacker/CVE-2021-31589

CVE-2021-31630 (2021-08-03)

Command Injection in Open PLC Webserver v3 allows remote attackers to execute arbitrary code via the "Hardware Layer Code Box" component on the "/hardware" page of the application.

• hev0x/CVE-2021-31630-OpenPLC_RCE
• Hunt3r0x/CVE-2021-31630-HTB
• thewhiteh4t/cve-2021-31630
• behindsecurity/htb-wifinetictwo-exploit
• mind2hex/CVE-2021-31630
• sealldeveloper/CVE-2021-31630-PoC
• junnythemarksman/CVE-2021-31630
• ttps-byte/cve-2021-31630
• manuelsantosiglesias/CVE-2021-31630
• FlojBoj/CVE-2021-31630

CVE-2021-31728 (2021-05-17)

Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 allows a non-privileged process to open a handle to .\ZemanaAntiMalware, register itself with the driver by sending IOCTL 0x80002010, allocate executable memory using a flaw in IOCTL 0x80002040, install a hook with IOCTL 0x80002044 and execute the executable memory using this hook with IOCTL 0x80002014 or 0x80002018, this exposes ring 0 code execution in the context of the driver allowing the non-privileged process to elevate privileges.

• irql/CVE-2021-31728

CVE-2021-31760 (2021-04-25)

Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to achieve Remote Command Execution (RCE) through Webmin's running process feature.

• Mesh3l911/CVE-2021-31760
• electronicbots/CVE-2021-31760

CVE-2021-31761 (2021-04-25)

Webmin 1.973 is affected by reflected Cross Site Scripting (XSS) to achieve Remote Command Execution through Webmin's running process feature.

• Mesh3l911/CVE-2021-31761
• electronicbots/CVE-2021-31761

CVE-2021-31762 (2021-04-25)

Webmin 1.973 is affected by Cross Site Request Forgery (CSRF) to create a privileged user through Webmin's add users feature, and then get a reverse shell through Webmin's running process feature.

• Mesh3l911/CVE-2021-31762
• electronicbots/CVE-2021-31762

CVE-2021-31796 (2021-09-02)

An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36.

• unmanarc/CACredDecoder

CVE-2021-31800 (2021-05-05)

Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key.

• p0dalirius/CVE-2021-31800-Impacket-SMB-Server-Arbitrary-file-read-write
• Louzogh/CVE-2021-31800

CVE-2021-31805 (2022-04-12)

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

• pyroxenites/s2-062
• Wrin9/CVE-2021-31805
• Axx8/Struts2_S2-062_CVE-2021-31805
• jax7sec/S2-062
• aeyesec/CVE-2021-31805
• fleabane1/CVE-2021-31805-POC
• z92g/CVE-2021-31805
• nth347/CVE-2021-31805

CVE-2021-31856 (2021-04-28)

A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 allows an attacker to execute arbitrary SQL commands via the /experimental/patternfiles endpoint (order parameter in GetMesheryPatterns in models/meshery_pattern_persister.go).

• ssst0n3/CVE-2021-31856

CVE-2021-31862 (2021-10-29)

SysAid 20.4.74 allows XSS via the KeepAlive.jsp stamp parameter without any authentication.

• RobertDra/CVE-2021-31862

CVE-2021-31955 (2021-06-08)

Windows Kernel Information Disclosure Vulnerability

• freeide/CVE-2021-31955-POC

CVE-2021-31956 (2021-06-08)

Windows NTFS Elevation of Privilege Vulnerability

• hzshang/CVE-2021-31956
• Y3A/CVE-2021-31956
• hoangprod/CVE-2021-31956-POC

CVE-2021-32099 (2021-05-07)

A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass.

• l3eol3eo/CVE-2021-32099_SQLi
• akr3ch/CVE-2021-32099

CVE-2021-32156 (2022-04-11)

A cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature.

• Mesh3l911/CVE-2021-32156

CVE-2021-32157 (2022-04-11)

A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature.

• Mesh3l911/CVE-2021-32157
• dnr6419/CVE-2021-32157

CVE-2021-32158 (2022-04-11)

A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 via the Upload and Download feature.

• Mesh3l911/CVE-2021-32158

CVE-2021-32159 (2022-04-11)

A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Upload and Download feature.

• Mesh3l911/CVE-2021-32159

CVE-2021-32160 (2022-04-11)

A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the Add Users feature.

• Mesh3l911/CVE-2021-32160

CVE-2021-32161 (2022-04-11)

A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the File Manager feature.

• Mesh3l911/CVE-2021-32161

CVE-2021-32162 (2022-04-11)

A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 through the File Manager feature.

• Mesh3l911/CVE-2021-32162

CVE-2021-32305 (2021-05-18)

WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.

• sz-guanx/CVE-2021-32305
• FredBrave/CVE-2021-32305-websvn-2.6.0

CVE-2021-32399 (2021-05-10)

net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller.

• nanopathi/linux-4.19.72_CVE-2021-32399

CVE-2021-32471 (2021-05-10)

Insufficient input validation in the Marvin Minsky 1967 implementation of the Universal Turing Machine allows program users to execute arbitrary code via crafted data. For example, a tape head may have an unexpected location after the processing of input composed of As and Bs (instead of 0s and 1s). NOTE: the discoverer states "this vulnerability has no real-world implications."

• intrinsic-propensity/turing-machine

CVE-2021-32537 (2021-07-07)

Realtek HAD contains a driver crashed vulnerability which allows local side attackers to send a special string to the kernel driver in a user’s mode. Due to unexpected commands, the kernel driver will cause the system crashed.

• 0vercl0k/CVE-2021-32537

CVE-2021-32644 (2021-06-22)

Ampache is an open source web based audio/video streaming application and file manager. Due to a lack of input filtering versions 4.x.y are vulnerable to code injection in random.php. The attack requires user authentication to access the random.php page unless the site is running in demo mode. This issue has been resolved in 4.4.3.

• dnr6419/CVE-2021-32644

CVE-2021-32648 (2021-08-26)

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

• daftspunk/CVE-2021-32648

CVE-2021-32682 (2021-06-14)

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

• nickswink/CVE-2021-32682

CVE-2021-32708 (2021-06-24)

Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.

• fazilbaig1/CVE-2021-32708

CVE-2021-32724 (2021-09-09)

check-spelling is a github action which provides CI spell checking. In affected versions and for a repository with the check-spelling action enabled that triggers on pull_request_target (or schedule), an attacker can send a crafted Pull Request that causes a GITHUB_TOKEN to be exposed. With the GITHUB_TOKEN, it's possible to push commits to the repository bypassing standard approval processes. Commits to the repository could then steal any/all secrets available to the repository. As a workaround users may can either: Disable the workflow until you've fixed all branches or Set repository to Allow specific actions. check-spelling isn't a verified creator and it certainly won't be anytime soon. You could then explicitly add other actions that your repository uses. Set repository Workflow permissions to Read repository contents permission. Workflows using check-spelling/check-spelling@main will get the fix automatically. Workflows using a pinned sha or tagged version will need to change the affected workflows for all repository branches to the latest version. Users can verify who and which Pull Requests have been running the action by looking up the spelling.yml action in the Actions tab of their repositories, e.g., https://github.com/check-spelling/check-spelling/actions/workflows/spelling.yml - you can filter PRs by adding ?query=event%3Apull_request_target, e.g., https://github.com/check-spelling/check-spelling/actions/workflows/spelling.yml?query=event%3Apull_request_target.

• MaximeSchlegel/CVE-2021-32724-Target

CVE-2021-32789 (2021-07-26)

woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the wc/store/products/collection-data?calculate_attribute_counts[][taxonomy] endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.

• and0x00/CVE-2021-32789
• DonVorrin/CVE-2021-32789

CVE-2021-32804 (2021-08-03)

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

• yamory/CVE-2021-32804

CVE-2021-32819 (2021-05-14)

Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. This issue is fixed in version 9.0.0. For complete details refer to the referenced GHSL-2021-023.

• Abady0x1/CVE-2021-32819

CVE-2021-32849 (2022-01-26)

Gerapy is a distributed crawler management framework. Prior to version 0.9.9, an authenticated user could execute arbitrary commands. This issue is fixed in version 0.9.9. There are no known workarounds.

• bb33bb/CVE-2021-32849
• lowkey0808/cve-2021-32849

CVE-2021-33026 (2021-05-13)

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision

• CarlosG13/CVE-2021-33026
• Agilevatester/FlaskCache_CVE-2021-33026_POC

CVE-2021-33034 (2021-05-14)

In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.

• Trinadh465/device_renesas_kernel_AOSP10_r33_CVE-2021-33034

CVE-2021-33044 (2021-09-15)

The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

• bp2008/DahuaLoginBypass
• Spy0x7/CVE-2021-33044
• Alonzozzz/alonzzzo
• haingn/LoHongCam-CVE-2021-33044

CVE-2021-33045 (2021-09-15)

The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.

• dongpohezui/cve-2021-33045

CVE-2021-33104 (2023-02-16)

Improper access control in the Intel(R) OFU software before version 14.1.28 may allow an authenticated user to potentially enable denial of service via local access.

• rjt-gupta/CVE-2021-33104

CVE-2021-33558 (2021-05-27)

Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. NOTE: multiple third parties report that this is a site-specific issue because those files are not part of Boa.

• mdanzaruddin/CVE-2021-33558.
• anldori/CVE-2021-33558

CVE-2021-33560 (2021-06-08)

Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.

• IBM/PGP-client-checker-CVE-2021-33560

CVE-2021-33564 (2021-05-29)

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

• mlr0p/CVE-2021-33564
• dorkerdevil/CVE-2021-33564

CVE-2021-33624 (2021-06-23)

In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.

• benschlueter/CVE-2021-33624

CVE-2021-33690 (2021-09-15)

Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability.Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet.

• redrays-io/CVE-2021-33690

CVE-2021-33699 (2021-08-10)

Task Hijacking is a vulnerability that affects the applications running on Android devices due to a misconfiguration in their AndroidManifest.xml with their Task Control features. This allows an unauthorized attacker or malware to takeover legitimate apps and to steal user's sensitive information.

• naroSEC/CVE-2021-33699_Task_Hijacking

CVE-2021-33739 (2021-06-08)

Microsoft DWM Core Library Elevation of Privilege Vulnerability

• freeide2017/CVE-2021-33739-POC
• giwon9977/CVE-2021-33739_PoC_Analysis

CVE-2021-33766 (2021-07-14)

Microsoft Exchange Server Information Disclosure Vulnerability

• bhdresh/CVE-2021-33766
• demossl/CVE-2021-33766-ProxyToken

CVE-2021-33831 (2021-09-07)

api/account/register in the TH Wildau COVID-19 Contact Tracing application through 2021-09-01 has Incorrect Access Control. An attacker can interfere with tracing of infection chains by creating 500 random users within 2500 seconds.

• lanmarc77/CVE-2021-33831

CVE-2021-33879 (2021-06-06)

Tencent GameLoop before 4.1.21.90 downloaded updates over an insecure HTTP connection. A malicious attacker in an MITM position could spoof the contents of an XML document describing an update package, replacing a download URL with one pointing to an arbitrary Windows executable. Because the only integrity check would be a comparison of the downloaded file's MD5 checksum to the one contained within the XML document, the downloaded executable would then be executed on the victim's machine.

• mmiszczyk/cve-2021-33879

CVE-2021-33909 (2021-07-20)

fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05.

• Liang2580/CVE-2021-33909
• baerwolf/cve-2021-33909
• bbinfosec43/CVE-2021-33909
• ChrisTheCoolHut/CVE-2021-33909

CVE-2021-33959 (2023-01-18)

Plex media server 1.21 and before is vulnerable to ddos reflection attack via plex service.

• lixiang957/CVE-2021-33959

CVE-2021-34045

• Al1ex/CVE-2021-34045
• kenuosec/CVE-2021-34045

CVE-2021-34371 (2021-08-05)

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains.

• zwjjustdoit/CVE-2021-34371.jar

CVE-2021-34428 (2021-06-22)

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

• Trinadh465/jetty_9.4.31_CVE-2021-34428

CVE-2021-34429 (2021-07-15)

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

• ColdFusionX/CVE-2021-34429

CVE-2021-34470 (2021-07-14)

Microsoft Exchange Server Elevation of Privilege Vulnerability

• technion/CVE-2021-34470scanner

CVE-2021-34473 (2021-07-14)

Microsoft Exchange Server Remote Code Execution Vulnerability

• cyberheartmi9/Proxyshell-Scanner
• RaouzRouik/CVE-2021-34473-scanner
• p2-98/CVE-2021-34473
• horizon3ai/proxyshell
• je6k/CVE-2021-34473-Exchange-ProxyShell
• learningsurface/ProxyShell-CVE-2021-34473.py
• kh4sh3i/ProxyShell
• ipsBruno/CVE-2021-34473-NMAP-SCANNER
• f4alireza/CVE

CVE-2021-34481 (2021-07-16)

<p>A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>\n<p><strong>UPDATE</strong> August 10, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. This security update changes the Point and Print default behavior; please see <a href="https://support.microsoft.com/help/5005652">KB5005652</a>.</p>\n

• vpn28/CVE-2021-34481

CVE-2021-34486 (2021-08-12)

Windows Event Tracing Elevation of Privilege Vulnerability

• KaLendsi/CVE-2021-34486
• b1tg/CVE-2021-34486-exp

CVE-2021-34496 (2021-07-14)

Windows GDI Information Disclosure Vulnerability

• dja2TaqkGEEfA45/CVE-2021-34496

CVE-2021-34523 (2021-07-14)

Microsoft Exchange Server Elevation of Privilege Vulnerability

• mithridates1313/ProxyShell_POC
• SUPRAAA-1337/CVE-2021-34523

CVE-2021-34527 (2021-07-02)

<p>A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>\n<p>UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.</p>\n<p>In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (<strong>Note</strong>: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):</p>\n<ul>\n<li>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint</li>\n<li>NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)</li>\n<li>UpdatePromptSettings = 0 (DWORD) or not defined (default setting)</li>\n</ul>\n<p><strong>Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.</strong></p>\n<p>UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also <a href="https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7">KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates</a>.</p>\n<p>Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.</p>\n

• DenizSe/CVE-2021-34527
• thomas-lauer/PrintNightmare
• JohnHammond/CVE-2021-34527
• nemo-wq/PrintNightmare-CVE-2021-34527
• CnOxx1/CVE-2021-34527-1675
• rdboboia/disable-RegisterSpoolerRemoteRpcEndPoint
• geekbrett/CVE-2021-34527-PrintNightmare-Workaround
• byt3bl33d3r/ItWasAllADream
• vinaysudheer/Disable-Spooler-Service-PrintNightmare-CVE-2021-34527
• powershellpr0mpt/PrintNightmare-CVE-2021-34527
• WidespreadPandemic/CVE-2021-34527_ACL_mitigation
• glorisonlai/printnightmare
• dywhoami/CVE-2021-34527-Scanner-Based-On-cube0x0-POC
• Eutectico/Printnightmare
• syntaxbearror/PowerShell-PrintNightmare
• 0xirison/PrintNightmare-Patcher
• Tomparte/PrintNightmare
• Amaranese/CVE-2021-34527
• cyb3rpeace/CVE-2021-34527
• m8sec/CVE-2021-34527
• hackerhouse-opensource/cve-2021-34527
• d0rb/CVE-2021-34527
• TieuLong21Prosper/detect_bruteforce
• Hirusha-N/CVE-2021-34527-CVE-2023-38831-and-CVE-2023-32784

CVE-2021-34558 (2021-07-15)

The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.

• alexzorin/cve-2021-34558

CVE-2021-34600 (2022-01-20)

Telenot CompasX versions prior to 32.0 use a weak seed for random number generation leading to predictable AES keys used in the NFC tags used for local authorization of users. This may lead to total loss of trustworthiness of the installation.

• x41sec/CVE-2021-34600

CVE-2021-34621 (2021-07-07)

A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3. .

• RandomRobbieBF/CVE-2021-34621
• K3ysTr0K3R/CVE-2021-34621-EXPLOIT
• navreet1425/CVE-2021-34621

CVE-2021-34646 (2021-08-30)

Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Email Verification module to be active in the plugin and the Login User After Successful Verification setting to be enabled, which it is by default.

• motikan2010/CVE-2021-34646
• 0xB455/CVE-2021-34646

CVE-2021-34730 (2021-08-18)

A vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition. Cisco has not released software updates that address this vulnerability.

• badmonkey7/CVE-2021-34730

CVE-2021-34767 (2021-09-23)

A vulnerability in IPv6 traffic processing of Cisco IOS XE Wireless Controller Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, adjacent attacker to cause a Layer 2 (L2) loop in a configured VLAN, resulting in a denial of service (DoS) condition for that VLAN. The vulnerability is due to a logic error when processing specific link-local IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet that would flow inbound through the wired interface of an affected device. A successful exploit could allow the attacker to cause traffic drops in the affected VLAN, thus triggering the DoS condition.

• lukejenkins/CVE-2021-34767

CVE-2021-34824 (2021-06-29)

Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

• rsalmond/CVE-2021-34824

CVE-2021-35042 (2021-07-02)

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

• YouGina/CVE-2021-35042
• mrlihd/CVE-2021-35042
• r4vi/CVE-2021-35042
• zer0qs/CVE-2021-35042
• LUUANHDUC/CVE-2021-35042

CVE-2021-35064 (2021-07-12)

KramerAV VIAWare, all tested versions, allow privilege escalation through misconfiguration of sudo. Sudoers permits running of multiple dangerous commands, including unzip, systemctl and dpkg.

• Chocapikk/CVE-2021-35064

CVE-2021-35211 (2021-07-14)

Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.

• NattiSamson/Serv-U-CVE-2021-35211
• 0xhaggis/CVE-2021-35211

CVE-2021-35215 (2021-09-01)

Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.

• Y4er/CVE-2021-35215

CVE-2021-35250 (2022-04-25)

A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.

• rissor41/SolarWinds-CVE-2021-35250

CVE-2021-35296 (2021-10-04)

An issue in the administrator authentication panel of PTCL HG150-Ub v3.0 allows attackers to bypass authentication via modification of the cookie value and Response Path.

• afaq1337/CVE-2021-35296

CVE-2021-35464 (2021-07-22)

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier

• Y4er/openam-CVE-2021-35464
• rood8008/CVE-2021-35464

CVE-2021-35475 (2021-06-25)

SAS Environment Manager 2.5 allows XSS through the Name field when creating/editing a server. The XSS will prompt when editing the Configuration Properties.

• saitamang/CVE-2021-35475

CVE-2021-35492 (2021-10-05)

Wowza Streaming Engine through 4.8.11+5 could allow an authenticated, remote attacker to exhaust filesystem resources via the /enginemanager/server/vhost/historical.jsdata vhost parameter. This is due to the insufficient management of available filesystem resources. An attacker could exploit this vulnerability through the Virtual Host Monitoring section by requesting random virtual-host historical data and exhausting available filesystem resources. A successful exploit could allow the attacker to cause database errors and cause the device to become unresponsive to web-based management. (Manual intervention is required to free filesystem resources and return the application to an operational state.)

• N4nj0/CVE-2021-35492

CVE-2021-35576 (2021-10-20)

Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).

• emad-almousa/CVE-2021-35576

CVE-2021-35587 (2022-01-19)

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• ZZ-SOCMAP/CVE-2021-35587

CVE-2021-35616 (2021-10-20)

Vulnerability in the Oracle Transportation Management product of Oracle Supply Chain (component: UI Infrastructure). The supported version that is affected is 6.4.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Transportation Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Transportation Management accessible data as well as unauthorized read access to a subset of Oracle Transportation Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

• Ofirhamam/OracleOTM

CVE-2021-35956 (2021-06-30)

Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.

• tcbutler320/CVE-2021-35956

CVE-2021-35958 (2021-06-30)

TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils.get_file is not intended for untrusted archives

• miguelc49/CVE-2021-35958-2
• miguelc49/CVE-2021-35958-1

CVE-2021-36260 (2021-09-22)

A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.

• rabbitsafe/CVE-2021-36260
• Aiminsun/CVE-2021-36260
• TaroballzChen/CVE-2021-36260-metasploit
• tuntin9x/CheckHKRCE
• Cuerz/CVE-2021-36260
• TakenoSite/Simple-CVE-2021-36260
• r3t4k3r/hikvision_brute
• haingn/HIK-CVE-2021-36260-Exploit
• aengussong/hikvision_probe

CVE-2021-36393 (2023-03-06)

In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

• StackOverflowExcept1on/CVE-2021-36393

CVE-2021-36394 (2023-03-06)

In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

• dinhbaouit/CVE-2021-36394
• lavclash75/CVE-2021-36394-Pre-Auth-RCE-in-Moodle

CVE-2021-36396 (2023-03-06)

In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.

• T0X1Cx/CVE-2021-36396-Exploit

CVE-2021-36460 (2022-04-25)

VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to takeover a user's account, rendering the benefits of storing hashed passwords in the database useless.

• martinfrancois/CVE-2021-36460

CVE-2021-36563 (2021-07-26)

The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the WATO module. This allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts), the XSS payload will be triggered when the user accesses some specific sections of the application. In the same sense a very dangerous potential way would be when an attacker who has the monitor role (not administrator) manages to get a stored XSS to steal the secretAutomation (for the use of the API in administrator mode) and thus be able to create another administrator user who has high privileges on the CheckMK monitoring web console. Another way is that persistent XSS allows an attacker to modify the displayed content or change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session.

• Edgarloyola/CVE-2021-36563

CVE-2021-36593

• mir-hossein/Statement

CVE-2021-36630 (2023-01-18)

DDOS reflection amplification vulnerability in eAut module of Ruckus Wireless SmartZone controller that allows remote attackers to perform DOS attacks via crafted request.

• lixiang957/CVE-2021-36630

CVE-2021-36747 (2021-07-20)

Blackboard Learn through 9.1 allows XSS by an authenticated user via the Feedback to Learner form.

• cseasholtz/CVE-2021-36747

CVE-2021-36749 (2021-09-24)

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.

• sma11new/PocList
• BrucessKING/CVE-2021-36749
• zwlsix/apache_druid_CVE-2021-36749
• Jun-5heng/CVE-2021-36749

CVE-2021-36750 (2021-12-22)

ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, making it easier for attackers to determine the passwords of all DataVault users (across USB drives sold under multiple brand names).

• mamba-4-ever/CVE-2021-36750

CVE-2021-36782 (2022-09-07)

A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.

• fe-ax/tf-cve-2021-36782

CVE-2021-36798 (2021-08-09)

A Denial-of-Service (DoS) vulnerability was discovered in Team Server in HelpSystems Cobalt Strike 4.2 and 4.3. It allows remote attackers to crash the C2 server thread and block beacons' communication with it.

• M-Kings/CVE-2021-36798
• JamVayne/CobaltStrikeDos
• sponkmonk/CobaltSploit

CVE-2021-36799 (2021-07-19)

KNX ETS5 through 5.7.6 uses the hard-coded password ETS5Password, with a salt value of Ivan Medvedev, allowing local users to read project information. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

• robertguetzkow/ets5-password-recovery

CVE-2021-36808 (2021-10-30)

A local attacker could bypass the app password using a race condition in Sophos Secure Workspace for Android before version 9.7.3115.

• ctuIhu/CVE-2021-36808

CVE-2021-36934 (2021-07-22)

<p>An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>\n<p>An attacker must have the ability to execute code on a victim system to exploit this vulnerability.</p>\n<p>After installing this security update, you <em>must</em> manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerabilty. <strong>Simply installing this security update will not fully mitigate this vulnerability.</strong> See <a href="https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7">KB5005357- Delete Volume Shadow Copies</a>.</p>\n

• HuskyHacks/ShadowSteal
• JoranSlingerland/CVE-2021-36934
• n3tsurge/CVE-2021-36934
• Wh04m1001/VSSCopy
• WiredPulse/Invoke-HiveNightmare
• romarroca/SeriousSam
• WiredPulse/Invoke-HiveDreams
• tda90/CVE-2021-36934
• VertigoRay/CVE-2021-36934
• bytesizedalex/CVE-2021-36934
• Preventions/CVE-2021-36934
• Sp00p64/PyNightmare
• jmaddington/Serious-Sam---CVE-2021-36934-Mitigation-for-Datto-RMM
• 0x0D1n/CVE-2021-36934
• exploitblizzard/CVE-2021-36934
• irissentinel/CVE-2021-36934
• websecnl/CVE-2021-36934
• grishinpv/poc_CVE-2021-36934
• shaktavist/SeriousSam
• OlivierLaflamme/CVE-2021-36934-export-shadow-volume-POC
• chron1k/oxide_hive

CVE-2021-36949 (2021-08-12)

Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability

• Maxwitat/Check-AAD-Connect-for-CVE-2021-36949-vulnerability

CVE-2021-36955 (2021-09-15)

Windows Common Log File System Driver Elevation of Privilege Vulnerability

• JiaJinRong12138/CVE-2021-36955-EXP

CVE-2021-36981 (2021-08-31)

In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code.

• 0xBrAinsTorM/CVE-2021-36981

CVE-2021-37152 (2021-08-10)

Multiple XSS issues exist in Sonatype Nexus Repository Manager 3 before 3.33.0. An authenticated attacker with the ability to add HTML files to a repository could redirect users to Nexus Repository Manager’s pages with code modifications.

• SecurityAnalysts/CVE-2021-37152

CVE-2021-37580 (2021-11-16)

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0

• rabbitsafe/CVE-2021-37580
• fengwenhua/CVE-2021-37580
• Osyanina/westone-CVE-2021-37580-scanner
• ZororoZ/CVE-2021-37580
• Liang2580/CVE-2021-37580
• Wing-song/CVE-2021-37580
• CN016/Apache-ShenYu-Admin-JWT-CVE-2021-37580-

CVE-2021-37624 (2021-10-25)

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the auth-messages parameter to true, it is not the default setting. Abuse of this security issue allows attackers to send SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. Maintainers recommend that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to be explicitly set the auth-messages parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication.

• 0xInfection/PewSWITCH

CVE-2021-37678 (2021-08-12)

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The implementation uses yaml.unsafe_load which can perform arbitrary code execution on the input. Given that YAML format support requires a significant amount of work, we have removed it for now. We have patched the issue in GitHub commit 23d6383eb6c14084a8fc3bdf164043b974818012. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

• fran-CICS/ExploitTensorflowCVE-2021-37678

CVE-2021-37740 (2022-04-20)

A denial of service vulnerability exists in MDT's firmware for the KNXnet/IP Secure router SCN-IP100.03 and KNX IP interface SCN-IP000.03 before v3.0.4, that allows a remote attacker to turn the device unresponsive to all requests on the KNXnet/IP Secure layer, until the device is rebooted, via a SESSION_REQUEST frame with a modified total length field.

• robertguetzkow/CVE-2021-37740

CVE-2021-37748 (2021-10-28)

Multiple buffer overflows in the limited configuration shell (/sbin/gs_config) on Grandstream HT801 devices before 1.0.29 allow remote authenticated users to execute arbitrary code as root via a crafted manage_if setting, thus bypassing the intended restrictions of this shell and taking full control of the device. There are default weak credentials that can be used to authenticate.

• SECFORCE/CVE-2021-37748

CVE-2021-37832 (2021-08-03)

A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. A malicious attacker can issue SQL commands to the SQLite database through the vulnerable idappartamenti parameter.

• dievus/CVE-2021-37832
• AK-blank/CVE-2021-37832

CVE-2021-37833 (2021-08-03)

A reflected cross-site scripting (XSS) vulnerability exists in multiple pages in version 3.0.2 of the Hotel Druid application that allows for arbitrary execution of JavaScript commands.

• dievus/CVE-2021-37833

CVE-2021-37910 (2021-11-12)

ASUS routers Wi-Fi protected access protocol (WPA2 and WPA3-SAE) has improper control of Interaction frequency vulnerability, an unauthenticated attacker can remotely disconnect other users' connections by sending specially crafted SAE authentication frames.

• efchatz/easy-exploits

CVE-2021-37975 (2021-10-08)

Use after free in V8 in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• ssaroussi/CVE-2021-37975

CVE-2021-37980 (2021-11-02)

Inappropriate implementation in Sandbox in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially bypass site isolation via Windows.

• ZeusBox/CVE-2021-37980

CVE-2021-38001 (2021-11-23)

Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• maldiohead/TFC-Chrome-v8-bug-CVE-2021-38001-poc
• Peterpan0927/TFC-Chrome-v8-bug-CVE-2021-38001-poc

CVE-2021-38003 (2021-11-23)

Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• SpiralBL0CK/Chrome-V8-RCE-CVE-2021-38003

CVE-2021-38149 (2021-08-06)

index.php/admin/add_user in Chikitsa Patient Management System 2.0.0 allows XSS.

• jboogie15/CVE-2021-38149

CVE-2021-38163 (2021-09-14)

SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.\n\n

• core1impact/CVE-2021-38163

CVE-2021-38185 (2021-08-07)

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.

• fangqyi/cpiopwn

CVE-2021-38295 (2021-10-14)

In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will be executed within the security context of that admin. A similar route is available with the already deprecated _show and _list functionality. This privilege escalation vulnerability allows an attacker to add or remove data in any database or make configuration changes. This issue affected Apache CouchDB prior to 3.1.2

• ProfessionallyEvil/CVE-2021-38295-PoC

CVE-2021-38297 (2021-10-18)

Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.

• gkrishnan724/CVE-2021-38297
• paras98/CVE-2021-38297-Go-wasm-Replication

CVE-2021-38314 (2021-09-02)

The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in redux-core/class-redux-core.php that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s AUTH_KEY concatenated with the SECURE_AUTH_KEY.

• orangmuda/CVE-2021-38314
• phrantom/cve-2021-38314
• shubhayu-64/CVE-2021-38314
• twseptian/cve-2021-38314
• c0ff33b34n/CVE-2021-38314
• akhilkoradiya/CVE-2021-38314
• 0xGabe/CVE-2021-38314

CVE-2021-38540 (2021-09-09)

The variable import endpoint was not protected by authentication in Airflow >=2.0.0, <2.1.3. This allowed unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. This issue affects Apache Airflow >=2.0.0, <2.1.3.

• Captain-v-hook/PoC-for-CVE-2021-38540-

CVE-2021-38560 (2022-02-01)

Ivanti Service Manager 2021.1 allows reflected XSS via the appName parameter associated with ConfigDB calls, such as in RelocateAttachments.aspx.

• os909/iVANTI-CVE-2021-38560

CVE-2021-38583 (2021-08-13)

openBaraza HCM 3.1.6 does not properly neutralize user-controllable input, which allows reflected cross-site scripting (XSS) on multiple pages: hr/subscription.jsp and hr/application.jsp and and hr/index.jsp (with view= and data=).

• charlesbickel/CVE-2021-38583

CVE-2021-38602 (2021-08-12)

PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content.

• KielVaughn/CVE-2021-38602

CVE-2021-38603 (2021-08-12)

PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Information field.

• KielVaughn/CVE-2021-38603

CVE-2021-38619 (2021-08-13)

openBaraza HCM 3.1.6 does not properly neutralize user-controllable input: an unauthenticated remote attacker can conduct a stored cross-site scripting (XSS) attack against an administrative user from hr/subscription.jsp and hr/application.jsp and and hr/index.jsp (with view=).

• charlesbickel/CVE-2021-38619

CVE-2021-38639 (2021-09-15)

Win32k Elevation of Privilege Vulnerability

• DarkSprings/CVE-2021-38639

CVE-2021-38647 (2021-09-15)

Open Management Infrastructure Remote Code Execution Vulnerability

• corelight/CVE-2021-38647
• midoxnet/CVE-2021-38647
• horizon3ai/CVE-2021-38647
• Immersive-Labs-Sec/cve-2021-38647
• marcosimioni/omigood
• craig-m-unsw/omigod-lab
• SimenBai/CVE-2021-38647-POC-and-Demo-environment
• AlteredSecurity/CVE-2021-38647
• abousteif/cve-2021-38647
• Vulnmachines/OMIGOD_cve-2021-38647
• goofsec/omigod
• corelight/CVE-2021-38647-noimages

CVE-2021-38666 (2021-11-10)

Remote Desktop Client Remote Code Execution Vulnerability

• DarkSprings/CVE-2021-38666-poc
• JaneMandy/CVE-2021-38666

CVE-2021-38699 (2021-08-15)

TastyIgniter 3.0.7 allows XSS via /account, /reservation, /admin/dashboard, and /admin/system_logs.

• HuskyHacks/CVE-2021-38699-Reflected-XSS
• HuskyHacks/CVE-2021-38699-Stored-XSS
• Justin-1993/CVE-2021-38699

CVE-2021-38817

• HuskyHacks/CVE-2021-38817-Remote-OS-Command-Injection

CVE-2021-38819 (2022-11-16)

A SQL injection vulnerability exits on the Simple Image Gallery System 1.0 application through "id" parameter on the album page.

• m4sk0ff/CVE-2021-38819

CVE-2021-39115 (2021-09-01)

Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.

• PetrusViet/CVE-2021-39115

CVE-2021-39141 (2021-08-23)

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

• zwjjustdoit/Xstream-1.4.17

CVE-2021-39165 (2021-08-26)

Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the SearchableTrait#scopeSearch(). Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. The original repository of Cachet <https://github.com/CachetHQ/Cachet> is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected.

• W0rty/CVE-2021-39165
• manbolq/CVE-2021-39165

CVE-2021-39172 (2021-08-27)

Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can exploit a new line injection in the configuration edition feature (e.g. mail settings) and gain arbitrary code execution on the server. This issue was addressed in version 2.5.1 by improving UpdateConfigCommandHandler and preventing the use of new lines characters in new configuration values. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.

• W1ngLess/CVE-2021-39172-RCE

CVE-2021-39174 (2021-08-27)

Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can leak the value of any configuration entry of the dotenv file, e.g. the application secret (APP_KEY) and various passwords (email, database, etc). This issue was addressed in version 2.5.1 by improving UpdateConfigCommandHandler and preventing the use of nested variables in the resulting dotenv configuration file. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.

• n0kovo/CVE-2021-39174-PoC
• hadrian3689/cachet_2.4.0-dev

CVE-2021-39273 (2021-08-19)

In XeroSecurity Sn1per 9.0 (free version), insecure permissions (0777) are set upon application execution, allowing an unprivileged user to modify the application, modules, and configuration files. This leads to arbitrary code execution with root privileges.

• nikip72/CVE-2021-39273-CVE-2021-39274

CVE-2021-39287

• Fearless523/CVE-2021-39287-Stored-XSS

CVE-2021-39377 (2021-09-01)

A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the index.php username parameter.

• security-n/CVE-2021-39377

CVE-2021-39378 (2021-09-01)

A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter.

• security-n/CVE-2021-39378

CVE-2021-39379 (2021-09-01)

A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter.

• security-n/CVE-2021-39379

CVE-2021-39408 (2022-06-24)

Cross Site Scripting (XSS) vulnerability exists in Online Student Rate System 1.0 via the page parameter on the index.php file

• StefanDorresteijn/CVE-2021-39408

CVE-2021-39409 (2022-06-24)

A vulnerability exists in Online Student Rate System v1.0 that allows any user to register as an administrator without needing to be authenticated.

• StefanDorresteijn/CVE-2021-39409

CVE-2021-39433 (2021-10-04)

A local file inclusion (LFI) vulnerability exists in version BIQS IT Biqs-drive v1.83 and below when sending a specific payload as the file parameter to download/index.php. This allows the attacker to read arbitrary files from the server with the permissions of the configured web-user.

• PinkDraconian/CVE-2021-39433

CVE-2021-39473 (2022-11-04)

Saibamen HotelManager v1.2 is vulnerable to Cross Site Scripting (XSS) due to improper sanitization of comment and contact fields.

• BrunoTeixeira1996/CVE-2021-39473

CVE-2021-39475

• W4RCL0UD/CVE-2021-39475

CVE-2021-39476

• W4RCL0UD/CVE-2021-39476

CVE-2021-39512

• guusec/CVE-2021-39512-BigTreeCMS-v4.4.14-AccountTakeOver

CVE-2021-39670 (2022-05-10)

In setStream of WallpaperManager.java, there is a possible way to cause a permanent DoS due to improper input validation. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-204087139

• Supersonic/Wallbreak

CVE-2021-39685 (2022-03-16)

In various setup methods of the USB gadget subsystem, there is a possible out of bounds write due to an incorrect flag check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-210292376References: Upstream kernel

• szymonh/inspector-gadget

CVE-2021-39692 (2022-03-16)

In onCreate of SetupLayoutActivity.java, there is a possible way to setup a work profile bypassing user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-209611539

• nanopathi/packages_apps_ManagedProvisioning_CVE-2021-39692

CVE-2021-39696 (2022-08-09)

In Task.java, there is a possible escalation of privilege due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-185810717

• nidhihcl/frameworks_base_AOSP_10_r33_CVE-2021-39696

CVE-2021-39704 (2022-03-16)

In deleteNotificationChannelGroup of NotificationManagerService.java, there is a possible way to run foreground service without user notification due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-209965481

• nanopathi/framework_base_AOSP10_r33_CVE-2021-39704

CVE-2021-39706 (2022-03-16)

In onResume of CredentialStorage.java, there is a possible way to cleanup content of credentials storage due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-200164168

• Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2021-39706

CVE-2021-39749 (2022-03-30)

In WindowManager, there is a possible way to start non-exported and protected activities due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-205996115

• michalbednarski/OrganizerTransaction

CVE-2021-39863 (2021-09-29)

Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.30006 (and earlier) and 2017.011.30199 (and earlier) are affected by a Buffer Overflow vulnerability when parsing a specially crafted PDF file. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

• lsw29475/CVE-2021-39863
• WHS-SEGFAULT/CVE-2021-39863

CVE-2021-40101 (2021-11-30)

An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.

• S1lkys/CVE-2021-40101

CVE-2021-40113 (2021-11-04)

Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following actions: Log in with a default credential if the Telnet protocol is enabled Perform command injection Modify the configuration For more information about these vulnerabilities, see the Details section of this advisory.

• karamMahmad/CVE-2021-40113

CVE-2021-40154 (2021-12-01)

NXP LPC55S69 devices before A3 have a buffer over-read via a crafted wlength value in a GET Descriptor Configuration request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory.

• Jeromeyoung/CVE-2021-40154

CVE-2021-40222 (2021-09-09)

Rittal CMC PU III Web management Version affected: V3.11.00_2. Version fixed: V3.17.10 is affected by a remote code execution vulnerablity. It is possible to introduce shell code to create a reverse shell in the PU-Hostname field of the TCP/IP Configuration dialog. Web application fails to sanitize user input on Network TCP/IP configuration page. This allows the attacker to inject commands as root on the device which will be executed once the data is received.

• asang17/CVE-2021-40222

CVE-2021-40223 (2021-09-09)

Rittal CMC PU III Web management (version V3.11.00_2) fails to sanitize user input on several parameters of the configuration (User Configuration dialog, Task Configuration dialog and set logging filter dialog). This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts). The XSS payload will be triggered when the user accesses some specific sections of the application.

• asang17/CVE-2021-40223

CVE-2021-40303 (2022-11-08)

perfex crm 1.10 is vulnerable to Cross Site Scripting (XSS) via /clients/profile.

• zecopro/CVE-2021-40303

CVE-2021-40345 (2021-10-26)

An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.

• ArianeBlow/NagiosXI-RCE-all-version-CVE-2021-40345

CVE-2021-40346 (2021-09-08)

An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.

• knqyf263/CVE-2021-40346
• donky16/CVE-2021-40346-POC
• alikarimi999/CVE-2021-40346
• Vulnmachines/HAProxy_CVE-2021-40346
• alexOarga/CVE-2021-40346

CVE-2021-40352 (2021-09-01)

OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of all users.

• allenenosh/CVE-2021-40352

CVE-2021-40353 (2021-09-01)

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for CVE-2020-6637.

• 5qu1n7/CVE-2021-40353

CVE-2021-40373 (2021-09-10)

playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI.

• maikroservice/CVE-2021-40373

CVE-2021-40374 (2022-04-06)

A stored cross-site scripting (XSS) vulnerability was identified in Apperta Foundation OpenEyes 3.5.1. Updating a patient's details allows remote attackers to inject arbitrary web script or HTML via the Address1 parameter. This JavaScript then executes when the patient profile is loaded, which could be used in a XSS attack.

• DCKento/CVE-2021-40374

CVE-2021-40375 (2022-04-06)

Apperta Foundation OpenEyes 3.5.1 allows remote attackers to view the sensitive information of patients without having the intended level of privilege. Despite OpenEyes returning a Forbidden error message, the contents of a patient's profile are still returned in the server response. This response can be read in an intercepting proxy or by viewing the page source. Sensitive information returned in responses includes patient PII and medication records or history.

• DCKento/CVE-2021-40375

CVE-2021-40438 (2021-09-16)

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

• xiaojiangxl/CVE-2021-40438
• sixpacksecurity/CVE-2021-40438
• BabyTeam1024/CVE-2021-40438
• ericmann/apache-cve-poc
• pisut4152/Sigma-Rule-for-CVE-2021-40438-exploitation-attempt
• Kashkovsky/CVE-2021-40438
• gassara-kys/CVE-2021-40438
• sergiovks/CVE-2021-40438-Apache-2.4.48-SSRF-exploit
• Cappricio-Securities/CVE-2021-40438

CVE-2021-40444 (2021-09-15)

<p>Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.</p>\n<p>An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p>\n<p>Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.</p>\n<p>Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.</p>\n<p>Please see the <strong>Mitigations</strong> and <strong>Workaround</strong> sections for important information about steps you can take to protect your system from this vulnerability.</p>\n<p><strong>UPDATE</strong> September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.</p>\n

• ozergoker/CVE-2021-40444
• DarkSprings/CVE-2021-40444
• rfcxv/CVE-2021-40444-POC
• bambooqj/CVE-2021-40444_EXP_JS
• Immersive-Labs-Sec/cve-2021-40444-analysis
• vysecurity/CVE-2021-40444
• k4k4/CVE-2021-40444-Sample
• lockedbyte/CVE-2021-40444
• fengjixuchui/CVE-2021-40444-docx-Generate
• KnoooW/CVE-2021-40444-docx-Generate
• mansk1es/Caboom
• jamesrep/cve-2021-40444
• W1kyri3/Exploit-PoC-CVE-2021-40444-inject-ma-doc-vao-docx
• aslitsecurity/CVE-2021-40444_builders
• khoaduynu/CVE-2021-40444
• Jeromeyoung/MSHTMHell
• k8gege/CVE-2021-40444
• klezVirus/CVE-2021-40444
• Phuong39/CVE-2021-40444-CAB
• Edubr2020/CVE-2021-40444--CABless
• kal1gh0st/CVE-2021-40444_CAB_archives
• LazarusReborn/Docx-Exploit-2021
• H0j3n/CVE-2021-40444
• metehangenel/MSHTML-CVE-2021-40444
• Jeromeyoung/TIC4301_Project
• tiagob0b/CVE-2021-40444
• kagura-maru/CVE-2021-40444-POC
• Zeop-CyberSec/word_mshtml
• Alexcot25051999/CVE-2021-40444
• lisinan988/CVE-2021-40444-exp
• 34zY/Microsoft-Office-Word-MSHTML-Remote-Code-Execution-Exploit
• MRacumen/CVE-2021-40444
• RedLeavesChilde/CVE-2021-40444
• nvchungkma/CVE-2021-40444-Microsoft-Office-Word-Remote-Code-Execution-
• hqdat809/CVE-2021-40444
• basim-ahmad/Follina-CVE-and-CVE-2021-40444

CVE-2021-40449 (2021-10-13)

Win32k Elevation of Privilege Vulnerability

• ly4k/CallbackHell
• KaLendsi/CVE-2021-40449-Exploit
• hakivvi/CVE-2021-40449
• Kristal-g/CVE-2021-40449_poc
• CppXL/cve-2021-40449-poc
• BL0odz/CVE-2021-40449-NtGdiResetDC-UAF
• SamuelTulach/voidmap
• toanthang1842002/CVE-2021-40449

CVE-2021-40492 (2021-09-03)

A reflected XSS vulnerability exists in multiple pages in version 22 of the Gibbon application that allows for arbitrary execution of JavaScript (gibbonCourseClassID, gibbonPersonID, subpage, currentDate, or allStudents to index.php).

• 5qu1n7/CVE-2021-40492

CVE-2021-40512

• war4uthor/CVE-2021-40512

CVE-2021-40513

• war4uthor/CVE-2021-40513

CVE-2021-40514

• war4uthor/CVE-2021-40514

CVE-2021-40531 (2021-09-06)

Sketch before 75 allows library feeds to be used to bypass file quarantine. Files are automatically downloaded and opened, without the com.apple.quarantine extended attribute. This results in remote code execution, as demonstrated by CommandString in a terminal profile to Terminal.app.

• jonpalmisc/CVE-2021-40531

CVE-2021-40539 (2021-09-07)

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

• DarkSprings/CVE-2021-40539
• synacktiv/CVE-2021-40539
• lpyzds/CVE-2021-40539
• lpyydxs/CVE-2021-40539
• Bu0uCat/ADSelfService-Plus-RCE-CVE-2021-40539

CVE-2021-40822 (2022-05-01)

GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.

• phor3nsic/CVE-2021-40822

CVE-2021-40839 (2021-09-10)

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.

• itlabbet/CVE-2021-40839

CVE-2021-40845 (2021-09-15)

The web part of Zenitel AlphaCom XE Audio Server through 11.2.3.10, called AlphaWeb XE, does not restrict file upload in the Custom Scripts section at php/index.php. Neither the content nor extension of the uploaded files is checked, allowing execution of PHP code under the /cmd directory.

• ricardojoserf/CVE-2021-40845

CVE-2021-40859 (2021-12-07)

Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow attackers with access to the web based management application full administrative access to the device.

• 419066074/CVE-2021-40859
• 0xr001/CVE-2021-40859
• pussycat0x/CVE-2021-40859

CVE-2021-40865 (2021-10-25)

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4

• hktalent/CVE-2021-40865

CVE-2021-40870 (2021-09-13)

An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.

• System00-Security/CVE-2021-40870
• 0xAgun/CVE-2021-40870
• orangmuda/CVE-2021-40870
• JoyGhoshs/CVE-2021-40870

CVE-2021-40875 (2021-09-22)

Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.

• SakuraSamuraii/derailed
• Lul/TestRail-files.md5-IAC-scanner

CVE-2021-40903 (2022-06-17)

A vulnerability in Antminer Monitor 0.50.0 exists because of backdoor or misconfiguration inside a settings file in flask server. Settings file has a predefined secret string, which would be randomly generated, however it is static.

• vulnz/CVE-2021-40903

CVE-2021-40904 (2022-03-25)

The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dokuwiki (installed by default), which allows embedded php code. As a result, remote code execution is achieved. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session by a user with the role of administrator.

• Edgarloyola/CVE-2021-40904

CVE-2021-40905 (2022-03-25)

The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uploading of ".mkp" files, which are Extension Packages, making remote code execution possible. Successful exploitation requires access to the web management interface, either with valid credentials or with a hijacked session of a user with administrator role. NOTE: the vendor states that this is the intended behavior: admins are supposed to be able to execute code in this manner

• Edgarloyola/CVE-2021-40905

CVE-2021-40906 (2022-03-25)

CheckMK Raw Edition software (versions 1.5.0 to 1.6.0) does not sanitise the input of a web service parameter that is in an unauthenticated zone. This Reflected XSS allows an attacker to open a backdoor on the device with HTML content and interpreted by the browser (such as JavaScript or other client-side scripts) or to steal the session cookies of a user who has previously authenticated via a man in the middle. Successful exploitation requires access to the web service resource without authentication.

• Edgarloyola/CVE-2021-40906

CVE-2021-40978 (2021-10-07)

The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information. NOTE: the vendor has disputed this as described in https://github.com/mkdocs/mkdocs/issues/2601.] and https://github.com/nisdn/CVE-2021-40978/issues/1

• nisdn/CVE-2021-40978

CVE-2021-41073 (2021-09-19)

loop_rw_iter in fs/io_uring.c in the Linux kernel 5.10 through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.

• chompie1337/Linux_LPE_io_uring_CVE-2021-41073

CVE-2021-41074

• dillonkirsch/CVE-2021-41074

CVE-2021-41078 (2021-10-26)

Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.

• s-index/CVE-2021-41078

CVE-2021-41081 (2021-11-11)

Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a configuration search.

• sudaiv/CVE-2021-41081

CVE-2021-41091 (2021-10-04)

Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically /var/lib/docker) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers.

• UncleJ4ck/CVE-2021-41091
• jrbH4CK/CVE-2021-41091
• SNE-M23-SN/Vulnerable-Docker-Engine

CVE-2021-41117 (2021-10-11)

keypair is a a RSA PEM key generator written in javascript. keypair implements a lot of cryptographic primitives on its own or by borrowing from other libraries where possible, including node-forge. An issue was discovered where this library was generating identical RSA keys used in SSH. This would mean that the library is generating identical P, Q (and thus N) values which, in practical terms, is impossible with RSA-2048 keys. Generating identical values, repeatedly, usually indicates an issue with poor random number generation, or, poor handling of CSPRNG output. Issue 1: Poor random number generation (GHSL-2021-1012). The library does not rely entirely on a platform provided CSPRNG, rather, it uses it's own counter-based CMAC approach. Where things go wrong is seeding the CMAC implementation with "true" random data in the function defaultSeedFile. In order to seed the AES-CMAC generator, the library will take two different approaches depending on the JavaScript execution environment. In a browser, the library will use window.crypto.getRandomValues(). However, in a nodeJS execution environment, the window object is not defined, so it goes down a much less secure solution, also of which has a bug in it. It does look like the library tries to use node's CSPRNG when possible unfortunately, it looks like the crypto object is null because a variable was declared with the same name, and set to null. So the node CSPRNG path is never taken. However, when window.crypto.getRandomValues() is not available, a Lehmer LCG random number generator is used to seed the CMAC counter, and the LCG is seeded with Math.random. While this is poor and would likely qualify in a security bug in itself, it does not explain the extreme frequency in which duplicate keys occur. The main flaw: The output from the Lehmer LCG is encoded incorrectly. The specific [line][https://github.com/juliangruber/keypair/blob/87c62f255baa12c1ec4f98a91600f82af80be6db/index.js#L1008] with the flaw is: b.putByte(String.fromCharCode(next & 0xFF)) The definition of putByte is util.ByteBuffer.prototype.putByte = function(b) {this.data += String.fromCharCode(b);};. Simplified, this is String.fromCharCode(String.fromCharCode(next & 0xFF)). The double String.fromCharCode is almost certainly unintentional and the source of weak seeding. Unfortunately, this does not result in an error. Rather, it results most of the buffer containing zeros. Since we are masking with 0xFF, we can determine that 97% of the output from the LCG are converted to zeros. The only outputs that result in meaningful values are outputs 48 through 57, inclusive. The impact is that each byte in the RNG seed has a 97% chance of being 0 due to incorrect conversion. When it is not, the bytes are 0 through 9. In summary, there are three immediate concerns: 1. The library has an insecure random number fallback path. Ideally the library would require a strong CSPRNG instead of attempting to use a LCG and Math.random. 2. The library does not correctly use a strong random number generator when run in NodeJS, even though a strong CSPRNG is available. 3. The fallback path has an issue in the implementation where a majority of the seed data is going to effectively be zero. Due to the poor random number generation, keypair generates RSA keys that are relatively easy to guess. This could enable an attacker to decrypt confidential messages or gain authorized access to an account belonging to the victim.

• badkeys/keypairvuln

CVE-2021-41160 (2021-10-21)

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server might trigger out of bound writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send 0 width/height or out of bound rectangles to trigger out of bound writes. With 0 width or heigth the memory allocation will be 0 but the missing bounds checks allow writing to the pointer at this (not allocated) region. This issue has been patched in FreeRDP 2.4.1.

• Jajangjaman/CVE-2021-41160

CVE-2021-41182 (2021-10-26)

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.

• aredspy/CVE-2021-41182
• aredspy/CVE-2021-41182-Tester

CVE-2021-41184 (2021-10-26)

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.

• gabrielolivra/Exploit-Medium-CVE-2021-41184

CVE-2021-41277 (2021-11-17)

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (admin->settings->maps->custom maps->add a map) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.

• Seals6/CVE-2021-41277
• tahtaciburak/CVE-2021-41277
• Henry4E36/Metabase-cve-2021-41277
• kap1ush0n/CVE-2021-41277
• z3n70/CVE-2021-41277
• kaizensecurity/CVE-2021-41277
• Vulnmachines/Metabase_CVE-2021-41277
• TheLastVvV/CVE-2021-41277
• zer0yu/CVE-2021-41277
• frknktlca/Metabase_Nmap_Script
• chengling-ing/CVE-2021-41277
• RubXkuB/PoC-Metabase-CVE-2021-41277

CVE-2021-41338 (2021-10-13)

Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability

• Mario-Kart-Felix/firewall-cve

CVE-2021-41349 (2021-11-10)

Microsoft Exchange Server Spoofing Vulnerability

• 0xrobiul/CVE-2021-41349

CVE-2021-41351 (2021-11-10)

Microsoft Edge (Chrome based) Spoofing on IE Mode

• JaneMandy/CVE-2021-41351-POC

CVE-2021-41381 (2021-09-23)

Payara Micro Community 5.2021.6 and below allows Directory Traversal.

• Net-hunter121/CVE-2021-41381

CVE-2021-41511 (2021-10-04)

The username and password field of login in Lodging Reservation Management System V1 can give access to any user by using SQL injection to bypass authentication.

• vidvansh/CVE-2021-41511

CVE-2021-41560 (2021-12-15)

OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUtility.php.

• Nickguitar/RevCAT

CVE-2021-41643 (2021-10-29)

Remote Code Execution (RCE) vulnerability exists in Sourcecodester Church Management System 1.0 via the image upload field.

• hax3xploit/CVE-2021-41643

CVE-2021-41644 (2021-10-29)

Remote Code Exection (RCE) vulnerability exists in Sourcecodester Online Food Ordering System 2.0 via a maliciously crafted PHP file that bypasses the image upload filters.

• hax3xploit/CVE-2021-41644

CVE-2021-41645 (2021-10-29)

Remote Code Execution (RCE) vulnerability exists in Sourcecodester Budget and Expense Tracker System 1.0 that allows a remote malicious user to inject arbitrary code via the image upload field. .

• hax3xploit/CVE-2021-41645

CVE-2021-41646 (2021-10-29)

Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters..

• hax3xploit/CVE-2021-41646

CVE-2021-41647 (2021-10-01)

An un-authenticated error-based and time-based blind SQL injection vulnerability exists in Kaushik Jadhav Online Food Ordering Web App 1.0. An attacker can exploit the vulnerable "username" parameter in login.php and retrieve sensitive database information, as well as add an administrative user.

• MobiusBinary/CVE-2021-41647

CVE-2021-41648 (2021-10-01)

An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /action.php prId parameter. Using a post request does not sanitize the user input.

• MobiusBinary/CVE-2021-41648

CVE-2021-41649 (2021-10-01)

An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.

• MobiusBinary/CVE-2021-41649

CVE-2021-41651 (2021-10-04)

A blind SQL injection vulnerability exists in the Raymart DG / Ahmed Helal Hotel-mgmt-system. A malicious attacker can retrieve sensitive database information and interact with the database using the vulnerable cid parameter in process_update_profile.php.

• MobiusBinary/CVE-2021-41651

CVE-2021-41653 (2021-11-13)

The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.

• likeww/CVE-2021-41653

CVE-2021-41703

• Yanoro/CVE-2021-41703

CVE-2021-41730

• yezeting/CVE-2021-41730

CVE-2021-41773 (2021-10-05)

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

• Vulnmachines/cve-2021-41773
• numanturle/CVE-2021-41773
• knqyf263/CVE-2021-41773
• ZephrFish/CVE-2021-41773-PoC
• iilegacyyii/PoC-CVE-2021-41773
• masahiro331/CVE-2021-41773
• j4k0m/CVE-2021-41773
• TishcaTpx/POC-CVE-2021-41773
• lorddemon/CVE-2021-41773-PoC
• Ls4ss/CVE-2021-41773_CVE-2021-42013
• itsecurityco/CVE-2021-41773
• habibiefaried/CVE-2021-41773-PoC
• creadpag/CVE-2021-41773-POC
• TAI-REx/cve-2021-41773-nse
• blasty/CVE-2021-41773
• PentesterGuruji/CVE-2021-41773
• jbovet/CVE-2021-41773
• mohwahyudi/cve-2021-41773
• 1nhann/CVE-2021-41773
• ranggaggngntt/CVE-2021-41773
• BlueTeamSteve/CVE-2021-41773
• Zeop-CyberSec/apache_normalize_path
• r00tVen0m/CVE-2021-41773
• n3k00n3/CVE-2021-41773
• fnatalucci/CVE-2021-41773-RCE
• AssassinUKG/CVE-2021-41773
• jheeree/Simple-CVE-2021-41773-checker
• orangmuda/CVE-2021-41773
• HightechSec/scarce-apache2
• vinhjaxt/CVE-2021-41773-exploit
• sixpacksecurity/CVE-2021-41773
• Hattan515/POC-CVE-2021-41773
• twseptian/cve-2021-41773
• noflowpls/CVE-2021-41773
• McSl0vv/CVE-2021-41773
• shiomiyan/CVE-2021-41773
• justakazh/mass_cve-2021-41773
• shellreaper/CVE-2021-41773
• 0xRar/CVE-2021-41773
• pisut4152/Sigma-Rule-for-CVE-2021-41773-and-CVE-2021-42013-exploitation-attempt
• corelight/CVE-2021-41773
• zeronine9/CVE-2021-41773
• b1tsec/CVE-2021-41773
• superzerosec/CVE-2021-41773
• im-hanzou/apachrot
• inbug-team/CVE-2021-41773_CVE-2021-42013
• 5gstudent/cve-2021-41773-and-cve-2021-42013
• EagleTube/CVE-2021-41773
• apapedulimu/Apachuk
• scarmandef/CVE-2021-41773
• ksanchezcld/httpd-2.4.49
• MrCl0wnLab/SimplesApachePathTraversal
• theLSA/apache-httpd-path-traversal-checker
• LudovicPatho/CVE-2021-41773
• lopqto/CVE-2021-41773_Honeypot
• zerodaywolf/CVE-2021-41773_42013
• LayarKacaSiber/CVE-2021-41773
• BabyTeam1024/CVE-2021-41773
• walnutsecurity/cve-2021-41773
• TheLastVvV/CVE-2021-41773
• MazX0p/CVE-2021-41773
• vida003/Scanner-CVE-2021-41773
• mr-exo/CVE-2021-41773
• wolf1892/CVE-2021-41773
• Hydragyrum/CVE-2021-41773-Playground
• IcmpOff/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution-Exploit
• pirenga/CVE-2021-41773
• kubota/POC-CVE-2021-41773
• xMohamed0/CVE-2021-41773
• i6c/MASS_CVE-2021-41773
• m96dg/CVE-2021-41773-exercise
• skentagon/CVE-2021-41773
• mauricelambert/CVE-2021-41773
• thehackersbrain/CVE-2021-41773
• honypot/CVE-2021-41773
• Fa1c0n35/CVE-2021-41773
• puckiestyle/CVE-2021-41773
• zer0qs/CVE-2021-41773
• DoTuan1/Reserch-CVE-2021-41773
• bernardas/netsec-polygon
• CalfCrusher/Path-traversal-RCE-Apache-2.4.49-2.4.50-Exploit
• vuongnv3389-sec/cve-2021-41773
• Chocapikk/CVE-2021-41773
• wangfly-me/Apache_Penetration_Tool
• anldori/CVE-2021-41773-Scanner
• iosifache/ApacheRCEEssay
• Habib0x0/CVE-2021-41773
• pwn3z/CVE-2021-41773-Apache-RCE
• EkamSinghWalia/Mitigation-Apache-CVE-2021-41773-
• Plunder283/CVE-2021-41773
• mightysai1997/cve-2021-41773
• mightysai1997/CVE-2021-41773h
• mightysai1997/cve-2021-41773-v-
• mightysai1997/CVE-2021-41773-i-
• mightysai1997/CVE-2021-41773-L-
• mightysai1997/CVE-2021-41773-PoC
• mightysai1997/CVE-2021-41773.git1
• mightysai1997/CVE-2021-41773m
• mightysai1997/CVE-2021-41773S
• dileepdkumar/LayarKacaSiber-CVE-2021-41773
• aqiao-jashell/CVE-2021-41773
• aqiao-jashell/py-CVE-2021-41773
• 12345qwert123456/CVE-2021-41773
• blackn0te/Apache-HTTP-Server-2.4.49-2.4.50-Path-Traversal-Remote-Code-Execution
• TheKernelPanic/exploit-apache2-cve-2021-41773
• retrymp3/apache2.4.49VulnerableLabSetup
• MatanelGordon/docker-cve-2021-41773
• 0xGabe/Apache-CVEs
• OfriOuzan/CVE-2021-41773_CVE-2021-42013_Exploits
• belajarqywok/CVE-2021-41773-MSF
• Iris288/CVE-2021-41773
• Maybe4a6f7365/CVE-2021-41773
• Zyx2440/Apache-HTTP-Server-2.4.50-RCE
• 0xc4t/CVE-2021-41773
• jkska23/Additive-Vulnerability-Analysis-CVE-2021-41773
• redspy-sec/CVE-2021-41773
• FakesiteSecurity/CVE-2021-41773
• Taldrid1/cve-2021-41773

CVE-2021-41784 (2022-08-29)

Foxit PDF Reader before 11.1 and PDF Editor before 11.1, and PhantomPDF before 10.1.6, allow attackers to trigger a use-after-free and execute arbitrary code because JavaScript is mishandled.

• Jeromeyoung/CVE-2021-41784

CVE-2021-41805 (2021-12-12)

HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.

• blackm4c/CVE-2021-41805

CVE-2021-41822

• badboycxcc/CVE-2021-41822

CVE-2021-41946 (2022-05-18)

In FiberHome VDSL2 Modem HG150-Ub_V3.0, a stored cross-site scripting (XSS) vulnerability in Parental Control --> Access Time Restriction --> Username field, a user cannot delete the rule due to the XSS.

• afaq1337/CVE-2021-41946

CVE-2021-41962 (2021-12-16)

Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the Owner fullname parameter in a Send Service Request in vehicle_service.

• lohyt/-CVE-2021-41962

CVE-2021-42008 (2021-10-04)

The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel before 5.13.13 has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access.

• numanturle/CVE-2021-42008
• 0xdevil/CVE-2021-42008

CVE-2021-42013 (2021-10-07)

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

• andrea-mattioli/apache-exploit-CVE-2021-42013
• Vulnmachines/cve-2021-42013
• twseptian/cve-2021-42013-docker-lab
• LayarKacaSiber/CVE-2021-42013
• TheLastVvV/CVE-2021-42013
• TheLastVvV/CVE-2021-42013_Reverse-Shell
• walnutsecurity/cve-2021-42013
• robotsense1337/CVE-2021-42013
• xMohamed0/CVE-2021-42013-ApacheRCE
• asaotomo/CVE-2021-42013-Apache-RCE-Poc-Exp
• jas9reet/CVE-2021-42013-LAB
• mauricelambert/CVE-2021-42013
• honypot/CVE-2021-42013
• hadrian3689/apache_2.4.50
• viliuspovilaika/cve-2021-42013
• mightysai1997/cve-2021-42013
• mightysai1997/cve-2021-42013L
• mightysai1997/cve-2021-42013.get
• 12345qwert123456/CVE-2021-42013
• cybfar/cve-2021-42013-httpd
• vudala/CVE-2021-42013
• Hamesawian/CVE-2021-42013
• K3ysTr0K3R/CVE-2021-42013-EXPLOIT
• BassoNicolas/CVE-2021-42013
• rafifdna/CVE-2021-42013
• dream434/cve-2021-42013-apache
• bananoname/cve-2021-42013

CVE-2021-42056 (2022-06-24)

Thales Safenet Authentication Client (SAC) for Linux and Windows through 10.7.7 creates insecure temporary hid and lock files allowing a local attacker, through a symlink attack, to overwrite arbitrary files, and potentially achieve arbitrary command execution with high privileges.

• z00z00z00/Safenet_SAC_CVE-2021-42056

CVE-2021-42063 (2021-12-14)

A security vulnerability has been discovered in the SAP Knowledge Warehouse - versions 7.30, 7.31, 7.40, 7.50. The usage of one SAP KW component within a Web browser enables unauthorized attackers to conduct XSS attacks, which might lead to disclose sensitive data.

• Cappricio-Securities/CVE-2021-42063

CVE-2021-42071 (2021-10-07)

In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header.

• adubaldo/CVE-2021-42071

CVE-2021-42171 (2022-03-14)

Zenario CMS 9.0.54156 is vulnerable to File Upload. The web server can be compromised by uploading and executing a web-shell which can run commands, browse system files, browse local resources, attack other servers, and exploit the local vulnerabilities, and so forth.

• minhnq22/CVE-2021-42171

CVE-2021-42183 (2022-05-05)

MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/.

• 0xRaw/CVE-2021-42183

CVE-2021-42205 (2022-11-07)

ELAN Miniport touchpad Windows driver before 24.21.51.2, as used in PC hardware from multiple manufacturers, allows local users to cause a system crash by sending a certain IOCTL request, because that request is handled twice.

• gmh5225/CVE-2021-42205

CVE-2021-42230 (2022-04-15)

Seowon 130-SLC router all versions as of 2021-09-15 is vulnerable to Remote Code Execution via the queriesCnt parameter.

• TAPESH-TEAM/CVE-2021-42230-Seowon-130-SLC-router-queriesCnt-Remote-Code-Execution-Unauthenticated

CVE-2021-42237 (2021-11-05)

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

• ItsIgnacioPortal/CVE-2021-42237
• vesperp/CVE-2021-42237-SiteCore-XP
• crankyyash/SiteCore-RCE-Detection

CVE-2021-42260 (2021-10-11)

TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service.

• vm2mv/tinyxml

CVE-2021-42261 (2021-10-19)

Revisor Video Management System (VMS) before 2.0.0 has a directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are outside of restricted directory on the remote server. This could lead to the disclosure of sensitive data on the vulnerable server.

• jet-pentest/CVE-2021-42261

CVE-2021-42278 (2021-11-10)

Active Directory Domain Services Elevation of Privilege Vulnerability

• safebuffer/sam-the-admin
• Ridter/noPac
• waterrr/noPac
• ly4k/Pachine
• cybersecurityworks553/noPac-detection

CVE-2021-42287 (2021-11-10)

Active Directory Domain Services Elevation of Privilege Vulnerability

• cube0x0/noPac
• ricardojba/Invoke-noPac
• knightswd/NoPacScan
• XiaoliChan/Invoke-sAMSpoofing
• TryA9ain/noPac

CVE-2021-42292 (2021-11-10)

Microsoft Excel Security Feature Bypass Vulnerability

• corelight/CVE-2021-42292

CVE-2021-42321 (2021-11-10)

Microsoft Exchange Server Remote Code Execution Vulnerability

• DarkSprings/CVE-2021-42321
• xnyuq/cve-2021-42321
• 7BitsTeam/exch_CVE-2021-42321

CVE-2021-42325 (2021-10-12)

Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.

• AK-blank/CVE-2021-42325-

CVE-2021-42327 (2021-10-21)

dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c in the Linux kernel through 5.14.14 allows a heap-based buffer overflow by an attacker who can write a string to the AMD GPU display drivers debug filesystem. There are no checks on size within parse_write_buffer_into_params when it uses the size of copy_from_user to copy a userspace buffer into a 40-byte heap buffer.

• docfate111/CVE-2021-42327

CVE-2021-42342 (2021-10-14)

An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the file upload filter, user form variables can be passed to CGI scripts without being prefixed with the CGI prefix. This permits tunneling untrusted environment variables into vulnerable CGI scripts.

• kimusan/goahead-webserver-pre-5.1.5-RCE-PoC-CVE-2021-42342-
• ijh4723/-zeroboo-Gohead-CVE-2021-42342-1

CVE-2021-42362 (2021-11-17)

The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.

• simonecris/CVE-2021-42362-PoC

CVE-2021-42392 (2022-01-07)

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.

• cybersecurityworks553/CVE-2021-42392-Detect

CVE-2021-42558 (2022-01-12)

An issue was discovered in CALDERA 2.8.1. It contains multiple reflected, stored, and self XSS vulnerabilities that may be exploited by authenticated and unauthenticated attackers.

• mbadanoiu/CVE-2021-42558

CVE-2021-42559 (2022-01-12)

An issue was discovered in CALDERA 2.8.1. It contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted.

• mbadanoiu/CVE-2021-42559

CVE-2021-42560 (2022-01-12)

An issue was discovered in CALDERA 2.9.0. The Debrief plugin receives base64 encoded "SVG" parameters when generating a PDF document. These SVG documents are parsed in an unsafe manner and can be leveraged for XXE attacks (e.g., File Exfiltration, Server Side Request Forgery, Out of Band Exfiltration, etc.).

• mbadanoiu/CVE-2021-42560

CVE-2021-42561 (2022-01-12)

An issue was discovered in CALDERA 2.8.1. When activated, the Human plugin passes the unsanitized name parameter to a python "os.system" function. This allows attackers to use shell metacharacters (e.g., backticks "``" or dollar parenthesis "$()" ) in order to escape the current command and execute arbitrary shell commands.

• mbadanoiu/CVE-2021-42561

CVE-2021-42562 (2022-01-12)

An issue was discovered in CALDERA 2.8.1. It does not properly segregate user privileges, resulting in non-admin users having access to read and modify configuration or other components that should only be accessible by admin users.

• mbadanoiu/CVE-2021-42562

CVE-2021-42574 (2021-11-01)

An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.

• shiomiyan/CVE-2021-42574
• hffaust/CVE-2021-42574_and_CVE-2021-42694
• simplylu/CVE-2021-42574
• maweil/bidi_char_detector
• pierDipi/unicode-control-characters-action
• waseeld/CVE-2021-42574
• tin-z/solidity_CVE-2021-42574-POC

CVE-2021-42662 (2021-11-05)

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the Holiday reason parameter. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more.

• 0xDeku/CVE-2021-42662

CVE-2021-42663 (2021-11-05)

An HTML injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user clicks on a given link he will display the content of the HTML code of the attacker's choice.

• 0xDeku/CVE-2021-42663

CVE-2021-42664 (2021-11-05)

A Stored Cross Site Scripting (XSS) Vulneraibiilty exists in Sourcecodester Engineers Online Portal in PHP via the (1) Quiz title and (2) quiz description parameters to add_quiz.php. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more.

• 0xDeku/CVE-2021-42664

CVE-2021-42665 (2021-11-05)

An SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the login form inside of index.php, which can allow an attacker to bypass authentication.

• 0xDeku/CVE-2021-42665

CVE-2021-42666 (2021-11-05)

A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to quiz_question.php, which could let a malicious user extract sensitive data from the web server and in some cases use this vulnerability in order to get a remote code execution on the remote web server.

• 0xDeku/CVE-2021-42666

CVE-2021-42667 (2021-11-05)

A SQL Injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP in event-management/views. An attacker can leverage this vulnerability in order to manipulate the sql query performed. As a result he can extract sensitive data from the web server and in some cases he can use this vulnerability in order to get a remote code execution on the remote web server.

• 0xDeku/CVE-2021-42667

CVE-2021-42668 (2021-11-05)

A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter in the my_classmates.php web page.. As a result, an attacker can extract sensitive data from the web server and in some cases can use this vulnerability in order to get a remote code execution on the remote web server.

• 0xDeku/CVE-2021-42668

CVE-2021-42669 (2021-11-05)

A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboard_teacher.php, which allows changing the avatar through teacher_avatar.php. Once an avatar gets uploaded it is getting uploaded to the /admin/uploads/ directory, and is accessible by all users. By uploading a php webshell containing "<?php system($_GET["cmd"]); ?>" the attacker can execute commands on the web server with - /admin/uploads/php-webshell?cmd=id.

• 0xDeku/CVE-2021-42669

CVE-2021-42670 (2021-11-05)

A SQL injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to the announcements_student.php web page. As a result a malicious user can extract sensitive data from the web server and in some cases use this vulnerability in order to get a remote code execution on the remote web server.

• 0xDeku/CVE-2021-42670

CVE-2021-42671 (2021-11-05)

An incorrect access control vulnerability exists in Sourcecodester Engineers Online Portal in PHP in nia_munoz_monitoring_system/admin/uploads. An attacker can leverage this vulnerability in order to bypass access controls and access all the files uploaded to the web server without the need of authentication or authorization.

• 0xDeku/CVE-2021-42671

CVE-2021-42694 (2021-11-01)

An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms.

• simplylu/CVE-2021-42694

CVE-2021-42697 (2021-11-02)

Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.

• cxosmo/CVE-2021-42697

CVE-2021-42717 (2021-12-07)

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

• EkamSinghWalia/Detection-and-Mitigation-script-for-CVE-2021-42717

CVE-2021-42756 (2023-02-16)

Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the proxy daemon of FortiWeb 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, 6.4 all versions may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests.

• 3ndorph1n/CVE-2021-42756

CVE-2021-42835 (2021-12-08)

An issue was discovered in Plex Media Server through 1.24.4.5081-e362dc1ee. An attacker (with a foothold in a endpoint via a low-privileged user account) can access the exposed RPC service of the update service component. This RPC functionality allows the attacker to interact with the RPC functionality and execute code from a path of his choice (local, or remote via SMB) because of a TOCTOU race condition. This code execution is in the context of the Plex update service (which runs as SYSTEM).

• netanelc305/PlEXcalaison

CVE-2021-42913 (2021-12-20)

The SyncThru Web Service on Samsung SCX-6x55X printers allows an attacker to gain access to a list of SMB users and cleartext passwords by reading the HTML source code. Authentication is not required.

• kernel-cyber/CVE-2021-42913

CVE-2021-42948 (2022-09-16)

HotelDruid Hotel Management Software v3.0.3 and below was discovered to have exposed session tokens in multiple links via GET parameters, allowing attackers to access user session id's.

• dhammon/HotelDruid-CVE-2021-42948

CVE-2021-42949 (2022-09-16)

The component controlla_login function in HotelDruid Hotel Management Software v3.0.3 generates a predictable session token, allowing attackers to bypass authentication via bruteforce attacks.

• dhammon/HotelDruid-CVE-2021-42949

CVE-2021-43008 (2022-04-05)

Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.

• p0dalirius/CVE-2021-43008-AdminerRead

CVE-2021-43032 (2021-11-03)

In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side.

• SakuraSamuraii/CVE-2021-43032

CVE-2021-43129 (2022-04-19)

A bypass exists for Desire2Learn/D2L Brightspace’s “Disable Right Click” option in the quizzing feature, which allows a quiz-taker to access print and copy functionality via the browser’s right click menu even when “Disable Right Click” is enabled on the quiz.

• Skotizo/CVE-2021-43129

CVE-2021-43141 (2021-11-03)

Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application.

• Jeromeyoung/CVE-2021-43141

CVE-2021-43217 (2021-12-15)

Windows Encrypting File System (EFS) Remote Code Execution Vulnerability

• JolynNgSC/EFS_CVE-2021-43217

CVE-2021-43224 (2021-12-15)

Windows Common Log File System Driver Information Disclosure Vulnerability

• KaLendsi/CVE-2021-43224-POC

CVE-2021-43226 (2021-12-15)

Windows Common Log File System Driver Elevation of Privilege Vulnerability

• Rosayxy/cve-2021-43226PoC

CVE-2021-43229 (2021-12-15)

Windows NTFS Elevation of Privilege Vulnerability

• Citizen13X/CVE-2021-43229

CVE-2021-43258 (2022-11-23)

CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access tot he ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder where it can be accessed with a GET request. There are no limitations on files that can be attached, allowing for malicious PHP code to be uploaded and interpreted by the server.

• MRvirusIR/CVE-2021-43258

CVE-2021-43267 (2021-11-02)

An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.

• DarkSprings/CVE-2021-43267-POC
• zzhacked/CVE-2021-43267

CVE-2021-43287 (2022-04-14)

An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers.

• Wrin9/CVE-2021-43287

CVE-2021-43297 (2022-01-10)

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

• bitterzzZZ/CVE-2021-43297-POC
• longofo/Apache-Dubbo-Hessian2-CVE-2021-43297

CVE-2021-43326 (2021-12-15)

Automox Agent before 32 on Windows incorrectly sets permissions on a temporary directory.

• gfoss/CVE-2021-43326_Exploit

CVE-2021-43408 (2021-11-19)

The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. SQL injection vulnerabilities occur when client supplied data is included within an SQL Query insecurely. SQL Injection can typically be exploited to read, modify and delete SQL table data. In many cases it also possible to exploit features of SQL server to execute system commands and/or access the local file system. This particular vulnerability can be exploited by any authenticated user who has been granted access to use the Duplicate Post plugin. By default, this is limited to Administrators, however the plugin presents the option to permit access to the Editor, Author, Contributor and Subscriber roles.

• tuannq2299/CVE-2021-43408

CVE-2021-43469 (2021-12-06)

VINGA WR-N300U 77.102.1.4853 is affected by a command execution vulnerability in the goahead component.

• badboycxcc/CVE-2021-43469

CVE-2021-43471 (2021-12-06)

In Canon LBP223 printers, the System Manager Mode login does not require an account password or PIN. An attacker can remotely shut down the device after entering the background, creating a denial of service vulnerability.

• cxaqhq/CVE-2021-43471

CVE-2021-43503

• guoyanan1g/Laravel-vul
• kang8/CVE-2021-43503

CVE-2021-43515 (2022-04-08)

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in creating new timesheet in Kimai. By filling the Description field with malicious payload, it will be mistreated while exporting to a CSV file.

• ixSly/CVE-2021-43515

CVE-2021-43530 (2021-12-08)

A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code. This bug only affects Firefox for Android. Other operating systems are unaffected.. This vulnerability affects Firefox < 94.

• hfh86/CVE-2021-43530-UXSS-On-QRcode-Reader-

CVE-2021-43557 (2021-11-22)

The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like //internal/ can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer's custom plugin.

• xvnpw/k8s-CVE-2021-43557-poc

CVE-2021-43609 (2023-11-08)

An issue was discovered in Spiceworks Help Desk Server before 1.3.3. A Blind Boolean SQL injection vulnerability within the order_by_for_ticket function in app/models/reporting/database_query.rb allows an authenticated attacker to execute arbitrary SQL commands via the sort parameter. This can be leveraged to leak local files from the host system, leading to remote code execution (RCE) through deserialization of malicious data.

• d5sec/CVE-2021-43609-POC

CVE-2021-43616 (2021-11-13)

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies. The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI.

• icatalina/CVE-2021-43616

CVE-2021-43617 (2021-11-14)

Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.

• kombat1/CVE-2021-43617
• aweiiy/CVE-2021-43617
• Sybelle03/CVE-2021-43617

CVE-2021-43650 (2022-03-22)

WebRun 3.6.0.42 is vulnerable to SQL Injection via the P_0 parameter used to set the username during the login process.

• OpenXP-Research/CVE-2021-43650

CVE-2021-43657 (2022-12-22)

A Stored Cross-site scripting (XSS) vulnerability via MAster.php in Sourcecodetester Simple Client Management System (SCMS) 1.0 allows remote attackers to inject arbitrary web script or HTML via the vulnerable input fields.

• c0n5n3d/CVE-2021-43657

CVE-2021-43778 (2021-11-24)

Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the front/send.php file.

• AK-blank/CVE-2021-43778

CVE-2021-43789 (2021-12-07)

PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with orderBy and sortOrder parameters. The problem is fixed in version 1.7.8.2.

• numanturle/CVE-2021-43789

CVE-2021-43798 (2021-12-07)

Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: <grafana_host_url>/public/plugins//, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.

• taythebot/CVE-2021-43798
• zer0yu/CVE-2021-43798
• jas502n/Grafana-CVE-2021-43798
• ScorpionsMAX/CVE-2021-43798-Grafana-POC
• Mr-xn/CVE-2021-43798
• asaotomo/CVE-2021-43798-Grafana-Exp
• A-D-Team/grafanaExp
• kenuosec/grafanaExp
• M0ge/CVE-2021-43798-grafana_fileread
• JiuBanSec/Grafana-CVE-2021-43798
• lfz97/CVE-2021-43798-Grafana-File-Read
• s1gh/CVE-2021-43798
• z3n70/CVE-2021-43798
• Mo0ns/Grafana_POC-CVE-2021-43798
• fanygit/Grafana-CVE-2021-43798Exp
• LongWayHomie/CVE-2021-43798
• pedrohavay/exploit-grafana-CVE-2021-43798
• gixxyboy/CVE-2021-43798
• Ryze-T/CVE-2021-43798
• k3rwin/CVE-2021-43798-Grafana
• gps1949/CVE-2021-43798
• halencarjunior/grafana-CVE-2021-43798
• aymenbouferroum/CVE-2021-43798_exploit
• Jroo1053/GrafanaDirInclusion
• yasindce1998/grafana-cve-2021-43798
• hupe1980/CVE-2021-43798
• G01d3nW01f/CVE-2021-43798
• mauricelambert/LabAutomationCVE-2021-43798
• FAOG99/GrafanaDirectoryScanner
• victorhorowitz/grafana-exploit-CVE-2021-43798
• katseyres2/CVE-2021-43798
• Iris288/CVE-2021-43798
• wagneralves/CVE-2021-43798
• K3ysTr0K3R/CVE-2021-43798-EXPLOIT
• ticofookfook/CVE-2021-43798
• topyagyuu/CVE-2021-43798
• MalekAlthubiany/CVE-2021-43798
• Sic4rio/Grafana-Decryptor-for-CVE-2021-43798
• 0xSAZZAD/Grafana-CVE-2021-43798
• wezoomagency/GrafXploit

CVE-2021-43799 (2022-01-25)

Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this includes port 25672, the RabbitMQ distribution port, which is used as a management port. RabbitMQ's default "cookie" which protects this port is generated using a weak PRNG, which limits the entropy of the password to at most 36 bits; in practicality, the seed for the randomizer is biased, resulting in approximately 20 bits of entropy. If other firewalls (at the OS or network level) do not protect port 25672, a remote attacker can brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary execution of code as the rabbitmq user. They can also read all data which is sent through RabbitMQ, which includes all message traffic sent by users. Version 4.9 contains a patch for this vulnerability. As a workaround, ensure that firewalls prevent access to ports 5672 and 25672 from outside the Zulip server.

• scopion/CVE-2021-43799

CVE-2021-43811 (2021-12-08)

Sockeye is an open-source sequence-to-sequence framework for Neural Machine Translation built on PyTorch. Sockeye uses YAML to store model and data configurations on disk. Versions below 2.3.24 use unsafe YAML loading, which can be made to execute arbitrary code embedded in config files. An attacker can add malicious code to the config file of a trained model and attempt to convince users to download and run it. If users run the model, the embedded code will run locally. The issue is fixed in version 2.3.24.

• s-index/CVE-2021-43811

CVE-2021-43821 (2021-12-14)

Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast before version 9.10 or 10.6 allows references to local file URLs in ingested media packages, allowing attackers to include local files from Opencast's host machines and making them available via the web interface. Before Opencast 9.10 and 10.6, Opencast would open and include local files during ingests. Attackers could exploit this to include most local files the process has read access to, extracting secrets from the host machine. An attacker would need to have the privileges required to add new media to exploit this. But these are often widely given. The issue has been fixed in Opencast 10.6 and 11.0. You can mitigate this issue by narrowing down the read access Opencast has to files on the file system using UNIX permissions or mandatory access control systems like SELinux. This cannot prevent access to files Opencast needs to read though and we highly recommend updating.

• Jackey0/opencast-CVE-2021-43821-env

CVE-2021-43848 (2022-02-01)

h2o is an open source http server. In code prior to the 8c0eca3 commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o. This internal state includes traffic of other connections in unencrypted form and TLS session tickets. This vulnerability exists in h2o server with HTTP/3 support, between commit 93af138 and d1f0f65. None of the released versions of h2o are affected by this vulnerability. There are no known workarounds. Users of unreleased versions of h2o using HTTP/3 are advised to upgrade immediately.

• neex/hui2ochko

CVE-2021-43857 (2021-12-27)

Gerapy is a distributed crawler management framework. Gerapy prior to version 0.9.8 is vulnerable to remote code execution, and this issue is patched in version 0.9.8.

• lowkey0808/CVE-2021-43857

CVE-2021-43858 (2021-12-27)

MinIO is a Kubernetes native application for cloud storage. Prior to version RELEASE.2021-12-27T07-23-18Z, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version RELEASE.2021-12-27T07-23-18Z changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding an explicit Deny rule to disable the API for users.

• khuntor/CVE-2021-43858-MinIO

CVE-2021-43883 (2021-12-15)

Windows Installer Elevation of Privilege Vulnerability

• jbaines-r7/shakeitoff

CVE-2021-43891 (2021-12-15)

Visual Studio Code Remote Code Execution Vulnerability

• parsiya/code-wsl-rce

CVE-2021-43893 (2021-12-15)

Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability

• jbaines-r7/blankspace

CVE-2021-43908 (2021-12-15)

Visual Studio Code Spoofing Vulnerability

• Sudistark/vscode-rce-electrovolt

CVE-2021-43936 (2021-12-06)

The software allows the attacker to upload or transfer files of dangerous types to the WebHMI portal, that may be automatically processed within the product's environment or lead to arbitrary code execution.

• LongWayHomie/CVE-2021-43936

CVE-2021-44026 (2021-11-19)

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.

• pentesttoolscom/roundcube-cve-2021-44026

CVE-2021-44077 (2021-11-29)

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

• horizon3ai/CVE-2021-44077
• pizza-power/Golang-CVE-2021-44077-POC

CVE-2021-44103

• paulotrindadec/CVE-2021-44103

CVE-2021-44117 (2022-06-10)

A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4.

• warmachine-57/CVE-2021-44117

CVE-2021-44132 (2022-02-25)

A command injection vulnerability in the function formImportOMCIShell of C-DATA ONU4FERW V2.1.13_X139 allows attackers to execute arbitrary commands via a crafted file.

• exploitwritter/CVE-2021-44132

CVE-2021-44142 (2022-02-21)

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

• hrsman/Samba-CVE-2021-44142
• horizon3ai/CVE-2021-44142
• gudyrmik/CVE-2021-44142

CVE-2021-44168 (2022-01-04)

A download of code without integrity check vulnerability in the "execute restore src-vis" command of FortiOS before 7.0.3 may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.

• 0xhaggis/CVE-2021-44168

CVE-2021-44217 (2022-01-18)

In Ericsson CodeChecker through 6.18.0, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.

• Hyperkopite/CVE-2021-44217

CVE-2021-44228 (2021-12-10)

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

• tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce
• Glease/Healer
• jacobtread/L4J-Vuln-Patch
• jas502n/Log4j2-CVE-2021-44228
• HyCraftHD/Log4J-RCE-Proof-Of-Concept
• boundaryx/cloudrasp-log4j2
• dbgee/CVE-2021-44228
• CreeperHost/Log4jPatcher
• DragonSurvivalEU/RCE
• simonis/Log4jPatch
• zlepper/CVE-2021-44228-Test-Server
• christophetd/log4shell-vulnerable-app
• NorthwaveSecurity/log4jcheck
• nkoneko/VictimApp
• lhotari/pulsar-docker-images-patch-CVE-2021-44228
• 1in9e/Apache-Log4j2-RCE
• KosmX/CVE-2021-44228-example
• greymd/CVE-2021-44228
• mubix/CVE-2021-44228-Log4Shell-Hashes
• OopsieWoopsie/mc-log4j-patcher
• wheez-y/CVE-2021-44228-kusto
• izzyacademy/log4shell-mitigation
• Kadantte/CVE-2021-44228-poc
• takito1812/log4j-detect
• winnpixie/log4noshell
• Azeemering/CVE-2021-44228-DFIR-Notes
• Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
• kozmer/log4j-shell-poc
• alexandreroman/cve-2021-44228-workaround-buildpack
• Adikso/minecraft-log4j-honeypot
• racoon-rac/CVE-2021-44228
• TheArqsz/CVE-2021-44228-PoC
• 1lann/log4shelldetect
• binganao/Log4j2-RCE
• phoswald/sample-ldap-exploit
• rakutentech/jndi-ldap-test-server
• uint0/cve-2021-44228--spring-hibernate
• saharNooby/log4j-vulnerability-patcher-agent
• f0ng/log4j2burpscanner
• M1ngGod/CVE-2021-44228-Log4j-lookup-Rce
• byteboycn/CVE-2021-44228-Apache-Log4j-Rce
• lhotari/log4shell-mitigation-tester
• toramanemre/log4j-rce-detect-waf-bypass
• logpresso/CVE-2021-44228-Scanner
• vorburger/Log4j_CVE-2021-44228
• gauthamg/log4j2021_vul_test
• b-abderrahmane/CVE-2021-44228-playground
• leetxyz/CVE-2021-44228-Advisories
• cado-security/log4shell
• WYSIIWYG/Log4J_0day_RCE
• mkhazamipour/log4j-vulnerable-app-cve-2021-44228-terraform
• Sh0ckFR/log4j-CVE-2021-44228-Public-IoCs
• zzzz0317/log4j2-vulnerable-spring-app
• datadavev/test-44228
• LemonCraftRu/JndiRemover
• zhangxvx/Log4j-Rec-CVE-2021-44228
• darkarnium/Log4j-CVE-Detect
• chilliwebs/CVE-2021-44228_Example
• irgoncalves/f5-waf-enforce-sig-CVE-2021-44228
• jeffbryner/log4j-docker-vaccine
• mergebase/log4j-detector
• unlimitedsola/log4j2-rce-poc
• Jeromeyoung/log4j2burpscanner
• corretto/hotpatch-for-apache-log4j2
• alexandre-lavoie/python-log4rce
• RedDrip7/Log4Shell_CVE-2021-44228_related_attacks_IOCs
• mzlogin/CVE-2021-44228-Demo
• blake-fm/vcenter-log4j
• creamIcec/CVE-2021-44228-Apache-Log4j-Rce__review
• uint0/cve-2021-44228-helpers
• RK800-DEV/apache-log4j-poc
• sud0x00/log4j-CVE-2021-44228
• DiCanio/CVE-2021-44228-docker-example
• myyxl/cve-2021-44228-minecraft-poc
• RrUZi/Awesome-CVE-2021-44228
• future-client/CVE-2021-44228
• CodeShield-Security/Log4JShell-Bytecode-Detector
• Crane-Mocker/log4j-poc
• dtact/divd-2021-00038--log4j-scanner
• kali-dass/CVE-2021-44228-log4Shell
• pravin-pp/log4j2-CVE-2021-44228
• Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228
• urholaukkarinen/docker-log4shell
• ssl/scan4log4j
• infiniroot/nginx-mitigate-log4shell
• lohanichaten/log4j-cve-2021-44228
• authomize/log4j-log4shell-affected
• guardicode/CVE-2021-44228_IoCs
• fireflyingup/log4j-poc
• qingtengyun/cve-2021-44228-qingteng-patch
• nccgroup/log4j-jndi-be-gone
• qingtengyun/cve-2021-44228-qingteng-online-patch
• tasooshi/horrors-log4shell
• Hydragyrum/evil-rmi-server
• twseptian/spring-boot-log4j-cve-2021-44228-docker-lab
• OlafHaalstra/log4jcheck
• Panyaprach/Prove-CVE-2021-44228
• momos1337/Log4j-RCE
• palominoinc/cve-2021-44228-log4j-mitigation
• cyberxml/log4j-poc
• corneacristian/Log4J-CVE-2021-44228-RCE
• Diverto/nse-log4shell
• dotPY-hax/log4py
• sunnyvale-it/CVE-2021-44228-PoC
• maxant/log4j2-CVE-2021-44228
• atnetws/fail2ban-log4j
• kimobu/cve-2021-44228
• ph0lk3r/anti-jndi
• bigsizeme/Log4j-check
• pedrohavay/exploit-CVE-2021-44228
• 0xRyan/log4j-nullroute
• fireeye/CVE-2021-44228
• fullhunt/log4j-scan
• rubo77/log4j_checker_beta
• thecyberneh/Log4j-RCE-Exploiter
• halibobor/log4j2
• sourcegraph/log4j-cve-code-search-resources
• thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832
• helsecert/CVE-2021-44228
• markuman/aws-log4j-mitigations
• tuyenee/Log4shell
• JiuBanSec/Log4j-CVE-2021-44228
• ycdxsb/Log4Shell-CVE-2021-44228-ENV
• avwolferen/Sitecore.Solr-log4j-mitigation
• kek-Sec/log4j-scanner-CVE-2021-44228
• Camphul/log4shell-spring-framework-research
• lov3r/cve-2021-44228-log4j-exploits
• sinakeshmiri/log4jScan
• 0xDexter0us/Log4J-Scanner
• LutziGoz/Log4J_Exploitation-Vulnerabiliy__CVE-2021-44228
• 0xsyr0/Log4Shell
• 1hakusai1/log4j-rce-CVE-2021-44228
• jeffli1024/log4j-rce-test
• zsolt-halo/Log4J-Log4Shell-CVE-2021-44228-Spring-Boot-Test-Service
• manuel-alvarez-alvarez/log4j-cve-2021-44228
• VNYui/CVE-2021-44228
• flxhaas/Scan-CVE-2021-44228
• justakazh/Log4j-CVE-2021-44228
• irgoncalves/f5-waf-quick-patch-cve-2021-44228
• madCdan/JndiLookup
• Koupah/MC-Log4j-Patcher
• AlexandreHeroux/Fix-CVE-2021-44228
• kossatzd/log4j-CVE-2021-44228-test
• tobiasoed/log4j-CVE-2021-44228
• hackinghippo/log4shell_ioc_ips
• p3dr16k/log4j-1.2.15-mod
• claranet/ansible-role-log4shell
• taurusxin/CVE-2021-44228
• corelight/cve-2021-44228
• rodfer0x80/log4j2-prosecutor
• yanghaoi/CVE-2021-44228_Log4Shell
• lfama/log4j_checker
• threatmonit/Log4j-IOCs
• ben-smash/l4j-info
• strawhatasif/log4j-test
• giterlizzi/nmap-log4shell
• tica506/Siem-queries-for-CVE-2021-44228
• chilit-nl/log4shell-example
• Occamsec/log4j-checker
• snatalius/log4j2-CVE-2021-44228-poc-local
• Contrast-Security-OSS/CVE-2021-44228
• back2root/log4shell-rex
• alexbakker/log4shell-tools
• perryflynn/find-log4j
• alpacamybags118/log4j-cve-2021-44228-sample
• sandarenu/log4j2-issue-check
• roticagas/CVE-2021-44228-Demo
• Woahd/log4j-urlscanner
• faisalfs10x/Log4j2-CVE-2021-44228-revshell
• gcmurphy/chk_log4j
• 0xInfection/LogMePwn
• toramanemre/apache-solr-log4j-CVE-2021-44228
• codiobert/log4j-scanner
• cbuschka/log4j2-rce-recap
• andrii-kovalenko-celonis/log4j-vulnerability-demo
• dark-ninja10/Log4j-CVE-2021-44228
• fox-it/log4j-finder
• 34zY/JNDI-Exploit-1.2-log4shell
• didoatanasov/cve-2021-44228
• ReynerGonzalez/Security-Log4J-Tester
• ShaneKingBlog/org.shaneking.demo.cve.y2021.s44228
• wortell/log4j
• municipalparkingservices/CVE-2021-44228-Scanner
• BinaryDefense/log4j-honeypot-flask
• MalwareTech/Log4jTools
• mufeedvh/log4jail
• guerzon/log4shellpoc
• ab0x90/CVE-2021-44228_PoC
• stripe/log4j-remediation-tools
• xsultan/log4jshield
• HynekPetrak/log4shell-finder
• 0xThiebaut/CVE-2021-44228
• CERTCC/CVE-2021-44228_scanner
• CrackerCat/CVE-2021-44228-Log4j-Payloads
• dbzoo/log4j_scanner
• jeremyrsellars/CVE-2021-44228_scanner
• JustinDPerkins/C1-WS-LOG4SHELL
• VinniMarcon/Log4j-Updater
• bhprin/log4j-vul
• avirahul007/CVE-2021-44228
• rgl/log4j-log4shell-playground
• anuvindhs/how-to-check-patch-secure-log4j-CVE-2021-44228
• KeysAU/Get-log4j-Windows.ps1
• kubearmor/log4j-CVE-2021-44228
• jyotisahu98/logpresso-CVE-2021-44228-Scanner
• gitlab-de/log4j-resources
• redhuntlabs/Log4JHunt
• mss/log4shell-hotfix-side-effect
• MeterianHQ/log4j-vuln-coverage-check
• sebiboga/jmeter-fix-cve-2021-44228-windows
• mitiga/log4shell-cloud-scanner
• isuruwa/Log4j
• honeynet/log4shell-data
• inettgmbh/checkmk-log4j-scanner
• b1tm0n3r/CVE-2021-44228
• VerveIndustrialProtection/CVE-2021-44228-Log4j
• alenazi90/log4j
• pmontesd/log4j-cve-2021-44228
• LiveOverflow/log4shell
• aws-samples/kubernetes-log4j-cve-2021-44228-node-agent
• michaelsanford/Log4Shell-Honeypot
• thomaspatzke/Log4Pot
• ubitech/cve-2021-44228-rce-poc
• rv4l3r3/log4v-vuln-check
• dpomnean/log4j_scanner_wrapper
• roxas-tan/CVE-2021-44228
• shamo0/CVE-2021-44228
• snow0715/log4j-Scan-Burpsuite
• Joefreedy/Log4j-Windows-Scanner
• Nanitor/log4fix
• Gyrfalc0n/scanlist-log4j
• korteke/log4shell-demo
• recanavar/vuln_spring_log4j2
• DXC-StrikeForce/Burp-Log4j-HammerTime
• andalik/log4j-filescan
• lonecloud/CVE-2021-44228-Apache-Log4j
• gyaansastra/CVE-2021-44228
• axisops/CVE-2021-44228
• kal1gh0st/MyLog4Shell
• hozyx/log4shell
• andypitcher/Log4J_checker
• Vulnmachines/log4j-cve-2021-44228
• kannthu/CVE-2021-44228-Apache-Log4j-Rce
• Kr0ff/CVE-2021-44228
• suuhm/log4shell4shell
• wajda/log4shell-test-exploit
• obscuritylabs/log4shell-poc-lab
• Fazmin/vCenter-Server-Workaround-Script-CVE-2021-44228
• Grupo-Kapa-7/CVE-2021-44228-Log4j-PoC-RCE
• rohan-flutterint/CVE-2021-44228_scanner
• sysadmin0815/Fix-Log4j-PowershellScript
• RenYuH/log4j-lookups-vulnerability
• scheibling/py-log4shellscanner
• zaneef/CVE-2021-44228
• metodidavidovic/log4j-quick-scan
• WatchGuard-Threat-Lab/log4shell-iocs
• Aschen/log4j-patched
• Nikolas-Charalambidis/cve-2021-44228
• m0rath/detect-log4j-exploitable
• nu11secur1ty/CVE-2021-44228-VULN-APP
• ankur-katiyar/log4j-docker
• immunityinc/Log4j-JNDIServer
• DANSI/PowerShell-Log4J-Scanner
• suniastar/scan-log4shell
• shivakumarjayaraman/log4jvulnerability-CVE-2021-44228
• j3kz/CVE-2021-44228-PoC
• Apipia/log4j-pcap-activity
• axelcurmi/log4shell-docker-lab
• otaviokr/log4j-2021-vulnerability-study
• kkyehit/log4j_CVE-2021-44228
• trickyearlobe/inspec-log4j
• TheInterception/Log4J-Simulation-Tool
• KeysAU/Get-log4j-Windows-local
• mschmnet/Log4Shell-demo
• Rk-000/Log4j_scan_Advance
• puzzlepeaches/Log4jCenter
• Labout/log4shell-rmi-poc
• TotallyNotAHaxxer/f-for-java
• spasam/log4j2-exploit
• bumheehan/cve-2021-44228-log4j-test
• cergo123/log4j-dork-scanner
• dmitsuo/log4shell-war-fixer
• Y0-kan/Log4jShell-Scan
• julian911015/Log4j-Scanner-Exploit
• intel-xeon/CVE-2021-44228---detection-with-PowerShell
• chandru-gunasekaran/log4j-fix-CVE-2021-44228
• erickrr-bd/TekiumLog4jApp
• snapattack/damn-vulnerable-log4j-app
• sassoftware/loguccino
• xx-zhang/apache-log4j2-CVE-2021-44228
• r00thunter/Log4Shell-Scanner
• mn-io/log4j-spring-vuln-poc
• rejupillai/log4j2-hack-springboot
• lucab85/log4j-cve-2021-44228
• BabooPan/Log4Shell-CVE-2021-44228-Demo
• ossie-git/log4shell_sentinel
• r00thunter/Log4Shell
• asyzdykov/cve-2021-44228-fix-jars
• BJLIYANLIANG/log4j-scanner
• badb33f/Apache-Log4j-POC
• TaroballzChen/CVE-2021-44228-log4jVulnScanner-metasploit
• lucab85/ansible-role-log4shell
• grimch/log4j-CVE-2021-44228-workaround
• cybersecurityworks553/log4j-shell-csw
• Toolsec/log4j-scan
• puzzlepeaches/Log4jUnifi
• many-fac3d-g0d/apache-tomcat-log4j
• marcourbano/CVE-2021-44228
• bsigouin/log4shell-vulnerable-app
• ToxicEnvelope/XSYS-Log4J2Shell-Ex
• felipe8398/ModSec-log4j2
• ceyhuncamli/Log4j_Attacker_IPList
• mazhar-hassan/log4j-vulnerability
• xungzzz/VTI-IOCs-CVE-2021-44228
• s-retlaw/l4s_poc
• Ravid-CheckMarx/CVE-2021-44228-Apache-Log4j-Rce-main
• yesspider-hacker/log4j-payload-generator
• LinkMJB/log4shell_scanner
• NS-Sp4ce/Vm4J
• PoneyClairDeLune/LogJackFix
• MarceloLeite2604/log4j-vulnerability
• romanutti/log4shell-vulnerable-app
• mklinkj/log4j2-test
• 4jfinder/4jfinder.github.io
• alexpena5635/CVE-2021-44228_scanner-main-Modified-
• Vulnmachines/log4jshell_CVE-2021-44228
• mr-vill4in/log4j-fuzzer
• mebibite/log4jhound
• sdogancesur/log4j_github_repository
• jrocia/Search-log4Jvuln-AppScanSTD
• aajuvonen/log4stdin
• arnaudluti/PS-CVE-2021-44228
• ColdFusionX/CVE-2021-44228-Log4Shell-POC
• robrankin/cve-2021-44228-waf-tests
• 0xalwayslucky/log4j-polkit-poc
• y-security/yLog4j
• FeryaelJustice/Log4Shell
• hotpotcookie/CVE-2021-44228-white-box
• s-retlaw/l4srs
• Ananya-0306/Log-4j-scanner
• paulvkitor/log4shellwithlog4j2_13_3
• MiguelM001/vulescanjndilookup
• Jun-5heng/CVE-2021-44228
• honypot/CVE-2021-44228
• honypot/CVE-2021-44228-vuln-app
• manishkanyal/log4j-scanner
• TPower2112/Writing-Sample-1
• Willian-2-0-0-1/Log4j-Exploit-CVE-2021-44228
• r3kind1e/Log4Shell-obfuscated-payloads-generator
• Phineas09/CVE-2021-44228
• yuuki1967/CVE-2021-44228-Apache-Log4j-Rce
• moshuum/tf-log4j-aws-poc
• jaehnri/CVE-2021-44228
• ra890927/Log4Shell-CVE-2021-44228-Demo
• vidrez/Ethical-Hacking-Report-Log4j
• vino-theva/CVE-2021-44228
• tharindudh/tharindudh-Log4j-Vulnerability-in-Ghidra-tool-CVE-2021-44228
• eurogig/jankybank
• digital-dev/Log4j-CVE-2021-44228-Remediation
• ocastel/log4j-shell-poc
• bcdunbar/CVE-2021-44228-poc
• srcporter/CVE-2021-44228
• Nexolanta/log4j2_CVE-2021-44228
• demining/Log4j-Vulnerability
• pierpaolosestito-dev/Log4Shell-CVE-2021-44228-PoC
• Sumitpathania03/LOG4J-CVE-2021-44228
• Sma-Das/Log4j-PoC
• 53buahapel/log4shell-vulnweb
• demonrvm/Log4ShellRemediation
• funcid/log4j-exploit-fork-bomb
• MrHarshvardhan/PY-Log4j-RCE-Scanner
• Muhammad-Ali007/Log4j_CVE-2021-44228
• Tai-e/CVE-2021-44228
• LucasPDiniz/CVE-2021-44228
• felixslama/log4shell-minecraft-demo
• ShlomiRex/log4shell_lab
• dcm2406/CVE-Lab
• scabench/l4j-tp1
• scabench/l4j-fp1
• KtokKawu/l4s-vulnapp
• sec13b/CVE-2021-44228-POC
• KirkDJohnson/Wireshark
• YangHyperData/LOGJ4_PocShell_CVE-2021-44228
• Hoanle396/CVE-2021-44228-demo
• tadash10/Exploiting-CVE-2021-44228-Log4Shell-in-a-Banking-Environment
• asd58584388/CVE-2021-44228
• OtisSymbos/CVE-2021-44228-Log4Shell-
• safeer-accuknox/log4j-shell-poc
• Carlos-Mesquita/TPASLog4ShellPoC
• AhmedMansour93/-Unveiling-the-Lessons-from-Log4Shell-A-Wake-Up-Call-for-Cybersecurity-
• Super-Binary/cve-2021-44228
• JanICT/poc-ldap-cve-2021-44228

CVE-2021-44255 (2022-01-31)

Authenticated remote code execution in MotionEye <= 0.42.1 and MotioneEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious python pickle file which will execute arbitrary code on the server.

• pizza-power/motioneye-authenticated-RCE

CVE-2021-44270

• pinpinsec/CVE-2021-44270

CVE-2021-44428 (2021-11-29)

Pinkie 2.15 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1.

• z3bul0n/log4jtest

CVE-2021-44521 (2022-02-11)

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

• WoodenKlaas/CVE-2021-44521
• Yeyvo/poc-CVE-2021-44521

CVE-2021-44529 (2021-12-08)

A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).

• jkana/CVE-2021-44529
• jax7sec/CVE-2021-44529

CVE-2021-44582 (2022-06-10)

A Privilege Escalation vulnerability exists in Sourcecodester Money Transfer Management System 1.0, which allows a remote malicious user to gain elevated privileges to the Admin role via any URL.

• warmachine-57/CVE-2021-44582

CVE-2021-44593 (2022-01-21)

Simple College Website 1.0 is vulnerable to unauthenticated file upload & remote code execution via UNION-based SQL injection in the username parameter on /admin/login.php.

• Mister-Joe/CVE-2021-44593

CVE-2021-44731 (2022-02-17)

A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1

• deeexcee-io/CVE-2021-44731-snap-confine-SUID

CVE-2021-44733 (2021-12-22)

A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.

• pjlantz/optee-qemu

CVE-2021-44790 (2021-12-20)

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

• nuPacaChi/-CVE-2021-44790

CVE-2021-44827 (2022-03-04)

There is remote authenticated OS command injection on TP-Link Archer C20i 0.9.1 3.2 v003a.0 Build 170221 Rel.55462n devices vie the X_TP_ExternalIPv6Address HTTP parameter, allowing a remote attacker to run arbitrary commands on the router with root privileges.

• full-disclosure/CVE-2021-44827

CVE-2021-44832 (2021-12-28)

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

• cckuailong/log4j_RCE_CVE-2021-44832
• name/log4j-scanner

CVE-2021-44852 (2022-01-01)

An issue was discovered in BS_RCIO64.sys in Biostar RACING GT Evo 2.1.1905.1700. A low-integrity process can open the driver's device object and issue IOCTLs to read or write to arbitrary physical memory locations (or call an arbitrary address), leading to execution of arbitrary code. This is associated with 0x226040, 0x226044, and 0x226000.

• CrackerCat/CVE-2021-44852

CVE-2021-44906 (2022-03-17)

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

• nevermoe/CVE-2021-44906

CVE-2021-44909

• g1thub3r1st4/CVE-2021-44909

CVE-2021-44910

• W000i/CVE-2021-44910_SpringBlade

CVE-2021-44967 (2022-02-22)

A Remote Code Execution (RCE) vulnerabilty exists in LimeSurvey 5.2.4 via the upload and install plugins function, which could let a remote malicious user upload an arbitrary PHP code file.

• D3Ext/LimeSurvey-RCE

CVE-2021-45007 (2022-02-20)

Plesk 18.0.37 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows an attacker to insert data on the user and admin panel. NOTE: the vendor states that this is only a site-specific problem on websites of one or more Plesk users

• AS4mir/CVE-2021-45007

CVE-2021-45008 (2022-02-21)

Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability that allows privilege Escalation from user to admin rights. OTE: the vendor states that this is only a site-specific problem on websites of one or more Plesk users

• AS4mir/CVE-2021-45008

CVE-2021-45010 (2022-03-15)

A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution.

• febinrev/CVE-2021-45010-TinyFileManager-Exploit
• BKreisel/CVE-2021-45010
• Syd-SydneyJr/CVE-2021-45010

CVE-2021-45026 (2022-06-17)

ASG technologies ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cross Site Scripting (XSS).

• JetP1ane/Zena-CVE-2021-45026

CVE-2021-45041 (2021-12-19)

SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.

• manuelz120/CVE-2021-45041

CVE-2021-45043 (2021-12-15)

HD-Network Real-time Monitoring System 2.0 allows ../ directory traversal to read /etc/shadow via the /language/lang s_Language parameter.

• crypt0g30rgy/cve-2021-45043

CVE-2021-45046 (2021-12-14)

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

• cckuailong/Log4j_CVE-2021-45046
• BobTheShoplifter/CVE-2021-45046-Info
• tejas-nagchandi/CVE-2021-45046
• pravin-pp/log4j2-CVE-2021-45046
• mergebase/log4j-samples
• lukepasek/log4jjndilookupremove
• ludy-dev/cve-2021-45046
• lijiejie/log4j2_vul_local_scanner
• CaptanMoss/Log4Shell-Sandbox-Signature
• shaily29-eng/CyberSecurity_CVE-2021-45046

CVE-2021-45067 (2022-01-14)

Acrobat Reader DC version 21.007.20099 (and earlier), 20.004.30017 (and earlier) and 17.011.30204 (and earlier) are affected by an Access of Memory Location After End of Buffer vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

• hacksysteam/CVE-2021-45067

CVE-2021-45105 (2021-12-18)

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

• cckuailong/Log4j_dos_CVE-2021-45105
• pravin-pp/log4j2-CVE-2021-45105
• tejas-nagchandi/CVE-2021-45105
• iAmSOScArEd/log4j2_dos_exploit
• dileepdkumar/https-github.com-pravin-pp-log4j2-CVE-2021-45105
• dileepdkumar/https-github.com-dileepdkumar-https-github.com-pravin-pp-log4j2-CVE-2021-45105
• dileepdkumar/https-github.com-dileepdkumar-https-github.com-pravin-pp-log4j2-CVE-2021-45105-v
• dileepdkumar/https-github.com-pravin-pp-log4j2-CVE-2021-45105-1
• name/log4j-remediation

CVE-2021-45232 (2021-12-27)

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework droplet on the basis of framework gin, all APIs and authentication middleware are developed based on framework droplet, but some API directly use the interface of framework gin thus bypassing the authentication.

• Osyanina/westone-CVE-2021-45232-scanner
• badboycxcc/CVE-2021-45232-POC
• LTiDi2000/CVE-2021-45232
• Ilovewomen/cve-2021-45232
• jxpsx/CVE-2021-45232-RCE
• wuppp/cve-2021-45232-exp
• dskho/CVE-2021-45232
• fany0r/CVE-2021-45232-RCE
• YutuSec/Apisix_Crack

CVE-2021-45416 (2022-02-01)

Reflected Cross-site scripting (XSS) vulnerability in RosarioSIS 8.2.1 allows attackers to inject arbitrary HTML via the search_term parameter in the modules/Scheduling/Courses.php script.

• 86x/CVE-2021-45416
• dnr6419/CVE-2021-45416

CVE-2021-45428 (2022-01-03)

TLR-2005KSH is affected by an incorrect access control vulnerability. THe PUT method is enabled so an attacker can upload arbitrary files including HTML and CGI formats.

• projectforsix/CVE-2021-45428-Defacer

CVE-2021-45468 (2022-01-14)

Imperva Web Application Firewall (WAF) before 2021-12-23 allows remote unauthenticated attackers to use "Content-Encoding: gzip" to evade WAF security controls and send malicious HTTP POST requests to web servers behind the WAF.

• 0xhaggis/Imperva_gzip_bypass

CVE-2021-45485 (2021-12-25)

In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses.

• Satheesh575555/linux-4.19.72_CVE-2021-45485

CVE-2021-45744 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in bludit 3.13.1 via the TAGS section in login panel.

• plsanu/Bludit-3.13.1-TAGS-Field-Stored-Cross-Site-Scripting-XSS

CVE-2021-45745 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the About Plugin in login panel.

• plsanu/Bludit-3.13.1-About-Plugin-Stored-Cross-Site-Scripting-XSS

CVE-2021-45897 (2022-01-28)

SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution.

• manuelz120/CVE-2021-45897

CVE-2021-45901 (2022-02-10)

The password-reset form in ServiceNow Orlando provides different responses to invalid authentication attempts depending on whether the username exists.

• 9lyph/CVE-2021-45901

CVE-2021-45960 (2022-01-01)

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

• nanopathi/external_expat_AOSP10_r33_CVE-2021-45960
• Trinadh465/external_lib_AOSP10_r33_CVE-2021-45960_CVE-2021-46143-
• hshivhare67/external_expat_v2.2.6_CVE-2021-45960

CVE-2021-46005 (2022-01-18)

Sourcecodester Car Rental Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via vehicalorcview parameter.

• nawed20002/CVE-2021-46005

CVE-2021-46063 (2022-02-18)

MCMS v5.2.5 was discovered to contain a Server Side Template Injection (SSTI) vulnerability via the Template Management module.

• miguelc49/CVE-2021-46063-2
• miguelc49/CVE-2021-46063-1
• miguelc49/CVE-2021-46063-3

CVE-2021-46067 (2022-01-06)

In Vehicle Service Management System 1.0 an attacker can steal the cookies leading to Full Account Takeover.

• plsanu/Vehicle-Service-Management-System-Multiple-Cookie-Stealing-Leads-to-Full-Account-Takeover
• plsanu/CVE-2021-46067

CVE-2021-46068 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the My Account Section in login panel.

• plsanu/Vehicle-Service-Management-System-MyAccount-Stored-Cross-Site-Scripting-XSS
• plsanu/CVE-2021-46068

CVE-2021-46069 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Mechanic List Section in login panel.

• plsanu/Vehicle-Service-Management-System-Mechanic-List-Stored-Cross-Site-Scripting-XSS

CVE-2021-46070 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service Requests Section in login panel.

• plsanu/Vehicle-Service-Management-System-Service-Requests-Stored-Cross-Site-Scripting-XSS
• plsanu/CVE-2021-46070

CVE-2021-46071 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Category List Section in login panel.

• plsanu/Vehicle-Service-Management-System-Category-List-Stored-Cross-Site-Scripting-XSS
• plsanu/CVE-2021-46071

CVE-2021-46072 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service List Section in login panel.

• plsanu/Vehicle-Service-Management-System-Service-List-Stored-Cross-Site-Scripting-XSS
• plsanu/CVE-2021-46072

CVE-2021-46073 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the User List Section in login panel.

• plsanu/Vehicle-Service-Management-System-User-List-Stored-Cross-Site-Scripting-XSS
• plsanu/CVE-2021-46073

CVE-2021-46074 (2022-01-06)

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Vehicle Service Management System 1.0 via the Settings Section in login panel.

• plsanu/Vehicle-Service-Management-System-Settings-Stored-Cross-Site-Scripting-XSS
• plsanu/CVE-2021-46074

CVE-2021-46075 (2022-01-06)

A Privilege Escalation vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. Staff account users can access the admin resources and perform CRUD Operations.

• plsanu/Vehicle-Service-Management-System-Multiple-Privilege-Escalation-Leads-to-CRUD-Operations
• plsanu/CVE-2021-46075

CVE-2021-46076 (2022-01-06)

Sourcecodester Vehicle Service Management System 1.0 is vulnerable to File upload. An attacker can upload a malicious php file in multiple endpoints it leading to Code Execution.

• plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Code-Execution
• plsanu/CVE-2021-46076

CVE-2021-46078 (2022-01-06)

An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to a Stored Cross-Site Scripting vulnerability.

• plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Stored-Cross-Site-Scripting
• plsanu/CVE-2021-46078

CVE-2021-46079 (2022-01-06)

An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to Html Injection.

• plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Html-Injection
• plsanu/CVE-2021-46079

CVE-2021-46080 (2022-01-06)

A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability.

• plsanu/Vehicle-Service-Management-System-Multiple-Cross-Site-Request-Forgery-CSRF-Leads-to-XSS
• plsanu/CVE-2021-46080

CVE-2021-46108 (2022-02-18)

D-Link DSL-2730E CT-20131125 devices allow XSS via the username parameter to the password page in the maintenance configuration.

• g-rubert/CVE-2021-46108

CVE-2021-46143 (2022-01-06)

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

• nanopathi/external_expat_AOSP10_r33_CVE-2021-46143

CVE-2021-46361 (2022-02-11)

An issue in the Freemark Filter of Magnolia CMS v6.2.11 and below allows attackers to bypass security restrictions and execute arbitrary code via a crafted FreeMarker payload.

• mbadanoiu/CVE-2021-46361

CVE-2021-46362 (2022-02-11)

A Server-Side Template Injection (SSTI) vulnerability in the Registration and Forgotten Password forms of Magnolia v6.2.3 and below allows attackers to execute arbitrary code via a crafted payload entered into the fullname parameter.

• mbadanoiu/CVE-2021-46362

CVE-2021-46363 (2022-02-11)

An issue in the Export function of Magnolia v6.2.3 and below allows attackers to perform Formula Injection attacks via crafted CSV/XLS files. These formulas may result in arbitrary code execution on a victim's computer when opening the exported files with Microsoft Excel.

• mbadanoiu/CVE-2021-46363

CVE-2021-46364 (2022-02-11)

A vulnerability in the Snake YAML parser of Magnolia CMS v6.2.3 and below allows attackers to execute arbitrary code via a crafted YAML file.

• mbadanoiu/CVE-2021-46364

CVE-2021-46365 (2022-02-11)

An issue in the Export function of Magnolia v6.2.3 and below allows attackers to execute XML External Entity attacks via a crafted XLF file.

• mbadanoiu/CVE-2021-46365

CVE-2021-46366 (2022-02-11)

An issue in the Login page of Magnolia CMS v6.2.3 and below allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials.

• mbadanoiu/CVE-2021-46366

CVE-2021-46381 (2022-03-04)

Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized internal files reading [/etc/passwd] and [/etc/shadow].

• JCPpeiqi/-cve-2021-46381

CVE-2021-46398 (2022-02-04)

A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the FileBrowser and hence it leads to RCE.

• febinrev/CVE-2021-46398_Chamilo-LMS-RCE
• LalieA/CVE-2021-46398

CVE-2021-46417 (2022-04-07)

Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems Colibri Controller Module 1.8.19.8580.

• Henry4E36/CVE-2021-46417

CVE-2021-46422 (2022-04-27)

Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.

• nobodyatall648/CVE-2021-46422
• Chocapikk/CVE-2021-46422
• twoning/CVE-2021-46422_PoC
• Awei507/CVE-RCE
• yigexioabai/CVE-2021-46422_RCE
• ZAxyr/CVE-2021-46422
• xanszZZ/SDT_CW3B1_rce
• latings/CVE-2021-46422
• CJ-0107/cve-2021-46422
• kelemaoya/CVE-2021-46422
• yyqxi/CVE-2021-46422
• polerstar/CVE-2021-46422-poc
• kailing0220/CVE-2021-46422
• tucommenceapousser/CVE-2021-46422

CVE-2021-46702 (2022-02-26)

Tor Browser 9.0.7 on Windows 10 build 10586 is vulnerable to information disclosure. This could allow local attackers to bypass the intended anonymity feature and obtain information regarding the onion services visited by a local user. This can be accomplished by analyzing RAM memory even several hours after the local user used the product. This occurs because the product doesn't properly free memory.

• Exmak-s/CVE-2021-46702

CVE-2021-46703 (2022-03-06)

In the IsolatedRazorEngine component of Antaris RazorEngine through 4.5.1-alpha001, an attacker can execute arbitrary .NET code in a sandboxed environment (if users can externally control template contents). NOTE: This vulnerability only affects products that are no longer supported by the maintainer

• BenEdridge/CVE-2021-46703

CVE-2021-46704 (2022-03-06)

In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check.

• MithatGuner/CVE-2021-46704-POC
• Erenlancaster/CVE-2021-46704

CVE-2021-56789

• DataSurgeon-ds/ds-cve-plugin

CVE-2021-268855

• sikkertech/CVE-2021-268855

2020

CVE-2020-0001 (2020-01-08)

In getProcessRecordLocked of ActivityManagerService.java isolated apps are not handled correctly. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-140055304

• Zachinio/CVE-2020-0001

CVE-2020-0014 (2020-02-13)

It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-128674520

• tea9/CVE-2020-0014-Toast

CVE-2020-0022 (2020-02-13)

In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-143894715

• leommxj/cve-2020-0022
• k3vinlusec/Bluefrag_CVE-2020-0022
• Polo35/CVE-2020-0022
• 5k1l/cve-2020-0022
• lsw29475/CVE-2020-0022
• devdanqtuan/poc-for-cve-2020-0022
• themmokhtar/CVE-2020-0022

CVE-2020-0023 (2020-02-13)

In setPhonebookAccessPermission of AdapterService.java, there is a possible disclosure of user contacts over bluetooth due to a missing permission check. This could lead to local information disclosure if a malicious app enables contacts over a bluetooth connection, with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145130871

• 362902755/CVE-2020-0023

CVE-2020-0041 (2020-03-10)

In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-145988638References: Upstream kernel

• bluefrostsecurity/CVE-2020-0041
• j4nn/CVE-2020-0041
• koharin/CVE-2020-0041
• vaginessa/CVE-2020-0041-Pixel-3a
• jcalabres/root-exploit-pixel3

CVE-2020-0069 (2020-03-10)

In the ioctl handlers of the Mediatek Command Queue driver, there is a possible out of bounds write due to insufficient input sanitization and missing SELinux restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-147882143References: M-ALPS04356754

• R0rt1z2/AutomatedRoot
• TheRealJunior/mtk-su-reverse-cve-2020-0069
• yanglingxi1993/CVE-2020-0069
• quarkslab/CVE-2020-0069_poc
• 0xf15h/mtk_su

CVE-2020-0082 (2020-04-17)

In ExternalVibration of ExternalVibration.java, there is a possible activation of an arbitrary intent due to unsafe deserialization. This could lead to local escalation of privilege to system_server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-140417434

• 0x742/CVE-2020-0082-ExternalVibration

CVE-2020-0096 (2020-05-14)

In startActivities of ActivityStartController.java, there is a possible escalation of privilege due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9Android ID: A-145669109

• wyu0hop/CVE-2020-0096
• liuyun201990/StrandHogg2
• tea9/CVE-2020-0096-StrandHogg2
• nahid0x1/CVE-2020-0096-strandhogg-exploit-p0c

CVE-2020-0108 (2020-08-11)

In postNotification of ServiceRecord.java, there is a possible bypass of foreground process restrictions due to an uncaught exception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-8.1 Android-9Android ID: A-140108616

• CrackerCat/ServiceCheater

CVE-2020-0113 (2020-06-10)

In sendCaptureResult of Camera3OutputUtils.cpp, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-9Android ID: A-150944913

• XDo0/ServiceCheater

CVE-2020-0114 (2020-06-10)

In onCreateSliceProvider of KeyguardSliceProvider.java, there is a possible confused deputy due to a PendingIntent error. This could lead to local escalation of privilege that allows actions performed as the System UI, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-147606347

• tea9/CVE-2020-0114-systemui

CVE-2020-0121 (2020-06-10)

In updateUidProcState of AppOpsService.java, there is a possible permission bypass due to a logic error. This could lead to local information disclosure of location data with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-148180766

• mooneee/CVE-2020-0121

CVE-2020-0136 (2020-06-11)

In multiple locations of Parcel.cpp, there is a possible out-of-bounds write due to an integer overflow. This could lead to local escalation of privilege in the system server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-120078455

• Satheesh575555/libhwbinder_AOSP10_r33_CVE-2020-0136

CVE-2020-0137 (2020-06-11)

In setIPv6AddrGenMode of NetworkManagementService.java, there is a possible bypass of networking permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-141920289

• nanopathi/framework_base_AOSP10_r33_CVE-2020-0137
• ShaikUsaf/frameworks_base_AOSP10_r33_CVE-2020-0137

CVE-2020-0138 (2020-06-11)

In get_element_attr_rsp of btif_rc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution if bluetoothtbd were used, which it isn't in typical Android platforms, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-142878416

• Satheesh575555/system_bt_AOSP10_r33-CVE-2020-0138

CVE-2020-0155 (2020-06-11)

In phNxpNciHal_send_ese_hal_cmd of phNxpNciHal_ext.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-139736386

• Trinadh465/hardware_nxp_nfc_AOSP10_r33_CVE-2020-0155

CVE-2020-0160 (2020-06-11)

In setSyncSampleParams of SampleTable.cpp, there is possible resource exhaustion due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-124771364

• nanopathi/frameworks_av_AOSP10_r33_CVE-2020-0160

CVE-2020-0181 (2020-06-11)

In exif_data_load_data_thumbnail of exif-data.c, there is a possible denial of service due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145075076

• Trinadh465/external_libexif_AOSP10_r33_CVE-2020-0181

CVE-2020-0183 (2020-06-11)

In handleMessage of BluetoothManagerService, there is an incomplete reset. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-110181479

• nanopathi/packages_apps_Bluetooth_AOSP10_r33_CVE-2020-0183
• hshivhare67/platform_packages_apps_bluetooth_AOSP10_r33_CVE-2020-0183

CVE-2020-0188 (2020-06-11)

In onCreatePermissionRequest of SettingsSliceProvider.java, there is a possible permissions bypass due to a PendingIntent error. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-147355897

• Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2020-0188
• ShaikUsaf/ShaikUsaf-packages_apps_settings_AOSP10_r33_CVE-2020-0188
• Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2020-0188_CVE-0219

CVE-2020-0198 (2020-06-11)

In exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-146428941

• Trinadh465/external_libexif_AOSP10_r33_CVE-2020-0198

CVE-2020-0201 (2020-06-11)

In showSecurityFields of WifiConfigController.java there is a possible credential leak due to a confused deputy. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-143601727

• uthrasri/Packages_app_settings_CVE-2020-0201
• Trinadh465/packages_apps_Settings_CVE-2020-0201

CVE-2020-0203 (2020-06-11)

In freeIsolatedUidLocked of ProcessList.java, there is a possible UID reuse due to improper cleanup. This could lead to local escalation of privilege between constrained processes with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-146313311

• Trinadh465/frameworks_base_AOSP10_r33_CVE-2020-0203

CVE-2020-0209 (2020-06-11)

In multiple functions of AccountManager.java, there is a possible permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145206842

• pazhanivel07/frameworks_base_CVE-2020-0209

CVE-2020-0215 (2020-06-11)

In onCreate of ConfirmConnectActivity.java, there is a possible leak of Bluetooth information due to a permissions bypass. This could lead to local escalation of privilege that exposes a pairing Bluetooth MAC address with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-9 Android-10 Android-11 Android-8.0 Android-8.1 Android ID: A-140417248

• Trinadh465/packages_apps_Nfc_AOSP10_r33_CVE-2020-0215

CVE-2020-0218 (2020-06-11)

In loadSoundModel and related functions of SoundTriggerHwService.cpp, there is possible out of bounds write due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-136005905

• pazhanivel07/frameworks_av-CVE-2020-0218

CVE-2020-0219 (2020-06-11)

In onCreate of SliceDeepLinkSpringBoard.java there is a possible insecure Intent. This could lead to local elevation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-122836081

• pazhanivel07/Settings_10-r33_CVE-CVE-2020-0219
• Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2020-0219
• Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2020-0219_CVE-2020-0188_old
• Trinadh465/packages_apps_Settings_AOSP10_r33_CVE-2020-0219_CVE-2020-0188_old-one

CVE-2020-0225 (2020-07-17)

In a2dp_vendor_ldac_decoder_decode_packet of a2dp_vendor_ldac_decoder.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-142546668

• nanopathi/system_bt_AOSP10_r33_CVE-2020-0225

CVE-2020-0226 (2020-07-17)

In createWithSurfaceParent of Client.cpp, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege in the graphics server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-150226994

• Trinadh465/frameworks_native_CVE-2020-0226
• ShaikUsaf/frameworks_native_AOSP10_r33_ShaikUsaf-frameworks_native_AOSP10_r33_CVE-2020-0226

CVE-2020-0227 (2020-07-17)

In onCommand of CompanionDeviceManagerService.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege allowing background data usage or launching from the background, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-129476618

• nanopathi/framework_base_AOSP10_r33_CVE-2020-0227

CVE-2020-0240 (2020-08-11)

In NewFixedDoubleArray of factory.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-150706594

• ShaikUsaf/external_v8_AOSP10_r33_CVE-2020-0240

CVE-2020-0241 (2020-08-11)

In NuPlayerStreamListener of NuPlayerStreamListener.cpp, there is possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-151456667

• nanopathi/frameworks_av_AOSP10_r33_CVE-2020-0241

CVE-2020-0242 (2020-08-11)

In reset of NuPlayerDriver.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the media server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-151643722

• pazhanivel07/frameworks_av-10-r33_CVE-2020-0242
• pazhanivel07/frameworks_av-CVE-2020-0242_CVE-2020-0243

CVE-2020-0245 (2020-09-17)

In DecodeFrameCombinedMode of combined_decode.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-152496149

• Satheesh575555/frameworks_av_AOSP10_r33_CVE-2020-0245

CVE-2020-0377 (2020-10-14)

In gatt_process_read_by_type_rsp of gatt_cl.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure in the Bluetooth server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0Android ID: A-158833854

• Satheesh575555/system_bt_AOSP10_r33_CVE-2020-0377

CVE-2020-0380 (2020-09-17)

In allocExcessBits of bitalloc.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-146398979

• ShaikUsaf/system_bt_AOSP10_r33_CVE-2020-0380

CVE-2020-0381 (2020-09-17)

In Parse_wave of eas_mdls.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote information disclosure in a highly constrained process with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10 Android-11Android ID: A-150159669

• Trinadh465/external_sonivox_AOSP10_r33_CVE-2020-0381

CVE-2020-0391 (2020-09-17)

In applyPolicy of PackageManagerService.java, there is possible arbitrary command execution as System due to an unenforced protected-broadcast. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11Android ID: A-158570769

• nanopathi/framework_base_AOSP10_r33_CVE-2020-0391

CVE-2020-0392 (2020-09-17)

In getLayerDebugInfo of SurfaceFlinger.cpp, there is a possible code execution due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11Android ID: A-150226608

• Satheesh575555/frameworks_native_AOSP10_r33_CVE-2020-0392

CVE-2020-0394 (2020-09-17)

In onCreate of BluetoothPairingDialog.java, there is a possible tapjacking vector due to an insecure default value. This could lead to local escalation of privilege and untrusted devices accessing contact lists with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10 Android-11Android ID: A-155648639

• ShaikUsaf/packages_apps_settings_AOSP10_r33_CVE-2020-0394
• pazhanivel07/Settings_10-r33_CVE-2020-0394
• pazhanivel07/Settings_10-r33_CVE-2020-0394_02

CVE-2020-0401 (2020-09-17)

In setInstallerPackageName of PackageManagerService.java, there is a missing permission check. This could lead to local escalation of privilege and granting spurious permissions with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10 Android-11Android ID: A-150857253

• Satheesh575555/frameworks_base_AOSP10_r33_CVE-2020-0401
• nanopathi/framework_base_AOSP10_r33_CVE-2020-0401

CVE-2020-0409 (2020-11-10)

In create of FileMap.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-8.0 Android-8.1 Android-9Android ID: A-156997193

• nanopathi/system_core_AOSP10_r33_CVE-2020-0409

CVE-2020-0413 (2020-10-14)

In gatt_process_read_by_type_rsp of gatt_cl.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure in the Bluetooth server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0Android ID: A-158778659

• Satheesh575555/system_bt_AOSP10_r33_CVE-2020-0413

CVE-2020-0416 (2020-10-14)

In multiple settings screens, there are possible tapjacking attacks due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.0 Android-8.1Android ID: A-155288585

• ShaikUsaf/packages_apps_settings_AOSP10_r33_CVE-2020-0416
• Satheesh575555/packages_apps_Settings_AOSP10_r33_CVE-2020-0416

CVE-2020-0418 (2020-11-10)

In getPermissionInfosForGroup of Utils.java, there is a logic error. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-153879813

• Trinadh465/packages_apps_PackageInstaller_AOSP10_r33_CVE-2020-0418
• fernandodruszcz/CVE-2020-0418

CVE-2020-0421 (2020-10-14)

In appendFormatV of String8.cpp, there is a possible out of bounds write due to incorrect error handling. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0Android ID: A-161894517

• nanopathi/system_core_AOSP10_r33_CVE-2020-0421

CVE-2020-0423 (2020-10-14)

In binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-161151868References: N/A

• sparrow-labz/CVE-2020-0423

CVE-2020-0439 (2020-11-10)

In generatePackageInfo of PackageManagerService.java, there is a possible permissions bypass due to an incorrect permission check. This could lead to local escalation of privilege that allows instant apps access to permissions not allowed for instant apps, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0Android ID: A-140256621

• Satheesh575555/frameworks_base_AOSP10_r33_CVE-2020-0439

CVE-2020-0443 (2020-11-10)

In LocaleList of LocaleList.java, there is a possible forced reboot due to an uncaught exception. This could lead to local denial of service requiring factory reset to restore with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-152410253

• Supersonic/CVE-2020-0443

CVE-2020-0451 (2020-11-10)

In sbrDecoder_AssignQmfChannels2SbrChannels of sbrdecoder.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-9 Android-8.0 Android-8.1Android ID: A-158762825

• nanopathi/external_aac_AOSP10_r33_CVE-2020-0451

CVE-2020-0452 (2020-11-10)

In exif_entry_get_value of exif-entry.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if a third party app used this library to process remote image data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0Android ID: A-159625731

• ShaikUsaf/external_libexif_AOSP10_CVE-2020-0452

CVE-2020-0453 (2020-11-10)

In updateNotification of BeamTransferManager.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-8.0 Android-8.1Android ID: A-159060474

• pazhanivel07/Nfc_CVE-2020-0453
• nanopathi/Packages_apps_Nfc_CVE-2020-0453
• Trinadh465/packages_apps_Nfc_AOSP10_r33_CVE-2020-0453

CVE-2020-0458 (2020-12-14)

In SPDIFEncoder::writeBurstBufferBytes and related methods of SPDIFEncoder.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-8.0 Android-8.1Android ID: A-160265164

• nanopathi/system_media_AOSP10_r33_CVE-2020-0458

CVE-2020-0463 (2020-12-14)

In sdp_server_handle_client_req of sdp_server.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure from the bluetooth server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.0 Android-8.1 Android-9Android ID: A-169342531

• nanopathi/system_bt_AOSP10_r33_CVE-2020-0463

CVE-2020-0471 (2021-01-11)

In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible way to inject packets into an encrypted Bluetooth connection due to improper input validation. This could lead to remote escalation of privilege between two Bluetooth devices by a proximal attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.0, Android-8.1, Android-9, Android-10, Android-11; Android ID: A-169327567.

• nanopathi/system_bt_AOSP10_r33_CVE-2020-0471

CVE-2020-0551 (2020-03-12)

Load value injection in some Intel(R) Processors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. The list of affected products is provided in intel-sa-00334: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00334.html

• bitdefender/lvi-lfb-attack-poc

CVE-2020-0557 (2020-04-15)

Insecure inherited permissions in Intel(R) PROSet/Wireless WiFi products before version 21.70 on Windows 10 may allow an authenticated user to potentially enable escalation of privilege via local access.

• hessandrew/CVE-2020-0557_INTEL-SA-00338

CVE-2020-0568 (2020-04-15)

Race condition in the Intel(R) Driver and Support Assistant before version 20.1.5 may allow an authenticated user to potentially enable denial of service via local access.

• hessandrew/CVE-2020-0568_INTEL-SA-00344

CVE-2020-0601 (2020-01-14)

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.

• nissan-sudo/CVE-2020-0601
• 0xxon/cve-2020-0601
• SherlockSec/CVE-2020-0601
• JPurrier/CVE-2020-0601
• 0xxon/cve-2020-0601-plugin
• ly4k/CurveBall
• kudelskisecurity/chainoffools
• RrUZi/Awesome-CVE-2020-0601
• BlueTeamSteve/CVE-2020-0601
• saleemrashid/badecparams
• 0xxon/cve-2020-0601-utils
• Doug-Moody/Windows10_Cumulative_Updates_PowerShell
• MarkusZehnle/CVE-2020-0601
• YoannDqr/CVE-2020-0601
• thimelp/cve-2020-0601-Perl
• dlee35/curveball_lua
• IIICTECH/-CVE-2020-0601-ECC---EXPLOIT
• Ash112121/CVE-2020-0601
• gentilkiwi/curveball
• Hans-MartinHannibalLauridsen/CurveBall
• apodlosky/PoC_CurveBall
• ioncodes/Curveball
• amlweems/gringotts
• yanghaoi/CVE-2020-0601
• talbeerysec/CurveBallDetection
• david4599/CurveballCertTool
• eastmountyxz/CVE-2020-0601-EXP
• eastmountyxz/CVE-2018-20250-WinRAR
• gremwell/cve-2020-0601_poc
• bsides-rijeka/meetup-2-curveball
• exploitblizzard/CVE-2020-0601-spoofkey
• ShayNehmad/twoplustwo
• okanulkr/CurveBall-CVE-2020-0601-PoC
• cimashiro/-Awesome-CVE-2020-0601-
• tyj956413282/curveball-plus
• JoelBts/CVE-2020-0601_PoC

CVE-2020-0609 (2020-01-14)

A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0610.

• ruppde/rdg_scanner_cve-2020-0609
• ly4k/BlueGate
• MalwareTech/RDGScanner
• Archi73ct/CVE-2020-0609
• ioncodes/BlueGate

CVE-2020-0618 (2020-02-11)

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.

• euphrat1ca/CVE-2020-0618
• wortell/cve-2020-0618
• itstarsec/CVE-2020-0618

CVE-2020-0624 (2020-01-14)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0642.

• james0x40/CVE-2020-0624

CVE-2020-0668 (2020-02-11)

An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0669, CVE-2020-0670, CVE-2020-0671, CVE-2020-0672.

• RedCursorSecurityConsulting/CVE-2020-0668
• Nan3r/CVE-2020-0668
• modulexcite/SysTracingPoc
• ycdxsb/CVE-2020-0668
• bypazs/CVE-2020-0668.exe
• 0xSs0rZ/Windows_Exploit

CVE-2020-0674 (2020-02-11)

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767.

• maxpl0it/CVE-2020-0674-Exploit
• Ken-Abruzzi/CVE-2020-0674
• Neko-chanQwQ/CVE-2020-0674-PoC
• Micky-Thongam/Internet-Explorer-UAF

CVE-2020-0683 (2020-02-11)

An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links, aka 'Windows Installer Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0686.

• padovah4ck/CVE-2020-0683

CVE-2020-0688 (2020-02-11)

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

• random-robbie/cve-2020-0688
• Jumbo-WJB/CVE-2020-0688
• Ridter/cve-2020-0688
• Yt1g3r/CVE-2020-0688_EXP
• righter83/CVE-2020-0688
• truongtn/cve-2020-0688
• onSec-fr/CVE-2020-0688-Scanner
• youncyb/CVE-2020-0688
• zcgonvh/CVE-2020-0688
• justin-p/PSForgot2kEyXCHANGE
• cert-lv/CVE-2020-0688
• ravinacademy/CVE-2020-0688
• mahyarx/Exploit_CVE-2020-0688
• ktpdpro/CVE-2020-0688
• w4fz5uck5/cve-2020-0688-webshell-upload-technique
• murataydemir/CVE-2020-0688
• zyn3rgy/ecp_slap
• SLSteff/CVE-2020-0688-Scanner
• MrTiz/CVE-2020-0688
• ann0906/proxylogon
• 7heKnight/CVE-2020-0688
• 1337-llama/CVE-2020-0688-Python3
• chudamax/CVE-2020-0688-Exchange2010
• W01fh4cker/CVE-2020-0688-GUI

CVE-2020-0728 (2020-02-11)

An information vulnerability exists when Windows Modules Installer Service improperly discloses file information, aka 'Windows Modules Installer Service Information Disclosure Vulnerability'.

• irsl/CVE-2020-0728

CVE-2020-0753 (2020-02-11)

An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files, aka 'Windows Error Reporting Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0754.

• afang5472/CVE-2020-0753-and-CVE-2020-0754
• VikasVarshney/CVE-2020-0753-and-CVE-2020-0754

CVE-2020-0787 (2020-03-12)

An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, aka 'Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability'.

• cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION
• MasterSploit/CVE-2020-0787
• MasterSploit/CVE-2020-0787-BitsArbitraryFileMove-master
• yanghaoi/CVE-2020-0787

CVE-2020-0796 (2020-03-12)

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

• k8gege/PyLadon
• 0x25bit/CVE-2020-0796-PoC
• technion/DisableSMBCompression
• T13nn3s/CVE-2020-0796
• ly4k/SMBGhost
• joaozietolie/CVE-2020-0796-Checker
• ButrintKomoni/cve-2020-0796
• dickens88/cve-2020-0796-scanner
• kn6869610/CVE-2020-0796
• awareseven/eternalghosttest
• xax007/CVE-2020-0796-Scanner
• Dhoomralochana/Scanners-for-CVE-2020-0796-Testing
• UraSecTeam/smbee
• netscylla/SMBGhost
• eerykitty/CVE-2020-0796-PoC
• wneessen/SMBCompScan
• ioncodes/SMBGhost
• laolisafe/CVE-2020-0796
• gabimarti/SMBScanner
• Almorabea/SMBGhost-WorkaroundApplier
• vysecurity/CVE-2020-0796
• BinaryShadow94/SMBv3.1.1-scan---CVE-2020-0796
• w1ld3r/SMBGhost_Scanner
• wsfengfan/CVE-2020-0796
• GuoKerS/aioScan_CVE-2020-0796
• jiansiting/CVE-2020-0796-Scanner
• maxpl0it/Unauthenticated-CVE-2020-0796-PoC
• ran-sama/CVE-2020-0796
• sujitawake/smbghost
• julixsalas/CVE-2020-0796
• cory-zajicek/CVE-2020-0796-DoS
• tripledd/cve-2020-0796-vuln
• danigargu/CVE-2020-0796
• jamf/CVE-2020-0796-LPE-POC
• TinToSer/CVE-2020-0796-LPE
• f1tz/CVE-2020-0796-LPE-EXP
• tango-j/CVE-2020-0796
• jiansiting/CVE-2020-0796
• eastmountyxz/CVE-2020-0796-SMB
• LabDookhtegan/CVE-2020-0796-EXP
• Rvn0xsy/CVE_2020_0796_CNA
• 0xeb-bp/cve-2020-0796
• intelliroot-tech/cve-2020-0796-Scanner
• jamf/CVE-2020-0796-RCE-POC
• thelostworldFree/CVE-2020-0796
• section-c/CVE-2020-0796
• bacth0san96/SMBGhostScanner
• halsten/CVE-2020-0796
• ysyyrps123/CVE-2020-0796
• ysyyrps123/CVE-2020-0796-exp
• exp-sky/CVE-2020-0796
• Barriuso/SMBGhost_AutomateExploitation
• 1060275195/SMBGhost
• Almorabea/SMBGhost-LPE-Metasploit-Module
• jamf/SMBGhost-SMBleed-scanner
• rsmudge/CVE-2020-0796-BOF
• codewithpradhan/SMBGhost-CVE-2020-0796-
• AaronCaiii/CVE-2020-0796-POC
• datntsec/CVE-2020-0796
• MasterSploit/LPE---CVE-2020-0796
• 1stPeak/CVE-2020-0796-Scanner
• Anonimo501/SMBGhost_CVE-2020-0796_checker
• Opensitoo/cve-2020-0796
• orangmuda/CVE-2020-0796
• Murasame-nc/CVE-2020-0796-LPE-POC
• F6JO/CVE-2020-0796-Batch-scanning
• lisinan988/CVE-2020-0796-exp
• vsai94/ECE9069_SMBGhost_Exploit_CVE-2020-0796-
• arzuozkan/CVE-2020-0796
• SEHandler/CVE-2020-0796
• TweatherQ/CVE-2020-0796
• krizzz07/CVE-2020-0796
• OldDream666/cve-2020-0796
• dungnm24/CVE-2020-0796
• hungdnvp/POC-CVE-2020-0796
• AdamSonov/smbGhostCVE-2020-0796
• z3ena/Exploiting-and-Mitigating-CVE-2020-0796-SMBGhost-and-Print-Spooler-Vulnerabilities

CVE-2020-0887 (2020-03-12)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0788, CVE-2020-0877.

• vinhthp1712/CVE-2020-0887

CVE-2020-0890 (2020-09-11)

<p>A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system.</p>\n<p>To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application.</p>\n<p>The security update addresses the vulnerability by resolving the conditions where Hyper-V would fail to handle these requests.</p>\n

• gerhart01/hyperv_local_dos_poc
• skasanagottu57gmailv/gerhart01
• MarcelloTinocor/gerhart01

CVE-2020-0910 (2020-04-15)

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Windows Hyper-V Remote Code Execution Vulnerability'.

• kfmgang/CVE-2020-0910

CVE-2020-0976 (2020-04-15)

A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint Spoofing Vulnerability'. This CVE ID is unique from CVE-2020-0972, CVE-2020-0975, CVE-2020-0977.

• ericzhong2010/GUI-Check-CVE-2020-0976

CVE-2020-1015 (2020-04-15)

An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0934, CVE-2020-0983, CVE-2020-1009, CVE-2020-1011.

• 0xeb-bp/cve-2020-1015

CVE-2020-1020 (2020-04-15)

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka 'Adobe Font Manager Library Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0938.

• CrackerCat/CVE-2020-1020-Exploit
• KaLendsi/CVE-2020-1020

CVE-2020-1034 (2020-09-11)

<p>An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.</p>\n<p>To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.</p>\n<p>The security update addresses the vulnerability by ensuring the Windows Kernel properly handles objects in memory.</p>\n

• yardenshafir/CVE-2020-1034
• GeorgiiFirsov/CVE-2020-1034

CVE-2020-1048 (2020-05-21)

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system, aka 'Windows Print Spooler Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1070.

• zveriu/CVE-2009-0229-PoC
• shubham0d/CVE-2020-1048
• Ken-Abruzzi/CVE-2020-1048
• Y3A/cve-2020-1048

CVE-2020-1054 (2020-05-21)

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1143.

• 0xeb-bp/cve-2020-1054
• Iamgublin/CVE-2020-1054
• KaLendsi/CVE-2020-1054
• Graham382/CVE-2020-1054

CVE-2020-1066 (2020-05-21)

An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level.To exploit the vulnerability, an attacker would first have to access the local machine, and then run a malicious program.The update addresses the vulnerability by correcting how .NET Framework activates COM objects., aka '.NET Framework Elevation of Privilege Vulnerability'.

• cbwang505/CVE-2020-1066-EXP
• xyddnljydd/cve-2020-1066

CVE-2020-1102 (2020-05-21)

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1023, CVE-2020-1024.

• DanielRuf/snyk-js-jquery-565129

CVE-2020-1206 (2020-06-09)

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Information Disclosure Vulnerability'.

• jamf/CVE-2020-1206-POC
• Info-Security-Solution-Kolkata/CVE-2020-1206-Exploit
• Info-Security-Solution-Kolkata/Smbleed-CVE-2020-1206-Exploit
• datntsec/CVE-2020-1206

CVE-2020-1283 (2020-06-09)

A denial of service vulnerability exists when Windows improperly handles objects in memory, aka 'Windows Denial of Service Vulnerability'.

• RedyOpsResearchLabs/CVE-2020-1283_Windows-Denial-of-Service-Vulnerability

CVE-2020-1301 (2020-06-09)

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests, aka 'Windows SMB Remote Code Execution Vulnerability'.

• shubham0d/CVE-2020-1301

CVE-2020-1313 (2020-06-09)

An elevation of privilege vulnerability exists when the Windows Update Orchestrator Service improperly handles file operations, aka 'Windows Update Orchestrator Service Elevation of Privilege Vulnerability'.

• irsl/CVE-2020-1313

CVE-2020-1337 (2020-08-17)

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application.\nThe update addresses the vulnerability by correcting how the Windows Print Spooler Component writes to the file system.\n

• math1as/CVE-2020-1337-exploit
• VoidSec/CVE-2020-1337
• neofito/CVE-2020-1337
• sailay1996/cve-2020-1337-poc
• ZTK-009/cve-2020-1337-poc

CVE-2020-1349 (2020-07-14)

A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory, aka 'Microsoft Outlook Remote Code Execution Vulnerability'.

• 0neb1n/CVE-2020-1349

CVE-2020-1350 (2020-07-14)

A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'.

• psc4re/NSE-scripts
• ZephrFish/CVE-2020-1350_HoneyPoC
• mr-r3b00t/CVE-2020-1350
• zoomerxsec/Fake_CVE-2020-1350
• T13nn3s/CVE-2020-1350
• corelight/SIGRed
• jmaddington/dRMM-CVE-2020-1350-response
• maxpl0it/CVE-2020-1350-DoS
• captainGeech42/CVE-2020-1350
• connormcgarr/CVE-2020-1350
• graph-inc/CVE-2020-1350
• CVEmaster/CVE-2020-1350
• gdwnet/cve-2020-1350
• simeononsecurity/CVE-2020-1350-Fix

CVE-2020-1362 (2020-07-14)

An elevation of privilege vulnerability exists in the way that the Windows WalletService handles objects in memory, aka 'Windows WalletService Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1344, CVE-2020-1369.

• Q4n/CVE-2020-1362

CVE-2020-1472 (2020-08-17)

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.\nTo exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.\nMicrosoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.\nFor guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020).\nWhen the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.\n

• Tobey123/CVE-2020-1472-visualizer
• SecuraBV/CVE-2020-1472
• cube0x0/CVE-2020-1472
• dirkjanm/CVE-2020-1472
• VoidSec/CVE-2020-1472
• risksense/zerologon
• bb00/zer0dump
• 0xkami/CVE-2020-1472
• NAXG/CVE-2020-1472
• thatonesecguy/zerologon-CVE-2020-1472
• k8gege/CVE-2020-1472-EXP
• jiushill/CVE-2020-1472
• McKinnonIT/zabbix-template-CVE-2020-1472
• mstxq17/cve-2020-1472
• Fa1c0n35/CVE-2020-1472
• Fa1c0n35/SecuraBV-CVE-2020-1472
• CanciuCostin/CVE-2020-1472
• 0xcccc666/cve-2020-1472_Tool-collection
• murataydemir/CVE-2020-1472
• npocmak/CVE-2020-1472
• victim10wq3/CVE-2020-1472
• zeronetworks/zerologon
• sv3nbeast/CVE-2020-1472
• midpipps/CVE-2020-1472-Easy
• hectorgie/CVE-2020-1472
• johnpathe/zerologon-cve-2020-1472-notes
• t31m0/CVE-2020-1472
• grupooruss/CVE-2020-1472
• striveben/CVE-2020-1472
• Fa1c0n35/CVE-2020-1472-02-
• Whippet0/CVE-2020-1472
• WiIs0n/Zerologon_CVE-2020-1472
• Privia-Security/ADZero
• Ken-Abruzzi/cve-2020-1472
• rhymeswithmogul/Set-ZerologonMitigation
• shanfenglan/cve-2020-1472
• maikelnight/zerologon
• CPO-EH/CVE-2020-1472_ZeroLogonChecker
• puckiestyle/CVE-2020-1472
• mingchen-script/CVE-2020-1472-visualizer
• JayP232/The_big_Zero
• b1ack0wl/CVE-2020-1472
• SaharAttackit/CVE-2020-1472
• wrathfulDiety/zerologon
• YossiSassi/ZeroLogon-Exploitation-Check
• sho-luv/zerologon
• hell-moon/ZeroLogon-Exploit
• Udyz/Zerologon
• itssmikefm/CVE-2020-1472
• B34MR/zeroscan
• TheJoyOfHacking/SecuraBV-CVE-2020-1472
• TheJoyOfHacking/dirkjanm-CVE-2020-1472
• Anonymous-Family/Zero-day-scanning
• Anonymous-Family/CVE-2020-1472
• carlos55ml/zerologon
• Rvn0xsy/ZeroLogon
• guglia001/MassZeroLogon
• likeww/MassZeroLogon
• dr4g0n23/CVE-2020-1472
• RicYaben/CVE-2020-1472-LAB
• Akash7350/CVE-2020-1472
• c3rrberu5/ZeroLogon-to-Shell
• logg-1/0logon
• whoami-chmod777/Zerologon-Attack-CVE-2020-1472-POC
• JolynNgSC/Zerologon_CVE-2020-1472
• blackh00d/zerologon-poc
• TuanCui22/ZerologonWithImpacket-CVE2020-1472

CVE-2020-1493 (2020-08-17)

An information disclosure vulnerability exists when attaching files to Outlook messages. This vulnerability could potentially allow users to share attached files such that they are accessible by anonymous users where they should be restricted to specific users.\nTo exploit this vulnerability, an attacker would have to attach a file as a link to an email. The email could then be shared with individuals that should not have access to the files, ignoring the default organizational setting.\nThe security update addresses the vulnerability by correcting how Outlook handles file attachment links.\n

• 0neb1n/CVE-2020-1493

CVE-2020-1611 (2020-01-15)

A Local File Inclusion vulnerability in Juniper Networks Junos Space allows an attacker to view all files on the target when the device receives malicious HTTP packets. This issue affects: Juniper Networks Junos Space versions prior to 19.4R1.

• Ibonok/CVE-2020-1611

CVE-2020-1764 (2020-03-26)

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

• jpts/cve-2020-1764-poc

CVE-2020-1937 (2020-02-24)

Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.

• shanika04/apache_kylin

CVE-2020-1938 (2020-02-24)

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

• xindongzhuaizhuai/CVE-2020-1938
• sgdream/CVE-2020-1938
• nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC
• bkfish/CNVD-2020-10487-Tomcat-Ajp-lfi-Scanner
• laolisafe/CVE-2020-1938
• h7hac9/CVE-2020-1938
• sv3nbeast/CVE-2020-1938-Tomact-file_include-file_read
• fairyming/CVE-2020-1938
• dacade/CVE-2020-1938
• woaiqiukui/CVE-2020-1938TomcatAjpScanner
• fatal0/tomcat-cve-2020-1938-check
• delsadan/CNVD-2020-10487-Bulk-verification
• 00theway/Ghostcat-CNVD-2020-10487
• shaunmclernon/ghostcat-verification
• w4fz5uck5/CVE-2020-1938-Clean-Version
• whatboxapp/GhostCat-LFI-exp
• Just1ceP4rtn3r/CVE-2020-1938-Tool
• doggycheng/CNVD-2020-10487
• I-Runtime-Error/CVE-2020-1938
• Umesh2807/Ghostcat
• MateoSec/ghostcatch
• acodervic/CVE-2020-1938-MSF-MODULE
• Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat
• streghstreek/CVE-2020-1938
• Neko-chanQwQ/CVE-2020-1938
• jptr218/ghostcat
• einzbernnn/CVE-2020-1938Scan
• YounesTasra-R4z3rSw0rd/CVE-2020-1938
• tpt11fb/AttackTomcat
• Warelock/cve-2020-1938
• WHtig3r/CVE-2020-1938
• lizhianyuguangming/TomcatScanPro

CVE-2020-1947 (2020-03-11)

In Apache ShardingSphere(incubator) 4.0.0-RC3 and 4.0.0, the ShardingSphere's web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. SnakeYAML allows to unmarshal data to a Java type By using the YAML tag. Unmarshalling untrusted data can lead to security flaws of RCE.

• jas502n/CVE-2020-1947
• wsfengfan/CVE-2020-1947
• shadowsock5/ShardingSphere_CVE-2020-1947
• StarkChristmas/CVE-2020-1947

CVE-2020-1948 (2020-07-14)

This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.

• ctlyz123/CVE-2020-1948
• txrw/Dubbo-CVE-2020-1948
• M3g4Byt3/cve-2020-1948-poc
• L0kiii/Dubbo-deserialization

CVE-2020-1956 (2020-05-22)

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.

• b510/CVE-2020-1956

CVE-2020-1958 (2020-04-01)

When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user.

• ggolawski/CVE-2020-1958

CVE-2020-1967 (2020-04-21)

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).

• irsl/CVE-2020-1967

CVE-2020-1971 (2020-12-08)

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).

• MBHudson/CVE-2020-1971

CVE-2020-2023 (2020-06-10)

Kata Containers doesn't restrict containers from accessing the guest's root filesystem device. Malicious containers can exploit this to gain code execution on the guest and masquerade as the kata-agent. This issue affects Kata Containers 1.11 versions earlier than 1.11.1; Kata Containers 1.10 versions earlier than 1.10.5; and Kata Containers 1.9 and earlier versions.

• ssst0n3/kata-cve-2020-2023-poc

CVE-2020-2034 (2020-07-08)

An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect portal feature is not enabled. This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1. Prisma Access services are not impacted by this vulnerability.

• blackhatethicalhacking/CVE-2020-2034-POC

CVE-2020-2038 (2020-09-09)

An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts: PAN-OS 9.0 versions earlier than 9.0.10; PAN-OS 9.1 versions earlier than 9.1.4; PAN-OS 10.0 versions earlier than 10.0.1.

• und3sc0n0c1d0/CVE-2020-2038

CVE-2020-2333

• section-c/CVE-2020-2333

CVE-2020-2501 (2021-02-17)

A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP have already fixed this vulnerability in the following versions: Surveillance Station 5.1.5.4.3 (and later) for ARM CPU NAS (64bit OS) and x86 CPU NAS (64bit OS) Surveillance Station 5.1.5.3.3 (and later) for ARM CPU NAS (32bit OS) and x86 CPU NAS (32bit OS)

• Alonzozzz/alonzzzo

CVE-2020-2509 (2021-04-17)

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later

• jbaines-r7/overkill

CVE-2020-2546 (2020-01-15)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Application Container - JavaEE). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• hktalent/CVE_2020_2546

CVE-2020-2551 (2020-01-15)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• 0xn0ne/weblogicScanner
• jas502n/CVE-2020-2551
• hktalent/CVE-2020-2551
• Y4er/CVE-2020-2551
• zzwlpx/weblogicPoc
• Dido1960/Weblogic-CVE-2020-2551-To-Internet
• DaMinGshidashi/CVE-2020-2551
• LTiDi2000/CVE-2020-2551
• 0xAbbarhSF/CVE-Exploit

CVE-2020-2555 (2020-01-15)

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• Hu3sky/CVE-2020-2555
• wsfengfan/CVE-2020-2555
• Y4er/CVE-2020-2555
• Maskhe/cve-2020-2555
• Uvemode/CVE-2020-2555
• Qynklee/POC_CVE-2020-2555

CVE-2020-2655 (2020-01-15)

Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

• RUB-NDS/CVE-2020-2655-DemoServer

CVE-2020-2733 (2020-04-15)

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• anmolksachan/CVE-2020-2733

CVE-2020-2883 (2020-04-15)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• Y4er/CVE-2020-2883
• MagicZer0/Weblogic_CVE-2020-2883_POC
• ZZZWD/CVE-2020-2883
• Y4er/WebLogic-Shiro-shell
• FancyDoesSecurity/CVE-2020-2883
• Al1ex/CVE-2020-2883
• Qynklee/POC_CVE-2020-2883

CVE-2020-2950 (2020-04-15)

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Web General). Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• tuo4n8/CVE-2020-2950

CVE-2020-2969 (2020-07-15)

Vulnerability in the Data Pump component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Data Pump. Successful attacks of this vulnerability can result in takeover of Data Pump. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

• emad-almousa/CVE-2020-2969

CVE-2020-2978 (2020-07-15)

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

• emad-almousa/CVE-2020-2978

CVE-2020-3153 (2020-02-19)

A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges. This could include DLL pre-loading, DLL hijacking, and other related attacks. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.

• shubham0d/CVE-2020-3153
• raspberry-pie/CVE-2020-3153
• goichot/CVE-2020-3153

CVE-2020-3161 (2020-04-15)

A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.

• abood05972/CVE-2020-3161

CVE-2020-3187 (2020-05-06)

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences. An exploit could allow the attacker to view or delete arbitrary files on the targeted system. When the device is reloaded after exploitation of this vulnerability, any files that were deleted are restored. The attacker can only view and delete files within the web services file system. This file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability can not be used to obtain access to ASA or FTD system files or underlying operating system (OS) files. Reloading the affected device will restore all files within the web services file system.

• CrackerCat/CVE-2020-3187
• 1337in/CVE-2020-3187
• sujaygr8/CVE-2020-3187
• sunyyer/CVE-2020-3187-Scanlist
• Cappricio-Securities/CVE-2020-3187

CVE-2020-3433 (2020-08-17)

A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to the AnyConnect process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

• goichot/CVE-2020-3433

CVE-2020-3452 (2020-07-22)

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.

• XDev05/CVE-2020-3452-PoC
• Loneyers/cve-2020-3452
• PR3R00T/CVE-2020-3452-Cisco-Scanner
• mr-r3b00t/CVE-2020-3452
• foulenzer/CVE-2020-3452
• Gh0st0ne/http-vuln-cve2020-3452.nse
• 0x5ECF4ULT/CVE-2020-3452
• paran0id34/CVE-2020-3452
• murataydemir/CVE-2020-3452
• ludy-dev/Cisco-ASA-LFI
• 3ndG4me/CVE-2020-3452-Exploit
• grim3/CVE-2020-3452
• cygenta/CVE-2020-3452
• darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
• fuzzlove/Cisco-ASA-FTD-Web-Services-Traversal
• faisalfs10x/Cisco-CVE-2020-3452-shodan-scanner
• sujaygr8/CVE-2020-3452
• Aviksaikat/CVE-2020-3452
• Veids/CVE-2020-3452_auto
• iveresk/cve-2020-3452
• Cappricio-Securities/CVE-2020-3452

CVE-2020-3580 (2020-10-21)

Multiple vulnerabilities in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web services interface of an affected device. The vulnerabilities are due to insufficient validation of user-supplied input by the web services interface of an affected device. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive, browser-based information. Note: These vulnerabilities affect only specific AnyConnect and WebVPN configurations. For more information, see the Vulnerable Products section.

• Hudi233/CVE-2020-3580
• adarshvs/CVE-2020-3580
• cruxN3T/CVE-2020-3580
• catatonicprime/CVE-2020-3580

CVE-2020-3766 (2020-03-25)

Adobe Genuine Integrity Service versions Version 6.4 and earlier have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation.

• hessandrew/CVE-2020-3766_APSB20-12

CVE-2020-3952 (2020-04-10)

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.

• chronoloper/CVE-2020-3952
• bb33bb/CVE-2020-3952
• guardicore/vmware_vcenter_cve_2020_3952
• gelim/CVE-2020-3952
• Fa1c0n35/vmware_vcenter_cve_2020_3952

CVE-2020-3956 (2020-05-20)

VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.

• aaronsvk/CVE-2020-3956

CVE-2020-3992 (2020-10-20)

OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.

• HynekPetrak/CVE-2019-5544_CVE-2020-3992
• dgh05t/VMware_ESXI_OpenSLP_PoCs

CVE-2020-4040 (2020-06-08)

Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview. This has been fixed in Bolt 3.7.1

• jpvispo/RCE-Exploit-Bolt-3.7.0-CVE-2020-4040-4041

CVE-2020-4276 (2020-03-26)

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector. X-Force ID: 175984.

• mekoko/CVE-2020-4276

CVE-2020-4463 (2020-07-29)

IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181484.

• Ibonok/CVE-2020-4463

CVE-2020-4464 (2020-07-17)

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to execute arbitrary code on a system with a specially-crafted sequence of serialized objects over the SOAP connector. IBM X-Force ID: 181489.

• silentsignal/WebSphere-WSIF-gadget
• yonggui-li/CVE-2020-4464-and-CVE-2020-4450

CVE-2020-5014 (2021-03-08)

IBM DataPower Gateway V10 and V2018 could allow a local attacker with administrative privileges to execute arbitrary code on the system using a server-side requesr forgery attack. IBM X-Force ID: 193247.

• copethomas/datapower-redis-rce-exploit

CVE-2020-5236 (2020-02-04)

Waitress version 1.4.2 allows a DOS attack When waitress receives a header that contains invalid characters. When a header like "Bad-header: xxxxxxxxxxxxxxx\x10" is received, it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This allows an attacker to send a single request with an invalid header and take the service offline. This issue was introduced in version 1.4.2 when the regular expression was updated to attempt to match the behaviour required by errata associated with RFC7230. The regular expression that is used to validate incoming headers has been updated in version 1.4.3, it is recommended that people upgrade to the new version of Waitress as soon as possible.

• motikan2010/CVE-2020-5236

CVE-2020-5245 (2020-02-24)

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.\n\nThe issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

• LycsHub/CVE-2020-5245

CVE-2020-5248 (2020-05-12)

GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; espcially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work.

• indevi0us/CVE-2020-5248
• Mkway/CVE-2020-5248

CVE-2020-5250 (2020-03-05)

In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4.

• drkbcn/lblfixer_cve2020_5250

CVE-2020-5254 (2020-03-10)

In NetHack before 3.6.6, some out-of-bound values for the hilite_status option can be exploited. NetHack 3.6.6 resolves this issue.

• dpmdpm2/CVE-2020-5254

CVE-2020-5260 (2020-04-14)

Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.

• brompwnie/cve-2020-5260
• Asgavar/CVE-2020-5260
• sv3nbeast/CVE-2020-5260

CVE-2020-5267 (2020-03-19)

In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.

• GUI/legacy-rails-CVE-2020-5267-patch

CVE-2020-5377 (2020-07-28)

Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station.

• und3sc0n0c1d0/AFR-in-OMSA
• n3rdh4x0r/CVE-2020-5377

CVE-2020-5398 (2020-01-16)

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

• motikan2010/CVE-2020-5398

CVE-2020-5410 (2020-06-02)

Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

• dead5nd/config-demo
• osamahamad/CVE-2020-5410-POC

CVE-2020-5421 (2020-09-19)

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

• pandaMingx/CVE-2020-5421

CVE-2020-5504 (2020-01-09)

In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.

• xMohamed0/CVE-2020-5504-phpMyAdmin

CVE-2020-5752 (2020-05-21)

Relative path traversal in Druva inSync Windows Client 6.6.3 allows a local, unauthenticated attacker to execute arbitrary operating system commands with SYSTEM privileges.

• yevh/CVE-2020-5752-Druva-inSync-Windows-Client-6.6.3---Local-Privilege-Escalation-PowerShell-

CVE-2020-5837 (2020-05-11)

Symantec Endpoint Protection, prior to 14.3, may not respect file permissions when writing to log files that are replaced by symbolic links, which can lead to a potential elevation of privilege.

• RedyOpsResearchLabs/SEP-14.2-Arbitrary-Write

CVE-2020-5839 (2020-07-08)

Symantec Endpoint Detection And Response, prior to 4.4, may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data.

• nasbench/CVE-2020-5839

CVE-2020-5842 (2020-01-07)

Codoforum 4.8.3 allows XSS in the user registration page: via the username field to the index.php?u=/user/register URI. The payload is, for example, executed on the admin/index.php?page=users/manage page.

• prasanthc41m/codoforum

CVE-2020-5844 (2020-03-16)

index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.

• TheCyberGeek/CVE-2020-5844
• UNICORDev/exploit-CVE-2020-5844

CVE-2020-5902 (2020-07-01)

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

• dwisiswant0/CVE-2020-5902
• aqhmal/CVE-2020-5902-Scanner
• jas502n/CVE-2020-5902
• ar0dd/CVE-2020-5902
• yassineaboukir/CVE-2020-5902
• rwincey/CVE-2020-5902-NSE
• un4gi/CVE-2020-5902
• nsflabs/CVE-2020-5902
• yasserjanah/CVE-2020-5902
• JSec1337/RCE-CVE-2020-5902
• dunderhay/CVE-2020-5902
• r0ttenbeef/cve-2020-5902
• sv3nbeast/CVE-2020-5902_RCE
• cybersecurityworks553/scanner-CVE-2020-5902
• lijiaxing1997/CVE-2020-5902-POC-EXP
• qlkwej/poc-CVE-2020-5902
• Zinkuth/F5-BIG-IP-CVE-2020-5902
• 0xAbdullah/CVE-2020-5902
• jinnywc/CVE-2020-5902
• GoodiesHQ/F5-Patch
• jiansiting/CVE-2020-5902
• wdlid/CVE-2020-5902-fix
• Any3ite/CVE-2020-5902-F5BIG
• k3nundrum/CVE-2020-5902
• inho28/CVE-2020-5902-F5-BIGIP
• cristiano-corrado/f5_scanner
• ajdumanhug/CVE-2020-5902
• zhzyker/CVE-2020-5902
• GovindPalakkal/EvilRip
• dnerzker/CVE-2020-5902
• renanhsilva/checkvulnCVE20205902
• halencarjunior/f5scan
• deepsecurity-pe/GoF5-CVE-2020-5902
• Shu1L/CVE-2020-5902-fofa-scan
• d4rk007/F5-Big-IP-CVE-2020-5902-mass-exploiter
• TheCyberViking/CVE-2020-5902-Vuln-Checker
• MrCl0wnLab/checker-CVE-2020-5902
• qiong-qi/CVE-2020-5902-POC
• theLSA/f5-bigip-rce-cve-2020-5902
• flyopenair/CVE-2020-5902
• Al1ex/CVE-2020-5902
• freeFV/CVE-2020-5902-fofa-scan
• momika233/cve-2020-5902
• rockmelodies/CVE-2020-5902-rce-gui
• f5devcentral/cve-2020-5902-ioc-bigip-checker
• corelight/CVE-2020-5902-F5BigIP
• PushpenderIndia/CVE-2020-5902-Scanner
• murataydemir/CVE-2020-5902
• superzerosec/cve-2020-5902
• ludy-dev/BIG-IP-F5-TMUI-RCE-Vulnerability
• faisalfs10x/F5-BIG-IP-CVE-2020-5902-shodan-scanner
• haisenberg/CVE-2020-5902
• west9b/F5-BIG-IP-POC
• z3n70/CVE-2020-5902
• 34zY/APT-Backpack
• amitlttwo/CVE-2020-5902

CVE-2020-5903 (2020-07-01)

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, a Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility.

• ltvthang/CVE-2020-5903

CVE-2020-6207 (2020-03-10)

SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.

• chipik/SAP_EEM_CVE-2020-6207

CVE-2020-6286 (2020-07-14)

The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal.

• murataydemir/CVE-2020-6286

CVE-2020-6287 (2020-07-14)

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.

• chipik/SAP_RECON
• duc-nt/CVE-2020-6287-exploit
• Onapsis/CVE-2020-6287_RECON-scanner
• ynsmroztas/CVE-2020-6287-Sap-Add-User
• murataydemir/CVE-2020-6287
• qmakake/SAP_CVE-2020-6287_find_mandate
• dylvie/CVE-2020-6287_SAP-NetWeaver-bypass-auth

CVE-2020-6308 (2020-10-20)

SAP BusinessObjects Business Intelligence Platform (Web Services) versions - 410, 420, 430, allows an unauthenticated attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure and gather information for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.

• InitRoot/CVE-2020-6308-PoC
• freeFV/CVE-2020-6308-mass-exploiter
• TheMMMdev/CVE-2020-6308
• MachadoOtto/sap_bo_launchpad-ssrf-timing_attack

CVE-2020-6364 (2020-10-15)

SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7), allows an attacker to modify a cookie in a way that OS commands can be executed and potentially gain control over the host running the CA Introscope Enterprise Manager,leading to Code Injection. With this, the attacker is able to read and modify all system files and also impact system availability.

• gquere/CVE-2020-6364

CVE-2020-6418 (2020-02-27)

Type confusion in V8 in Google Chrome prior to 80.0.3987.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• ChoKyuWon/CVE-2020-6418
• Goyotan/CVE-2020-6418-PoC
• ulexec/ChromeSHELFLoader
• SivaPriyaRanganatha/CVE-2020-6418

CVE-2020-6468 (2020-05-21)

Type confusion in V8 in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• Goyotan/CVE-2020-6468-PoC
• kiks7/CVE-2020-6468-Chrome-Exploit

CVE-2020-6514 (2020-07-22)

Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a privileged network position to potentially exploit heap corruption via a crafted SCTP stream.

• hasan-khalil/CVE-2020-6514

CVE-2020-6516 (2020-07-22)

Policy bypass in CORS in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

• CENSUS/whatsapp-mitd-mitm

CVE-2020-6519 (2020-07-22)

Policy bypass in CSP in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass content security policy via a crafted HTML page.

• PerimeterX/CVE-2020-6519

CVE-2020-6650 (2020-03-23)

UPS companion software v1.05 & Prior is affected by ‘Eval Injection’ vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call e.g.”eval” in “Update Manager” class when software attempts to see if there are updates available. This results in arbitrary code execution on the machine where software is installed.

• RavSS/Eaton-UPS-Companion-Exploit

CVE-2020-6861 (2020-05-06)

A flawed protocol design in the Ledger Monero app before 1.5.1 for Ledger Nano and Ledger S devices allows a local attacker to extract the master spending key by sending crafted messages to this app selected on a PIN-entered Ledger connected to a host PC.

• ph4r05/ledger-app-monero-1.42-vuln

CVE-2020-6888

• section-c/CVE-2020-6888

CVE-2020-7048 (2020-01-16)

The WordPress plugin, WP Database Reset through 3.1, contains a flaw that allowed any unauthenticated user to reset any table in the database to the initial WordPress set-up state (deleting all site content stored in that table), as demonstrated by a wp-admin/admin-post.php?db-reset-tables[]=comments URI.

• ElmouradiAmine/CVE-2020-7048

CVE-2020-7115 (2020-06-03)

The ClearPass Policy Manager web interface is affected by a vulnerability that leads to authentication bypass. Upon successful bypass an attacker could then execute an exploit that would allow to remote command execution in the underlying operating system. Resolution: Fixed in 6.7.13-HF, 6.8.5-HF, 6.8.6, 6.9.1 and higher.

• Retr02332/CVE-2020-7115

CVE-2020-7200 (2020-12-18)

A potential security vulnerability has been identified in HPE Systems Insight Manager (SIM) version 7.6. The vulnerability could be exploited to allow remote code execution.

• alexfrancow/CVE-2020-7200

CVE-2020-7246 (2020-01-21)

A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

• j0hn30n/CVE-2020-7246
• arafatansari/SecAssignment
• pswalia2u/CVE-2020-7246

CVE-2020-7247 (2020-01-29)

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

• FiroSolutions/cve-2020-7247-exploit
• superzerosec/cve-2020-7247
• r0lh/CVE-2020-7247
• QTranspose/CVE-2020-7247-exploit
• bytescrappers/CVE-2020-7247
• f4T1H21/CVE-2020-7247
• SimonSchoeni/CVE-2020-7247-POC
• presentdaypresenttime/shai_hulud

CVE-2020-7283 (2020-07-03)

Privilege Escalation vulnerability in McAfee Total Protection (MTP) before 16.0.R26 allows local users to create and edit files via symbolic link manipulation in a location they would otherwise not have access to. This is achieved through running a malicious script or program on the target machine.

• RedyOpsResearchLabs/CVE-2020-7283-McAfee-Total-Protection-MTP-16.0.R26-EoP

CVE-2020-7352 (2020-08-06)

The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Due to the software shipping with embedded, static RSA private key, an attacker with this key material and local user permissions can effectively send any operating system command to the service for execution in this elevated context. The service listens for such commands on a locally-bound network port, localhost:9978. A Metasploit module has been published which exploits this vulnerability. This issue affects the 2.0.x branch of the software (2.0.12 and earlier) as well as the 1.2.x branch (1.2.64 and earlier). A fix was issued for the 2.0.x branch of the affected software.

• szerszen199/PS-CVE-2020-7352

CVE-2020-7378 (2020-11-24)

CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.

• ruthvikvegunta/openCRX-CVE-2020-7378

CVE-2020-7384 (2020-10-29)

Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.

• nikhil1232/CVE-2020-7384
• 0xCarsonS/CVE-2020-7384

CVE-2020-7388 (2021-07-22)

Sage X3 Unauthenticated Remote Command Execution (RCE) as SYSTEM in AdxDSrv.exe component. By editing the client side authentication request, an attacker can bypass credential validation. While exploiting this does require knowledge of the installation path, that information can be learned by exploiting CVE-2020-7387. This issue was fixed in AdxAdmin 93.2.53, which ships with updates for on-premises versions of Sage X3 including Version 9 (components shipped with Syracuse 9.22.7.2 and later), Sage X3 HR & Payroll Version 9 (those components that ship with Syracuse 9.24.1.3), Version 11 (components shipped with Syracuse 11.25.2.6 and later), and Version 12 (components shipped with Syracuse 12.10.2.8 and later) of Sage X3. Other on-premises versions of Sage X3 are unsupported by the vendor.

• ac3lives/sagex3-cve-2020-7388-poc

CVE-2020-7461 (2021-03-26)

In FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient(8) fails to handle certain malformed input related to handling of DHCP option 119 resulting a heap overflow. The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit.

• knqyf263/CVE-2020-7461
• 0xkol/freebsd-dhclient-poc

CVE-2020-7471 (2020-02-03)

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

• Saferman/CVE-2020-7471
• secoba/DjVul_StringAgg
• SNCKER/CVE-2020-7471
• Tempuss/CTF_CVE-2020-7471
• victomteng1997/cve-2020-7471-Time_Blind_SQLi-
• huzaifakhan771/CVE-2020-7471-Django
• mrlihd/CVE-2020-7471

CVE-2020-7473 (2020-05-07)

In certain situations, all versions of Citrix ShareFile StorageZones (aka storage zones) Controller, including the most recent 5.10.x releases as of May 2020, allow unauthenticated attackers to access the documents and folders of ShareFile users. NOTE: unlike most CVEs, exploitability depends on the product version that was in use when a particular setup step was performed, NOT the product version that is in use during a current assessment of a CVE consumer's product inventory. Specifically, the vulnerability can be exploited if a storage zone was created by one of these product versions: 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, or earlier. This CVE differs from CVE-2020-8982 and CVE-2020-8983 but has essentially the same risk.

• DimitriNL/CTX-CVE-2020-7473

CVE-2020-7661 (2020-06-04)

all versions of url-regex are vulnerable to Regular Expression Denial of Service. An attacker providing a very long string in String.test can cause a Denial of Service.

• spamscanner/url-regex-safe

CVE-2020-7693 (2020-07-09)

Incorrect handling of Upgrade header with the value websocket leads in crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20.

• andsnw/sockjs-dos-py

CVE-2020-7699 (2020-07-30)

This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

• hemaoqi-Tom/CVE-2020-7699_reproduce

CVE-2020-7740 (2020-10-06)

This affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a url that will be passed to an external server allowing an SSRF attack.

• CS4239-U6/node-pdf-generator-ssrf

CVE-2020-7799 (2020-01-28)

An issue was discovered in FusionAuth before 1.11.0. An authenticated user, allowed to edit e-mail templates (Home -> Settings -> Email Templates) or themes (Home -> Settings -> Themes), can execute commands on the underlying operating system by abusing freemarker.template.utility.Execute in the Apache FreeMarker engine that processes custom templates.

• Pikaqi/cve-2020-7799
• ianxtianxt/CVE-2020-7799

CVE-2020-7897

• mooneee/cve-2020-7897

CVE-2020-7931 (2020-01-23)

In JFrog Artifactory 5.x and 6.x, insecure FreeMarker template processing leads to remote code execution, e.g., by modifying a .ssh/authorized_keys file. Patches are available for various versions between 5.11.8 and 6.16.0. The issue exists because use of the DefaultObjectWrapper class makes certain Java functions accessible to a template.

• gquere/CVE-2020-7931

CVE-2020-7934 (2020-01-28)

In LifeRay Portal CE 7.1.0 through 7.2.1 GA2, the First Name, Middle Name, and Last Name fields for user accounts in MyAccountPortlet are all vulnerable to a persistent XSS issue. Any user can modify these fields with a particular XSS payload, and it will be stored in the database. The payload will then be rendered when a user utilizes the search feature to search for other users (i.e., if a user with modified fields occurs in the search results). This issue was fixed in Liferay Portal CE version 7.3.0 GA1.

• 3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934
• Sergio235705/audit-xss-cve-2020-7934

CVE-2020-7961 (2020-03-20)

Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).

• mzer0one/CVE-2020-7961-POC
• wcxxxxx/CVE-2020-7961
• thelostworldFree/CVE-2020-7961-payloads
• shacojx/LifeRCEJsonWSTool-POC-CVE-2020-7961-Gui
• shacojx/GLiferay-CVE-2020-7961-golang
• shacojx/POC-CVE-2020-7961-Token-iterate
• ShutdownRepo/CVE-2020-7961
• CrackerCat/CVE-2020-7961-Mass
• pashayogi/CVE-2020-7961-Mass
• manrop2702/CVE-2020-7961
• NMinhTrung/LIFERAY-CVE-2020-7961

CVE-2020-7980 (2020-01-25)

Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.

• Xh4H/Satellian-CVE-2020-7980

CVE-2020-8004 (2020-04-06)

STMicroelectronics STM32F1 devices have Incorrect Access Control.

• wuxx/CVE-2020-8004

CVE-2020-8012 (2020-02-18)

CA Unified Infrastructure Management (Nimsoft/UIM) 20.1, 20.3.x, and 9.20 and below contains a buffer overflow vulnerability in the robot (controller) component. A remote attacker can execute arbitrary code.

• wetw0rk/Exploit-Development

CVE-2020-8103 (2020-06-05)

A vulnerability in the improper handling of symbolic links in Bitdefender Antivirus Free can allow an unprivileged user to substitute a quarantined file, and restore it to a privileged location. This issue affects Bitdefender Antivirus Free versions prior to 1.0.17.178.

• RedyOpsResearchLabs/-CVE-2020-8103-Bitdefender-Antivirus-Free-EoP

CVE-2020-8163 (2020-07-02)

The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the locals argument of a render call to perform a RCE.

• lucasallan/CVE-2020-8163
• h4ms1k/CVE-2020-8163
• RedPhantomRoot/CVE-2020-8163

CVE-2020-8165 (2020-06-19)

A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.

• masahiro331/CVE-2020-8165
• umiterkol/CVE-2020-8165--Auto-Shell
• taipansec/CVE-2020-8165
• hybryx/CVE-2020-8165
• AssassinUKG/CVE-2020-8165
• progfay/CVE-2020-8165
• danielklim/cve-2020-8165-demo

CVE-2020-8175 (2020-07-24)

Uncontrolled resource consumption in jpeg-js before 0.4.0 may allow attacker to launch denial of service attacks using specially a crafted JPEG image.

• knokbak/get-pixels-updated
• knokbak/save-pixels-updated

CVE-2020-8193 (2020-07-10)

Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.

• jas502n/CVE-2020-8193
• Airboi/Citrix-ADC-RCE-CVE-2020-8193
• Zeop-CyberSec/citrix_adc_netscaler_lfi
• PR3R00T/CVE-2020-8193-Citrix-Scanner
• ctlyz123/CVE-2020-8193

CVE-2020-8209 (2020-08-17)

Improper access control in Citrix XenMobile Server 10.12 before RP2, Citrix XenMobile Server 10.11 before RP4, Citrix XenMobile Server 10.10 before RP6 and Citrix XenMobile Server before 10.9 RP5 and leads to the ability to read arbitrary files.

• B1anda0/CVE-2020-8209

CVE-2020-8218 (2020-07-30)

A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface.

• withdk/pulse-gosecure-rce-poc

CVE-2020-8241 (2020-10-28)

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 could allow the attacker to perform a MITM Attack if end users are convinced to connect to a malicious server.

• withdk/pulse-secure-vpn-mitm-research

CVE-2020-8248 (2020-10-28)

A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege.

• mbadanoiu/CVE-2020-8248

CVE-2020-8249 (2020-10-28)

A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to perform buffer overflow.

• mbadanoiu/CVE-2020-8249

CVE-2020-8250 (2020-10-28)

A vulnerability in the Pulse Secure Desktop Client (Linux) < 9.1R9 could allow local attackers to escalate privilege.

• mbadanoiu/CVE-2020-8250

CVE-2020-8254 (2020-10-28)

A vulnerability in the Pulse Secure Desktop Client < 9.1R9 has Remote Code Execution (RCE) if users can be convinced to connect to a malicious server. This vulnerability only affects Windows PDC.To improve the security of connections between Pulse clients and Pulse Connect Secure, see below recommendation(s):Disable Dynamic certificate trust for PDC.

• mbadanoiu/CVE-2020-8254

CVE-2020-8277 (2020-11-19)

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.

• masahiro331/CVE-2020-8277
• AndrewIjano/CVE-2020-8277

CVE-2020-8287 (2021-01-06)

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

• progfay/nodejs-http-transfer-encoding-smuggling-poc

CVE-2020-8289 (2020-12-27)

Backblaze for Windows before 7.0.1.433 and Backblaze for macOS before 7.0.1.434 suffer from improper certificate validation in bztransmit helper due to hardcoded whitelist of strings in URLs where validation is disabled leading to possible remote code execution via client update functionality.

• geffner/CVE-2020-8289

CVE-2020-8290 (2020-12-27)

Backblaze for Windows and Backblaze for macOS before 7.0.0.439 suffer from improper privilege management in bztransmit helper due to lack of permission handling and validation before creation of client update directories allowing for local escalation of privilege via rogue client update binary.

• geffner/CVE-2020-8290

CVE-2020-8300 (2021-06-16)

Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must be configured as a SAML SP or a SAML IdP for this to be possible.

• stuartcarroll/CitrixADC-CVE-2020-8300

CVE-2020-8321 (2020-06-09)

A potential vulnerability in the SMI callback function used in the System Lock Preinstallation driver in some Lenovo Notebook and ThinkStation models may allow arbitrary code execution.

• SatheeshGitHub575/external_curl_CVE-2020-8321

CVE-2020-8417 (2020-01-28)

The Code Snippets plugin before 2.14.0 for WordPress allows CSRF because of the lack of a Referer check on the import menu.

• vulncrate/wp-codesnippets-cve-2020-8417
• waleweewe12/CVE-2020-8417
• Rapidsafeguard/codesnippets_CVE-2020-8417
• Vulnmachines/WordPress_CVE-2020-8417

CVE-2020-8423 (2020-04-02)

A buffer overflow in the httpd daemon on TP-Link TL-WR841N V10 (firmware version 3.16.9) devices allows an authenticated remote attacker to execute arbitrary code via a GET request to the page for the configuration of the Wi-Fi network.

• lnversed/CVE-2020-8423

CVE-2020-8437 (2020-03-02)

The bencoding parser in BitTorrent uTorrent through 3.5.5 (build 45505) misparses nested bencoded dictionaries, which allows a remote attacker to cause a denial of service.

• mavlevin/uTorrent-CVE-2020-8437

CVE-2020-8515 (2020-02-01)

DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.

• imjdl/CVE-2020-8515-PoC
• truerandom/nmap_draytek_rce
• darrenmartyn/CVE-2020-8515

CVE-2020-8554 (2021-01-21)

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

• rancher/externalip-webhook
• jrmurray000/CVE-2020-8554
• twistlock/k8s-cve-2020-8554-mitigations
• Dviejopomata/CVE-2020-8554
• alebedev87/gatekeeper-cve-2020-8554

CVE-2020-8558 (2020-07-27)

The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running on the same node as the service.

• tabbysable/POC-2020-8558
• rhysemmas/martian-packets

CVE-2020-8559 (2020-07-22)

The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

• tabbysable/POC-2020-8559
• tdwyer/CVE-2020-8559

CVE-2020-8597 (2020-02-03)

eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.

• dointisme/CVE-2020-8597
• WinMin/CVE-2020-8597
• Dilan-Diaz/Point-to-Point-Protocol-Daemon-RCE-Vulnerability-CVE-2020-8597-
• lakwsh/CVE-2020-8597

CVE-2020-8617 (2020-05-19)

Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.

• knqyf263/CVE-2020-8617
• gothburz/cve-2020-8617

CVE-2020-8635 (2020-03-06)

Wing FTP Server v6.2.3 for Linux, macOS, and Solaris sets insecure permissions on installation directories and configuration files. This allows local users to arbitrarily create FTP users with full privileges, and escalate privileges within the operating system by modifying system files.

• Al1ex/CVE-2020-8635

CVE-2020-8637 (2020-04-03)

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes.php via the node_id parameter.

• DXY0411/CVE-2020-8637

CVE-2020-8644 (2020-02-05)

PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.

• H3rm1tR3b0rn/CVE-2020-8644-PlaySMS-1.4

CVE-2020-8809 (2020-02-25)

Gurux GXDLMS Director prior to 8.5.1905.1301 downloads updates to add-ins and OBIS code over an unencrypted HTTP connection. A man-in-the-middle attacker can prompt the user to download updates by modifying the contents of gurux.fi/obis/files.xml and gurux.fi/updates/updates.xml. Then, the attacker can modify the contents of downloaded files. In the case of add-ins (if the user is using those), this will lead to code execution. In case of OBIS codes (which the user is always using as they are needed to communicate with the energy meters), this can lead to code execution when combined with CVE-2020-8810.

• seqred-s-a/gxdlmsdirector-cve

CVE-2020-8813 (2020-02-22)

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

• mhaskar/CVE-2020-8813
• 0xm4ud/Cacti-CVE-2020-8813
• hexcowboy/CVE-2020-8813
• p0dalirius/CVE-2020-8813-Cacti-RCE-in-graph_realtime

CVE-2020-8816 (2020-05-29)

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.

• AndreyRainchik/CVE-2020-8816
• martinsohn/CVE-2020-8816
• cybervaca/CVE-2020-8816
• team0se7en/CVE-2020-8816

CVE-2020-8825 (2020-02-10)

index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows stored XSS.

• hacky1997/CVE-2020-8825

CVE-2020-8835 (2020-04-02)

In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)

• Prabhashaka/Exploitation-CVE-2020-8835
• snappyJack/Rick_write_exp_CVE-2020-8835
• zilong3033/CVE-2020-8835
• SplendidSky/CVE-2020-8835
• digamma-ai/CVE-2020-8835-verification

CVE-2020-8840 (2020-02-10)

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

• jas502n/jackson-CVE-2020-8840
• Wfzsec/FastJson1.2.62-RCE
• fairyming/CVE-2020-8840
• Blyth0He/CVE-2020-8840
• Veraxy00/CVE-2020-8840
• dpredrag/CVE-2020-8840

CVE-2020-8888

• SnipJoe/CVE-2020-8888

CVE-2020-8950 (2020-02-12)

The AUEPLauncher service in Radeon AMD User Experience Program Launcher through 1.0.0.1 on Windows allows elevation of privilege by placing a crafted file in %PROGRAMDATA%\AMD\PPC\upload and then creating a symbolic link in %PROGRAMDATA%\AMD\PPC\temp that points to an arbitrary folder with an arbitrary file name.

• sailay1996/amd_eop_poc

CVE-2020-8958 (2020-07-15)

Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field.

• qurbat/CVE-2020-8958
• Asjidkalam/CVE-2020-8958

CVE-2020-9006 (2020-02-17)

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on Wordpress instances. (This issue has been fixed in the 3.x branch of popup-builder.)

• s3rgeym/cve-2020-9006

CVE-2020-9008 (2020-02-25)

Stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/PeopleTool v9.1 allows users to inject arbitrary web script via the Tile widget in the People Tool profile editor.

• kyletimmermans/blackboard-xss

CVE-2020-9038 (2020-02-17)

Joplin through 1.0.184 allows Arbitrary File Read via XSS.

• JavierOlmedo/CVE-2020-9038

CVE-2020-9047 (2020-06-26)

A vulnerability exists that could allow the execution of unauthorized code or operating system commands on systems running exacqVision Web Service versions 20.06.3.0 and prior and exacqVision Enterprise Manager versions 20.06.4.0 and prior. An attacker with administrative privileges could potentially download and run a malicious executable that could allow OS command injection on the system.

• norrismw/CVE-2020-9047

CVE-2020-9054 (2020-03-04)

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2

• darrenmartyn/CVE-2020-9054

CVE-2020-9273 (2020-02-20)

In ProFTPD 1.3.7, it is possible to corrupt the memory pool by interrupting the data transfer channel. This triggers a use-after-free in alloc_pool in pool.c, and possible remote code execution.

• ptef/CVE-2020-9273

CVE-2020-9283 (2020-02-20)

golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

• brompwnie/CVE-2020-9283

CVE-2020-9289 (2020-06-16)

Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiManager 6.2.3 and below, FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key.

• synacktiv/CVE-2020-9289

CVE-2020-9332 (2020-06-17)

ftusbbus2.sys in FabulaTech USB for Remote Desktop through 2020-02-19 allows privilege escalation via crafted IoCtl code related to a USB HID device.

• Sentinel-One/CVE-2020-9332

CVE-2020-9375 (2020-03-25)

TP-Link Archer C50 V3 devices before Build 200318 Rel. 62209 allows remote attackers to cause a denial of service via a crafted HTTP Header containing an unexpected Referer field.

• thewhiteh4t/cve-2020-9375

CVE-2020-9376 (2020-07-09)

D-Link DIR-610 devices allow Information Disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

• renatoalencar/dlink-dir610-exploits

CVE-2020-9380 (2020-03-05)

IPTV Smarters WEB TV PLAYER through 2020-02-22 allows attackers to execute OS commands by uploading a script.

• migueltarga/CVE-2020-9380

CVE-2020-9442 (2020-02-28)

OpenVPN Connect 3.1.0.361 on Windows has Insecure Permissions for %PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10, which allows local users to gain privileges by copying a malicious drvstore.dll there.

• hessandrew/CVE-2020-9442

CVE-2020-9460 (2020-04-14)

Octech Oempro 4.7 through 4.11 allow XSS by an authenticated user. The parameter CampaignName in Campaign.Create is vulnerable.

• g-rubert/CVE-2020-9460

CVE-2020-9461 (2020-04-14)

Octech Oempro 4.7 through 4.11 allow stored XSS by an authenticated user. The FolderName parameter of the Media.CreateFolder command is vulnerable.

• g-rubert/CVE-2020-9461

CVE-2020-9470 (2020-03-07)

An issue was discovered in Wing FTP Server 6.2.5 before February 2020. Due to insecure permissions when handling session cookies, a local user may view the contents of the session and session_admin directories, which expose active session cookies within the Wing FTP HTTP interface and administration panel. These cookies may be used to hijack user and administrative sessions, including the ability to execute Lua commands as root within the administration panel.

• Al1ex/CVE-2020-9470

CVE-2020-9472 (2020-03-16)

Umbraco CMS 8.5.3 allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality.

• john-dooe/CVE-2020-9472

CVE-2020-9480 (2020-06-23)

In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

• XiaoShaYu617/CVE-2020-9480

CVE-2020-9483 (2020-06-30)

Resolved When use H2/MySQL/TiDB as Apache SkyWalking storage, the metadata query through GraphQL protocol, there is a SQL injection vulnerability, which allows to access unpexcted data. Apache SkyWalking 6.0.0 to 6.6.0, 7.0.0 H2/MySQL/TiDB storage implementations don't use the appropriate way to set SQL parameters.

• shanika04/apache_skywalking
• Neko-chanQwQ/CVE-2020-9483

CVE-2020-9484 (2020-05-20)

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

• threedr3am/tomcat-cluster-session-sync-exp
• masahiro331/CVE-2020-9484
• seanachao/CVE-2020-9484
• IdealDreamLast/CVE-2020-9484
• qerogram/CVE-2020-9484
• osamahamad/CVE-2020-9484-Mass-Scan
• anjai94/CVE-2020-9484-exploit
• PenTestical/CVE-2020-9484
• DanQMoo/CVE-2020-9484-Scanner
• AssassinUKG/CVE-2020-9484
• VICXOR/CVE-2020-9484
• DXY0411/CVE-2020-9484
• RepublicR0K/CVE-2020-9484
• ColdFusionX/CVE-2020-9484
• d3fudd/CVE-2020-9484_Exploit
• 0dayCTF/CVE-2020-9484
• Disturbante/CVE-2020-9484
• savsch/PoC_CVE-2020-9484

CVE-2020-9495 (2020-06-19)

Apache Archiva login service before 2.2.5 is vulnerable to LDAP injection. A attacker is able to retrieve user attribute data from the connected LDAP server by providing special values to the login form. With certain characters it is possible to modify the LDAP filter used to query the LDAP users. By measuring the response time for the login request, arbitrary attribute data can be retrieved from LDAP user objects.

• ggolawski/CVE-2020-9495

CVE-2020-9496 (2020-07-15)

XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03

• dwisiswant0/CVE-2020-9496
• Vulnmachines/apache-ofbiz-CVE-2020-9496
• g33xter/CVE-2020-9496
• cyber-niz/CVE-2020-9496
• yuaneuro/ofbiz-poc
• ambalabanov/CVE-2020-9496
• s4dbrd/CVE-2020-9496
• Ly0nt4r/CVE-2020-9496

CVE-2020-9547 (2020-03-02)

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

• fairyming/CVE-2020-9547

CVE-2020-9548 (2020-03-02)

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

• fairyming/CVE-2020-9548

CVE-2020-9715 (2020-08-19)

Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution .

• lsw29475/CVE-2020-9715
• wonjunchun/CVE-2020-9715

CVE-2020-9758 (2020-03-09)

An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (Helpdesk). A blind JavaScript injection lies in the name parameter. Triggering this can fetch the username and passwords of the helpdesk employees in the URI. This leads to a privilege escalation, from unauthenticated to user-level access, leading to full account takeover. The attack fetches multiple credentials because they are stored in the database (stored XSS). This affects the mobile/chat URI via the lgn and psswrd parameters.

• ari034/CVE-2020-9758

CVE-2020-9767 (2020-08-14)

A vulnerability related to Dynamic-link Library (“DLL”) loading in the Zoom Sharing Service would allow an attacker who had local access to a machine on which the service was running with elevated privileges to elevate their system privileges as well through use of a malicious DLL. Zoom addressed this issue, which only applies to Windows users, in the 5.0.4 client release.

• shubham0d/Zoom-dll-hijacking

CVE-2020-9802 (2020-06-09)

A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.5 and iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. Processing maliciously crafted web content may lead to arbitrary code execution.

• khcujw/CVE-2020-9802

CVE-2020-9922 (2020-12-08)

A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra. Processing a maliciously crafted email may lead to writing arbitrary files.

• Wowfunhappy/Fix-Apple-Mail-CVE-2020-9922

CVE-2020-9934 (2020-10-16)

An issue existed in the handling of environment variables. This issue was addressed with improved validation. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6. A local user may be able to view sensitive user information.

• mattshockl/CVE-2020-9934

CVE-2020-9992 (2020-10-16)

This issue was addressed by encrypting communications over the network to devices running iOS 14, iPadOS 14, tvOS 14, and watchOS 7. This issue is fixed in iOS 14.0 and iPadOS 14.0, Xcode 12.0. An attacker in a privileged network position may be able to execute arbitrary code on a paired device during a debug session over the network.

• c0ntextomy/c0ntextomy

CVE-2020-10128 (2023-09-05)

SearchBlox product with version before 9.2.1 is vulnerable to stored cross-site scripting at multiple user input parameters. In SearchBlox products multiple parameters are not sanitized/validate properly which allows an attacker to inject malicious JavaScript.

• InfoSec4Fun/CVE-2020-10128

CVE-2020-10129 (2023-09-06)

SearchBlox before Version 9.2.1 is vulnerable to Privileged Escalation-Lower user is able to access Admin functionality.

• InfoSec4Fun/CVE-2020-10129

CVE-2020-10130 (2023-09-06)

SearchBlox before Version 9.1 is vulnerable to business logic bypass where the user is able to create multiple super admin users in the system.

• InfoSec4Fun/CVE-2020-10130

CVE-2020-10131 (2023-09-06)

SearchBlox before Version 9.2.1 is vulnerable to CSV macro injection in "Featured Results" parameter.

• InfoSec4Fun/CVE-2020-10131

CVE-2020-10132 (2023-09-06)

SearchBlox before Version 9.1 is vulnerable to cross-origin resource sharing misconfiguration.

• InfoSec4Fun/CVE-2020-10132

CVE-2020-10135 (2020-05-19)

Legacy pairing and secure-connections pairing authentication in Bluetooth BR/EDR Core Specification v5.2 and earlier may allow an unauthenticated user to complete authentication without pairing credentials via adjacent access. An unauthenticated, adjacent attacker could impersonate a Bluetooth BR/EDR master or slave to pair with a previously paired remote device to successfully complete the authentication procedure without knowing the link key.

• m4rm0k/CVE-2020-10135-BIAS

CVE-2020-10148 (2020-12-29)

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

• rdoix/CVE-2020-10148-Solarwinds-Orion
• B1anda0/CVE-2020-10148

CVE-2020-10189 (2020-03-06)

Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.

• zavke/CVE-2020-10189-ManageEngine

CVE-2020-10199 (2020-04-01)

Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).

• wsfengfan/CVE-2020-10199-10204
• jas502n/CVE-2020-10199
• magicming200/CVE-2020-10199_CVE-2020-10204
• zhzyker/CVE-2020-10199_POC-EXP
• aleenzz/CVE-2020-10199
• hugosg97/CVE-2020-10199-Nexus-3.21.01

CVE-2020-10204 (2020-04-01)

Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution.

• zhzyker/CVE-2020-10204

CVE-2020-10238 (2020-03-16)

An issue was discovered in Joomla! before 3.9.16. Various actions in com_templates lack the required ACL checks, leading to various potential attack vectors.

• HoangKien1020/CVE-2020-10238

CVE-2020-10239 (2020-03-16)

An issue was discovered in Joomla! before 3.9.16. Incorrect Access Control in the SQL fieldtype of com_fields allows access for non-superadmin users.

• HoangKien1020/CVE-2020-10239

CVE-2020-10551 (2020-04-09)

QQBrowser before 10.5.3870.400 installs a Windows service TsService.exe. This file is writable by anyone belonging to the NT AUTHORITY\Authenticated Users group, which includes all local and remote users. This can be abused by local attackers to escalate privileges to NT AUTHORITY\SYSTEM by writing a malicious executable to the location of TsService.

• seqred-s-a/CVE-2020-10551

CVE-2020-10558 (2020-03-20)

The driving interface of Tesla Model 3 vehicles in any release before 2020.4.10 allows Denial of Service to occur due to improper process separation, which allows attackers to disable the speedometer, web browser, climate controls, turn signal visual and sounds, navigation, autopilot notifications, along with other miscellaneous functions from the main screen.

• nullze/CVE-2020-10558
• AmazingOut/Tesla-CVE-2020-10558

CVE-2020-10560 (2020-03-30)

An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserver. This can lead to further compromise. The attacker must conduct a brute-force attack against the SiteKey to insert into a crafted URL for components/OssnComments/ossn_com.php and/or libraries/ossn.lib.upgrade.php.

• alex-seymour/CVE-2020-10560-Key-Recovery
• kevthehermit/CVE-2020-10560

CVE-2020-10596 (2020-03-17)

OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section.

• miguelc49/CVE-2020-10596-2
• miguelc49/CVE-2020-10596-1

CVE-2020-10663 (2020-04-28)

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

• rails-lts/json_cve_2020_10663

CVE-2020-10665 (2020-03-18)

Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnostics with Administrator privileges, leading to arbitrary DACL permissions overwrites and arbitrary file writes. This affects Docker Desktop Enterprise before 2.1.0.9, Docker Desktop for Windows Stable before 2.2.0.4, and Docker Desktop for Windows Edge before 2.2.2.0.

• spaceraccoon/CVE-2020-10665

CVE-2020-10673 (2020-03-18)

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

• harry1080/CVE-2020-10673
• Al1ex/CVE-2020-10673

CVE-2020-10713 (2020-07-30)

A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

• eclypsium/BootHole

CVE-2020-10749 (2020-06-03)

A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.

• knqyf263/CVE-2020-10749

CVE-2020-10757 (2020-06-09)

A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.

• ShaikUsaf/linux-4.19.72_CVE-2020-10757

CVE-2020-10759 (2020-09-15)

A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity.

• justinsteven/CVE-2020-10759-poc

CVE-2020-10770 (2020-12-15)

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

• ColdFusionX/Keycloak-12.0.1-CVE-2020-10770

CVE-2020-10882 (2020-03-25)

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9650.

• lnversed/CVE-2020-10882

CVE-2020-10915 (2020-04-22)

This vulnerability allows remote attackers to execute arbitrary code on affected installations of VEEAM One Agent 9.5.4.4587. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HandshakeResult method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-10401.

• Cinnamon1212/Modified-CVE-2020-10915-MsfModule

CVE-2020-10963 (2020-03-25)

FrozenNode Laravel-Administrator through 5.0.12 allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has the .php extension. NOTE: this product is discontinued.

• scopion/CVE-2020-10963

CVE-2020-10977 (2020-04-08)

GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects.

• KooroshRZ/CVE-2020-10977
• thewhiteh4t/cve-2020-10977
• JustMichi/CVE-2020-10977.py
• erk3/gitlab-12.9.0-file-read
• possib1e/cve-2020-10977
• liath/CVE-2020-10977
• lisp3r/cve-2020-10977-read-and-execute
• vandycknick/gitlab-cve-2020-10977

CVE-2020-11019 (2020-05-29)

In FreeRDP less than or equal to 2.0.0, when running with logger set to "WLOG_TRACE", a possible crash of application could occur due to a read of an invalid array index. Data could be printed as string to local terminal. This has been fixed in 2.1.0.

• Lixterclarixe/CVE-2020-11019

CVE-2020-11022 (2020-04-29)

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

• 0xAJ2K/CVE-2020-11022-CVE-2020-11023
• Snorlyd/https-nj.gov---CVE-2020-11022

CVE-2020-11023 (2020-04-29)

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

• Snorlyd/https-nj.gov---CVE-2020-11023
• Cybernegro/CVE-2020-11023
• andreassundstrom/cve-2020-11023-demonstration

CVE-2020-11060 (2020-05-12)

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

• 0xdreadnaught/cve-2020-11060-poc

CVE-2020-11076 (2020-05-22)

In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.

• dentarg/cougar

CVE-2020-11107 (2020-04-02)

An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16 , and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-contol.ini for all users (including admins) to enable arbitrary command execution.

• S1lkys/CVE-2020-11107
• andripwn/CVE-2020-11107

CVE-2020-11108 (2020-05-11)

The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.

• Frichetten/CVE-2020-11108-PoC

CVE-2020-11110 (2020-07-27)

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

• AVE-Stoik/CVE-2020-11110-Proof-of-Concept

CVE-2020-11113 (2020-03-31)

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

• Al1ex/CVE-2020-11113

CVE-2020-11179 (2021-01-21)

Arbitrary read and write to kernel addresses by temporarily overwriting ring buffer pointer and creating a race condition. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

• sparrow-labz/CVE-2020-11179-Adreno-Qualcomm-GPU

CVE-2020-11444 (2020-04-02)

Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has Incorrect Access Control.

• zhzyker/CVE-2020-11444
• CN016/Nexus-Repository-Manager-3-CVE-2020-11444-

CVE-2020-11492 (2020-06-05)

An issue was discovered in Docker Desktop through 2.2.0.5 on Windows. If a local attacker sets up their own named pipe prior to starting Docker with the same name, this attacker can intercept a connection attempt from Docker Service (which runs as SYSTEM), and then impersonate their privileges.

• CrackerCat/CVE-2020-11492

CVE-2020-11493 (2020-09-04)

In Foxit Reader and PhantomPDF before 10.0.1, and PhantomPDF before 9.7.3, attackers can obtain sensitive information about an uninitialized object because of direct transformation from PDF Object to Stream without concern for a crafted XObject.

• fengjixuchui/CVE-2020-11493

CVE-2020-11519 (2020-06-22)

The SDDisk2k.sys driver of WinMagic SecureDoc v8.5 and earlier allows local users to read or write to physical disc sectors via a \.\SecureDocDevice handle. Exploiting this vulnerability results in privileged code execution.

• patois/winmagic_sd

CVE-2020-11539 (2020-04-22)

An issue was discovered on Tata Sonata Smart SF Rush 1.12 devices. It has been identified that the smart band has no pairing (mode 0 Bluetooth LE security level) The data being transmitted over the air is not encrypted. Adding to this, the data being sent to the smart band doesn't have any authentication or signature verification. Thus, any attacker can control a parameter of the device.

• the-girl-who-lived/CVE-2020-11539

CVE-2020-11546 (2020-07-14)

SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection.

• Official-BlackHat13/CVE-2020-11546
• damit5/CVE-2020-11546

CVE-2020-11547 (2020-04-04)

PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.

• ch-rigu/CVE-2020-11547--PRTG-Network-Monitor-Information-Disclosure

CVE-2020-11579 (2020-09-03)

An issue was discovered in Chadha PHPKB 9.0 Enterprise Edition. installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before 7.2.16, or on hosts where the MySQL ALLOW LOCAL DATA INFILE option is enabled.

• ShielderSec/CVE-2020-11579

CVE-2020-11650 (2020-04-08)

An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before 11.2-u8 and 11.3 before 11.3-U1. It allows a denial of service. The login authentication component has no limits on the length of an authentication message or the rate at which such messages are sent.

• weinull/CVE-2020-11650

CVE-2020-11651 (2020-04-30)

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.

• chef-cft/salt-vulnerabilities
• rossengeorgiev/salt-security-backports
• dozernz/cve-2020-11651
• 0xc0d/CVE-2020-11651
• jasperla/CVE-2020-11651-poc
• bravery9/SaltStack-Exp
• kevthehermit/CVE-2020-11651
• lovelyjuice/cve-2020-11651-exp-plus
• ssrsec/CVE-2020-11651-CVE-2020-11652-EXP
• RakhithJK/CVE-2020-11651
• appcheck-ng/salt-rce-scanner-CVE-2020-11651-CVE-2020-11652
• hardsoftsecurity/CVE-2020-11651-PoC

CVE-2020-11652 (2020-04-30)

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

• fanjq99/CVE-2020-11652
• Al1ex/CVE-2020-11652
• limon768/CVE-2020-11652-POC

CVE-2020-11738 (2020-04-13)

The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.

• raghu66669999/wordpress-snapcreek

CVE-2020-11794

• w4cky/CVE-2020-11794

CVE-2020-11819 (2020-04-16)

In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.

• danyx07/PoC-RCE-Rukovoditel

CVE-2020-11851 (2020-11-17)

Arbitrary code execution vulnerability on Micro Focus ArcSight Logger product, affecting all version prior to 7.1.1. The vulnerability could be remotely exploited resulting in the execution of arbitrary code.

• ch1nghz/CVE-2020-11851

CVE-2020-11881 (2020-09-14)

An array index error in MikroTik RouterOS 6.41.3 through 6.46.5, and 7.x through 7.0 Beta5, allows an unauthenticated remote attacker to crash the SMB server via modified setup-request packets, aka SUP-12964.

• botlabsDev/CVE-2020-11881

CVE-2020-11883 (2020-04-17)

In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace, with absolute file paths and Node.js module names.

• 0ndras3k/CVE-2020-11883

CVE-2020-11890 (2020-04-21)

An issue was discovered in Joomla! before 3.9.17. Improper input validations in the usergroup table class could lead to a broken ACL configuration.

• HoangKien1020/CVE-2020-11890

CVE-2020-11896 (2020-06-17)

The Treck TCP/IP stack before 6.0.1.66 allows Remote Code Execution, related to IPv4 tunneling.

• Fans0n-Fan/Treck20-Related
• 0xkol/ripple20-digi-connect-exploit

CVE-2020-11898 (2020-06-17)

The Treck TCP/IP stack before 6.0.1.66 improperly handles an IPv4/ICMPv4 Length Parameter Inconsistency, which might allow remote attackers to trigger an information leak.

• scamwork/POC_CVE-2020-11898

CVE-2020-11932 (2020-05-13)

It was discovered that the Subiquity installer for Ubuntu Server logged the LUKS full disk encryption password if one was entered.

• ProjectorBUg/CVE-2020-11932
• Staubgeborener/CVE-2020-11932
• code-developers/CVE-2020-11932

CVE-2020-11975 (2020-06-05)

Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.

• 1135/unomi_exploit

CVE-2020-11978 (2020-07-16)

An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

• pberba/CVE-2020-11978

CVE-2020-11989 (2020-06-22)

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

• HYWZ36/HYWZ36-CVE-2020-11989-code

CVE-2020-11990 (2020-12-01)

We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications. An attacker who could install (or lead the victim to install) a specially crafted (or malicious) Android application would be able to access pictures taken with the app externally.

• forse01/CVE-2020-11990-Cordova

CVE-2020-11996 (2020-06-26)

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

• rusakovichma/tomcat-embed-core-9.0.31-CVE-2020-11996

CVE-2020-12077 (2020-04-23)

The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution.

• RandomRobbieBF/CVE-2020-12077

CVE-2020-12078 (2020-04-28)

An issue was discovered in Open-AudIT 3.3.1. There is shell metacharacter injection via attributes to an open-audit/configuration/ URI. An attacker can exploit this by adding an excluded IP address to the global discovery settings (internally called exclude_ip). This exclude_ip value is passed to the exec function in the discoveries_helper.php file (inside the all_ip_list function) without being filtered, which means that the attacker can provide a payload instead of a valid IP address.

• mhaskar/CVE-2020-12078
• 84KaliPleXon3/CVE-2020-12078

CVE-2020-12112 (2020-04-23)

BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.

• tchenu/CVE-2020-12112

CVE-2020-12116 (2020-05-07)

Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.

• BeetleChunks/CVE-2020-12116

CVE-2020-12124 (2020-10-02)

A remote command-line injection vulnerability in the /cgi-bin/live_api.cgi endpoint of the WAVLINK WN530H4 M30H4.V5030.190403 allows an attacker to execute arbitrary Linux commands as root without authentication.

• db44k/CVE-2020-12124
• Scorpion-Security-Labs/CVE-2020-12124

CVE-2020-12255 (2020-05-18)

rConfig 3.9.4 is vulnerable to remote code execution due to improper validation in the file upload functionality. vendor.crud.php accepts a file upload by checking content-type without considering the file extension and header. Thus, an attacker can exploit this by uploading a .php file to vendor.php that contains arbitrary PHP code and changing the content-type to image/gif.

• vishwaraj101/CVE-2020-12255

CVE-2020-12351 (2020-11-23)

Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

• naren-jayram/Linux-Heap-Based-Type-Confusion-in-L2CAP

CVE-2020-12432 (2020-07-21)

The WOPI API integration for Vereign Collabora CODE through 4.2.2 does not properly restrict delivery of JavaScript to a victim's browser, and lacks proper MIME type access control, which could lead to XSS that steals account credentials via cookies or local storage. The attacker must first obtain an API access token, which can be accomplished if the attacker is able to upload a .docx or .odt file. The associated API endpoints for exploitation are /wopi/files and /wopi/getAccessToken.

• d7x/CVE-2020-12432

CVE-2020-12593 (2020-11-18)

Symantec Endpoint Detection & Response, prior to 4.5, may be susceptible to an information disclosure issue, which is a type of vulnerability that could potentially allow unauthorized access to data.

• nasbench/CVE-2020-12593

CVE-2020-12625 (2020-05-04)

An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.

• mbadanoiu/CVE-2020-12625

CVE-2020-12629 (2020-05-04)

include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA Name.

• mkelepce/CVE-2020-12629

CVE-2020-12640 (2020-05-04)

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.

• mbadanoiu/CVE-2020-12640

CVE-2020-12641 (2020-05-04)

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

• mbadanoiu/CVE-2020-12641
• mbadanoiu/MAL-004

CVE-2020-12688

• TheCyberGeek/Centreon-20.04

CVE-2020-12695 (2020-06-08)

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

• yunuscadirci/CallStranger
• corelight/callstranger-detector

CVE-2020-12696 (2020-05-07)

The iframe plugin before 4.5 for WordPress does not sanitize a URL.

• g-rubert/CVE-2020-12696

CVE-2020-12702 (2021-02-24)

Weak encryption in the Quick Pairing mode in the eWeLink mobile application (Android application V4.9.2 and earlier, iOS application V4.9.1 and earlier) allows physically proximate attackers to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the Wi-Fi spectrum during the pairing process.

• salgio/ESPTouchCatcher
• salgio/eWeLink-QR-Code

CVE-2020-12712 (2020-06-11)

A vulnerability based on insecure user/password encryption in the JOE (job editor) component of SOS JobScheduler 1.12 and 1.13 allows attackers to decrypt the user/password that is optionally stored with a user's profile.

• SanderUbink/CVE-2020-12712

CVE-2020-12717 (2020-05-14)

The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected.

• wabzqem/covidsafe-CVE-2020-12717-exploit

CVE-2020-12753 (2020-05-11)

An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 software. Arbitrary code execution can occur via the bootloader because of an EL1/EL3 coldboot vulnerability involving raw_resources. The LG ID is LVE-SMP-200006 (May 2020).

• shinyquagsire23/CVE-2020-12753-PoC

CVE-2020-12800 (2020-06-08)

The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file.

• amartinsec/CVE-2020-12800

CVE-2020-12828 (2020-05-21)

An issue was discovered in AnchorFree VPN SDK before 1.3.3.218. The VPN SDK service takes certain executable locations over a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges.

• 0xsha/ZombieVPN

CVE-2020-12856 (2020-05-18)

OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used.

• alwentiu/COVIDSafe-CVE-2020-12856

CVE-2020-12928 (2020-10-13)

A vulnerability in a dynamically loaded AMD driver in AMD Ryzen Master V15 may allow any authenticated user to escalate privileges to NT authority system.

• ekknod/AmdRyzenMasterCheat

CVE-2020-13094 (2020-05-18)

Dolibarr before 11.0.4 allows XSS.

• mkelepce/CVE-2020-13094

CVE-2020-13151 (2020-08-05)

Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service.

• b4ny4n/CVE-2020-13151

CVE-2020-13158 (2020-06-22)

Artica Proxy before 4.30.000000 Community Edition allows Directory Traversal via the fw.progrss.details.php popup parameter.

• InfoSec4Fun/CVE-2020-13158

CVE-2020-13159 (2020-06-22)

Artica Proxy before 4.30.000000 Community Edition allows OS command injection via the Netbios name, Server domain name, dhclient_mac, Hostname, or Alias field. NOTE: this may overlap CVE-2020-10818.

• InfoSec4Fun/CVE-2020-13159

CVE-2020-13162 (2020-06-16)

A time-of-check time-of-use vulnerability in PulseSecureService.exe in Pulse Secure Client versions prior to 9.1.6 down to 5.3 R70 for Windows (which runs as NT AUTHORITY/SYSTEM) allows unprivileged users to run a Microsoft Installer executable with elevated privileges.

• redtimmy/tu-TOCTOU-kaiu-TOCMEU-CVE-2020-13162-

CVE-2020-13254 (2020-06-03)

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.

• danpalmer/django-cve-2020-13254

CVE-2020-13259 (2020-09-16)

A vulnerability in the web-based management interface of RAD SecFlow-1v os-image SF_0290_2.3.01.26 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260.

• UrielYochpaz/CVE-2020-13259

CVE-2020-13277 (2020-06-19)

An authorization issue in the mirroring logic allowed read access to private repositories in GitLab CE/EE 10.6 and later through 13.0.5

• EXP-Docs/CVE-2020-13277

CVE-2020-13401 (2020-06-02)

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.

• arax-zaeimi/Docker-Container-CVE-2020-13401

CVE-2020-13405 (2020-07-16)

userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request.

• mrnazu/CVE-2020-13405

CVE-2020-13424 (2020-05-23)

The XCloner component before 3.5.4 for Joomla! allows Authenticated Local File Disclosure.

• mkelepce/CVE-2020-13424

CVE-2020-13457

• alt3kx/CVE-2020-13457

CVE-2020-13519 (2020-12-18)

A privilege escalation vulnerability exists in the WinRing0x64 Driver IRP 0x9c402088 functionality of NZXT CAM 4.8.0. A specially crafted I/O request packet (IRP) can cause increased privileges. An attacker can send a malicious IRP to trigger this vulnerability.

• SpiralBL0CK/poc-for-CVE-2020-13519-still-under-construction-

CVE-2020-13640 (2020-06-18)

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)

• asterite3/CVE-2020-13640

CVE-2020-13699 (2020-07-29)

TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: --play URL. An attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking. This affects teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.

• Dilshan-Eranda/CVE-2020-13699

CVE-2020-13777 (2020-06-04)

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.

• 0xxon/cve-2020-13777
• shigeki/challenge_CVE-2020-13777
• prprhyt/PoC_TLS1_3_CVE-2020-13777

CVE-2020-13851 (2020-06-11)

Artica Pandora FMS 7.44 allows remote command execution via the events feature.

• hadrian3689/pandorafms_7.44

CVE-2020-13884 (2020-06-08)

Citrix Workspace App before 1912 on Windows has Insecure Permissions and an Unquoted Path vulnerability which allows local users to gain privileges during the uninstallation of the application.

• hessandrew/CVE-2020-13884

CVE-2020-13885 (2020-06-08)

Citrix Workspace App before 1912 on Windows has Insecure Permissions which allows local users to gain privileges during the uninstallation of the application.

• hessandrew/CVE-2020-13885

CVE-2020-13886 (2020-11-26)

Intelbras TIP 200 60.61.75.15, TIP 200 LITE 60.61.75.15, and TIP 300 65.61.75.22 devices allow cgi-bin/cgiServer.exx?page=../ Directory Traversal.

• Ls4ss/CVE-2020-13886

CVE-2020-13889 (2020-06-06)

showAlert() in the administration panel in Bludit 3.12.0 allows XSS.

• gh0st56/CVE-2020-13889

CVE-2020-13925 (2020-07-14)

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.

• bit4woo/CVE-2020-13925

CVE-2020-13933 (2020-08-17)

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.

• EXP-Docs/CVE-2020-13933
• 0xkami/cve-2020-13933
• KingBangQ/CVE-2020-13933Project

CVE-2020-13935 (2020-07-14)

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

• RedTeamPentesting/CVE-2020-13935
• aabbcc19191/CVE-2020-13935

CVE-2020-13937 (2020-10-19)

Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed Kylin's configuration information without any authentication, so it is dangerous because some confidential information entries will be disclosed to everyone.

• yaunsky/CVE-2020-13937
• Al1ex/CVE-2020-13937
• kailing0220/CVE-2020-13937

CVE-2020-13942 (2020-11-24)

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.

• lp008/CVE-2020-13942
• eugenebmx/CVE-2020-13942
• shifa123/CVE-2020-13942-POC-
• blackmarketer/CVE-2020-13942
• yaunsky/Unomi-CVE-2020-13942
• hoanx4/apche_unomi_rce
• Prodrious/CVE-2020-13942

CVE-2020-13945 (2020-12-07)

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.

• YutuSec/Apisix_Crack
• K3ysTr0K3R/CVE-2020-13945-EXPLOIT

CVE-2020-13957 (2020-10-13)

Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

• s-index/CVE-2020-13957

CVE-2020-13958 (2020-11-17)

A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target users file system. These hyperlinks can be triggered unconditionally. In fixed versions no internal protocol may be called from the document event handler and other hyperlinks require a control-click.

• Grey-Junior/CVE-2020-13958

CVE-2020-13965 (2020-06-09)

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.

• mbadanoiu/CVE-2020-13965

CVE-2020-13973 (2020-06-09)

OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls a substring of the input JSON, and controls another substring adjacent to a SCRIPT element in which the output is embedded as JavaScript, may be able to confuse the HTML parser as to where the SCRIPT element ends, and cause non-script content to be interpreted as JavaScript.

• epicosy/json-sanitizer

CVE-2020-13995 (2020-09-25)

U.S. Air Force Sensor Data Management System extract75 has a buffer overflow that leads to code execution. An overflow in a global variable (sBuffer) leads to a Write-What-Where outcome. Writing beyond sBuffer will clobber most global variables until reaching a pointer such as DES_info or image_info. By controlling that pointer, one achieves an arbitrary write when its fields are assigned. The data written is from a potentially untrusted NITF file in the form of an integer. The attacker can gain control of the instruction pointer.

• dbrumley/extract75-cve-2020-13995

CVE-2020-13996 (2020-06-09)

The J2Store plugin before 3.3.13 for Joomla! allows a SQL injection attack by a trusted store manager.

• mkelepce/CVE-2020-13996

CVE-2020-14064 (2020-07-15)

IceWarp Email Server 12.3.0.1 has Incorrect Access Control for user accounts.

• networksecure/CVE-2020-14064

CVE-2020-14065 (2020-07-15)

IceWarp Email Server 12.3.0.1 allows remote attackers to upload files and consume disk space.

• networksecure/CVE-2020-14065
• pinpinsec/CVE-2020-14065

CVE-2020-14066 (2020-07-15)

IceWarp Email Server 12.3.0.1 allows remote attackers to upload JavaScript files that are dangerous for clients to access.

• networksecure/CVE-2020-14066
• pinpinsec/CVE-2020-14066

CVE-2020-14144 (2020-10-16)

The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides.

• p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce

CVE-2020-14179 (2020-09-21)

Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from version 8.6.0 before 8.11.1.

• c0brabaghdad1/CVE-2020-14179
• mrnazu/CVE-2020-14179
• 0x0060/CVE-2020-14179

CVE-2020-14181 (2020-09-17)

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.

• und3sc0n0c1d0/UserEnumJira
• Rival420/CVE-2020-14181
• bk-rao/CVE-2020-14181

CVE-2020-14195 (2020-06-16)

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

• Al1ex/CVE-2020-14195

CVE-2020-14210 (2020-06-16)

Reflected Cross-Site Scripting (XSS) vulnerability in MONITORAPP WAF in which script can be executed when responding to Request URL information. It provides a function to response to Request URL information when blocking.

• monitorapp-aicc/report

CVE-2020-14292 (2020-09-09)

In the COVIDSafe application through 1.0.21 for Android, unsafe use of the Bluetooth transport option in the GATT connection allows attackers to trick the application into establishing a connection over Bluetooth BR/EDR transport, which reveals the public Bluetooth address of the victim's phone without authorisation, bypassing the Bluetooth address randomisation protection in the user's phone.

• alwentiu/CVE-2020-14292

CVE-2020-14293 (2020-10-02)

conf_datetime in Secudos DOMOS 5.8 allows remote attackers to execute arbitrary commands as root via shell metacharacters in the zone field (obtained from the web interface).

• patrickhener/CVE-2020-14293

CVE-2020-14294 (2020-10-02)

An issue was discovered in Secudos Qiata FTA 1.70.19. The comment feature allows persistent XSS that is executed when reading transfer comments or the global notice board.

• patrickhener/CVE-2020-14294

CVE-2020-14295 (2020-06-17)

A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.

• 0z09e/CVE-2020-14295
• mrg3ntl3m4n/CVE-2020-14295

CVE-2020-14321 (2022-08-16)

In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.

• HoangKien1020/CVE-2020-14321
• lanzt/CVE-2020-14321
• f0ns1/CVE-2020-14321-modified-exploit

CVE-2020-14343 (2021-02-09)

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

• j4k0m/loader-CVE-2020-14343

CVE-2020-14356 (2020-08-19)

A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 was found in the way when reboot the system. A local user could use this flaw to crash the system or escalate their privileges on the system.

• ShaikUsaf/linux-4.19.72_CVE-2020-14356

CVE-2020-14364 (2020-08-31)

An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.

• gejian-iscas/CVE-2020-14364
• y-f00l/CVE-2020-14364

CVE-2020-14368 (2020-12-14)

A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site WebSocket hijack on Theia IDE. This flaw allows an attacker to gain full access to the victim's workspace through the /services endpoint. To perform a successful attack, the attacker conducts a Man-in-the-middle attack (MITM) and tricks the victim into executing a request via an untrusted link, which performs the CSRF and the Socket hijack. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

• codingchili/CVE-2020-14368

CVE-2020-14372 (2021-03-03)

A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content directly into memory. The table is further loaded and executed by the kernel, defeating its Secure Boot lockdown and allowing the attacker to load unsigned code. The highest threat from this vulnerability is to data confidentiality and integrity, as well as system availability.

• kukrimate/CVE-2020-14372

CVE-2020-14381 (2020-12-03)

A flaw was found in the Linux kernel’s futex implementation. This flaw allows a local attacker to corrupt system memory or escalate their privileges when creating a futex on a filesystem that is about to be unmounted. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

• nanopathi/linux-4.19.72_CVE-2020-14381

CVE-2020-14386 (2020-09-16)

A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.

• cgwalters/cve-2020-14386

CVE-2020-14644 (2020-07-15)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• 0xkami/cve-2020-14644

CVE-2020-14645 (2020-07-15)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• Y4er/CVE-2020-14645
• DaBoQuan/CVE-2020-14645
• ChenZIDu/CVE-2020-14645
• HYWZ36/CVE-2020-14645-code
• Schira4396/CVE-2020-14645

CVE-2020-14750 (2020-11-01)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• pprietosanchez/CVE-2020-14750
• kkhacklabs/CVE-2020-14750

CVE-2020-14756 (2021-01-20)

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core Components). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• Y4er/CVE-2020-14756
• somatrasss/weblogic2021

CVE-2020-14871 (2020-10-21)

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

• robidev/CVE-2020-14871-Exploit

CVE-2020-14882 (2020-10-21)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• zhzyker/exphub
• jas502n/CVE-2020-14882
• s1kr10s/CVE-2020-14882
• XTeam-Wing/CVE-2020-14882
• 0thm4n3/cve-2020-14882
• wsfengfan/cve-2020-14882
• alexfrancow/CVE-2020-14882
• GGyao/CVE-2020-14882_POC
• ludy-dev/Weblogic_Unauthorized-bypass-RCE
• GGyao/CVE-2020-14882_ALL
• ovProphet/CVE-2020-14882-checker
• NS-Sp4ce/CVE-2020-14882
• mmioimm/cve-2020-14882
• QmF0c3UK/CVE-2020-14882
• murataydemir/CVE-2020-14882
• Ormicron/CVE-2020-14882-GUI-Test
• corelight/CVE-2020-14882-weblogicRCE
• xfiftyone/CVE-2020-14882
• BabyTeam1024/CVE-2020-14882
• adm1in/CodeTest
• pwn3z/CVE-2020-14882-WebLogic
• milo2012/CVE-2020-14882
• kk98kk0/CVE-2020-14882
• exploitblizzard/CVE-2020-14882-WebLogic
• qianniaoge/CVE-2020-14882_Exploit_Gui
• N0Coriander/CVE-2020-14882-14883
• nik0nz7/CVE-2020-14882
• Danny-LLi/CVE-2020-14882
• LucasPDiniz/CVE-2020-14882
• xMr110/CVE-2020-14882
• zesnd/CVE-2020-14882-POC
• AleksaZatezalo/CVE-2020-14882

CVE-2020-14883 (2020-10-21)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

• murataydemir/CVE-2020-14883
• B1anda0/CVE-2020-14883
• fan1029/CVE-2020-14883EXP
• Osyanina/westone-CVE-2020-14883-scanner
• 1n7erface/PocList
• amacloudobia/CVE-2020-14883

CVE-2020-14947 (2020-06-30)

OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php because mib_file in plugins/main_sections/ms_config/ms_snmp_config.php is mishandled in get_mib_oid.

• mhaskar/CVE-2020-14947

CVE-2020-14955 (2020-06-26)

In Jiangmin Antivirus 16.0.13.129, the driver file (KVFG.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220440.

• intrigus-lgtm/CVE-2020-14955

CVE-2020-14965 (2020-06-23)

On TP-Link TL-WR740N v4 and TL-WR740ND v4 devices, an attacker with access to the admin panel can inject HTML code and change the HTML context of the target pages and stations in the access-control settings via targets_lists_name or hosts_lists_name. The vulnerability can also be exploited through a CSRF, requiring no authentication as an administrator.

• g-rubert/CVE-2020-14965

CVE-2020-14974 (2020-06-23)

The driver in IOBit Unlocker 1.1.2 allows a low-privileged user to unlock a file and kill processes (even ones running as SYSTEM) that hold a handle, via IOCTL code 0x222124.

• Aterror2be/CVE-2020-14974

CVE-2020-15002 (2020-10-23)

OX App Suite through 7.10.3 allows SSRF via the the /ajax/messaging/message message API.

• skr0x1c0/Blind-SSRF-CVE-2020-15002
• skr0x1c0/SSRF-CVE-2020-15002

CVE-2020-15051 (2020-07-15)

An issue was discovered in Artica Proxy before 4.30.000000. Stored XSS exists via the Server Domain Name, Your Email Address, Group Name, MYSQL Server, Database, MYSQL Username, Group Name, and Task Description fields.

• pratikshad19/CVE-2020-15051

CVE-2020-15052 (2020-07-20)

An issue was discovered in Artica Proxy CE before 4.28.030.418. SQL Injection exists via the Netmask, Hostname, and Alias fields.

• pratikshad19/CVE-2020-15052

CVE-2020-15053 (2020-07-20)

An issue was discovered in Artica Proxy CE before 4.28.030.418. Reflected XSS exists via these search fields: real time request, System Events, Proxy Events, Proxy Objects, and Firewall objects.

• pratikshad19/CVE-2020-15053

CVE-2020-15148 (2020-09-15)

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

• Maskhe/CVE-2020-15148-bypasses
• 0xkami/cve-2020-15148

CVE-2020-15169 (2020-09-11)

In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.

• glasses618/CVE-2020-15169

CVE-2020-15175 (2020-10-07)

In GLPI before version 9.5.2, the ​pluginimage.send.php​ endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in “/files/”. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.

• Xn2/GLPwn

CVE-2020-15227 (2020-10-01)

Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework.

• Langriklol/CVE-2020-15227
• hu4wufu/CVE-2020-15227
• filipsedivy/CVE-2020-15227

CVE-2020-15228 (2020-10-01)

In the @actions/core npm module before version 1.2.6,addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the set-env and add-path workflow commands in the near future. For now, users should upgrade to @actions/core v1.2.6 or later, and replace any instance of the set-env or add-path commands in their workflows with the new Environment File Syntax. Workflows and actions using the old commands or older versions of the toolkit will start to warn, then error out during workflow execution.

• guettli/fix-CVE-2020-15228

CVE-2020-15257 (2020-12-01)

containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.

• nccgroup/abstractshimmer

CVE-2020-15261 (2020-10-19)

On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administrative privileges, this vulnerability is only dangerous in anyway unsafe setups. The problem has been fixed in version 4.4.2. As a workaround, the exploitation of the vulnerability can be prevented by revoking administrative privileges from all potentially untrustworthy users.

• yaoyao-cool/CVE-2020-15261

CVE-2020-15349 (2020-11-17)

BinaryNights ForkLift 3.x before 3.4 has a local privilege escalation vulnerability because the privileged helper tool implements an XPC interface that allows file operations to any process (copy, move, delete) as root and changing permissions.

• Traxes/Forklift_LPE

CVE-2020-15367 (2020-07-07)

Venki Supravizio BPM 10.1.2 does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page.

• inflixim4be/CVE-2020-15367

CVE-2020-15368 (2020-06-29)

AsrDrv103.sys in the ASRock RGB Driver does not properly restrict access from user space, as demonstrated by triggering a triple fault via a request to zero CR3.

• stong/CVE-2020-15368
• R7flex/asrockploit

CVE-2020-15392 (2020-07-07)

A user enumeration vulnerability flaw was found in Venki Supravizio BPM 10.1.2. This issue occurs during password recovery, where a difference in error messages could allow an attacker to determine if a username is valid or not, enabling a brute-force attack with valid usernames.

• inflixim4be/CVE-2020-15392

CVE-2020-15399

• mkelepce/CVE-2020-15399

CVE-2020-15416 (2020-07-28)

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9703.

• k3vinlusec/R7000_httpd_BOF_CVE-2020-15416

CVE-2020-15436 (2020-11-23)

Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.

• Trinadh465/linux-4.19.72_CVE-2020-15436

CVE-2020-15492 (2020-07-23)

An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.

• patrickhener/CVE-2020-15492

CVE-2020-15568 (2021-01-30)

TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.

• n0bugz/CVE-2020-15568
• divinepwner/TerraMaster-TOS-CVE-2020-15568

CVE-2020-15778 (2020-07-24)

scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

• cpandya2909/CVE-2020-15778
• Neko-chanQwQ/CVE-2020-15778-Exploit
• Evan-Zhangyf/CVE-2020-15778

CVE-2020-15780 (2020-07-15)

An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.

• Annavid/CVE-2020-15780-exploit

CVE-2020-15802 (2020-09-11)

Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less.

• francozappa/blur

CVE-2020-15808

• manucuf/CVE202015808

CVE-2020-15848

• faklad/CVE-2020-15848

CVE-2020-15873 (2020-07-21)

In LibreNMS before 1.65.1, an authenticated attacker can achieve SQL Injection via the customoid.inc.php device_id POST parameter to ajax_form.php.

• limerencee/cs4239-cve-2020-15873

CVE-2020-15906 (2020-10-22)

tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.

• S1lkys/CVE-2020-15906

CVE-2020-15916 (2020-07-23)

goform/AdvSetLanip endpoint on Tenda AC15 AC1900 15.03.05.19 devices allows remote attackers to execute arbitrary system commands via shell metacharacters in the lanIp POST parameter.

• geniuszly/CVE-2020-15916

CVE-2020-15931 (2020-10-20)

Netwrix Account Lockout Examiner before 5.1 allows remote attackers to capture the Net-NTLMv1/v2 authentication challenge hash of the Domain Administrator (that is configured within the product in its installation state) by generating a single Kerberos Pre-Authentication Failed (ID 4771) event on a Domain Controller.

• optiv/CVE-2020-15931

CVE-2020-15956 (2020-08-04)

ActiveMediaServer.exe in ACTi NVR3 Standard Server 3.0.12.42 allows remote unauthenticated attackers to trigger a buffer overflow and application termination via a malformed payload.

• megamagnus/cve-2020-15956

CVE-2020-15999 (2020-11-03)

Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• oxfemale/CVE-2020-15999
• maarlo/CVE-2020-15999
• Marmeus/CVE-2020-15999

CVE-2020-16012 (2021-01-08)

Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

• aleksejspopovs/cve-2020-16012

CVE-2020-16125 (2020-11-10)

gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a new privileged account.

• za970120604/CVE-2020-16125-Reproduction

CVE-2020-16126 (2020-11-11)

An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, improperly dropped the ruid, allowing untrusted users to send signals to AccountService, thus stopping it from handling D-Bus messages in a timely fashion.

• zev3n/Ubuntu-Gnome-privilege-escalation

CVE-2020-16152 (2021-11-14)

The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine through 10.0r8a allows attackers to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.

• eriknl/CVE-2020-16152
• Nate0634034090/nate158g-m-w-n-l-p-d-a-o-e

CVE-2020-16270 (2020-10-16)

OLIMPOKS under 3.3.39 allows Auth/Admin ErrorMessage XSS. Remote Attacker can use discovered vulnerability to inject malicious JavaScript payload to victim’s browsers in context of vulnerable applications. Executed code can be used to steal administrator’s cookies, influence HTML content of targeted application and perform phishing-related attacks. Vulnerable application used in more than 3000 organizations in different sectors from retail to industries.

• Security-AVS/CVE-2020-16270

CVE-2020-16846 (2020-11-06)

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

• zomy22/CVE-2020-16846-Saltstack-Salt-API
• hamza-boudouche/projet-secu

CVE-2020-16898 (2020-10-16)

<p>A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client.</p>\n<p>To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.</p>\n<p>The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.</p>\n

• advanced-threat-research/CVE-2020-16898
• corelight/CVE-2020-16898
• Maliek/CVE-2020-16898_Check
• ZephrFish/CVE-2020-16898
• esnet-security/cve-2020-16898
• initconf/CVE-2020-16898-Bad-Neighbor
• Q1984/CVE-2020-16898
• 0xeb-bp/cve-2020-16898
• jiansiting/cve-2020-16898
• CPO-EH/CVE-2020-16898_Workaround
• CPO-EH/CVE-2020-16898_Checker
• momika233/CVE-2020-16898-exp
• komomon/CVE-2020-16898-EXP-POC
• komomon/CVE-2020-16898--EXP-POC

CVE-2020-16899 (2020-10-16)

<p>A denial of service vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could cause a target system to stop responding.</p>\n<p>To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The vulnerability would not allow an attacker to execute code or to elevate user rights directly.</p>\n<p>The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.</p>\n

• advanced-threat-research/CVE-2020-16899

CVE-2020-16938 (2020-10-16)

<p>An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system.</p>\n<p>To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.</p>\n<p>The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.</p>\n

• ioncodes/CVE-2020-16938

CVE-2020-16939 (2020-10-16)

<p>An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context.</p>\n<p>To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.</p>\n<p>The security update addresses the vulnerability by correcting how Group Policy checks access.</p>\n

• rogue-kdc/CVE-2020-16939

CVE-2020-16947 (2020-10-16)

<p>A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the targeted user. If the targeted user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p>\n<p>Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.</p>\n<p>Note that where severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector.</p>\n<p>The security update addresses the vulnerability by correcting how Outlook handles objects in memory.</p>\n

• 0neb1n/CVE-2020-16947
• MasterSploit/CVE-2020-16947

CVE-2020-17008

• jas502n/CVE-2020-17008

CVE-2020-17035 (2020-11-11)

Windows Kernel Elevation of Privilege Vulnerability

• flamelu/CVE-2020-17035-patch-analysis

CVE-2020-17057 (2020-11-11)

Windows Win32k Elevation of Privilege Vulnerability

• fengjixuchui/cve-2020-17057
• lsw29475/CVE-2020-17057

CVE-2020-17086 (2020-11-11)

Raw Image Extension Remote Code Execution Vulnerability

• T81oub/CVE-2020-17086

CVE-2020-17087 (2020-11-11)

Windows Kernel Local Elevation of Privilege Vulnerability

• revengsh/CVE-2020-17087
• ykg88/OHTS_IE6052-CVE-2020-17087
• vp777/Windows-Non-Paged-Pool-Overflow-Exploitation
• raiden757/CVE-2020-17087

CVE-2020-17136 (2020-12-09)

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

• xyddnljydd/CVE-2020-17136
• cssxn/CVE-2020-17136

CVE-2020-17144 (2020-12-09)

Microsoft Exchange Remote Code Execution Vulnerability

• Airboi/CVE-2020-17144-EXP
• zcgonvh/CVE-2020-17144

CVE-2020-17382 (2020-10-02)

The MSI AmbientLink MsIo64 driver 1.0.0.8 has a Buffer Overflow (0x80102040, 0x80102044, 0x80102050,and 0x80102054).

• uf0o/CVE-2020-17382
• houseofxyz/CVE-2020-17382

CVE-2020-17453 (2021-04-05)

WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.

• ydycjz6j/CVE-2020-17453-PoC
• karthi-the-hacker/CVE-2020-17453

CVE-2020-17456 (2020-08-19)

SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page.

• Al1ex/CVE-2020-17456
• TAPESH-TEAM/CVE-2020-17456-Seowon-SLR-120S42G-RCE-Exploit-Unauthenticated

CVE-2020-17496 (2020-08-12)

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.

• ctlyz123/CVE-2020-17496
• ludy-dev/vBulletin_5.x-tab_panel-RCE

CVE-2020-17518 (2021-01-05)

Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.

• QmF0c3UK/CVE-2020-17518
• murataydemir/CVE-2020-17518
• rakjong/Flink-CVE-2020-17518-getshell

CVE-2020-17519 (2021-01-05)

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.

• B1anda0/CVE-2020-17519
• QmF0c3UK/CVE-2020-17519
• dolevf/apache-flink-directory-traversal.nse
• hoanx4/CVE-2020-17519
• murataydemir/CVE-2020-17519
• radbsie/CVE-2020-17519-Exp
• yaunsky/CVE-2020-17519-Apache-Flink
• Osyanina/westone-CVE-2020-17519-scanner
• givemefivw/CVE-2020-17519
• MrCl0wnLab/SimplesApachePathTraversal
• zhangweijie11/CVE-2020-17519

CVE-2020-17523 (2021-02-03)

Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

• jweny/shiro-cve-2020-17523

CVE-2020-17527 (2020-12-03)

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

• forse01/CVE-2020-17527-Tomcat

CVE-2020-17530 (2020-12-11)

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

• secpool2000/CVE-2020-17530
• ka1n4t/CVE-2020-17530
• wuzuowei/CVE-2020-17530
• Al1ex/CVE-2020-17530
• fengziHK/CVE-2020-17530-strust2-061
• ludy-dev/freemarker_RCE_struts2_s2-061
• CyborgSecurity/CVE-2020-17530
• uzzzval/CVE-2020-17530
• killmonday/CVE-2020-17530-s2-061
• keyuan15/CVE-2020-17530
• nth347/CVE-2020-17530

CVE-2020-17531 (2020-12-08)

A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.

• 154802388/CVE-2020-17531

CVE-2020-17533 (2020-12-29)

Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the 'canFlush' and 'canPerformSystemActions' security functions are not checked in some instances, therefore allowing an authenticated user with insufficient permissions to perform the following actions: flushing a table, shutting down Accumulo or an individual tablet server, and setting or removing system-wide Accumulo configuration properties.

• pazeray/CVE-2020-17533

CVE-2020-18324 (2022-03-04)

Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.1 via the q parameter in the Kickstart template.

• hamm0nz/CVE-2020-18324

CVE-2020-18325 (2022-03-04)

Multilple Cross Site Scripting (XSS) vulnerability exists in Intelliants Subrion CMS v4.2.1 in the Configuration panel.

• hamm0nz/CVE-2020-18325

CVE-2020-18326 (2022-03-04)

Cross Site Request Forgery (CSRF) vulnerability exists in Intelliants Subrion CMS v4.2.1 via the Members administrator function, which could let a remote unauthenticated malicious user send an authorised request to victim and successfully create an arbitrary administrator user.

• hamm0nz/CVE-2020-18326

CVE-2020-19360 (2021-01-20)

Local file inclusion in FHEM 6.0 allows in fhem/FileLog_logWrapper file parameter can allow an attacker to include a file, which can lead to sensitive information disclosure.

• a1665454764/CVE-2020-19360
• zzzz966/CVE-2020-19360

CVE-2020-19586 (2022-09-14)

Incorrect Access Control issue in Yellowfin Business Intelligence 7.3 allows remote attackers to escalate privilege via MIAdminStyles.i4 Admin UI.

• Deepak983/CVE-2020-19586

CVE-2020-19587 (2022-09-14)

Cross Site Scripting (XSS) vulnerability in configMap parameters in Yellowfin Business Intelligence 7.3 allows remote attackers to run arbitrary code via MIAdminStyles.i4 Admin UI.

• Deepak983/CVE-2020-19587

CVE-2020-20093 (2022-03-23)

The Facebook Messenger app for iOS 227.0 and prior and Android 228.1.0.10.116 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.

• zadewg/RIUS

CVE-2020-21378 (2020-12-21)

SQL injection vulnerability in SeaCMS 10.1 (2020.02.08) via the id parameter in an edit action to admin_members_group.php.

• sukusec301/SeaCMS-v10.1

CVE-2020-23160 (2021-01-22)

Remote code execution in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to arbitrary commands as root on the devices.

• Outpost24/Pyrescom-Termod-PoC

CVE-2020-23342 (2021-01-19)

A CSRF vulnerability exists in Anchor CMS 0.12.7 anchor/views/users/edit.php that can change the Delete admin users.

• DXY0411/CVE-2020-23342

CVE-2020-23489 (2020-11-16)

The import.json.php file before 8.9 for Avideo is vulnerable to a File Deletion vulnerability. This allows the deletion of configuration.php, which leads to certain privilege checks not being in place, and therefore a user can escalate privileges to admin.

• ahussam/AVideo3xploit

CVE-2020-23582 (2022-11-21)

A vulnerability in the "/admin/wlmultipleap.asp" of optilink OP-XT71000N version: V2.2 could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to create Multiple WLAN BSSID.

• huzaifahussain98/CVE-2020-23582

CVE-2020-23583 (2022-11-23)

OPTILINK OP-XT71000N V2.2 is vulnerable to Remote Code Execution. The issue occurs when the attacker sends an arbitrary code on "/diag_ping_admin.asp" to "PingTest" interface that leads to COMMAND EXECUTION. An attacker can successfully trigger the COMMAND and can compromise full system.

• huzaifahussain98/CVE-2020-23583

CVE-2020-23584 (2022-11-23)

Unauthenticated remote code execution in OPTILINK OP-XT71000N, Hardware Version: V2.2 occurs when the attacker passes arbitrary commands with IP-ADDRESS using " | " to execute commands on " /diag_tracert_admin.asp " in the "PingTest" parameter that leads to command execution.

• huzaifahussain98/CVE-2020-23584

CVE-2020-23585 (2022-11-23)

A remote attacker can conduct a cross-site request forgery (CSRF) attack on OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028. The vulnerability is due to insufficient CSRF protections for the "mgm_config_file.asp" because of which attacker can create a crafted "csrf form" which sends " malicious xml data" to "/boaform/admin/formMgmConfigUpload". the exploit allows attacker to "gain full privileges" and to "fully compromise of router & network".

• huzaifahussain98/CVE-2020-23585

CVE-2020-23586 (2022-11-23)

A vulnerability found in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to Add Network Traffic Control Type Rule.

• huzaifahussain98/CVE-2020-23586

CVE-2020-23587 (2022-11-23)

A vulnerability found in the OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to men in the middle attack by adding New Routes in RoutingConfiguration on " /routing.asp ".

• huzaifahussain98/CVE-2020-23587

CVE-2020-23588 (2022-11-23)

A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to "Enable or Disable Ports" and to "Change port number" through " /rmtacc.asp ".

• huzaifahussain98/CVE-2020-23588

CVE-2020-23589 (2022-11-23)

A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to cause a Denial of Service by Rebooting the router through " /mgm_dev_reboot.asp."

• huzaifahussain98/CVE-2020-23589

CVE-2020-23590 (2022-11-23)

A vulnerability in Optilink OP-XT71000N Hardware version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated remote attacker to conduct a cross-site request forgery (CSRF) attack to change the Password for "WLAN SSID" through "wlwpa.asp".

• huzaifahussain98/CVE-2020-23590

CVE-2020-23591 (2022-11-23)

A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an attacker to upload arbitrary files through " /mgm_dev_upgrade.asp " which can "delete every file for Denial of Service (using 'rm -rf .' in the code), reverse connection (using '.asp' webshell), backdoor.

• huzaifahussain98/CVE-2020-23591

CVE-2020-23592 (2022-11-23)

A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2 , Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to Reset ONU to Factory Default through ' /mgm_dev_reset.asp.' Resetting to default leads to Escalation of Privileges by logging-in with default credentials.

• huzaifahussain98/CVE-2020-23592

CVE-2020-23593 (2022-11-23)

A vulnerability in OPTILINK OP-XT71000N Hardware Version: V2.2, Firmware Version: OP_V3.3.1-191028 allows an unauthenticated, remote attacker to conduct a cross site request forgery (CSRF) attack to enable syslog mode through ' /mgm_log_cfg.asp.' The system starts to log events, 'Remote' mode or 'Both' mode on "Syslog -- Configuration page" logs events and sends to remote syslog server IP and Port.

• huzaifahussain98/CVE-2020-23593

CVE-2020-23839 (2020-09-01)

A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal webpage, allows remote attackers to execute JavaScript code in the client's browser and harvest login credentials after a client clicks a link, enters credentials, and submits the login form.

• boku7/CVE-2020-23839

CVE-2020-23934 (2020-08-18)

An issue was discovered in RiteCMS 2.2.1. An authenticated user can directly execute system commands by uploading a php web shell in the "Filemanager" section.

• H0j3n/CVE-2020-23934

CVE-2020-23968 (2020-11-10)

Ilex International Sign&go Workstation Security Suite 7.1 allows elevation of privileges via a symlink attack on ProgramData\Ilex\S&G\Logs\000-sngWSService1.log.

• ricardojba/CVE-2020-23968-ILEX-SignGo-EoP

CVE-2020-24028 (2020-09-02)

ForLogic Qualiex v1 and v3 allows any authenticated customer to achieve privilege escalation via user creations, password changes, or user permission updates.

• underprotection/CVE-2020-24028
• redteambrasil/CVE-2020-24028

CVE-2020-24029 (2020-09-02)

Because of unauthenticated password changes in ForLogic Qualiex v1 and v3, customer and admin permissions and data can be accessed via a simple request.

• underprotection/CVE-2020-24029
• redteambrasil/CVE-2020-24029

CVE-2020-24030 (2020-09-02)

ForLogic Qualiex v1 and v3 has weak token expiration. This allows remote unauthenticated privilege escalation and access to sensitive data via token reuse.

• underprotection/CVE-2020-24030
• redteambrasil/CVE-2020-24030

CVE-2020-24032 (2020-08-18)

tz.pl on XoruX LPAR2RRD and STOR2RRD 2.70 virtual appliances allows cmd=set&tz=OS command injection via shell metacharacters in a timezone.

• jet-pentest/CVE-2020-24032

CVE-2020-24033 (2020-10-22)

An issue was discovered in fs.com S3900 24T4S 1.7.0 and earlier. The form does not have an authentication or token authentication mechanism that allows remote attackers to forge requests on behalf of a site administrator to change all settings including deleting users, creating new users with escalated privileges.

• M0NsTeRRR/CVE-2020-24033

CVE-2020-24088 (2023-09-11)

An issue was discovered in MmMapIoSpace routine in Foxconn Live Update Utility 2.1.6.26, allows local attackers to escalate privileges.

• rjt-gupta/CVE-2020-24088

CVE-2020-24089 (2023-09-19)

An issue was discovered in ImfHpRegFilter.sys in IOBit Malware Fighter version 8.0.2, allows local attackers to cause a denial of service (DoS).

• rjt-gupta/CVE-2020-24089

CVE-2020-24148 (2021-07-07)

Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml action.

• dwisiswant0/CVE-2020-24148

CVE-2020-24186 (2020-08-24)

A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.

• hev0x/CVE-2020-24186-wpDiscuz-7.0.4-RCE
• meicookies/CVE-2020-24186
• Sakura-501/CVE-2020-24186-exploit
• substing/CVE-2020-24186_reverse_shell_upload

CVE-2020-24227 (2020-11-23)

Playground Sessions v2.5.582 (and earlier) for Windows, stores the user credentials in plain text allowing anyone with access to UserProfiles.sol to extract the email and password.

• nathunandwani/CVE-2020-24227

CVE-2020-24370 (2020-08-17)

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).

• RenukaSelvar/lua_CVE-2020-24370
• RenukaSelvar/lua_CVE-2020-24370_AfterPatch

CVE-2020-24490 (2021-02-02)

Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ.

• AbrarKhan/linux_CVE-2020-24490-beforePatch
• AbrarKhan/Linux-4.19.72_CVE-2020-24490

CVE-2020-24572 (2020-08-24)

An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system (including ones for uploading of files and execution of code).

• lb0x/cve-2020-24572
• gerbsec/CVE-2020-24572-POC

CVE-2020-24597

• HoangKien1020/CVE-2020-24597

CVE-2020-24616 (2020-08-25)

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

• 0xkami/cve-2020-24616-poc

CVE-2020-24656 (2020-08-26)

Maltego before 4.2.12 allows XXE attacks.

• terzinodipaese/Internet-Security-Project

CVE-2020-24750 (2020-09-17)

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

• Al1ex/CVE-2020-24750

CVE-2020-24815 (2020-11-24)

A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: 10.4., no fix will be released as version will reach end-of-life on 31/12/2020.

• darkvirus-7x/exploit-CVE-2020-24815

CVE-2020-24881 (2020-11-02)

SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning.

• harshtech123/cve-2020-24881

CVE-2020-24913 (2021-03-04)

A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.

• agarma/CVE-2020-24913-PoC

CVE-2020-24949 (2020-09-03)

Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).

• r90tpass/CVE-2020-24949

CVE-2020-24955 (2020-09-01)

SUPERAntiSyware Professional X Trial 10.0.1206 is vulnerable to local privilege escalation because it allows unprivileged users to restore a malicious DLL from quarantine into the system32 folder via an NTFS directory junction, as demonstrated by a crafted ualapi.dll file that is detected as malware.

• nmht3t/CVE-2020-24955

CVE-2020-24972 (2020-08-29)

The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary DLL.

• SpiralBL0CK/CVE-2020-24972

CVE-2020-25068 (2020-09-03)

Setelsa Conacwin v3.7.1.2 is vulnerable to a local file inclusion vulnerability. This vulnerability allows a remote unauthenticated attacker to read internal files on the server via an http:IP:PORT/../../path/file_to_disclose Directory Traversal URI. NOTE: The manufacturer indicated that the affected version does not exist. Furthermore, they indicated that they detected this problem in an internal audit more than 3 years ago and fixed it in 2017.

• bryanroma/CVE-2020-25068

CVE-2020-25078 (2020-09-02)

An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.

• MzzdToT/CVE-2020-25078
• chinaYozz/CVE-2020-25078

CVE-2020-25134 (2020-09-25)

An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion due to the fact that there is an unrestricted possibility of loading any file with an inc.php extension. Inclusion of other files (even though limited to the mentioned extension) can lead to Remote Code Execution. This can occur via /settings/?format=../ URIs to pages/settings.inc.php.

• ynsmroztas/CVE-2020-25134

CVE-2020-25200 (2020-10-01)

Pritunl 1.29.2145.25 allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server will return error 401. However, if the username is valid, then after 20 login attempts, the server will start responding with error 400. Invalid usernames will receive error 401 indefinitely. Note: This has been disputed by the vendor as not a vulnerability. They argue that this is an intended design

• lukaszstu/pritunl-CVE-2020-25200

CVE-2020-25213 (2020-09-09)

The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.

• mansoorr123/wp-file-manager-CVE-2020-25213
• kakamband/WPKiller
• forse01/CVE-2020-25213-Wordpress
• 0000000O0Oo/Wordpress-CVE-2020-25213
• piruprohacking/CVE-2020-25213
• b1ackros337/CVE-2020-25213
• BLY-Coder/Python-exploit-CVE-2020-25213
• E1tex/Python-CVE-2020-25213
• Nguyen-id/CVE-2020-25213

CVE-2020-25223 (2020-09-25)

A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11

• darrenmartyn/sophucked
• twentybel0w/CVE-2020-25223
• gh-2025-02/poc-cve-2020-25223

CVE-2020-25265 (2020-12-02)

AppImage libappimage before 1.0.3 allows attackers to trigger an overwrite of a system-installed .desktop file by providing a .desktop file that contains Name= with path components.

• refi64/CVE-2020-25265-25266

CVE-2020-25270 (2020-10-08)

PHPGurukul hostel-management-system 2.1 allows XSS via Guardian Name, Guardian Relation, Guardian Contact no, Address, or City.

• Ko-kn3t/CVE-2020-25270

CVE-2020-25271 (2020-10-08)

PHPGurukul hospital-management-system-in-php 4.0 allows XSS via admin/patient-search.php, doctor/search.php, book-appointment.php, doctor/appointment-history.php, or admin/appointment-history.php.

• Ko-kn3t/CVE-2020-25271

CVE-2020-25272 (2020-10-08)

In SourceCodester Online Bus Booking System 1.0, there is XSS through the name parameter in book_now.php.

• Ko-kn3t/CVE-2020-25272

CVE-2020-25273 (2020-10-08)

In SourceCodester Online Bus Booking System 1.0, there is Authentication bypass on the Admin Login screen in admin.php via username or password SQL injection.

• Ko-kn3t/CVE-2020-25273

CVE-2020-25398 (2020-11-05)

CSV Injection exists in InterMind iMind Server through 3.13.65 via the csv export functionality.

• h3llraiser/CVE-2020-25398

CVE-2020-25399 (2020-11-05)

Stored XSS in InterMind iMind Server through 3.13.65 allows any user to hijack another user's session by sending a malicious file in the chat.

• h3llraiser/CVE-2020-25399

CVE-2020-25478

• santokum/CVE-2020-25478--ASUS-RT-AC87U-TFTP-is-vulnerable-to-Denial-of-Service-DoS-attack

CVE-2020-25487 (2020-09-22)

PHPGURUKUL Zoo Management System Using PHP and MySQL version 1.0 is affected by: SQL Injection via zms/animal-detail.php.

• Ko-kn3t/CVE-2020-25487

CVE-2020-25488

• Ko-kn3t/CVE-2020-25488

CVE-2020-25498 (2021-01-06)

Cross Site Scripting (XSS) vulnerability in Beetel router 777VR1 can be exploited via the NTP server name in System Time and "Keyword" in URL Filter.

• the-girl-who-lived/CVE-2020-25498

CVE-2020-25514 (2020-09-22)

Sourcecodester Simple Library Management System 1.0 is affected by Incorrect Access Control via the Login Panel, http://<site>/lms/admin.php.

• Ko-kn3t/CVE-2020-25514

CVE-2020-25515 (2020-09-22)

Sourcecodester Simple Library Management System 1.0 is affected by Insecure Permissions via Books > New Book , http://<site>/lms/index.php?page=books.

• Ko-kn3t/CVE-2020-25515

CVE-2020-25518

• g-rubert/wordpress_DoS

CVE-2020-25540 (2020-09-14)

ThinkAdmin v6 is affected by a directory traversal vulnerability. An unauthorized attacker can read arbitrarily file on a remote server via GET request encode parameter.

• Schira4396/CVE-2020-25540
• RajChowdhury240/ThinkAdmin-CVE-2020-25540
• lowkey0808/cve-2020-25540
• simonlee-hello/CVE-2020-25540

CVE-2020-25578 (2021-03-26)

In FreeBSD 12.2-STABLE before r368969, 11.4-STABLE before r369047, 12.2-RELEASE before p3, 12.1-RELEASE before p13 and 11.4-RELEASE before p7 several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems.

• farazsth98/freebsd-dirent-info-leak-bugs

CVE-2020-25613 (2020-10-06)

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

• metapox/CVE-2020-25613

CVE-2020-25627 (2020-12-09)

The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2.

• HoangKien1020/CVE-2020-25627

CVE-2020-25632 (2021-03-03)

A flaw was found in grub2 in versions prior to 2.06. The rmmod implementation allows the unloading of a module used as a dependency without checking if any other dependent module is still loaded leading to a use-after-free scenario. This could allow arbitrary code to be executed or a bypass of Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

• pauljrowland/BootHoleFix

CVE-2020-25637 (2020-10-06)

A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or potentially escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

• brahmiboudjema/CVE-2020-25637-libvirt-double-free

CVE-2020-25668 (2021-05-26)

A flaw was found in Linux Kernel because access to the global variable fg_console is not properly synchronized leading to a use after free in con_font_op.

• hshivhare67/Kernel_4.1.15_CVE-2020-25668

CVE-2020-25686 (2021-01-20)

A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.

• knqyf263/dnspooq

CVE-2020-25705 (2020-11-17)

A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version

• tdwyer/CVE-2020-25705
• nanopathi/linux-4.19.72_CVE-2020-25705

CVE-2020-25747 (2020-09-25)

The Telnet service of Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) can allow a remote attacker to gain access to RTSP and ONFIV services without authentication. Thus, the attacker can watch live streams from the camera, rotate the camera, change some settings (brightness, clarity, time), restart the camera, or reset it to factory settings.

• jet-pentest/CVE-2020-25747

CVE-2020-25748 (2020-09-25)

A Cleartext Transmission issue was discovered on Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339). Someone in the middle can intercept and modify the video data from the camera, which is transmitted in an unencrypted form. One can also modify responses from NTP and RTSP servers and force the camera to use the changed values.

• jet-pentest/CVE-2020-25748

CVE-2020-25749 (2020-09-25)

The Telnet service of Rubetek cameras RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) could allow an remote attacker to take full control of the device with a high-privileged account. The vulnerability exists because a system account has a default and static password. The Telnet service cannot be disabled and this password cannot be changed via standard functionality.

• jet-pentest/CVE-2020-25749

CVE-2020-25769

• defrancescojp/CVE-2020-25769

CVE-2020-25782 (2021-01-28)

An issue was discovered on Accfly Wireless Security IR Camera 720P System with software versions v3.10.73 through v4.15.77. There is an unauthenticated stack-based buffer overflow in the function CNetClientManage::ServerIP_Proto_Set during incoming message handling.

• tezeb/accfly

CVE-2020-25790 (2020-09-19)

Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our security policy" and is being fixed for 5.2

• 7Mitu/CVE-2020-25790

CVE-2020-25860 (2020-12-21)

The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.

• rauc/rauc-1.5-integration

CVE-2020-25867 (2020-10-07)

SoPlanning before 1.47 doesn't correctly check the security key used to publicly share plannings. It allows a bypass to get access without authentication.

• thomasfady/CVE-2020-25867

CVE-2020-26061 (2020-10-05)

ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. The ResetPassword function does not validate whether the user has successfully authenticated using security questions. An unauthenticated, remote attacker can send a crafted HTTP request to the /account/ResetPassword page to set a new password for any registered user.

• missing0x00/CVE-2020-26061

CVE-2020-26217 (2020-11-16)

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

• novysodope/CVE-2020-26217-XStream-RCE-POC
• Al1ex/CVE-2020-26217
• epicosy/XStream-1

CVE-2020-26233 (2020-12-08)

Git Credential Manager Core (GCM Core) is a secure Git credential helper built on .NET Core that runs on Windows and macOS. In Git Credential Manager Core before version 2.0.289, when recursively cloning a Git repository on Windows with submodules, Git will first clone the top-level repository and then recursively clone all submodules by starting new Git processes from the top-level working directory. If a malicious git.exe executable is present in the top-level repository then this binary will be started by Git Credential Manager Core when attempting to read configuration, and not git.exe as found on the %PATH%. This only affects GCM Core on Windows, not macOS or Linux-based distributions. GCM Core version 2.0.289 contains the fix for this vulnerability, and is available from the project's GitHub releases page. GCM Core 2.0.289 is also bundled in the latest Git for Windows release; version 2.29.2(3). As a workaround, users should avoid recursively cloning untrusted repositories with the --recurse-submodules option.

• whr819987540/test_CVE-2020-26233
• an1p3lg5/CVE-2020-26233

CVE-2020-26243 (2020-11-25)

Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following workarounds are available: 1) Set the option no_unions for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code. 2) Set the type of the submessage field inside oneof to FT_POINTER. This way the whole submessage will be dynamically allocated and the problematic code is not executed. 3) Use an arena allocator for nanopb, to make sure all memory can be released afterwards.

• HimanshuS67/external_nanopb-c_AOSP10_CVE-2020-26243

CVE-2020-26258 (2020-12-16)

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

• Al1ex/CVE-2020-26258

CVE-2020-26259 (2020-12-16)

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

• jas502n/CVE-2020-26259
• Al1ex/CVE-2020-26259

CVE-2020-26413 (2020-12-11)

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.

• Kento-Sec/GitLab-Graphql-CVE-2020-26413

CVE-2020-26525 (2020-10-02)

Damstra Smart Asset 2020.7 has SQL injection via the API/api/Asset originator parameter. This allows forcing the database and server to initiate remote connections to third party DNS servers.

• lukaszstu/SmartAsset-SQLinj-CVE-2020-26525

CVE-2020-26526 (2020-10-02)

An issue was discovered in Damstra Smart Asset 2020.7. It is possible to enumerate valid usernames on the login page. The application sends a different server response when the username is invalid than when the username is valid ("Unable to find an APIDomain" versus "Wrong email or password").

• lukaszstu/SmartAsset-UE-CVE-2020-26526

CVE-2020-26527 (2020-10-02)

An issue was discovered in API/api/Version in Damstra Smart Asset 2020.7. Cross-origin resource sharing trusts random origins by accepting the arbitrary 'Origin: example.com' header and responding with 200 OK and a wildcard 'Access-Control-Allow-Origin: *' header.

• lukaszstu/SmartAsset-CORS-CVE-2020-26527

CVE-2020-26732 (2021-01-14)

SKYWORTH GN542VF Hardware Version 2.0 and Software Version 2.0.0.16 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

• swzhouu/CVE-2020-26732

CVE-2020-26733 (2021-01-14)

Cross Site Scripting (XSS) in Configuration page in SKYWORTH GN542VF Hardware Version 2.0 and Software Version 2.0.0.16 allows authenticated attacker to inject their own script into the page via DDNS Configuration Section.

• swzhouu/CVE-2020-26733

CVE-2020-26878 (2020-10-26)

Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.

• htarsoo/CVE-2020-26878

CVE-2020-27190

• qlh831/x-CVE-2020-27190

CVE-2020-27194 (2020-10-16)

An issue was discovered in the Linux kernel before 5.8.15. scalar32_min_max_or in kernel/bpf/verifier.c mishandles bounds tracking during use of 64-bit values, aka CID-5b9fbeb75b6a.

• willinin/CVE-2020-27194-exp
• xmzyshypnc/CVE-2020-27194

CVE-2020-27199 (2020-12-17)

The Magic Home Pro application 1.5.1 for Android allows Authentication Bypass. The security control that the application currently has in place is a simple Username and Password authentication function. Using enumeration, an attacker is able to forge a User specific token without the need for correct password to gain access to the mobile application as that victim user.

• 9lyph/CVE-2020-27199

CVE-2020-27223 (2021-02-26)

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

• motikan2010/CVE-2020-27223
• ttestoo/Jetty-CVE-2020-27223
• hshivhare67/Jetty_v9.4.31_CVE-2020-27223_beforepatch
• hshivhare67/Jetty_v9.4.31_CVE-2020-27223

CVE-2020-27252 (2020-12-14)

Medtronic MyCareLink Smart 25000 all versions are vulnerable to a race condition in the MCL Smart Patient Reader software update system, which allows unsigned firmware to be uploaded and executed on the Patient Reader. If exploited an attacker could remotely execute code on the MCL Smart Patient Reader device, leading to control of the device.

• OccultSlolem/GatorMed

CVE-2020-27301 (2021-06-04)

A stack buffer overflow in Realtek RTL8710 (and other Ameba-based devices) can lead to remote code execution via the "AES_UnWRAP" function, when an attacker in Wi-Fi range sends a crafted "Encrypted GTK" value as part of the WPA2 4-way-handshake.

• chertoGUN/CVE-2020-27301-hostapd

CVE-2020-27358 (2020-10-31)

An issue was discovered in REDCap 8.11.6 through 9.x before 10. The messenger's CSV feature (that allows users to export their conversation threads as CSV) allows non-privileged users to export one another's conversation threads by changing the thread_id parameter in the request to the endpoint Messenger/messenger_download_csv.php?title=Hey&thread_id={THREAD_ID}.

• sebastian-mora/cve-2020-27358-27359

CVE-2020-27368 (2021-01-14)

Directory Indexing in Login Portal of Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows attacker to access /icons/ directories via GET Parameter.

• swzhouu/CVE-2020-27368

CVE-2020-27603 (2020-10-21)

BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.

• hannob/CVE-2020-27603-bbb-libreoffice-poc

CVE-2020-27688 (2020-11-05)

RVToolsPasswordEncryption.exe in RVTools 4.0.6 allows users to encrypt passwords to be used in the configuration files. This encryption used a static IV and key, and thus using the Decrypt() method from VISKD.cs from the RVTools.exe executable allows for decrypting the encrypted passwords. The accounts used in the configuration files have access to vSphere instances.

• matthiasmaes/CVE-2020-27688

CVE-2020-27747 (2020-10-29)

An issue was discovered in Click Studios Passwordstate 8.9 (Build 8973).If the user of the system has assigned himself a PIN code for entering from a mobile device using the built-in generator (4 digits), a remote attacker has the opportunity to conduct a brute force attack on this PIN code. As result, remote attacker retrieves all passwords from another systems, available for affected account.

• jet-pentest/CVE-2020-27747

CVE-2020-27786 (2020-12-11)

A flaw was found in the Linux kernel’s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

• kiks7/CVE-2020-27786-Kernel-Exploit
• elbiazo/CVE-2020-27786
• Trinadh465/linux-4.19.72_CVE-2020-27786
• ii4gsp/CVE-2020-27786
• enlist12/CVE-2020-27786

CVE-2020-27815 (2021-05-26)

A flaw was found in the JFS filesystem code in the Linux Kernel which allows a local attacker with the ability to set extended attributes to panic the system, causing memory corruption or escalating privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

• Trinadh465/linux-4.19.72_CVE-2020-27815

CVE-2020-27824 (2021-05-13)

A flaw was found in OpenJPEG’s encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest threat from this vulnerability is to system availability.

• pazhanivel07/openjpeg-2.3.0_CVE-2020-27824

CVE-2020-27838 (2021-03-08)

A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.

• Cappricio-Securities/CVE-2020-27838

CVE-2020-27904 (2020-12-08)

A logic issue existed resulting in memory corruption. This was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1. An application may be able to execute arbitrary code with kernel privileges.

• pattern-f/xattr-oob-swap

CVE-2020-27930 (2020-12-08)

A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. Processing a maliciously crafted font may lead to arbitrary code execution.

• FunPhishing/Apple-Safari-Remote-Code-Execution-CVE-2020-27930

CVE-2020-27935 (2021-04-02)

Multiple issues were addressed with improved logic. This issue is fixed in iOS 14.2 and iPadOS 14.2, macOS Big Sur 11.0.1, watchOS 7.1, tvOS 14.2. A sandboxed process may be able to circumvent sandbox restrictions.

• LIJI32/SnatchBox

CVE-2020-27949 (2021-04-02)

This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave. A malicious application may cause unexpected changes in memory belonging to processes traced by DTrace.

• seemoo-lab/dtrace-memaccess_cve-2020-27949

CVE-2020-27950 (2020-12-08)

A memory initialization issue was addressed. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 12.4.9, watchOS 6.2.9, Security Update 2020-006 High Sierra, Security Update 2020-006 Mojave, iOS 14.2 and iPadOS 14.2, watchOS 5.3.9, macOS Catalina 10.15.7 Supplemental Update, macOS Catalina 10.15.7 Update. A malicious application may be able to disclose kernel memory.

• synacktiv/CVE-2020-27950
• lyonzon2/browser-crash-tool

CVE-2020-27955 (2020-11-05)

Git LFS 2.12.0 allows Remote Code Execution.

• ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955
• ExploitBox/git-lfs-RCE-exploit-CVE-2020-27955-Go
• yhsung/cve-2020-27955-poc
• r00t4dm/CVE-2020-27955
• shubham0d/CVE-2020-27955
• TheTh1nk3r/cve-2020-27955
• NeoDarwin/CVE-2020-27955
• DeeLMind/CVE-2020-27955-LFS
• HK69s/CVE-2020-27955
• IanSmith123/CVE-2020-27955
• Arnoldqqq/CVE-2020-27955
• nob0dy-3389/CVE-2020-27955
• Marsable/CVE-2020-27955-LFS
• FrostsaberX/CVE-2020-27955
• whitetea2424/CVE-2020-27955-LFS-main
• userxfan/cve-2020-27955
• z50913/CVE-2020-27955
• Kimorea/CVE-2020-27955-LFS

CVE-2020-27976 (2020-10-28)

osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option.

• k0rnh0li0/CVE-2020-27976

CVE-2020-28018 (2021-05-06)

Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL.

• dorkerdevil/CVE-2020-28018
• zr0tt/CVE-2020-28018

CVE-2020-28032 (2020-10-31)

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

• nth347/CVE-2020-28032_PoC

CVE-2020-28052 (2020-12-18)

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

• madstap/bouncy-castle-generative-test-poc
• kurenaif/CVE-2020-28052_PoC

CVE-2020-28054 (2020-11-19)

JamoDat TSMManager Collector version up to 6.5.0.21 is vulnerable to an Authorization Bypass because the Collector component is not properly validating an authenticated session with the Viewer. If the Viewer has been modified (binary patched) and the Bypass Login functionality is being used, an attacker can request every Collector's functionality as if they were a properly logged-in user: administrating connected instances, reviewing logs, editing configurations, accessing the instances' consoles, accessing hardware configurations, etc.Exploiting this vulnerability won't grant an attacker access nor control on remote ISP servers as no credentials is sent with the request.

• VoidSec/Tivoli-Madness

CVE-2020-28148

• fengchenzxc/CVE-2020-28148

CVE-2020-28169 (2020-12-24)

The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYSTEM.

• zubrahzz/FluentD-TD-agent-Exploit-CVE-2020-28169

CVE-2020-28243 (2021-02-27)

An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.

• stealthcopter/CVE-2020-28243

CVE-2020-28328 (2020-11-06)

SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.

• mcorybillington/SuiteCRM-RCE

CVE-2020-28351 (2020-11-09)

The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page.

• dievus/CVE-2020-28351

CVE-2020-28414 (2020-11-12)

A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via crafted url (different vector than CVE-2020-28415).

• jet-pentest/CVE-2020-28414

CVE-2020-28415 (2020-11-12)

A reflected cross-site scripting (XSS) vulnerability exists in the TranzWare Payment Gateway 3.1.12.3.2. A remote unauthenticated attacker is able to execute arbitrary HTML code via crafted url (different vector than CVE-2020-28414).

• jet-pentest/CVE-2020-28415

CVE-2020-28458 (2020-12-16)

All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.

• fazilbaig1/CVE-2020-28458

CVE-2020-28478 (2021-01-19)

This affects the package gsap before 3.6.0.

• NetJBS/CVE-2020-28478--PoC

CVE-2020-28488

• rafaelcintralopes/CVE-2020-28488

CVE-2020-28502 (2021-03-05)

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

• s-index/CVE-2020-28502
• dpredrag/CVE-2020-28502

CVE-2020-28647 (2020-11-17)

In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS).

• SECFORCE/Progress-MOVEit-Transfer-2020.1-Stored-XSS-CVE-2020-28647

CVE-2020-28653 (2021-02-03)

Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.

• tuo4n8/CVE-2020-28653
• intrigueio/cve-2020-28653-poc
• mr-r3bot/ManageEngine-CVE-2020-28653

CVE-2020-28874 (2021-01-21)

reset-password.php in ProjectSend before r1295 allows remote attackers to reset a password because of incorrect business logic. Errors are not properly considered (an invalid token parameter).

• varandinawer/CVE-2020-28874

CVE-2020-28926 (2020-11-30)

ReadyMedia (aka MiniDLNA) before versions 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug resulting in a buffer overflow in calls to memcpy/memmove.

• lorsanta/exploit-CVE-2020-28926

CVE-2020-28948 (2020-11-19)

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

• 0x240x23elu/CVE-2020-28948-and-CVE-2020-28949
• nopdata/cve-2020-28948
• JinHao-L/PoC-for-CVE-2020-28948-CVE-2020-28949

CVE-2020-29007 (2023-04-15)

The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to edit articles (potentially including unauthenticated anonymous users) to execute arbitrary Scheme or shell code by using crafted {{Image data to generate musical scores containing malicious code.

• seqred-s-a/cve-2020-29007

CVE-2020-29070 (2020-11-25)

osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.

• aslanemre/cve-2020-29070

CVE-2020-29134 (2021-03-05)

The TOTVS Fluig platform allows path traversal through the parameter "file = .. /" encoded in base64. This affects all versions Fluig Lake 1.7.0, Fluig 1.6.5 and Fluig 1.6.4

• Ls4ss/CVE-2020-29134

CVE-2020-29156 (2020-12-27)

The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.

• Ko-kn3t/CVE-2020-29156

CVE-2020-29254 (2020-12-11)

TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These action include allowing attackers to submit their own code through an authenticated user resulting in local file Inclusion. If an authenticated user who is able to edit TikiWiki templates visits an malicious website, template code can be edited.

• S1lkys/CVE-2020-29254

CVE-2020-29364 (2020-11-30)

In NetArt News Lister 1.0.0, the news headlines vulnerable to stored xss attacks. Attackers can inject codes in news titles.

• aslanemre/CVE-2020-29364

CVE-2020-29370 (2020-11-28)

An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.

• nanopathi/linux-4.19.72_CVE-2020-29370

CVE-2020-29583 (2020-12-22)

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.

• ruppde/scan_CVE-2020-29583

CVE-2020-29599 (2020-12-07)

ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.

• lnwza0x0a/CVE-2020-29599

CVE-2020-29607 (2020-12-16)

A file upload restriction bypass vulnerability in Pluck CMS before 4.7.13 allows an admin privileged user to gain access in the host through the "manage files" functionality, which may result in remote code execution.

• 0xAbbarhSF/CVE-2020-29607
• 0xN7y/CVE-2020-29607

CVE-2020-29661 (2020-12-09)

A locking issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_jobctrl.c allows a use-after-free attack against TIOCSPGRP, aka CID-54ffccbf053b.

• wojkos9/arm-CVE-2020-29661

CVE-2020-29666 (2020-12-10)

In Lan ATMService M3 ATM Monitoring System 6.1.0, due to a directory-listing vulnerability, a remote attacker can view log files, located in /websocket/logs/, that contain a user's cookie values and the predefined developer's cookie value.

• jet-pentest/CVE-2020-29666

CVE-2020-29667 (2020-12-10)

In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER, can achieve control over the system because of Insufficient Session Expiration.

• jet-pentest/CVE-2020-29667

CVE-2020-29669 (2020-12-14)

In the Macally WIFISD2-2A82 Media and Travel Router 2.000.010, the Guest user is able to reset its own password. This process has a vulnerability which can be used to take over the administrator account and results in shell access. As the admin user may read the /etc/shadow file, the password hashes of each user (including root) can be dumped. The root hash can be cracked easily which results in a complete system compromise.

• code-byter/CVE-2020-29669

CVE-2020-35191 (2020-12-17)

The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. System using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.

• megadimenex/MegaHiDocker

CVE-2020-35262 (2021-01-06)

Cross Site Scripting (XSS) vulnerability in Digisol DG-HR3400 can be exploited via the NTP server name in Time and date module and "Keyword" in URL Filter.

• the-girl-who-lived/CVE-2020-35262

CVE-2020-35314 (2021-04-20)

A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3, allows remote attackers to upload a custom plugin which can contain arbitrary code and obtain a webshell via the theme/plugin installer.

• ybdegit2020/wonderplugin
• AkashLingayat/WonderCMS-CVE-2020-35314

CVE-2020-35391 (2021-01-01)

Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related issue to CVE-2017-14942. NOTE: the vulnerability report may suggest that either a ? character must be placed after the RouterCfm.cfg filename, or that the HTTP request headers must be unusual, but it is not known why these are relevant to the device's HTTP response behavior.

• dumitory-dev/CVE-2020-35391-POC
• H454NSec/CVE-2020-35391

CVE-2020-35476 (2020-12-16)

A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.)

• glowbase/CVE-2020-35476

CVE-2020-35488 (2021-01-05)

The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.)

• GuillaumePetit84/CVE-2020-35488
• githubfoam/nxlog-ubuntu-githubactions

CVE-2020-35489 (2020-12-17)

The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters.

• dn9uy3n/Check-WP-CVE-2020-35489
• X0UCYB3R/Check-WP-CVE-2020-35489
• reneoliveirajr/wp_CVE-2020-35489_checker
• Cappricio-Securities/CVE-2020-35489
• gh202503/poc-cve-2020-35489

CVE-2020-35498 (2021-02-11)

A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.

• freddierice/cve-2020-35498-flag

CVE-2020-35545 (2020-12-17)

Time-based SQL injection exists in Spotweb 1.4.9 via the query string.

• bousalman/CVE-2020-35545

CVE-2020-35575 (2020-12-26)

A password-disclosure issue in the web interface on certain TP-Link devices allows a remote attacker to get full administrative access to the web panel. This affects WA901ND devices before 3.16.9(201211) beta, and Archer C5, Archer C7, MR3420, MR6400, WA701ND, WA801ND, WDR3500, WDR3600, WE843N, WR1043ND, WR1045ND, WR740N, WR741ND, WR749N, WR802N, WR840N, WR841HP, WR841N, WR842N, WR842ND, WR845N, WR940N, WR941HP, WR945N, WR949N, and WRD4300 devices.

• dylvie/CVE-2020-35575-TP-LINK-TL-WR841ND-password-disclosure

CVE-2020-35590 (2020-12-21)

LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.

• N4nj0/CVE-2020-35590

CVE-2020-35606 (2020-12-21)

Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840.

• anasbousselham/webminscan

CVE-2020-35669 (2020-12-24)

An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request.

• n0npax/CVE-2020-35669

CVE-2020-35682 (2021-03-13)

Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).

• its-arun/CVE-2020-35682

CVE-2020-35713 (2020-12-26)

Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters to the goform/setSysAdm page.

• Al1ex/CVE-2020-35713

CVE-2020-35717 (2021-01-01)

zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true).

• hmartos/cve-2020-35717
• Redfox-Secuirty/Hacking-Electron-Apps-CVE-2020-35717-

CVE-2020-35728 (2020-12-27)

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

• Al1ex/CVE-2020-35728

CVE-2020-35729 (2020-12-27)

KLog Server 2.4.1 allows OS command injection via shell metacharacters in the actions/authenticate.php user parameter.

• Al1ex/CVE-2020-35729

CVE-2020-35749 (2021-01-15)

Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simple Board Job plugin 2.9.3 and earlier for WordPress allows remote attackers to read arbitrary files via the sjb_file parameter to wp-admin/post.php.

• M4xSec/Wordpress-CVE-2020-35749

CVE-2020-35846 (2020-12-30)

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.

• JohnHammond/CVE-2020-35846
• 0z09e/CVE-2020-35846

CVE-2020-35847 (2020-12-30)

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.

• w33vils/CVE-2020-35847_CVE-2020-35848

CVE-2020-36079 (2021-02-26)

Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files(elFinder) portion of the UI. This can, for example, place a .php file in the server's uploaded/ directory. NOTE: the vendor disputes this because exploitation can only be performed by an admin who has "lots of other possibilities to harm a site.

• azizalshammari/CVE-2020-36079.

CVE-2020-36109 (2021-02-01)

ASUS RT-AX86U router firmware below version under 9.0.0.4_386 has a buffer overflow in the blocking_request.cgi function of the httpd module that can cause code execution when an attacker constructs malicious data.

• tin-z/CVE-2020-36109-POC
• sunn1day/CVE-2020-36109-POC

CVE-2020-36179 (2021-01-06)

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

• Al1ex/CVE-2020-36179

CVE-2020-36184 (2021-01-06)

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

• Al1ex/CVE-2020-36184

CVE-2020-36188 (2021-01-06)

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

• Al1ex/CVE-2020-36188

CVE-2020-36287 (2021-04-09)

The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.

• f4rber/CVE-2020-36287

CVE-2020-36518 (2022-03-11)

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

• ghillert/boot-jackson-cve

CVE-2020-36603 (2022-09-14)

The HoYoVerse (formerly miHoYo) Genshin Impact mhyprot2.sys 1.0.0.0 anti-cheat driver does not adequately restrict unprivileged function calls, allowing local, unprivileged users to execute arbitrary code with SYSTEM privileges on Microsoft Windows systems. The mhyprot2.sys driver must first be installed by a user with administrative privileges.

• gmh5225/CVE-2020-36603

CVE-2020-36730 (2023-06-07)

The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmp_get_post_detail(), niteo_export_csv(), and cmp_disable_comingsoon_ajax() functions in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to read posts, export subscriber lists, and/or deactivate the plugin.

• RandomRobbieBF/CVE-2020-36730

CVE-2020-36732 (2023-06-12)

The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.

• miguelc49/CVE-2020-36732-2
• miguelc49/CVE-2020-36732-1

CVE-2020-72381

• jdordonezn/CVE-2020-72381

CVE-2020-256480

• dim0x69/cve-2022-25640-exploit

2019

CVE-2019-0053 (2019-07-11)

Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffer overflows, which can be exploited to bypass veriexec restrictions on Junos OS. A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers. This issue only affects the telnet client — accessible from the CLI or shell — in Junos OS. Inbound telnet services are not affected by this issue. This issue affects: Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S13; 12.3X48 versions prior to 12.3X48-D80; 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X49 versions prior to 15.1X49-D170; 15.1X53 versions prior to 15.1X53-D237, 15.1X53-D496, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S11, 16.1R7-S4; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1; 17.3 versions prior to 17.3R3-S4; 17.4 versions prior to 17.4R1-S6, 17.4R2-S3, 17.4R3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2 versions prior to 18.2R1-S5, 18.2R2-S2, 18.2R3; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S3, 18.3R2; 18.4 versions prior to 18.4R1-S2, 18.4R2.

• dreamsmasher/inetutils-CVE-2019-0053-Patched-PKGBUILD

CVE-2019-0162 (2019-04-17)

Memory access in virtual memory mapping for some microprocessors may allow an authenticated user to potentially enable information disclosure via local access.

• saadislamm/SPOILER

CVE-2019-0192 (2019-03-07)

In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

• mpgn/CVE-2019-0192
• Rapidsafeguard/Solr-RCE-CVE-2019-0192

CVE-2019-0193 (2019-08-01)

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property "enable.dih.dataConfigParam" to true.

• xConsoIe/CVE-2019-0193
• jas502n/CVE-2019-0193
• 1135/solr_exploit
• jaychouzzk/CVE-2019-0193-exp
• freeFV/ApacheSolrRCE

CVE-2019-0211 (2019-04-08)

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

• ozkanbilge/Apache-Exploit-2019

CVE-2019-0217 (2019-04-08)

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

• savsch/PoC_CVE-2019-0217

CVE-2019-0227 (2019-05-01)

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.

• ianxtianxt/cve-2019-0227

CVE-2019-0230 (2020-09-14)

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

• PrinceFPF/CVE-2019-0230
• ramoncjs3/CVE-2019-0230
• f8al/CVE-2019-0230-PoC
• Al1ex/CVE-2019-0230
• tw-eason-tseng/CVE-2019-0230_Struts2S2-059

CVE-2019-0232 (2019-04-15)

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

• pyn3rd/CVE-2019-0232
• jas502n/CVE-2019-0232
• cyy95/CVE-2019-0232-EXP
• setrus/CVE-2019-0232
• Nicoslo/Windows-exploitation-Apache-Tomcat-8.5.19-CVE-2019-0232-
• Nicoslo/Windows-Exploitation-Web-Server-Tomcat-8.5.39-CVE-2019-0232
• jaiguptanick/CVE-2019-0232
• xsxtw/CVE-2019-0232
• Dharan10/CVE-2019-0232

CVE-2019-0539 (2019-01-08)

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0567, CVE-2019-0568.

• 0x43434343/CVE-2019-0539

CVE-2019-0567 (2019-01-08)

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0539, CVE-2019-0568.

• NatteeSetobol/Chakra-CVE-2019-0567
• NatteeSetobol/CVE-2019-0567-MS-Edge

CVE-2019-0604 (2019-03-06)

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.

• linhlhq/CVE-2019-0604
• likekabin/CVE-2019-0604_sharepoint_CVE
• k8gege/CVE-2019-0604
• m5050/CVE-2019-0604
• boxhg/CVE-2019-0604
• Gh0st0ne/weaponized-0604
• davidlebr1/cve-2019-0604-SP2010-netv3.5

CVE-2019-0623 (2019-03-06)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

• Anti-ghosts/CVE-2019-0623-32-exp

CVE-2019-0678 (2019-04-08)

An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain.In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability, aka 'Microsoft Edge Elevation of Privilege Vulnerability'.

• sharmasandeepkr/CVE-2019-0678

CVE-2019-0708 (2019-05-16)

A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

• hook-s3c/CVE-2019-0708-poc
• SherlockSec/CVE-2019-0708
• yetiddbb/CVE-2019-0708-PoC
• p0p0p0/CVE-2019-0708-exploit
• rockmelodies/CVE-2019-0708-Exploit
• anquanscan/CVE-2019-0708
• xiyangzuishuai/Dark-Network-CVE-2019-0708
• temp-user-2014/CVE-2019-0708
• areusecure/CVE-2019-0708
• pry0cc/cve-2019-0708-2
• sbkcbig/CVE-2019-0708-EXPloit
• sbkcbig/CVE-2019-0708-EXPloit-3389
• YSheldon/MS_T120
• k8gege/CVE-2019-0708
• hotdog777714/RDS_CVE-2019-0708
• jiansiting/CVE-2019-0708
• NullByteSuiteDevs/CVE-2019-0708
• thugcrowd/CVE-2019-0708
• blacksunwen/CVE-2019-0708
• infenet/CVE-2019-0708
• n0auth/CVE-2019-0708
• gildaaa/CVE-2019-0708
• sbkcbig/CVE-2019-0708-Poc-exploit
• HackerJ0e/CVE-2019-0708
• syriusbughunt/CVE-2019-0708
• Barry-McCockiner/CVE-2019-0708
• ShadowBrokers-ExploitLeak/CVE-2019-0708
• safly/CVE-2019-0708
• Jaky5155/cve-2019-0708-exp
• fourtwizzy/CVE-2019-0708-Check-Device-Patch-Status
• 303sec/CVE-2019-0708
• f8al/CVE-2019-0708-POC
• blockchainguard/CVE-2019-0708
• yushiro/CVE-2019-0708
• skyshell20082008/CVE-2019-0708-PoC-Hitting-Path
• ttsite/CVE-2019-0708-
• ttsite/CVE-2019-0708
• biggerwing/CVE-2019-0708-poc
• n1xbyte/CVE-2019-0708
• freeide/CVE-2019-0708
• edvacco/CVE-2019-0708-POC
• pry0cc/BlueKeepTracker
• zjw88282740/CVE-2019-0708-win7
• victor0013/CVE-2019-0708
• herhe/CVE-2019-0708poc
• l9c/rdp0708scanner
• major203/cve-2019-0708-scan
• SugiB3o/Check-vuln-CVE-2019-0708
• gobysec/CVE-2019-0708
• smallFunction/CVE-2019-0708-POC
• freeide/CVE-2019-0708-PoC-Exploit
• robertdavidgraham/rdpscan
• closethe/CVE-2019-0708-POC
• SQLDebugger/CVE-2019-0708-Tool
• Rostelecom-CERT/bluekeepscan
• Leoid/CVE-2019-0708
• ht0Ruial/CVE-2019-0708Poc-BatchScanning
• oneoy/BlueKeep
• infiniti-team/CVE-2019-0708
• haishanzheng/CVE-2019-0708-generate-hosts
• Ekultek/BlueKeep
• UraSecTeam/CVE-2019-0708
• Gh0st0ne/rdpscan-BlueKeep
• algo7/bluekeep_CVE-2019-0708_poc_to_exploit
• JasonLOU/CVE-2019-0708
• AdministratorGithub/CVE-2019-0708
• umarfarook882/CVE-2019-0708
• HynekPetrak/detect_bluekeep.py
• Pa55w0rd/CVE-2019-0708
• at0mik/CVE-2019-0708-PoC
• cream-sec/CVE-2019-0708-Msf--
• ZhaoYukai/CVE-2019-0708
• ZhaoYukai/CVE-2019-0708-Batch-Blue-Screen
• wdfcc/CVE-2019-0708
• cvencoder/cve-2019-0708
• ze0r/CVE-2019-0708-exp
• mekhalleh/cve-2019-0708
• cve-2019-0708-poc/cve-2019-0708
• andripwn/CVE-2019-0708
• 0xeb-bp/bluekeep
• ntkernel0/CVE-2019-0708
• dorkerdevil/Remote-Desktop-Services-Remote-Code-Execution-Vulnerability-CVE-2019-0708-
• turingcompl33t/bluekeep
• skommando/CVE-2019-0708
• RickGeex/msf-module-CVE-2019-0708
• wqsemc/CVE-2019-0708
• Micr067/CVE-2019-0708RDP-MSF
• FrostsaberX/CVE-2019-0708
• 0x6b7966/CVE-2019-0708-RCE
• qing-root/CVE-2019-0708-EXP-MSF-
• distance-vector/CVE-2019-0708
• 0xFlag/CVE-2019-0708-test
• 1aa87148377/CVE-2019-0708
• coolboy4me/cve-2019-0708_bluekeep_rce
• Cyb0r9/ispy
• ulisesrc/-2-CVE-2019-0708
• worawit/CVE-2019-0708
• Ameg-yag/Wincrash
• cbwang505/CVE-2019-0708-EXP-Windows
• eastmountyxz/CVE-2019-0708-Windows
• RICSecLab/CVE-2019-0708
• JSec1337/Scanner-CVE-2019-0708
• nochemax/bLuEkEeP-GUI
• AaronCaiii/CVE-2019-0708-POC
• DeathStroke-source/Mass-scanner-for-CVE-2019-0708-RDP-RCE-Exploit
• go-bi/CVE-2019-0708-EXP-Windows
• CircuitSoul/CVE-2019-0708
• pywc/CVE-2019-0708
• bibo318/kali-CVE-2019-0708-lab
• lisinan988/CVE-2019-0708-scan
• offensity/CVE-2019-0708
• CPT-Jack-A-Castle/Haruster-CVE-2019-0708-Exploit
• Ravaan21/Bluekeep-Hunter
• davidfortytwo/bluekeep
• tranqtruong/Detect-BlueKeep
• rasan2001/Microsoft-Remote-Desktop-Services-Remote-Code-Execution-Vulnerability-CVE-2019-0708
• adyanamul/Remote-Code-Execution-RCE-Exploit-BlueKeep-CVE-2019-0708-PoC
• DenuwanJayasekara/CVE-Exploitation-Reports
• hualy13/CVE-2019-0708-Check

CVE-2019-0709 (2019-06-12)

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Windows Hyper-V Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0620, CVE-2019-0722.

• YHZX2013/CVE-2019-0709
• qq431169079/CVE-2019-0709
• ciakim/CVE-2019-0709

CVE-2019-0752 (2019-04-09)

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0739, CVE-2019-0753, CVE-2019-0862.

• edxsh/CVE-2019-0752

CVE-2019-0768 (2019-04-09)

A security feature bypass vulnerability exists when Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, and to allow requests that should otherwise be ignored, aka 'Internet Explorer Security Feature Bypass Vulnerability'. This CVE ID is unique from CVE-2019-0761.

• ruthlezs/ie11_vbscript_exploit

CVE-2019-0785 (2019-07-15)

A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.

• Jaky5155/CVE-2019-0785

CVE-2019-0803 (2019-04-09)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0685, CVE-2019-0859.

• Iamgublin/CVE-2019-0803
• ExpLife0011/CVE-2019-0803

CVE-2019-0808 (2019-04-09)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0797.

• ze0r/cve-2019-0808-poc
• rakesh143/CVE-2019-0808
• exodusintel/CVE-2019-0808
• bb33bb/CVE-2019-0808-32-64-exp

CVE-2019-0841 (2019-04-09)

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0730, CVE-2019-0731, CVE-2019-0796, CVE-2019-0805, CVE-2019-0836.

• rogue-kdc/CVE-2019-0841
• likekabin/CVE-2019-0841
• 0x00-0x00/CVE-2019-0841-BYPASS
• mappl3/CVE-2019-0841

CVE-2019-0859 (2019-04-09)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-0685, CVE-2019-0803.

• Sheisback/CVE-2019-0859-1day-Exploit

CVE-2019-0887 (2019-07-15)

A remote code execution vulnerability exists in Remote Desktop Services - formerly known as Terminal Services - when an authenticated attacker abuses clipboard redirection, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

• qianshuidewajueji/CVE-2019-0887
• t43Wiu6/CVE-2019-0887

CVE-2019-0888 (2019-06-12)

A remote code execution vulnerability exists in the way that ActiveX Data Objects (ADO) handle objects in memory, aka 'ActiveX Data Objects (ADO) Remote Code Execution Vulnerability'.

• sophoslabs/CVE-2019-0888

CVE-2019-0986 (2019-06-12)

An elevation of privilege vulnerability exists when the Windows User Profile Service (ProfSvc) improperly handles symlinks, aka 'Windows User Profile Service Elevation of Privilege Vulnerability'.

• padovah4ck/CVE-2019-0986

CVE-2019-905

• xtafnull/CMS-made-simple-sqli-python3

CVE-2019-1006 (2019-07-15)

An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'.

• 521526/CVE-2019-1006

CVE-2019-1040 (2019-06-12)

A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka 'Windows NTLM Tampering Vulnerability'.

• Ridter/CVE-2019-1040
• Ridter/CVE-2019-1040-dcpwn
• lazaars/UltraRealy_with_CVE-2019-1040
• fox-it/cve-2019-1040-scanner
• QAX-A-Team/dcpwn

CVE-2019-1064 (2019-06-12)

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'.

• RythmStick/CVE-2019-1064
• 0x00-0x00/CVE-2019-1064
• attackgithub/CVE-2019-1064

CVE-2019-1068 (2019-07-15)

A remote code execution vulnerability exists in Microsoft SQL Server when it incorrectly handles processing of internal functions, aka 'Microsoft SQL Server Remote Code Execution Vulnerability'.

• Vulnerability-Playground/CVE-2019-1068

CVE-2019-1069 (2019-06-12)

An elevation of privilege vulnerability exists in the way the Task Scheduler Service validates certain file operations, aka 'Task Scheduler Elevation of Privilege Vulnerability'.

• S3cur3Th1sSh1t/SharpPolarBear

CVE-2019-1083 (2019-07-15)

A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests, aka '.NET Denial of Service Vulnerability'.

• stevenseeley/HowCVE-2019-1083Works

CVE-2019-1096 (2019-07-15)

An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka 'Win32k Information Disclosure Vulnerability'.

• CrackerCat/cve-2019-1096-poc

CVE-2019-1108 (2019-07-29)

An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory, aka 'Remote Desktop Protocol Client Information Disclosure Vulnerability'.

• Lanph3re/cve-2019-1108

CVE-2019-1125 (2019-09-03)

An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries.\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further.\nOn January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities (known as Spectre) involving speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. This vulnerability, released on August 6, 2019, is a variant of the Spectre Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.\nMicrosoft released a security update on July 9, 2019 that addresses the vulnerability through a software change that mitigates how the CPU speculatively accesses memory. Note that this vulnerability does not require a microcode update from your device OEM.\n

• bitdefender/swapgs-attack-poc

CVE-2019-1132 (2019-07-29)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

• Vlad-tri/CVE-2019-1132
• petercc/CVE-2019-1132

CVE-2019-1181 (2019-08-14)

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\nTo exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.\nThe update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.\n

• major203/cve-2019-1181

CVE-2019-1215 (2019-09-11)

An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1253, CVE-2019-1278, CVE-2019-1303.

• bluefrostsecurity/CVE-2019-1215

CVE-2019-1218 (2019-08-14)

A spoofing vulnerability exists in the way Microsoft Outlook iOS software parses specifically crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim.\nThe attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user.\nThe security update addresses the vulnerability by correcting how Outlook iOS parses specially crafted email messages.\n

• d0gukank/CVE-2019-1218

CVE-2019-1221 (2019-09-11)

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'.

• edxsh/CVE-2019-1221

CVE-2019-1253 (2019-09-11)

An elevation of privilege vulnerability exists when the Windows AppX Deployment Server improperly handles junctions.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1215, CVE-2019-1278, CVE-2019-1303.

• rogue-kdc/CVE-2019-1253
• likekabin/CVE-2019-1253
• padovah4ck/CVE-2019-1253
• sgabe/CVE-2019-1253

CVE-2019-1315 (2019-10-10)

An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links, aka 'Windows Error Reporting Manager Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1339, CVE-2019-1342.

• Mayter/CVE-2019-1315

CVE-2019-1332 (2019-12-10)

A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka 'Microsoft SQL Server Reporting Services XSS Vulnerability'.

• mbadanoiu/CVE-2019-1332

CVE-2019-1351 (2020-01-24)

A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'.

• JonasDL/PruebaCVE20191351

CVE-2019-1367 (2019-09-23)

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.

• mandarenmanman/CVE-2019-1367

CVE-2019-1388 (2019-11-12)

An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka 'Windows Certificate Dialog Elevation of Privilege Vulnerability'.

• jas502n/CVE-2019-1388
• jaychouzzk/CVE-2019-1388
• sv3nbeast/CVE-2019-1388
• nobodyatall648/CVE-2019-1388
• suprise4u/CVE-2019-1388

CVE-2019-1402 (2019-11-12)

An information disclosure vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka 'Microsoft Office Information Disclosure Vulnerability'.

• lauxjpn/CorruptQueryAccessWorkaround

CVE-2019-1405 (2019-11-12)

An elevation of privilege vulnerability exists when the Windows Universal Plug and Play (UPnP) service improperly allows COM object creation, aka 'Windows UPnP Service Elevation of Privilege Vulnerability'.

• apt69/COMahawk

CVE-2019-1422 (2019-11-12)

An elevation of privilege vulnerability exists in the way that the iphlpsvc.dll handles file creation allowing for a file overwrite, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1420, CVE-2019-1423.

• ze0r/cve-2019-1422

CVE-2019-1458 (2019-12-10)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

• piotrflorczyk/cve-2019-1458_POC
• rip1s/CVE-2019-1458
• Eternit7/CVE-2019-1458

CVE-2019-1476 (2019-12-10)

An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links, aka 'Windows Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1483.

• sgabe/CVE-2019-1476

CVE-2019-1579 (2019-07-19)

Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code.

• securifera/CVE-2019-1579
• Elsfa7-110/CVE-2019-1579

CVE-2019-1619 (2019-06-27)

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session management on affected DCNM software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to gain administrative access on the affected device.

• Cipolone95/CVE-2019-1619

CVE-2019-1652 (2019-01-24)

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability.

• 0x27/CiscoRV320Dump

CVE-2019-1653 (2019-01-24)

A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.

• dubfr33/CVE-2019-1653
• shaheemirza/CiscoSpill
• ibrahimzx/CVE-2019-1653
• elzerjp/nuclei-CiscoRV320Dump-CVE-2019-1653

CVE-2019-1663 (2019-02-28)

A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user. RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected. RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.

• StealYourCode/CVE-2019-1663
• abrumsen/CVE-2019-1663
• WolffCorentin/CVE-2019-1663-Binary-Analysis

CVE-2019-1698 (2019-02-21)

A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by importing a crafted XML file with malicious entries, which could allow the attacker to read files within the affected application. Versions prior to 4.4(0.26) are affected.

• raytran54/CVE-2019-1698

CVE-2019-1759 (2019-03-28)

A vulnerability in access control list (ACL) functionality of the Gigabit Ethernet Management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to reach the configured IP addresses on the Gigabit Ethernet Management interface. The vulnerability is due to a logic error that was introduced in the Cisco IOS XE Software 16.1.1 Release, which prevents the ACL from working when applied against the management interface. An attacker could exploit this issue by attempting to access the device via the management interface.

• r3m0t3nu11/CVE-2019-1759-csrf-js-rce

CVE-2019-1821 (2019-05-16)

A vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute code with root-level privileges on the underlying operating system. This vulnerability exist because the software improperly validates user-supplied input. An attacker could exploit this vulnerability by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.

• k8gege/CiscoExploit

CVE-2019-1881 (2019-06-05)

A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on an affected device. For more information about CSRF attacks and potential mitigations, see Understanding Cross-Site Request Forgery Threat Vectors.

• Shadawks/Strapi-CVE-2019-1881

CVE-2019-2107 (2019-07-08)

In ihevcd_parse_pps of ihevcd_parse_headers.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-130024844.

• CrackerCat/CVE-2019-2107
• infiniteLoopers/CVE-2019-2107

CVE-2019-2196 (2019-11-13)

In Download Provider, there is possible SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-135269143

• IOActive/AOSP-DownloadProviderDbDumperSQLiLimit

CVE-2019-2198 (2019-11-13)

In Download Provider, there is a possible SQL injection vulnerability. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-135270103

• IOActive/AOSP-DownloadProviderDbDumperSQLiWhere

CVE-2019-2205 (2019-11-13)

In ProxyResolverV8::SetPacScript of proxy_resolver_v8.cc, there is a possible memory corruption due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-139806216

• aemmitt-ns/pacpoc

CVE-2019-2215 (2019-10-11)

A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095

• timwr/CVE-2019-2215
• raystyle/CVE-2019-2215
• kangtastic/cve-2019-2215
• ATorNinja/CVE-2019-2215
• LIznzn/CVE-2019-2215
• DimitriFourny/cve-2019-2215
• qre0ct/android-kernel-exploitation-ashfaq-CVE-2019-2215
• sharif-dev/AndroidKernelVulnerability
• c3r34lk1ll3r/CVE-2019-2215
• Byte-Master-101/CVE-2019-2215
• mufidmb38/CVE-2019-2215
• CrackerCat/Rootsmart-v2.0
• enceka/cve-2019-2215-3.18
• elbiazo/CVE-2019-2215
• stevejubx/CVE-2019-2215
• willboka/CVE-2019-2215-HuaweiP20Lite
• mutur4/CVE-2019-2215
• R0rt1z2/huawei-unlock
• raymontag/CVE-2019-2215
• XiaozaYa/CVE-2019-2215

CVE-2019-2525 (2019-01-16)

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are prior to 5.2.24 and prior to 6.0.2. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 5.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N).

• Phantomn/VirtualBox_CVE-2019-2525-CVE-2019-2548
• wotmd/VirtualBox-6.0.0-Exploit-1-day

CVE-2019-2615 (2019-04-23)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

• chiaifan/CVE-2019-2615

CVE-2019-2618 (2019-04-23)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data as well as unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 5.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N).

• pyn3rd/CVE-2019-2618
• jas502n/cve-2019-2618
• wsfengfan/CVE-2019-2618-
• dr0op/WeblogicScan
• he1dan/cve-2019-2618
• ianxtianxt/cve-2019-2618
• 0xn0ne/weblogicScanner

CVE-2019-2725 (2019-04-26)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• shack2/javaserializetools
• SkyBlueEternal/CNVD-C-2019-48814-CNNVD-201904-961
• tobechenghuai/CNTA-2019-0014xCVE-2019-2725
• lasensio/cve-2019-2725
• davidmthomsen/CVE-2019-2725
• leerina/CVE-2019-2725
• zhusx110/cve-2019-2725
• lufeirider/CVE-2019-2725
• TopScrew/CVE-2019-2725
• welove88888/CVE-2019-2725
• jiansiting/CVE-2019-2725
• kerlingcode/CVE-2019-2725
• black-mirror/Weblogic
• pimps/CVE-2019-2725
• ianxtianxt/CVE-2019-2725
• N0b1e6/CVE-2019-2725-POC
• GGyao/weblogic_2019_2725_wls_batch
• ludy-dev/Oracle-WLS-Weblogic-RCE
• 1stPeak/CVE-2019-2725-environment
• CalegariMindSec/Exploit-CVE-2019-2725

CVE-2019-2729 (2019-06-19)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• waffl3ss/CVE-2019-2729
• ruthlezs/CVE-2019-2729-Exploit
• pizza-power/weblogic-CVE-2019-2729-POC
• Luchoane/CVE-2019-2729_creal

CVE-2019-2888 (2019-10-16)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: EJB Container). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

• jas502n/CVE-2019-2888

CVE-2019-2890 (2019-10-16)

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

• ZO1RO/CVE-2019-2890
• Ky0-HVA/CVE-2019-2890
• freeide/weblogic_cve-2019-2890
• l1nk3rlin/CVE-2019-2890
• jas502n/CVE-2019-2890
• ianxtianxt/CVE-2019-2890
• zhzhdoai/Weblogic_Vuln

CVE-2019-3010 (2019-10-16)

Vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

• chaizeg/privilege-escalation-breach

CVE-2019-3394 (2019-08-29)

There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. An attacker with permission to editing a page is able to exploit this issue to read arbitrary file on the server under <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, which could potentially leak credentials or other sensitive information such as LDAP credentials. The LDAP credential will be potentially leaked only if the Confluence server is configured to use LDAP as user repository. All versions of Confluence Server from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.

• jas502n/CVE-2019-3394

CVE-2019-3396 (2019-03-25)

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

• dothanthitiendiettiende/CVE-2019-3396
• x-f1v3/CVE-2019-3396
• xiaoshuier/CVE-2019-3396
• Yt1g3r/CVE-2019-3396_EXP
• jas502n/CVE-2019-3396
• pyn3rd/CVE-2019-3396
• s1xg0d/CVE-2019-3396
• quanpt103/CVE-2019-3396
• vntest11/confluence_CVE-2019-3396
• tanw923/test1
• skommando/CVE-2019-3396-confluence-poc
• JonathanZhou348/CVE-2019-3396TEST
• am6539/CVE-2019-3396
• W2Ning/CVE-2019-3396
• yuehanked/cve-2019-3396
• 0xNinjaCyclone/cve-2019-3396
• 46o60/CVE-2019-3396_Confluence
• PetrusViet/cve-2019-3396
• Avento/CVE-2019-3396-Memshell-for-Behinder

CVE-2019-3398 (2019-04-18)

Confluence Server and Data Center had a path traversal vulnerability in the downloadallattachments resource. A remote attacker who has permission to add attachments to pages and / or blogs or to create a new space or a personal space or who has 'Admin' permissions for a space can exploit this path traversal vulnerability to write files to arbitrary locations which can lead to remote code execution on systems that run a vulnerable version of Confluence Server or Data Center. All versions of Confluence Server from 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.

• superevr/cve-2019-3398
• 132231g/CVE-2019-3398

CVE-2019-3403 (2019-05-22)

The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.

• und3sc0n0c1d0/UserEnumJira
• davidmckennirey/CVE-2019-3403

CVE-2019-3462 (2019-01-28)

Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.

• tonejito/check_CVE-2019-3462
• atilacastro/update-apt-package

CVE-2019-3663 (2019-11-13)

Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows local attacker to gain access to the root password via accessing sensitive files on the system. This was originally published with a CVSS rating of High, further investigation has resulted in this being updated to Critical. The root password is common across all instances of ATD prior to 4.8. See the Security bulletin for further details

• funoverip/mcafee_atd_CVE-2019-3663

CVE-2019-3719 (2019-04-18)

Dell SupportAssist Client versions prior to 3.2.0.90 contain a remote code execution vulnerability. An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites.

• jiansiting/CVE-2019-3719

CVE-2019-3778 (2019-03-07)

Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code. This vulnerability exposes applications that meet all of the following requirements: Act in the role of an Authorization Server (e.g. @EnableAuthorizationServer) and uses the DefaultRedirectResolver in the AuthorizationEndpoint. This vulnerability does not expose applications that: Act in the role of an Authorization Server and uses a different RedirectResolver implementation other than DefaultRedirectResolver, act in the role of a Resource Server only (e.g. @EnableResourceServer), act in the role of a Client only (e.g. @EnableOAuthClient).

• BBB-man/CVE-2019-3778-Spring-Security-OAuth-2.3-Open-Redirection

CVE-2019-3799 (2019-05-06)

Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.

• mpgn/CVE-2019-3799
• Corgizz/SpringCloud

CVE-2019-3810 (2019-03-25)

A flaw was found in moodle versions 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions. The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.

• farisv/Moodle-CVE-2019-3810

CVE-2019-3847 (2019-03-27)

A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.

• danielthatcher/moodle-login-csrf

CVE-2019-3929 (2019-04-30)

The Crestron AM-100 firmware 1.6.0.2, Crestron AM-101 firmware 2.7.0.1, Barco wePresent WiPG-1000P firmware 2.3.0.10, Barco wePresent WiPG-1600W before firmware 2.4.1.19, Extron ShareLink 200/250 firmware 2.0.3.4, Teq AV IT WIPS710 firmware 1.1.0.7, SHARP PN-L703WA firmware 1.4.2.3, Optoma WPS-Pro firmware 1.0.0.5, Blackbox HD WPS firmware 1.0.0.5, InFocus LiteShow3 firmware 1.0.16, and InFocus LiteShow4 2.0.0.7 are vulnerable to command injection via the file_transfer.cgi HTTP endpoint. A remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root.

• xfox64x/CVE-2019-3929

CVE-2019-3980 (2019-10-08)

The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable run under the Local System account.

• warferik/CVE-2019-3980
• Barbarisch/CVE-2019-3980

CVE-2019-4650 (2020-06-26)

IBM Maximo Asset Management 7.6.1.1 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 170961.

• aneeshanilkumar89/Maximo_Sql_Injection-CVE-2019-4650

CVE-2019-5010 (2019-10-31)

An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.

• JonathanWilbur/CVE-2019-5010

CVE-2019-5029 (2019-11-13)

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.

• thehunt1s0n/Exihibitor-RCE

CVE-2019-5096 (2019-12-03)

An exploitable code execution vulnerability exists in the processing of multi-part/form-data requests within the base GoAhead web server application in versions v5.0.1, v.4.1.1 and v3.6.5. A specially crafted HTTP request can lead to a use-after-free condition during the processing of this request that can be used to corrupt heap structures that could lead to full code execution. The request can be unauthenticated in the form of GET or POST requests, and does not require the requested resource to exist on the server.

• ianxtianxt/CVE-2019-5096-GoAhead-Web-Server-Dos-Exploit

CVE-2019-5413 (2019-03-17)

An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.

• forse01/CVE-2019-5413-NetBeans
• forse01/CVE-2019-5413-NetBeans-NoJson

CVE-2019-5418 (2019-03-27)

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.

• mpgn/CVE-2019-5418
• omarkurt/CVE-2019-5418
• brompwnie/CVE-2019-5418-Scanner
• mpgn/Rails-doubletap-RCE
• takeokunn/CVE-2019-5418
• Bad3r/RailroadBandit
• ztgrace/CVE-2019-5418-Rails3
• random-robbie/CVE-2019-5418
• kailing0220/CVE-2019-5418

CVE-2019-5420 (2019-03-27)

A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.

• knqyf263/CVE-2019-5420
• cved-sources/cve-2019-5420
• AnasTaoutaou/CVE-2019-5420
• Eremiel/CVE-2019-5420
• scumdestroy/CVE-2019-5420.rb
• j4k0m/CVE-2019-5420
• mmeza-developer/CVE-2019-5420-RCE
• trickstersec/CVE-2019-5420
• PenTestical/CVE-2019-5420
• laffray/ruby-RCE-CVE-2019-5420-

CVE-2019-5427 (2019-04-22)

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

• shanika04/cp30_XXE_partial_fix

CVE-2019-5454 (2019-07-30)

SQL Injection in the Nextcloud Android app prior to version 3.0.0 allows to destroy a local cache when a harmful query is executed requiring to resetup the account.

• shanika04/nextcloud_android

CVE-2019-5475 (2019-09-03)

The Nexus Yum Repository Plugin in v2 is vulnerable to Remote Code Execution when instances using CommandLineExecutor.java are supplied vulnerable data, such as the Yum Configuration Capability.

• jaychouzzk/CVE-2019-5475-Nexus-Repository-Manager-
• rabbitmask/CVE-2019-5475-EXP
• EXP-Docs/CVE-2019-5475

CVE-2019-5489 (2019-01-07)

The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.

• mmxsrup/CVE-2019-5489

CVE-2019-5544 (2019-12-06)

OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

• HynekPetrak/CVE-2019-5544_CVE-2020-3992
• dgh05t/VMware_ESXI_OpenSLP_PoCs

CVE-2019-5596 (2019-02-12)

In FreeBSD 11.2-STABLE after r338618 and before r343786, 12.0-STABLE before r343781, and 12.0-RELEASE before 12.0-RELEASE-p3, a bug in the reference count implementation for UNIX domain sockets can cause a file structure to be incorrectly released potentially allowing a malicious local user to gain root privileges or escape from a jail.

• raymontag/CVE-2019-5596

CVE-2019-5603 (2019-07-26)

In FreeBSD 12.0-STABLE before r350261, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r350263, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, system calls operating on file descriptors as part of mqueuefs did not properly release the reference allowing a malicious user to overflow the counter allowing access to files, directories, and sockets opened by processes owned by other users.

• raymontag/CVE-2019-5603

CVE-2019-5624 (2019-04-30)

Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in the Zip import function of Metasploit. Exploiting this vulnerability can allow an attacker to execute arbitrary code in Metasploit at the privilege level of the user running Metasploit. This issue affects: Rapid7 Metasploit Framework version 4.14.0 and prior versions.

• VoidSec/CVE-2019-5624

CVE-2019-5630 (2019-07-03)

A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request.

• rbeede/CVE-2019-5630

CVE-2019-5700 (2019-10-09)

NVIDIA Shield TV Experience prior to v8.0.1, NVIDIA Tegra software contains a vulnerability in the bootloader, where it does not validate the fields of the boot image, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.

• oscardagrach/CVE-2019-5700

CVE-2019-5736 (2019-02-11)

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

• q3k/cve-2019-5736-poc
• Frichetten/CVE-2019-5736-PoC
• jas502n/CVE-2019-5736
• likekabin/CVE-2019-5736
• likekabin/cve-2019-5736-poc
• agppp/cve-2019-5736-poc
• b3d3c/poc-cve-2019-5736
• twistlock/RunC-CVE-2019-5736
• yyqs2008/CVE-2019-5736-PoC-2
• stillan00b/CVE-2019-5736
• milloni/cve-2019-5736-exp
• panzouh/Docker-Runc-Exploit
• RyanNgWH/CVE-2019-5736-POC
• Lee-SungYoung/cve-2019-5736-study
• chosam2/cve-2019-5736-poc
• epsteina16/Docker-Escape-Miner
• geropl/CVE-2019-5736
• GiverOfGifts/CVE-2019-5736-Custom-Runtime
• Billith/CVE-2019-5736-PoC
• BBRathnayaka/POC-CVE-2019-5736
• shen54/IT19172088
• n3rdh4x0r/CVE-2019-5736
• fahmifj/Docker-breakout-runc
• Asbatel/CVE-2019-5736_POC
• takumak/cve-2019-5736-reproducer
• si1ent-le/CVE-2019-5736
• sonyavalo/CVE-2019-5736-Dockerattack-and-security-mechanism

CVE-2019-5737 (2019-03-28)

In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.

• beelzebruh/cve-2019-5737

CVE-2019-5782 (2019-02-19)

Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

• edxsh/CVE-2019-5782_CVE-2019-13768

CVE-2019-5784 (2019-06-27)

Incorrect handling of deferred code in V8 in Google Chrome prior to 72.0.3626.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• rooootdev/CVE-2019-5784-PoC

CVE-2019-5786 (2019-06-27)

Object lifetime issue in Blink in Google Chrome prior to 72.0.3626.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.

• exodusintel/CVE-2019-5786

CVE-2019-5822 (2019-06-27)

Inappropriate implementation in Blink in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

• Silence-Rain/14-828_Exploitation_of_CVE-2019-5822

CVE-2019-5825 (2019-11-25)

Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• timwr/CVE-2019-5825

CVE-2019-5893 (2019-01-10)

Nelson Open Source ERP v6.3.1 allows SQL Injection via the db/utils/query/data.xml query parameter.

• EmreOvunc/OpenSource-ERP-SQL-Injection

CVE-2019-6111 (2019-01-31)

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

• 53n7hu/SNP
• mbadanoiu/MAL-008

CVE-2019-6203 (2020-04-17)

A logic issue was addressed with improved state management. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4, tvOS 12.2. An attacker in a privileged network position may be able to intercept network traffic.

• qingxp9/CVE-2019-6203-PoC

CVE-2019-6207 (2019-12-18)

An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4, tvOS 12.2, watchOS 5.2. A malicious application may be able to determine kernel memory layout.

• dothanthitiendiettiende/CVE-2019-6207
• maldiohead/CVE-2019-6207
• DimitriFourny/cve-2019-6207

CVE-2019-6225 (2019-03-05)

A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 12.1.3, macOS Mojave 10.14.3, tvOS 12.1.2. A malicious application may be able to elevate privileges.

• fatgrass/OsirisJailbreak12
• TrungNguyen1909/CVE-2019-6225-macOS
• raystyle/jailbreak-iOS12

CVE-2019-6249 (2019-01-13)

An issue was discovered in HuCart v5.7.4. There is a CSRF vulnerability that can add an admin account via /adminsys/index.php?load=admins&act=edit_info&act_type=add.

• AlphabugX/CVE-2019-6249_Hucart-cms

CVE-2019-6250 (2019-01-13)

A pointer overflow, with code execution, was discovered in ZeroMQ libzmq (aka 0MQ) 4.2.x and 4.3.x before 4.3.1. A v2_decoder.cpp zmq::v2_decoder_t::size_ready integer overflow allows an authenticated attacker to overwrite an arbitrary amount of bytes beyond the bounds of a buffer, which can be leveraged to run arbitrary code on the target system. The memory layout allows the attacker to inject OS commands into a data structure located immediately after the problematic buffer (i.e., it is not necessary to use a typical buffer-overflow exploitation technique that changes the flow of control).

• AkashicYiTai/CVE-2019-6250-libzmq

CVE-2019-6260 (2019-01-22)

The ASPEED ast2400 and ast2500 Baseband Management Controller (BMC) hardware and firmware implement Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC's physical address space from the host (or from the network in unusual cases where the BMC console uart is attached to a serial concentrator). This CVE applies to the specific cases of iLPC2AHB bridge Pt I, iLPC2AHB bridge Pt II, PCIe VGA P2A bridge, DMA from/to arbitrary BMC memory via X-DMA, UART-based SoC Debug interface, LPC2AHB bridge, PCIe BMC P2A bridge, and Watchdog setup.

• nikitapbst/cve-2019-6260

CVE-2019-6263 (2019-01-16)

An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration Text Filter settings allowed stored XSS.

• praveensutar/CVE-2019-6263-Joomla-POC

CVE-2019-6329 (2019-06-25)

HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6328.

• ManhNDd/CVE-2019-6329

CVE-2019-6339 (2019-01-22)

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

• Vulnmachines/drupal-cve-2019-6339

CVE-2019-6340 (2019-02-21)

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)

• g0rx/Drupal-SA-CORE-2019-003
• knqyf263/CVE-2019-6340
• DevDungeon/CVE-2019-6340-Drupal-8.6.9-REST-Auth-Bypass
• oways/CVE-2019-6340
• cved-sources/cve-2019-6340
• josehelps/cve-2019-6340-bits
• jas502n/CVE-2019-6340
• ludy-dev/drupal8-REST-RCE
• nobodyatall648/CVE-2019-6340
• Sumitpathania03/Drupal-cve-2019-6340

CVE-2019-6440 (2019-01-16)

Zemana AntiMalware before 3.0.658 Beta mishandles update logic.

• hexnone/CVE-2019-6440

CVE-2019-6446 (2019-01-16)

An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources

• RayScri/CVE-2019-6446

CVE-2019-6447 (2019-01-16)

The ES File Explorer File Manager application through 4.1.9.7.4 for Android allows remote attackers to read arbitrary files or execute applications via TCP port 59777 requests on the local Wi-Fi network. This TCP port remains open after the ES application has been launched once, and responds to unauthenticated application/json data over HTTP.

• fs0c131y/ESFileExplorerOpenPortVuln
• SandaRuFdo/ES-File-Explorer-Open-Port-Vulnerability---CVE-2019-6447
• Nehal-Zaman/CVE-2019-6447
• n3rdh4x0r/CVE-2019-6447
• febinrev/CVE-2019-6447-ESfile-explorer-exploit
• Kayky-cmd/CVE-2019-6447--.
• VinuKalana/CVE-2019-6447-Android-Vulnerability-in-ES-File-Explorer
• Osuni-99/CVE-2019-6447
• Chethine/EsFileExplorer-CVE-2019-6447
• vino-theva/CVE-2019-6447
• KaviDk/CVE-2019-6447-in-Mobile-Application
• Cmadhushanka/CVE-2019-6447-Exploitation

CVE-2019-6453 (2019-02-18)

mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on browser-specific URI handling (Chrome is not exploitable).

• proofofcalc/cve-2019-6453-poc
• andripwn/mIRC-CVE-2019-6453

CVE-2019-6467 (2019-10-09)

A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally. The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible. Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. Also affects all releases in the 9.13 development branch.

• knqyf263/CVE-2019-6467

CVE-2019-6487 (2019-01-18)

TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.

• afang5472/TP-Link-WDR-Router-Command-injection_POC

CVE-2019-6690 (2019-03-17)

python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input Validation" issue affecting the affect functionality component.

• stigtsp/CVE-2019-6690-python-gnupg-vulnerability
• brianwrf/CVE-2019-6690

CVE-2019-6693 (2019-11-21)

Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set).

• gquere/CVE-2019-6693
• synacktiv/CVE-2020-9289
• saladandonionrings/cve-2019-6693

CVE-2019-6715 (2019-04-01)

pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data.

• random-robbie/cve-2019-6715

CVE-2019-7192 (2019-12-05)

This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.

• cycraft-corp/cve-2019-7192-check
• th3gundy/CVE-2019-7192_QNAP_Exploit

CVE-2019-7213 (2019-04-24)

SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. An authenticated user could delete arbitrary files or could create files in new folders in arbitrary locations on the mail server. This could lead to command execution on the server for instance by putting files inside the web directories.

• secunnix/CVE-2019-7213

CVE-2019-7214 (2019-04-24)

SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch.

• devzspy/CVE-2019-7214
• andyfeili/-CVE-2019-7214

CVE-2019-7216 (2019-01-31)

An issue was discovered in FileChucker 4.99e-free-e02. filechucker.cgi has a filter bypass that allows a malicious user to upload any type of file by using % characters within the extension, e.g., file.%ph%p becomes file.php.

• Ekultek/CVE-2019-7216

CVE-2019-7219 (2019-04-11)

Unauthenticated reflected cross-site scripting (XSS) exists in Zarafa Webapp 2.0.1.47791 and earlier. NOTE: this is a discontinued product. The issue was fixed in later Zarafa Webapp versions; however, some former Zarafa Webapp customers use the related Kopano product instead.

• verifysecurity/CVE-2019-7219

CVE-2019-7238 (2019-03-21)

Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.

• mpgn/CVE-2019-7238
• jas502n/CVE-2019-7238
• verctor/nexus_rce_CVE-2019-7238
• magicming200/CVE-2019-7238_Nexus_RCE_Tool
• smallpiggy/CVE-2019-7238

CVE-2019-7304 (2019-04-23)

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitrary commands as root. This issue affects: Canonical snapd versions prior to 2.37.1.

• initstring/dirty_sock
• SecuritySi/CVE-2019-7304_DirtySock
• elvi7major/snap_priv_esc
• f4T1H21/dirty_sock

CVE-2019-7356 (2020-11-04)

Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter.

• ngpentest007/CVE-2019-7356

CVE-2019-7357 (2020-11-10)

Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins.

• ngpentest007/CVE-2019-7357

CVE-2019-7406

• Alonzozzz/alonzzzo

CVE-2019-7482 (2019-12-19)

Stack-based buffer overflow in SonicWall SMA100 allows an unauthenticated user to execute arbitrary code in function libSys.so. This vulnerability impacted SMA100 version 9.0.0.3 and earlier.

• singletrackseeker/CVE-2019-7482
• b4bay/CVE-2019-7482
• w0lfzhang/sonicwall-cve-2019-7482

CVE-2019-7489 (2019-12-23)

A vulnerability in SonicWall Email Security appliance allow an unauthenticated user to perform remote code execution. This vulnerability affected Email Security Appliance version 10.0.2 and earlier.

• nromsdahl/CVE-2019-7489

CVE-2019-7609 (2019-03-25)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

• jas502n/kibana-RCE
• mpgn/CVE-2019-7609
• LandGrey/CVE-2019-7609
• hekadan/CVE-2019-7609
• rhbb/CVE-2019-7609
• dnr6419/CVE-2019-7609
• wolf1892/CVE-2019-7609
• Cr4ckC4t/cve-2019-7609
• OliveiraaX/CVE-2019-7609-KibanaRCE
• Akshay15-png/CVE-2019-7609

CVE-2019-7616 (2019-07-30)

Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.

• random-robbie/CVE-2019-7616

CVE-2019-7642 (2019-03-25)

D-Link routers with the mydlink feature have some web interfaces without authentication requirements. An attacker can remotely obtain users' DNS query logs and login logs. Vulnerable targets include but are not limited to the latest firmware versions of DIR-817LW (A1-1.04), DIR-816L (B1-2.06), DIR-816 (B1-2.06?), DIR-850L (A1-1.09), and DIR-868L (A1-1.10).

• xw77cve/CVE-2019-7642

CVE-2019-7839 (2019-06-12)

ColdFusion versions Update 3 and earlier, Update 10 and earlier, and Update 18 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.

• securifera/CVE-2019-7839

CVE-2019-8014 (2019-08-20)

Adobe Acrobat and Reader versions 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have a heap overflow vulnerability. Successful exploitation could lead to arbitrary code execution .

• f01965/CVE-2019-8014

CVE-2019-8331 (2019-02-20)

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

• Snorlyd/https-nj.gov---CVE-2019-8331
• Thampakon/CVE-2019-8331

CVE-2019-8341 (2019-02-15)

An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing

• adindrabkin/llama_facts

CVE-2019-8389 (2019-02-17)

A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST parameters downfiles and cur-folder (with a crafted ../ payload) to the download.script endpoint. This will create a MusicPlayerArchive.zip archive that is publicly accessible and includes the content of any requested file (such as the /etc/passwd file).

• shawarkhanethicalhacker/CVE-2019-8389

CVE-2019-8449 (2019-09-11)

The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

• mufeedvh/CVE-2019-8449
• r0lh/CVE-2019-8449

CVE-2019-8451 (2019-09-11)

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

• 0xbug/CVE-2019-8451
• ianxtianxt/CVE-2019-8451
• jas502n/CVE-2019-8451
• h0ffayyy/Jira-CVE-2019-8451

CVE-2019-8540 (2019-12-18)

A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 12.2, macOS Mojave 10.14.4, tvOS 12.2, watchOS 5.2. A malicious application may be able to determine kernel memory layout.

• maldiohead/CVE-2019-8540

CVE-2019-8561 (2019-12-18)

A logic issue was addressed with improved validation. This issue is fixed in macOS Mojave 10.14.4. A malicious application may be able to elevate privileges.

• 0xmachos/CVE-2019-8561

CVE-2019-8591 (2019-12-18)

A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1. An application may be able to cause unexpected system termination or write kernel memory.

• jsherman212/used_sock

CVE-2019-8601 (2019-12-18)

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1, Safari 12.1.1, iTunes for Windows 12.9.5, iCloud for Windows 7.12. Processing maliciously crafted web content may lead to arbitrary code execution.

• BadAccess11/CVE-2019-8601

CVE-2019-8605 (2019-12-18)

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 12.3, macOS Mojave 10.14.5, tvOS 12.3, watchOS 5.2.1. A malicious application may be able to execute arbitrary code with system privileges.

• 1nteger-c/CVE-2019-8605

CVE-2019-8627

• maldiohead/CVE-2019-8627

CVE-2019-8641 (2019-12-18)

An out-of-bounds read was addressed with improved input validation.

• chia33164/CVE-2019-8641-reproduction

CVE-2019-8656 (2020-10-27)

This was addressed with additional checks by Gatekeeper on files mounted through a network share. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. Extracting a zip file containing a symbolic link to an endpoint in an NFS mount that is attacker controlled may bypass Gatekeeper.

• D00MFist/CVE-2019-8656

CVE-2019-8781 (2019-12-18)

A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15. An application may be able to execute arbitrary code with kernel privileges.

• A2nkF/macOS-Kernel-Exploit
• TrungNguyen1909/CVE-2019-8781-macOS

CVE-2019-8791 (2019-12-18)

An issue existed in the parsing of URL schemes. This issue was addressed with improved URL validation. This issue is fixed in Shazam Android App Version 9.25.0, Shazam iOS App Version 12.11.0. Processing a maliciously crafted URL may lead to an open redirect.

• ashleykinguk/Shazam-CVE-2019-8791-CVE-2019-8792

CVE-2019-8805 (2019-12-18)

A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement. This issue is fixed in macOS Catalina 10.15.1. An application may be able to execute arbitrary code with system privileges.

• securelayer7/CVE-2019-8805

CVE-2019-8852 (2020-10-27)

A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.2, Security Update 2019-002 Mojave, and Security Update 2019-007 High Sierra. An application may be able to execute arbitrary code with kernel privileges.

• pattern-f/CVE-2019-8852

CVE-2019-8936 (2019-05-15)

NTP through 4.2.8p12 has a NULL Pointer Dereference.

• snappyJack/CVE-2019-8936

CVE-2019-8942 (2019-02-20)

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.

• brianwrf/WordPress_4.9.8_RCE_POC
• synacktiv/CVE-2019-8942
• synod2/WP_CROP_RCE
• tuannq2299/CVE-2019-8942

CVE-2019-8943 (2019-02-20)

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

• oussama-rahali/CVE-2019-8943
• hadrian3689/wordpress_cropimage

CVE-2019-8956 (2019-04-01)

In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the "sctp_sendmsg()" function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory.

• butterflyhack/CVE-2019-8956

CVE-2019-8978 (2019-05-14)

An improper authentication vulnerability can be exploited through a race condition that occurs in Ellucian Banner Web Tailor 8.8.3, 8.8.4, and 8.9 and Banner Enterprise Identity Services 8.3, 8.3.1, 8.3.2, and 8.4, in conjunction with SSO Manager. This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID. During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.

• SecKatie/CVE-2019-8978

CVE-2019-8979 (2019-02-21)

Kohana through 3.3.6 has SQL Injection when the order_by() parameter can be controlled.

• elttam/ko7demo

CVE-2019-8985 (2019-02-21)

On Netis WF2411 with firmware 2.1.36123 and other Netis WF2xxx devices (possibly WF2411 through WF2880), there is a stack-based buffer overflow that does not require authentication. This can cause denial of service (device restart) or remote code execution. This vulnerability can be triggered by a GET request with a long HTTP "Authorization: Basic" header that is mishandled by user_auth->user_ok in /bin/boa.

• Squirre17/CVE-2019-8985

CVE-2019-8997 (2019-03-21)

An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions earlier than 7.6 HF-567 could allow an attacker to potentially read arbitrary local files from the application server or make requests on the network by entering maliciously crafted XML in an existing field.

• nxkennedy/CVE-2019-8997

CVE-2019-9053 (2019-03-26)

An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.

• SUNNYSAINI01001/46635.py_CVE-2019-9053
• n3rdh4x0r/CVE-2019-9053
• maraspiras/46635.py
• e-renna/CVE-2019-9053
• zmiddle/Simple_CMS_SQLi
• ELIZEUOPAIN/CVE-2019-9053-CMS-Made-Simple-2.2.10---SQL-Injection-Exploit
• pedrojosenavasperez/CVE-2019-9053-Python3
• Mahamedm/CVE-2019-9053-Exploit-Python-3
• im-suman-roy/CVE-2019-9053
• bthnrml/guncel-cve-2019-9053.py
• kahluri/CVE-2019-9053
• Doc0x1/CVE-2019-9053-Python3
• fernandobortotti/CVE-2019-9053
• byrek/CVE-2019-9053
• davcwikla/CVE-2019-9053-exploit
• BjarneVerschorre/CVE-2019-9053
• Jason-Siu/CVE-2019-9053-Exploit-in-Python-3
• FedericoTorres233/CVE-2019-9053-Fixed
• Dh4nuJ4/SimpleCTF-UpdatedExploit
• TeymurNovruzov/CVE-2019-9053-python3-remastered
• jtoalu/CTF-CVE-2019-9053-GTFOBins
• Azrenom/CMS-Made-Simple-2.2.9-CVE-2019-9053
• louisthedonothing/CVE-2019-9053

CVE-2019-9081

• nth347/CVE-2019-9081_PoC
• scopion/cve-2019-9081
• qafdevsec/CVE-2019-9081_PoC

CVE-2019-9153 (2019-08-22)

Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing its signatures with a "standalone" or "timestamp" signature.

• ZenyWay/opgp-service-cve-2019-9153

CVE-2019-9184 (2019-02-26)

SQL injection vulnerability in the J2Store plugin 3.x before 3.3.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the product_option[] parameter.

• cved-sources/cve-2019-9184

CVE-2019-9193 (2019-04-01)

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.

• wkjung0624/cve-2019-9193
• b4keSn4ke/CVE-2019-9193
• chromanite/CVE-2019-9193-PostgreSQL-9.3-11.7
• paulotrindadec/CVE-2019-9193
• geniuszly/CVE-2019-9193
• AxthonyV/CVE-2019-9193
• A0be/CVE-2019-9193

CVE-2019-9194 (2019-02-26)

elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.

• cved-sources/cve-2019-9194

CVE-2019-9202 (2019-03-28)

Nagios IM (component of Nagios XI) before 2.2.7 allows authenticated users to execute arbitrary code via API key issues.

• polict/CVE-2019-9202

CVE-2019-9465 (2020-01-07)

In the Titan M handling of cryptographic operations, there is a possible information disclosure due to an unusual root cause. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-10 Android ID: A-133258003

• alexbakker/CVE-2019-9465
• MichaelsPlayground/CVE-2019-9465

CVE-2019-9506 (2019-08-14)

The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.

• francozappa/knob

CVE-2019-9511 (2019-08-13)

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

• flyniu666/ingress-nginx-0.21-1.19.5

CVE-2019-9580 (2019-03-09)

In st2web in StackStorm Web UI before 2.9.3 and 2.10.x before 2.10.3, it is possible to bypass the CORS protection mechanism via a "null" origin value, potentially leading to XSS.

• mpgn/CVE-2019-9580

CVE-2019-9596 (2019-10-23)

Darktrace Enterprise Immune System before 3.1 allows CSRF via the /whitelisteddomains endpoint.

• gerwout/CVE-2019-9596-and-CVE-2019-9597

CVE-2019-9599 (2019-03-06)

The AirDroid application through 4.2.1.6 for Android allows remote attackers to cause a denial of service (service crash) via many simultaneous sdctl/comm/lite_auth/ requests.

• s4vitar/AirDroidPwner

CVE-2019-9621 (2019-04-30)

Zimbra Collaboration Suite before 8.6 patch 13, 8.7.x before 8.7.11 patch 10, and 8.8.x before 8.8.10 patch 7 or 8.8.x before 8.8.11 patch 3 allows SSRF via the ProxyServlet component.

• k8gege/ZimbraExploit

CVE-2019-9653 (2019-05-31)

NUUO Network Video Recorder Firmware 1.7.x through 3.3.x allows unauthenticated attackers to execute arbitrary commands via shell metacharacters to handle_load_config.php.

• grayoneday/CVE-2019-9653

CVE-2019-9670 (2019-05-29)

mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.

• rek7/Zimbra-RCE
• attackgithub/Zimbra-RCE
• oppsec/arbimz
• oppsec/zaber
• Cappricio-Securities/CVE-2019-9670
• OracleNep/CVE-2019-9670-DtdFilegeneration

CVE-2019-9673 (2019-06-05)

Freenet 1483 has a MIME type bypass that allows arbitrary JavaScript execution via a crafted Freenet URI.

• mgrube/CVE-2019-9673

CVE-2019-9729 (2019-03-12)

In Shanda MapleStory Online V160, the SdoKeyCrypt.sys driver allows privilege escalation to NT AUTHORITY\SYSTEM because of not validating the IOCtl 0x8000c01c input value, leading to an integer signedness error and a heap-based buffer underflow.

• HyperSine/SdoKeyCrypt-sys-local-privilege-elevation
• timeowilliamsq/HyperSine
• recozone/HyperSine
• huangyutange0uywlcn/HyperSine

CVE-2019-9730 (2019-06-05)

Incorrect access control in the CxUtilSvc component of the Synaptics Sound Device drivers prior to version 2.29 allows a local attacker to increase access privileges to the Windows Registry via an unpublished API.

• jthuraisamy/CVE-2019-9730

CVE-2019-9745 (2019-10-14)

CloudCTI HIP Integrator Recognition Configuration Tool allows privilege escalation via its EXQUISE integration. This tool communicates with a service (Recognition Update Client Service) via an insecure communication channel (Named Pipe). The data (JSON) sent via this channel is used to import data from CRM software using plugins (.dll files). The plugin to import data from the EXQUISE software (DatasourceExquiseExporter.dll) can be persuaded to start arbitrary programs (including batch files) that are executed using the same privileges as Recognition Update Client Service (NT AUTHORITY\SYSTEM), thus elevating privileges. This occurs because a higher-privileged process executes scripts from a directory writable by a lower-privileged user.

• KPN-CISO/CVE-2019-9745

CVE-2019-9766 (2019-03-14)

Stack-based buffer overflow in Free MP3 CD Ripper 2.6, when converting a file, allows user-assisted remote attackers to execute arbitrary code via a crafted .mp3 file.

• moonheadobj/CVE-2019-9766
• zeronohacker/CVE-2019-9766

CVE-2019-9787 (2019-03-14)

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

• rkatogit/cve-2019-9787_csrf_poc
• PalmTreeForest/CodePath_Week_7-8
• sijiahi/Wordpress_cve-2019-9787_defense
• matinciel/Wordpress_CVE-2019-9787
• dexXxed/CVE-2019-9787
• kuangting4231/mitigation-cve-2019-9787

CVE-2019-9791 (2019-04-26)

The type inference system allows the compilation of functions that can cause type confusions between arbitrary objects when compiled through the IonMonkey just-in-time (JIT) compiler and when the constructor function is entered through on-stack replacement (OSR). This allows for possible arbitrary reading and writing of objects during an exploitable crash. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.

• Sp0pielar/CVE-2019-9791

CVE-2019-9810 (2019-04-26)

Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.

• xuechiyaobai/CVE-2019-9810-PoC
• 0vercl0k/CVE-2019-9810

CVE-2019-9849 (2019-07-17)

LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.

• mbadanoiu/CVE-2019-9849

CVE-2019-9896 (2019-03-21)

In PuTTY versions before 0.71 on Windows, local attackers could hijack the application by putting a malicious help file in the same directory as the executable.

• yasinyilmaz/vuln-chm-hijack

CVE-2019-9978 (2019-03-24)

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

• mpgn/CVE-2019-9978
• hash3liZer/CVE-2019-9978
• KTN1990/CVE-2019-9978
• cved-sources/cve-2019-9978
• d3fudd/CVE-2019-9978_Exploit
• grimlockx/CVE-2019-9978
• h8handles/CVE-2019-9978-Python3
• 0xMoonrise/cve-2019-9978
• MAHajian/CVE-2019-9978

CVE-2019-10008 (2019-04-24)

Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.

• ignis-sec/CVE-2019-10008

CVE-2019-10086 (2019-08-20)

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

• evilangelplus/CVE-2019-10086

CVE-2019-10092 (2019-09-26)

In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

• motikan2010/CVE-2019-10092_Docker
• mbadanoiu/CVE-2019-10092

CVE-2019-10149 (2019-06-05)

A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.

• bananaphones/exim-rce-quickfix
• cowbe0x004/eximrce-CVE-2019-10149
• MNEMO-CERT/PoC--CVE-2019-10149_Exim
• aishee/CVE-2019-10149-quick
• AzizMea/CVE-2019-10149-privilege-escalation
• Brets0150/StickyExim
• Chris-dev1/exim.exp
• darsigovrustam/CVE-2019-10149
• Diefunction/CVE-2019-10149
• Dilshan-Eranda/CVE-2019-10149
• cloudflare/exim-cve-2019-10149-data
• Stick-U235/CVE-2019-10149-Exploit
• rahmadsandy/EXIM-4.87-CVE-2019-10149
• hyim0810/CVE-2019-10149
• qlusec/CVE-2019-10149
• uyerr/PoC_CVE-2019-10149--rce

CVE-2019-10172 (2019-11-18)

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.

• rusakovichma/CVE-2019-10172

CVE-2019-10207 (2019-11-25)

A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.

• butterflyhack/CVE-2019-10207

CVE-2019-10220 (2019-11-27)

Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.

• Trinadh465/linux-3.0.35_CVE-2019-10220
• hshivhare67/kernel_v4.1.15_CVE-2019-10220

CVE-2019-10392 (2019-09-12)

Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.

• jas502n/CVE-2019-10392
• ftk-sostupid/CVE-2019-10392_EXP

CVE-2019-10475 (2019-10-23)

A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

• vesche/CVE-2019-10475

CVE-2019-10678 (2019-03-31)

Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options.

• cved-sources/cve-2019-10678

CVE-2019-10685 (2019-05-24)

A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Heidelberg Prinect Archiver v2013 release 1.0.

• alt3kx/CVE-2019-10685

CVE-2019-10708 (2019-04-02)

S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike id parameter.

• stavhaygn/CVE-2019-10708

CVE-2019-10742 (2019-05-07)

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

• Viniciuspxf/CVE-2019-10742

CVE-2019-10758 (2019-12-24)

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the toBSON method. A misuse of the vm dependency to perform exec commands in a non-safe environment.

• masahiro331/CVE-2019-10758
• lp008/CVE-2019-10758

CVE-2019-10760 (2019-10-15)

safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.

• lirantal/safer-eval-cve-CVE-2019-10760

CVE-2019-10779 (2020-01-28)

All versions of stroom:stroom-app before 5.5.12 and all versions of the 6.0.0 branch before 6.0.25 are affected by Cross-site Scripting. An attacker website is able to load the Stroom UI into a hidden iframe. Using that iframe, the attacker site can issue commands to the Stroom UI via an XSS vulnerability to take full control of the Stroom UI on behalf of the logged-in user.

• RepublicR0K/CVE-2019-10779

CVE-2019-10869 (2019-05-07)

Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and tmp_name parameters.

• KTN1990/CVE-2019-10869

CVE-2019-10915 (2019-07-11)

A vulnerability has been identified in TIA Administrator (All versions < V1.0 SP1 Upd1). The integrated configuration web application (TIA Administrator) allows to execute certain application commands without proper authentication. The vulnerability could be exploited by an attacker with local access to the affected system. Successful exploitation requires no privileges and no user interaction. An attacker could use the vulnerability to compromise confidentiality and integrity and availability of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known.

• jiansiting/CVE-2019-10915

CVE-2019-10945 (2019-04-10)

An issue was discovered in Joomla! before 3.9.5. The Media Manager component does not properly sanitize the folder parameter, allowing attackers to act outside the media manager root directory.

• dpgg101/CVE-2019-10945

CVE-2019-10999 (2019-05-06)

The D-Link DCS series of Wi-Fi cameras contains a stack-based buffer overflow in alphapd, the camera's web server. The overflow allows a remotely authenticated attacker to execute arbitrary code by providing a long string in the WEPEncryption parameter when requesting wireless.htm. Vulnerable devices include DCS-5009L (1.08.11 and below), DCS-5010L (1.14.09 and below), DCS-5020L (1.15.12 and below), DCS-5025L (1.03.07 and below), DCS-5030L (1.04.10 and below), DCS-930L (2.16.01 and below), DCS-931L (1.14.11 and below), DCS-932L (2.17.01 and below), DCS-933L (1.14.11 and below), and DCS-934L (1.05.04 and below).

• tacnetsol/CVE-2019-10999
• qjh2333/CVE-2019-10999

CVE-2019-11043 (2019-10-28)

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

• neex/phuip-fpizdam
• B1gd0g/CVE-2019-11043
• tinker-li/CVE-2019-11043
• jas502n/CVE-2019-11043
• AleWong/PHP-FPM-Remote-Code-Execution-Vulnerability-CVE-2019-11043-
• ianxtianxt/CVE-2019-11043
• fairyming/CVE-2019-11043
• akamajoris/CVE-2019-11043-Docker
• theMiddleBlue/CVE-2019-11043
• shadow-horse/cve-2019-11043
• huowen/CVE-2019-11043
• ypereirareis/docker-CVE-2019-11043
• MRdoulestar/CVE-2019-11043
• 0th3rs-Security-Team/CVE-2019-11043
• k8gege/CVE-2019-11043
• moniik/CVE-2019-11043_env
• kriskhub/CVE-2019-11043
• alokaranasinghe/cve-2019-11043
• corifeo/CVE-2019-11043
• lindemer/CVE-2019-11043
• jptr218/php_hack
• jas9reet/CVE-2019-11043

CVE-2019-11061 (2019-08-29)

A broken access control vulnerability in HG100 firmware versions up to 4.00.06 allows an attacker in the same local area network to control IoT devices that connect with itself via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

• tim124058/ASUS-SmartHome-Exploit

CVE-2019-11076 (2019-04-23)

Cribl UI 1.5.0 allows remote attackers to run arbitrary commands via an unauthenticated web request.

• livehybrid/poc-cribl-rce

CVE-2019-11157 (2019-12-16)

Improper conditions check in voltage settings for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege and/or information disclosure via local access.

• zkenjar/v0ltpwn

CVE-2019-11223 (2019-04-18)

An Unrestricted File Upload Vulnerability in the SupportCandy plugin through 2.0.0 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension.

• AngelCtulhu/CVE-2019-11223

CVE-2019-11224 (2019-05-15)

HARMAN AMX MVP5150 v2.87.13 devices allow remote OS Command Injection.

• Insecurities/CVE-2019-11224

CVE-2019-11358 (2019-04-19)

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

• DanielRuf/snyk-js-jquery-174006
• bitnesswise/jquery-prototype-pollution-fix
• DanielRuf/snyk-js-jquery-565129
• chrisneagu/FTC-Skystone-Dark-Angels-Romania-2020
• Snorlyd/https-nj.gov---CVE-2019-11358
• isacaya/CVE-2019-11358

CVE-2019-11395 (2019-04-21)

A buffer overflow in MailCarrier 2.51 allows remote attackers to execute arbitrary code via a long string, as demonstrated by SMTP RCPT TO, POP3 USER, POP3 LIST, POP3 TOP, or POP3 RETR.

• RedAlien00/CVE-2019-11395
• caioprince/CVE-2019-11395

CVE-2019-11408 (2019-06-17)

XSS in app/operator_panel/index_inc.php in the Operator Panel module in FusionPBX 4.4.3 allows remote unauthenticated attackers to inject arbitrary JavaScript characters by placing a phone call using a specially crafted caller ID number. This can further lead to remote code execution by chaining this vulnerability with a command injection vulnerability also present in FusionPBX.

• HoseynHeydari/fusionpbx_rce_vulnerability

CVE-2019-11447 (2019-04-22)

An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal. There is no effective control of $imgsize in /core/modules/dashboard.php. The header content of a file can be changed and the control can be bypassed for code execution. (An attacker can use the GIF header for this.)

• mt-code/CVE-2019-11447
• khuntor/CVE-2019-11447-EXP
• dinesh876/CVE-2019-11447-POC
• ColdFusionX/CVE-2019-11447_CuteNews-AvatarUploadRCE
• thewhiteh4t/cve-2019-11447
• banomaly/CVE-2019-11447
• substing/CVE-2019-11447_reverse_shell_upload
• CRFSlick/CVE-2019-11447-POC
• ojo5/CVE-2019-11447.c

CVE-2019-11477 (2019-06-18)

Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.

• sasqwatch/cve-2019-11477-poc

CVE-2019-11510 (2019-05-08)

In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .

• projectzeroindia/CVE-2019-11510
• nuc13us/Pulse
• imjdl/CVE-2019-11510-poc
• es0/CVE-2019-11510_poc
• r00tpgp/http-pulse_ssl_vpn.nse
• jas502n/CVE-2019-11510-1
• jason3e7/CVE-2019-11510
• BishopFox/pwn-pulse
• aqhmal/pulsexploit
• cisagov/check-your-pulse
• andripwn/pulse-exploit
• pwn3z/CVE-2019-11510-PulseVPN
• 34zY/APT-Backpack

CVE-2019-11523 (2019-06-06)

Anviz Global M3 Outdoor RFID Access Control executes any command received from any source. No authentication/encryption is done. Attackers can fully interact with the device: for example, send the "open door" command, download the users list (which includes RFID codes and passcodes in cleartext), or update/create users. The same attack can be executed on a local network and over the internet (if the device is exposed on a public IP address).

• wizlab-it/anviz-m3-rfid-cve-2019-11523-poc

CVE-2019-11539 (2019-04-26)

In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

• 0xDezzy/CVE-2019-11539

CVE-2019-11580 (2019-06-03)

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

• jas502n/CVE-2019-11580
• shelld3v/CVE-2019-11580

CVE-2019-11581 (2019-08-09)

There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.

• jas502n/CVE-2019-11581
• kobs0N/CVE-2019-11581
• PetrusViet/CVE-2019-11581

CVE-2019-11687 (2019-05-02)

An issue was discovered in the DICOM Part 10 File Format in the NEMA DICOM Standard 1995 through 2019b. The preamble of a DICOM file that complies with this specification can contain the header for an executable file, such as Portable Executable (PE) malware. This space is left unspecified so that dual-purpose files can be created. (For example, dual-purpose TIFF/DICOM files are used in digital whole slide imaging for applications in medicine.) To exploit this vulnerability, someone must execute a maliciously crafted file that is encoded in the DICOM Part 10 File Format. PE/DICOM files are executable even with the .dcm file extension. Anti-malware configurations at healthcare facilities often ignore medical imagery. Also, anti-malware tools and business processes could violate regulatory frameworks (such as HIPAA) when processing suspicious DICOM files.

• kosmokato/bad-dicom

CVE-2019-11707 (2019-07-23)

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.

• vigneshsrao/CVE-2019-11707
• flabbergastedbd/cve-2019-11707

CVE-2019-11708 (2019-07-23)

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.

• 0vercl0k/CVE-2019-11708

CVE-2019-11730 (2019-07-23)

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

• lihuaiqiu/CVE-2019-11730

CVE-2019-11869 (2019-05-09)

The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the request is for an admin page). An unauthenticated attacker can inject a payload into the plugin settings, such as the yuzo_related_post_css_and_style setting.

• gitrecon1455/CVE-2019-11869

CVE-2019-11881 (2019-06-10)

A vulnerability exists in Rancher before 2.2.4 in the login component, where the errorMsg parameter can be tampered to display arbitrary content, filtering tags but not special characters or symbols. There's no other limitation of the message, allowing malicious users to lure legitimate users to visit phishing sites with scare tactics, e.g., displaying a "This version of Rancher is outdated, please visit https://malicious.rancher.site/upgrading" message.

• MauroEldritch/VanCleef

CVE-2019-11931 (2019-11-14)

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Business for Android versions prior to 2.19.104 and Business for iOS versions prior to 2.19.100.

• kasif-dekel/whatsapp-rce-patched
• nop-team/CVE-2019-11931

CVE-2019-11932 (2019-10-03)

A double free vulnerability in the DDGifSlurp function in decoding.c in the android-gif-drawable library before version 1.2.18, as used in WhatsApp for Android before version 2.19.244 and many other Android applications, allows remote attackers to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image.

• dorkerdevil/CVE-2019-11932
• awakened1712/CVE-2019-11932
• JasonJerry/WhatsRCE
• TulungagungCyberLink/CVE-2019-11932
• infiniteLoopers/CVE-2019-11932
• valbrux/CVE-2019-11932-SupportApp
• fastmo/CVE-2019-11932
• mRanonyMousTZ/CVE-2019-11932-whatsApp-exploit
• SmoZy92/CVE-2019-11932
• dashtic172/https-github.com-awakened171
• Err0r-ICA/WhatsPayloadRCE
• starling021/CVE-2019-11932-SupportApp
• primebeast/CVE-2019-11932
• BadAssAiras/hello
• kal1gh0st/WhatsAppHACK-RCE
• zxn1/CVE-2019-11932
• k3vinlusec/WhatsApp-Double-Free-Vulnerability_CVE-2019-11932
• Tabni/https-github.com-awakened1712-CVE-2019-11932
• 0759104103/cd-CVE-2019-11932
• tucommenceapousser/CVE-2019-11932
• tucommenceapousser/CVE-2019-11932deta

CVE-2019-11933 (2019-10-23)

A heap buffer overflow bug in libpl_droidsonroids_gif before 1.2.19, as used in WhatsApp for Android before version 2.19.291 could allow remote attackers to execute arbitrary code or cause a denial of service.

• NatleoJ/CVE-2019-11933
• KISH84172/CVE-2019-11933

CVE-2019-12086 (2019-05-17)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

• motoyasu-saburi/CVE-2019-12086-jackson-databind-file-read
• Al1ex/CVE-2019-12086

CVE-2019-12169 (2019-06-03)

ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.

• fuzzlove/ATutor-2.2.4-Language-Exploit

CVE-2019-12170 (2019-05-17)

ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.

• fuzzlove/ATutor-Instructor-Backup-Arbitrary-File

CVE-2019-12180 (2020-02-05)

An issue was discovered in SmartBear ReadyAPI through 2.8.2 and 3.0.0 and SoapUI through 5.5. When opening a project, the Groovy "Load Script" is automatically executed. This allows an attacker to execute arbitrary Groovy Language code (Java scripting language) on the victim machine by inducing it to open a malicious Project. The same issue is present in the "Save Script" function, which is executed automatically when saving a project.

• 0x-nope/CVE-2019-12180

CVE-2019-12181 (2019-06-17)

A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.

• mavlevin/CVE-2019-12181

CVE-2019-12185 (2019-05-19)

eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.

• fuzzlove/eLabFTW-1.8.5-EntityController-Arbitrary-File-Upload-RCE

CVE-2019-12189 (2019-05-21)

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.

• falconz/CVE-2019-12189

CVE-2019-12255 (2019-08-09)

Wind River VxWorks has a Buffer Overflow in the TCP component (issue 1 of 4). This is a IPNET security vulnerability: TCP Urgent Pointer = 0 that leads to an integer underflow.

• sud0woodo/Urgent11-Suricata-LUA-scripts

CVE-2019-12272 (2019-05-23)

In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability.

• HACHp1/LuCI_RCE_exp
• nevercodecorrect/lede-17.01.3

CVE-2019-12314 (2019-05-24)

Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute path traversal in the WS.macx1.W_MCS/ PATH_INFO, as demonstrated by a cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/etc/passwd URI.

• ras313/CVE-2019-12314

CVE-2019-12384 (2019-06-24)

FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

• jas502n/CVE-2019-12384
• MagicZer0/Jackson_RCE-CVE-2019-12384

CVE-2019-12409 (2019-11-18)

The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

• jas502n/CVE-2019-12409

CVE-2019-12422 (2019-11-18)

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.

• BaiHLiu/RuoYI-4.2-Shiro-721-Docker-PoC

CVE-2019-12453 (2019-07-19)

In MicroStrategy Web before 10.1 patch 10, stored XSS is possible in the FLTB parameter due to missing input validation.

• undefinedmode/CVE-2019-12453

CVE-2019-12460 (2019-05-30)

Web Port 1.19.1 allows XSS via the /access/setup type parameter.

• EmreOvunc/WebPort-v1.19.1-Reflected-XSS

CVE-2019-12475 (2019-07-17)

In MicroStrategy Web before 10.4.6, there is stored XSS in metric due to insufficient input validation.

• undefinedmode/CVE-2019-12475

CVE-2019-12476 (2019-06-17)

An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input.

• 0katz/CVE-2019-12476

CVE-2019-12489 (2019-11-26)

An issue was discovered on Fastweb Askey RTV1907VW 0.00.81_FW_200_Askey 2018-10-02 18:08:18 devices. By using the usb_remove service through an HTTP request, it is possible to inject and execute a command between two & characters in the mount parameter.

• garis/Fastgate

CVE-2019-12538 (2019-06-05)

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.

• tarantula-team/CVE-2019-12538

CVE-2019-12541 (2019-06-05)

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.

• tarantula-team/CVE-2019-12541

CVE-2019-12542 (2019-06-05)

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.

• tarantula-team/CVE-2019-12542

CVE-2019-12543 (2019-06-05)

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.

• tarantula-team/CVE-2019-12543

CVE-2019-12562 (2019-09-26)

Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perfom any action with admin privileges such as managing content, adding users, uploading backdoors to the server, etc. Successful exploitation occurs when an admin user visits a notification page with stored cross-site scripting.

• MAYASEVEN/CVE-2019-12562

CVE-2019-12586 (2019-09-04)

The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 processes EAP Success messages before any EAP method completion or failure, which allows attackers in radio range to cause a denial of service (crash) via a crafted message.

• Matheus-Garbelini/esp32_esp8266_attacks

CVE-2019-12594 (2019-07-02)

DOSBox 0.74-2 has Incorrect Access Control.

• Alexandre-Bartel/CVE-2019-12594

CVE-2019-12616 (2019-06-05)

An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.

• Cappricio-Securities/CVE-2019-12616

CVE-2019-12725 (2019-07-19)

Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.

• givemefivw/CVE-2019-12725
• sma11new/PocList
• hev0x/CVE-2019-12725-Command-Injection
• gougou123-hash/CVE-2019-12725
• YZS17/CVE-2019-12725
• nowindows9/CVE-2019-12725-modified-exp

CVE-2019-12735 (2019-06-05)

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.

• pcy190/ace-vim-neovim
• oldthree3/CVE-2019-12735-VIM-NEOVIM
• datntsec/CVE-2019-12735
• nickylimjj/cve-2019-12735
• st9007a/CVE-2019-12735

CVE-2019-12744 (2019-06-20)

SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of unvalidated file upload of PHP scripts, a different vulnerability than CVE-2018-12940.

• nobodyatall648/CVE-2019-12744

CVE-2019-12750 (2019-07-31)

Symantec Endpoint Protection, prior to 14.2 RU1 & 12.1 RU6 MP10 and Symantec Endpoint Protection Small Business Edition, prior to 12.1 RU6 MP10c (12.1.7491.7002), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

• v-p-b/cve-2019-12750

CVE-2019-12796

• PeterUpfold/CVE-2019-12796

CVE-2019-12814 (2019-06-19)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

• Al1ex/CVE-2019-12814

CVE-2019-12815 (2019-07-19)

An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.

• KTN1990/CVE-2019-12815
• lcartey/proftpd-cve-2019-12815

CVE-2019-12836 (2019-06-21)

The Bobronix JEditor editor before 3.0.6 for Jira allows an attacker to add a URL/Link (to an existing issue) that can cause forgery of a request to an out-of-origin domain. This in turn may allow for a forged request that can be invoked in the context of an authenticated user, leading to stealing of session tokens and account takeover.

• 9lyph/CVE-2019-12836

CVE-2019-12840 (2019-06-15)

In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.

• bkaraceylan/CVE-2019-12840_POC
• KrE80r/webmin_cve-2019-12840_poc
• anasbousselham/webminscan
• zAbuQasem/CVE-2019-12840
• WizzzStark/CVE-2019-12840.py
• Pol-Ruiz/PoC-CVE-2019-12840

CVE-2019-12889 (2019-08-20)

An unauthenticated privilege escalation exists in SailPoint Desktop Password Reset 7.2. A user with local access to only the Windows logon screen can escalate their privileges to NT AUTHORITY\System. An attacker would need local access to the machine for a successful exploit. The attacker must disconnect the computer from the local network / WAN and connect it to an internet facing access point / network. At that point, the attacker can execute the password-reset functionality, which will expose a web browser. Browsing to a site that calls local Windows system functions (e.g., file upload) will expose the local file system. From there an attacker can launch a privileged command shell.

• nulsect0r/CVE-2019-12889

CVE-2019-12890 (2019-06-19)

RedwoodHQ 2.5.5 does not require any authentication for database operations, which allows remote attackers to create admin users via a con.automationframework users insert_one call.

• EthicalHCOP/CVE-2019-12890_RedxploitHQ

CVE-2019-12937 (2019-06-23)

apps/gsudo.c in gsudo in ToaruOS through 1.10.9 has a buffer overflow allowing local privilege escalation to the root user via the DISPLAY environment variable.

• AkashicYiTai/CVE-2019-12937-ToaruOS

CVE-2019-12949 (2019-06-25)

In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authenticated administrator into clicking on a button on a phishing page, an attacker can leverage XSS to upload arbitrary executable code, via diag_command.php and rrd_fetch_json.php (timePeriod parameter), to a server. Then, the remote attacker can run any command with root privileges on that server.

• tarantula-team/CVE-2019-12949

CVE-2019-12999 (2020-01-31)

Lightning Network Daemon (lnd) before 0.7 allows attackers to trigger loss of funds because of Incorrect Access Control.

• lightninglabs/chanleakcheck

CVE-2019-13000 (2020-01-31)

Eclair through 0.3 allows attackers to trigger loss of funds because of Incorrect Access Control. NOTE: README.md states "it is beta-quality software and don't put too much money in it."

• ACINQ/detection-tool-cve-2019-13000

CVE-2019-13024 (2019-07-01)

Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).

• mhaskar/CVE-2019-13024
• get-get-get-get/Centreon-RCE

CVE-2019-13025 (2019-10-02)

Compal CH7465LG CH7465LG-NCIP-6.12.18.24-5p8-NOSH devices have Incorrect Access Control because of Improper Input Validation. The attacker can send a maliciously modified POST (HTTP) request containing shell commands, which will be executed on the device, to an backend API endpoint of the cable modem.

• x1tan/CVE-2019-13025

CVE-2019-13027 (2019-07-12)

Realization Concerto Critical Chain Planner (aka CCPM) 5.10.8071 has SQL Injection in at least in the taskupdt/taskdetails.aspx webpage via the projectname parameter.

• IckoGZ/CVE-2019-13027

CVE-2019-13051 (2019-10-09)

Pi-Hole 4.3 allows Command Injection.

• pr0tean/CVE-2019-13051

CVE-2019-13063 (2019-09-23)

Within Sahi Pro 8.0.0, an attacker can send a specially crafted URL to include any victim files on the system via the script parameter on the Script_view page. This will result in file disclosure (i.e., being able to pull any file from the remote victim application). This can be used to steal and obtain sensitive config and other files. This can result in complete compromise of the application. The script parameter is vulnerable to directory traversal and both local and remote file inclusion.

• 0x6b7966/CVE-2019-13063-POC

CVE-2019-13086 (2019-06-30)

core/MY_Security.php in CSZ CMS 1.2.2 before 2019-06-20 has member/login/check SQL injection by sending a crafted HTTP User-Agent header and omitting the csrf_csz parameter.

• lingchuL/CVE_POC_test

CVE-2019-13101 (2019-08-08)

An issue was discovered on D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices. wan.htm can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify the data fields of the page.

• halencarjunior/dlkploit600

CVE-2019-13115 (2019-07-16)

In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.

• viz27/Libssh2-Exploit
• CSSProject/libssh2-Exploit

CVE-2019-13143 (2019-08-06)

An HTTP parameter pollution issue was discovered on Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 2.3. With the user ID, user name, and the lock's MAC address, anyone can unbind the existing owner of the lock, and bind themselves instead. This leads to complete takeover of the lock. The user ID, name, and MAC address are trivially obtained from APIs found within the Android or iOS application. With only the MAC address of the lock, any attacker can transfer ownership of the lock from the current user, over to the attacker's account. Thus rendering the lock completely inaccessible to the current user.

• securelayer7/pwnfb50

CVE-2019-13144 (2019-07-05)

myTinyTodo 1.3.3 through 1.4.3 allows CSV Injection. This is fixed in 1.5.

• cccaaasser/CVE-2019-13144

CVE-2019-13272 (2019-07-17)

In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.

• jas502n/CVE-2019-13272
• Cyc1eC/CVE-2019-13272
• bigbigliang-malwarebenchmark/cve-2019-13272
• oneoy/CVE-2019-13272
• polosec/CVE-2019-13272
• sumedhaDharmasena/-Kernel-ptrace-c-mishandles-vulnerability-CVE-2019-13272
• Tharana/Exploiting-a-Linux-kernel-vulnerability
• RashmikaEkanayake/Privilege-Escalation-CVE-2019-13272-
• Tharana/vulnerability-exploitation
• teddy47/CVE-2019-13272---Documentation
• datntsec/CVE-2019-13272
• jana30116/CVE-2019-13272-Local-Privilege-Escalation
• babyshen/CVE-2019-13272
• GgKendall/secureCodingDemo
• asepsaepdin/CVE-2019-13272
• MDS1GNAL/ptrace_scope-CVE-2019-13272-privilege-escalation
• josemlwdf/CVE-2019-13272

CVE-2019-13288 (2019-07-04)

In Xpdf 4.01.01, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack. This is similar to CVE-2018-16646.

• gleaming0/CVE-2019-13288
• Fineas/CVE-2019-13288-POC

CVE-2019-13292 (2019-07-04)

A SQL Injection issue was discovered in webERP 4.15. Payments.php accepts payment data in base64 format. After this is decoded, it is deserialized. Then, this deserialized data goes directly into a SQL query, with no sanitizing checks.

• gustanini/CVE-2019-13292-WebERP_4.15

CVE-2019-13361 (2019-09-05)

Smanos W100 1.0.0 devices have Insecure Permissions, exploitable by an attacker on the same Wi-Fi network.

• lodi-g/CVE-2019-13361

CVE-2019-13403 (2019-07-17)

Temenos CWX version 8.9 has an Broken Access Control vulnerability in the module /CWX/Employee/EmployeeEdit2.aspx, leading to the viewing of user information.

• B3Bo1d/CVE-2019-13403

CVE-2019-13496 (2019-11-04)

One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows OTP bypass via vectors involving a man in the middle, the One Identity Defender product, and replacing a failed SAML response with a successful SAML response.

• FurqanKhan1/CVE-2019-13496

CVE-2019-13497 (2019-11-04)

One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests.

• FurqanKhan1/CVE-2019-13497

CVE-2019-13498 (2019-07-29)

One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4.

• FurqanKhan1/CVE-2019-13498

CVE-2019-13574 (2019-07-12)

In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.

• masahiro331/CVE-2019-13574

CVE-2019-13633 (2020-10-19)

Blinger.io v.1.0.2519 is vulnerable to Blind/Persistent XSS. An attacker can send arbitrary JavaScript code via a built-in communication channel, such as Telegram, WhatsApp, Viber, Skype, Facebook, Vkontakte, or Odnoklassniki. This is mishandled within the administration panel for conversations/all, conversations/inbox, conversations/unassigned, and conversations/closed.

• Security-AVS/CVE-2019-13633

CVE-2019-13720 (2019-11-25)

Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• cve-2019-13720/cve-2019-13720
• ChoKyuWon/CVE-2019-13720

CVE-2019-13764 (2019-12-10)

Type confusion in JavaScript in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• HaboobLab/CVE-2019-13764

CVE-2019-13956 (2019-07-18)

Discuz!ML 3.2 through 3.4 allows remote attackers to execute arbitrary PHP code via a modified language cookie, as demonstrated by changing 4gH4_0df5_language=en to 4gH4_0df5_language=en'.phpinfo().'; (if the random prefix 4gH4_0df5_ were used).

• rhbb/CVE-2019-13956

CVE-2019-13990 (2019-07-26)

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

• epicosy/Quartz-1

CVE-2019-14040 (2020-02-07)

Using memory after being freed in qsee due to wrong implementation can lead to unexpected behavior such as execution of unknown code in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SM8150, SXR1130

• tamirzb/CVE-2019-14040

CVE-2019-14041 (2020-02-07)

During listener modified response processing, a buffer overrun occurs due to lack of buffer size verification when updating message buffer with physical address information in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8953, MSM8996AU, Nicobar, QCM2150, QCS405, QCS605, QM215, Rennell, SA6155P, Saipan, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130

• tamirzb/CVE-2019-14041

CVE-2019-14079 (2020-03-05)

Access to the uninitialized variable when the driver tries to unmap the dma buffer of a request which was never mapped in the first place leading to kernel failure in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables in APQ8009, APQ8053, MDM9607, MDM9640, MSM8909W, MSM8953, QCA6574AU, QCS605, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM632, SDM670, SDM710, SDM845, SDX24, SM8150, SXR1130

• parallelbeings/CVE-2019-14079

CVE-2019-14220 (2019-09-24)

An issue was discovered in BlueStacks 4.110 and below on macOS and on 4.120 and below on Windows. BlueStacks employs Android running in a virtual machine (VM) to enable Android apps to run on Windows or MacOS. Bug is in a local arbitrary file read through a system service call. The impacted method runs with System admin privilege and if given the file name as parameter returns you the content of file. A malicious app using the affected method can then read the content of any system file which it is not authorized to read

• seqred-s-a/cve-2019-14220

CVE-2019-14234 (2019-08-09)

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

• malvika-thakur/CVE-2019-14234

CVE-2019-14267 (2019-07-29)

PDFResurrect 0.15 has a buffer overflow via a crafted PDF file because data associated with startxref and %%EOF is mishandled.

• snappyJack/pdfresurrect_CVE-2019-14267

CVE-2019-14271 (2019-07-29)

In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

• iridium-soda/CVE-2019-14271_Exploit

CVE-2019-14287 (2019-10-17)

In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u #$((0xffffffff))" command.

• FauxFaux/sudo-cve-2019-14287
• CashWilliams/CVE-2019-14287-demo
• n0w4n/CVE-2019-14287
• gurneesh/CVE-2019-14287-write-up
• shallvhack/Sudo-Security-Bypass-CVE-2019-14287
• huang919/cve-2019-14287-PPT
• wenyu1999/sudo-
• Sindadziy/cve-2019-14287
• Sindayifu/CVE-2019-14287-CVE-2014-6271
• CMNatic/Dockerized-CVE-2019-14287
• axax002/sudo-vulnerability-CVE-2019-14287
• SachinthaDeSilva-cmd/Exploit-CVE-2019-14287
• HussyCool/CVE-2019-14287-IT18030372-
• ShianTrish/sudo-Security-Bypass-vulnerability-CVE-2019-14287
• ejlevin99/Sudo-Security-Bypass-Vulnerability
• thinuri99/Sudo-Security-Bypass-Vulnerability-CVE-2019-14287-
• janod313/-CVE-2019-14287-SUDO-bypass-vulnerability
• DewmiApsara/CVE-2019-14287
• M108Falcon/Sudo-CVE-2019-14287
• edsonjt81/CVE-2019-14287-
• DularaAnushka/Linux-Privilege-Escalation-using-Sudo-Rights
• n3rdh4x0r/CVE-2019-14287
• Hasintha-98/Sudo-Vulnerability-Exploit-CVE-2019-14287
• MariliaMeira/CVE-2019-14287
• Ijinleife/CVE-2019-14287
• lemonadern/poc-cve-2019-14287

CVE-2019-14314 (2019-08-27)

A SQL injection vulnerability exists in the Imagely NextGEN Gallery plugin before 3.2.11 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via modules/nextgen_gallery_display/package.module.nextgen_gallery_display.php.

• imthoe/CVE-2019-14314

CVE-2019-14319 (2019-09-04)

The TikTok (formerly Musical.ly) application 12.2.0 for Android and iOS performs unencrypted transmission of images, videos, and likes. This allows an attacker to extract private sensitive information by sniffing network traffic.

• MelroyB/CVE-2019-14319

CVE-2019-14322 (2019-07-28)

In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.

• faisalfs10x/CVE-2019-14322-scanner
• faisalfs10x/http-vuln-cve2019-14322.nse
• sergiovks/CVE-2019-14322

CVE-2019-14326 (2020-04-14)

An issue was discovered in AndyOS Andy versions up to 46.11.113. By default, it starts telnet and ssh (ports 22 and 23) with root privileges in the emulated Android system. This can be exploited by remote attackers to gain full access to the device, or by malicious apps installed inside the emulator to perform privilege escalation from a normal user to root (unlike with standard methods of getting root privileges on Android - e.g., the SuperSu program - the user is not asked for consent). There is no authentication performed - access to a root shell is given upon a successful connection. NOTE: although this was originally published with a slightly different CVE ID number, the correct ID for this Andy vulnerability has always been CVE-2019-14326.

• seqred-s-a/cve-2019-14326

CVE-2019-14339 (2019-09-05)

The ContentProvider in the Canon PRINT jp.co.canon.bsd.ad.pixmaprint 2.5.5 application for Android does not properly restrict canon.ij.printer.capability.data data access. This allows an attacker's malicious application to obtain sensitive information including factory passwords for the administrator web interface and WPA2-PSK key.

• 0x48piraj/CVE-2019-14339

CVE-2019-14439 (2019-07-30)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

• jas502n/CVE-2019-14439

CVE-2019-14450 (2019-10-28)

A directory traversal vulnerability was discovered in RepetierServer.exe in Repetier-Server 0.8 through 0.91 that allows for the creation of a user controlled XML file at an unintended location. When this is combined with CVE-2019-14451, an attacker can upload an "external command" configuration as a printer configuration, and achieve remote code execution. After exploitation, loading of the external command configuration is dependent on a system reboot or service restart.

• securifera/CVE-2019-14450

CVE-2019-14514 (2020-02-10)

An issue was discovered in Microvirt MEmu all versions prior to 7.0.2. A guest Android operating system inside the MEmu emulator contains a /system/bin/systemd binary that is run with root privileges on startup (this is unrelated to Red Hat's systemd init program, and is a closed-source proprietary tool that seems to be developed by Microvirt). This program opens TCP port 21509, presumably to receive installation-related commands from the host OS. Because everything after the installer:uninstall command is concatenated directly into a system() call, it is possible to execute arbitrary commands by supplying shell metacharacters.

• seqred-s-a/cve-2019-14514

CVE-2019-14529 (2019-08-02)

OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php.

• Wezery/CVE-2019-14529

CVE-2019-14530 (2019-08-13)

An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.

• Wezery/CVE-2019-14530
• sec-it/exploit-CVE-2019-14530

CVE-2019-14537 (2019-08-07)

YOURLS through 1.7.3 is affected by a type juggling vulnerability in the api component that can result in login bypass.

• Wocanilo/CVE-2019-14537

CVE-2019-14540 (2019-09-15)

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

• LeadroyaL/cve-2019-14540-exploit

CVE-2019-14615 (2020-01-17)

Insufficient control flow in certain data structures for some Intel(R) Processors with Intel(R) Processor Graphics may allow an unauthenticated user to potentially enable information disclosure via local access.

• HE-Wenjian/iGPU-Leak

CVE-2019-14678 (2019-11-14)

SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects the XMLV2 LIBNAME engine when the AUTOMAP option is used.

• mbadanoiu/CVE-2019-14678

CVE-2019-14745 (2019-08-07)

In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.

• xooxo/CVE-2019-14745

CVE-2019-14751 (2019-08-22)

NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.

• mssalvatore/CVE-2019-14751_PoC

CVE-2019-14830 (2021-03-19)

A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").

• Fr3d-/moodle-token-stealer

CVE-2019-14900 (2020-07-06)

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

• shanika04/hibernate-orm

CVE-2019-14912 (2019-09-20)

An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module does not properly check the goto parameter, leading to an open redirect that leaks the session cookie.

• Wocanilo/adaPwn

CVE-2019-14974 (2019-08-14)

SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.html?desktop_url= XSS.

• conan-sudo/CVE-2019-14974-bypass

CVE-2019-15029 (2019-09-05)

FusionPBX 4.4.8 allows an attacker to execute arbitrary system commands by submitting a malicious command to the service_edit.php file (which will insert the malicious command into the database). To trigger the command, one needs to call the services.php file via a GET request with the service id followed by the parameter a=start to execute the stored command.

• mhaskar/CVE-2019-15029

CVE-2019-15043 (2019-09-03)

In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.

• h0ffayyy/CVE-2019-15043

CVE-2019-15053 (2019-08-14)

The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element.

• l0nax/CVE-2019-15053

CVE-2019-15107 (2019-08-16)

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

• jas502n/CVE-2019-15107
• HACHp1/webmin_docker_and_exp
• ketlerd/CVE-2019-15107
• AdministratorGithub/CVE-2019-15107
• Rayferrufino/Make-and-Break
• AleWong/WebminRCE-EXP-CVE-2019-15107-
• ianxtianxt/CVE-2019-15107
• hannob/webminex
• ChakoMoonFish/webmin_CVE-2019-15107
• cdedmondson/Modified-CVE-2019-15107
• ruthvikvegunta/CVE-2019-15107
• n0obit4/Webmin_1.890-POC
• squid22/Webmin_CVE-2019-15107
• MuirlandOracle/CVE-2019-15107
• diegojuan/CVE-2019-15107
• whokilleddb/CVE-2019-15107
• darrenmartyn/CVE-2019-15107
• hacknotes/CVE-2019-15107-Exploit
• CyberTuz/CVE-2019-15107_detection
• hadrian3689/webmin_1.920
• f0rkr/CVE-2019-15107
• psw01/CVE-2019-15107_webminRCE
• TheAlpha19/MiniExploit
• wenruoya/CVE-2019-15107
• g1vi/CVE-2019-15107
• K3ysTr0K3R/CVE-2019-15107-EXPLOIT
• gozn/detect-CVE-2019-15107-by-pyshark
• h4ck0rman/CVE-2019-15107
• olingo99/CVE-2019-15107
• aamfrk/Webmin-CVE-2019-15107
• 0x4r2/Webmin-CVE-2019-15107
• NasrallahBaadi/CVE-2019-15107
• grayorwhite/CVE-2019-15107
• MasterCode112/CVE-2019-15107

CVE-2019-15120 (2019-08-16)

The Kunena extension before 5.1.14 for Joomla! allows XSS via BBCode.

• h3llraiser/CVE-2019-15120

CVE-2019-15126 (2020-02-05)

An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic, a different vulnerability than CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.

• 0x13enny/kr00k
• hexway/r00kie-kr00kie
• akabe1/kr00ker

CVE-2019-15166 (2019-10-03)

lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4.9.3 lacks certain bounds checks.

• Satheesh575555/external_tcpdump_AOSP10_r33_CVE-2019-15166

CVE-2019-15224 (2019-08-19)

The rest-client gem 1.6.10 through 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions <=1.6.9 and >=1.6.14 are unaffected.

• chef-cft/inspec_cve_2019_15224

CVE-2019-15231

• wizardy0ga/THM-Source-CVE-2019-15231

CVE-2019-15233 (2019-08-20)

The Live:Text Box macro in the Old Street Live Input Macros app before 2.11 for Confluence has XSS, leading to theft of the Administrator Session Cookie.

• l0nax/CVE-2019-15233

CVE-2019-15477 (2019-08-23)

Jooby before 1.6.4 has XSS via the default error handler.

• epicosy/jooby

CVE-2019-15511 (2019-11-21)

An exploitable local privilege escalation vulnerability exists in the GalaxyClientService installed by GOG Galaxy. Due to Improper Access Control, an attacker can send unauthenticated local TCP packets to the service to gain SYSTEM privileges in Windows system where GOG Galaxy software is installed. All GOG Galaxy versions before 1.2.60 and all corresponding versions of GOG Galaxy 2.0 Beta are affected.

• adenkiewicz/CVE-2019-15511

CVE-2019-15514 (2019-08-23)

The Privacy > Phone Number feature in the Telegram app 5.10 for Android and iOS provides an incorrect indication that the access level is Nobody, because attackers can find these numbers via the Group Info feature, e.g., by adding a significant fraction of a region's assigned phone numbers.

• bibi1959/CVE-2019-15514

CVE-2019-15588 (2019-11-01)

There is an OS Command Injection in Nexus Repository Manager <= 2.14.14 (bypass CVE-2019-5475) that could allow an attacker a Remote Code Execution (RCE). All instances using CommandLineExecutor.java with user-supplied data is vulnerable, such as the Yum Configuration Capability.

• EXP-Docs/CVE-2019-15588

CVE-2019-15605 (2020-02-07)

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

• jlcarruda/node-poc-http-smuggling

CVE-2019-15642 (2019-08-26)

rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users."

• jas502n/CVE-2019-15642

CVE-2019-15813 (2019-09-04)

Multiple file upload restriction bypass vulnerabilities in Sentrifugo 3.2 could allow authenticated users to execute arbitrary code via a webshell.

• wolf1892/CVE-2019-15813

CVE-2019-15846 (2019-09-06)

Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.

• synacktiv/Exim-CVE-2019-15846

CVE-2019-15858 (2019-09-03)

admin/includes/class.import.snippet.php in the "Woody ad snippets" plugin before 2.2.5 for WordPress allows unauthenticated options import, as demonstrated by storing an XSS payload for remote code execution.

• GeneralEG/CVE-2019-15858
• orangmuda/CVE-2019-15858

CVE-2019-15896 (2019-09-10)

An issue was discovered in the LifterLMS plugin through 3.34.5 for WordPress. The upload_import function in the class.llms.admin.import.php script is prone to an unauthenticated options import vulnerability that could lead to privilege escalation (administrator account creation), website redirection, and stored XSS.

• RandomRobbieBF/CVE-2019-15896

CVE-2019-15972 (2019-11-26)

A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. The vulnerability exists because the web-based management interface improperly validates SQL values. An attacker could exploit this vulnerability by authenticating to the application and sending malicious requests to an affected system. A successful exploit could allow the attacker to modify values on or return values from the underlying database.

• FSecureLABS/Cisco-UCM-SQLi-Scripts

CVE-2019-16097 (2019-09-08)

core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration. Fixed version: v1.7.6 v1.8.3. v.1.9.0. Workaround without applying the fix: configure Harbor to use non-DB authentication backend such as LDAP.

• evilAdan0s/CVE-2019-16097
• rockmelodies/CVE-2019-16097-batch
• ianxtianxt/CVE-2019-16097
• dacade/cve-2019-16097
• theLSA/harbor-give-me-admin
• luckybool1020/CVE-2019-16097

CVE-2019-16098 (2019-09-11)

The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.

• Barakat/CVE-2019-16098
• 0xDivyanshu-new/CVE-2019-16098
• Offensive-Panda/NT-AUTHORITY-SYSTEM-CONTEXT-RTCORE

CVE-2019-16113 (2019-09-08)

Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.

• ynots0ups/CVE-2019-16113
• cybervaca/CVE-2019-16113
• hg8/CVE-2019-16113-PoC
• Kenun99/CVE-2019-16113-Dockerfile
• dldygnl/CVE-2019-16113
• banomaly/CVE-2019-16113
• DXY0411/CVE-2019-16113
• banomaly/CVE-2019-16113_
• mind2hex/CVE-2019-16113
• tronghoang89/cve-2019-16113

CVE-2019-16172 (2019-09-09)

LimeSurvey before v3.17.14 allows stored XSS for escalating privileges from a low-privileged account to, for example, SuperAdmin. The attack uses a survey group in which the title contains JavaScript that is mishandled upon group deletion.

• TrixSec/CVE-2019-16172

CVE-2019-16253 (2019-09-25)

The Text-to-speech Engine (aka SamsungTTS) application before 3.0.02.7 and 3.0.00.101 for Android allows a local attacker to escalate privileges, e.g., to system privileges. The Samsung case ID is 101755.

• k0mraid3/K0mraid3s-System-Shell-PREBUILT

CVE-2019-16278 (2019-10-14)

Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.

• jas502n/CVE-2019-16278
• imjdl/CVE-2019-16278-PoC
• ianxtianxt/CVE-2019-16278
• darkerego/Nostromo_Python3
• AnubisSec/CVE-2019-16278
• aN0mad/CVE-2019-16278-Nostromo_1.9.6-RCE
• Kr0ff/cve-2019-16278
• NHPT/CVE-2019-16278
• keshiba/cve-2019-16278
• n3rdh4x0r/CVE-2019-16278
• alexander-fernandes/CVE-2019-16278
• FredBrave/CVE-2019-16278-Nostromo-1.9.6-RCE
• 0xTabun/CVE-2019-16278
• cancela24/CVE-2019-16278-Nostromo-1.9.6-RCE

CVE-2019-16279 (2019-10-14)

A memory error in the function SSL_accept in nostromo nhttpd through 1.9.6 allows an attacker to trigger a denial of service via a crafted HTTP request.

• ianxtianxt/CVE-2019-16279

CVE-2019-16374 (2020-08-13)

Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.

• IAG0110/CVE-2019-16374

CVE-2019-16394 (2019-09-17)

SPIP before 3.1.11 and 3.2 before 3.2.5 provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.

• trungnd51/Silent_CVE_2019_16394

CVE-2019-16405 (2019-11-21)

Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution by an administrator who can modify Macro Expression location settings. CVE-2019-16405 and CVE-2019-17501 are similar to one another and may be the same.

• TheCyberGeek/CVE-2019-16405.rb

CVE-2019-16516 (2020-01-23)

An issue was discovered in ConnectWise Control (formerly known as ScreenConnect) 19.3.25270.7185. There is a user enumeration vulnerability, allowing an unauthenticated attacker to determine with certainty if an account exists for a given username.

• czz/ScreenConnect-UserEnum

CVE-2019-16662 (2019-10-28)

An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.

• mhaskar/CVE-2019-16662

CVE-2019-16663 (2019-10-28)

An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to search.crud.php because the catCommand parameter is passed to the exec function without filtering, which can lead to command execution.

• mhaskar/CVE-2019-16663

CVE-2019-16692 (2019-09-22)

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.

• kkirsche/CVE-2019-16692

CVE-2019-16724 (2019-09-24)

File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary code execution by exploiting a Structured Exception Handler (SEH) based buffer overflow in an HTTP POST parameter, a similar issue to CVE-2010-2330 and CVE-2010-2331.

• nanabingies/CVE-2019-16724

CVE-2019-16746 (2019-09-24)

An issue was discovered in net/wireless/nl80211.c in the Linux kernel through 5.2.17. It does not check the length of variable elements in a beacon head, leading to a buffer overflow.

• uthrasri/CVE-2019-16746

CVE-2019-16759 (2019-09-24)

vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request.

• M0sterHxck/CVE-2019-16759-Vbulletin-rce-exploit
• r00tpgp/http-vuln-CVE-2019-16759
• jas502n/CVE-2019-16759
• theLSA/vbulletin5-rce
• FarjaalAhmad/CVE-2019-16759
• andripwn/pwn-vbulletin
• psychoxploit/vbull
• polar1s7/CVE-2019-16759-bypass
• nako48/CVE-2019-16759
• 0xdims/CVE-2019-16759
• sunian19/CVE-2019-16759
• ludy-dev/vBulletin_Routestring-RCE
• fxp0-4tx/CVE-2019-16759

CVE-2019-16784 (2020-01-14)

In PyInstaller before version 3.6, only on Windows, a local privilege escalation vulnerability is present in this particular case: If a software using PyInstaller in "onefile" mode is launched by a privileged user (at least more than the current one) which have his "TempPath" resolving to a world writable directory. This is the case for example if the software is launched as a service or as a scheduled task using a system account (TempPath will be C:\Windows\Temp). In order to be exploitable the software has to be (re)started after the attacker launch the exploit program, so for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade).

• AlterSolutions/PyInstallerPrivEsc
• Ckrielle/CVE-2019-16784-POC

CVE-2019-16889 (2019-09-25)

Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer to the beaker.session.id cookie in a GET header. The attacker can use a long series of unique session IDs.

• grampae/CVE-2019-16889-poc

CVE-2019-16920 (2019-09-27)

Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.

• eniac888/CVE-2019-16920-MassPwn3r

CVE-2019-16941 (2019-09-28)

NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).

• purpleracc00n/CVE-2019-16941

CVE-2019-17026 (2020-03-02)

Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1.

• maxpl0it/CVE-2019-17026-Exploit
• lsw29475/CVE-2019-17026

CVE-2019-17041 (2019-10-07)

An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfrom/pmaixforwardedfrom.c has a heap overflow in the parser for AIX log messages. The parser tries to locate a log message delimiter (in this case, a space or a colon) but fails to account for strings that do not satisfy this constraint. If the string does not match, then the variable lenMsg will reach the value zero and will skip the sanity check that detects invalid log messages. The message will then be considered valid, and the parser will eat up the nonexistent colon delimiter. In doing so, it will decrement lenMsg, a signed integer, whose value was zero and now becomes minus one. The following step in the parser is to shift left the contents of the message. To do this, it will call memmove with the right pointers to the target and destination strings, but the lenMsg will now be interpreted as a huge value, causing a heap overflow.

• Resery/CVE-2019-17041

CVE-2019-17080 (2019-10-02)

mintinstall (aka Software Manager) 7.9.9 for Linux Mint allows code execution if a REVIEWS_CACHE file is controlled by an attacker, because an unpickle occurs. This is resolved in 8.0.0 and backports.

• Andhrimnirr/Mintinstall-object-injection
• materaj2/Mintinstall-object-injection

CVE-2019-17124 (2019-10-09)

Kramer VIAware 2.5.0719.1034 has Incorrect Access Control.

• hessandrew/CVE-2019-17124

CVE-2019-17137 (2020-02-10)

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR AC1200 R6220 Firmware version 1.1.0.86 Smart WiFi Router. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of path strings. By inserting a null byte into the path, the user can skip most authentication checks. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-8616.

• vncloudsco/CVE-2019-17137

CVE-2019-17147 (2020-01-07)

This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-LINK TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web service, which listens on TCP port 80 by default. When parsing the Host request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length static buffer. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-8457.

• DrmnSamoLiu/CVE-2019-17147_Practice_Material

CVE-2019-17195 (2019-10-15)

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

• somatrasss/weblogic2021

CVE-2019-17221 (2019-11-05)

PhantomJS through 2.1.1 has an arbitrary file read vulnerability, as demonstrated by an XMLHttpRequest for a file:// URI. The vulnerability exists in the page.open() function of the webpage module, which loads a specified URL and calls a given callback. An attacker can supply a specially crafted HTML file, as user input, that allows reading arbitrary files on the filesystem. For example, if page.render() is the function callback, this generates a PDF or an image of the targeted file. NOTE: this product is no longer developed.

• h4ckologic/CVE-2019-17221

CVE-2019-17225 (2019-10-06)

Subrion 4.2.1 allows XSS via the panel/members/ Username, Full Name, or Email field, aka an "Admin Member JSON Update" issue.

• hacker625/CVE-2019-17225

CVE-2019-17234 (2019-11-12)

includes/class-coming-soon-creator.php in the igniteup plugin through 3.4 for WordPress allows unauthenticated arbitrary file deletion.

• administra1tor/CVE-2019-17234b-Exploit

CVE-2019-17240 (2019-10-06)

bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers.

• pingport80/CVE-2019-17240
• LucaReggiannini/Bludit-3-9-2-bb
• triple-octopus/Bludit-CVE-2019-17240-Fork
• ColdFusionX/CVE-2019-17240_Bludit-BF-Bypass
• jayngng/bludit-CVE-2019-17240
• brunosergi/bloodit
• spyx/cve-2019-17240
• mind2hex/CVE-2019-17240

CVE-2019-17382 (2019-10-09)

An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.

• K3ysTr0K3R/CVE-2019-17382-EXPLOIT

CVE-2019-17424 (2019-10-22)

A stack-based buffer overflow in the processPrivilage() function in IOS/process-general.c in nipper-ng 0.11.10 allows remote attackers (serving firewall configuration files) to achieve Remote Code Execution or Denial Of Service via a crafted file.

• mavlevin/CVE-2019-17424

CVE-2019-17427 (2019-10-10)

In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors.

• RealLinkers/CVE-2019-17427

CVE-2019-17495 (2019-10-10)

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

• SecT0uch/CVE-2019-17495-test

CVE-2019-17497 (2019-10-10)

Tracker PDF-XChange Editor before 8.0.330.0 has an NTLM SSO hash theft vulnerability using crafted FDF or XFDF files (a related issue to CVE-2018-4993). For example, an NTLM hash is sent for a link to \192.168.0.2\C$\file.pdf without user interaction.

• JM-Lemmi/cve-2019-17497

CVE-2019-17498 (2019-10-21)

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

• Timon-L/3007Project

CVE-2019-17513 (2019-10-18)

An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.

• epicosy/Ratpack-1

CVE-2019-17525 (2020-04-21)

The login page on D-Link DIR-615 T1 20.10 devices allows remote attackers to bypass the CAPTCHA protection mechanism and conduct brute-force attacks.

• huzaifahussain98/CVE-2019-17525

CVE-2019-17558 (2019-12-30)

Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting params.resource.loader.enabled by defining a response writer with that setting set to true. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user).

• thelostworldFree/CVE-2019-17558_Solr_Vul_Tool
• zhzyker/exphub
• Ma1Dong/Solr_CVE-2019-17558
• xkyrage/Exploit_CVE-2019-17558-RCE

CVE-2019-17564 (2020-04-01)

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.

• r00t4dm/CVE-2019-17564
• Jaky5155/CVE-2019-17564
• Hu3sky/CVE-2019-17564
• Exploit-3389/CVE-2019-17564
• Dor-Tumarkin/CVE-2019-17564-FastJson-Gadget
• fairyming/CVE-2019-17564

CVE-2019-17570 (2020-01-23)

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.

• r00t4dm/CVE-2019-17570
• slowmistio/xmlrpc-common-deserialization

CVE-2019-17571 (2019-12-20)

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

• shadow-horse/CVE-2019-17571
• Al1ex/CVE-2019-17571
• HynekPetrak/log4shell-finder

CVE-2019-17596 (2019-10-24)

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

• pquerna/poc-dsa-verify-CVE-2019-17596

CVE-2019-17621 (2019-12-30)

The UPnP endpoint URL /gena.cgi in the D-Link DIR-859 Wi-Fi router 1.05 and 1.06B01 Beta01 allows an Unauthenticated remote attacker to execute system commands as root, by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service when connecting to the local network.

• Squirre17/CVE-2019-17621

CVE-2019-17625 (2019-10-16)

There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron, such as an exec of OS commands within the onerror attribute of an IMG element.

• Ekultek/CVE-2019-17625

CVE-2019-17633 (2019-12-19)

For Eclipse Che versions 6.16 to 7.3.0, with both authentication and TLS disabled, visiting a malicious web site could trigger the start of an arbitrary Che workspace. Che with no authentication and no TLS is not usually deployed on a public network but is often used for local installations (e.g. on personal laptops). In that case, even if the Che API is not exposed externally, some javascript running in the local browser is able to send requests to it.

• mgrube/CVE-2019-17633

CVE-2019-17638 (2020-07-09)

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with other data. Thread1 then proceeds to write the buffer that now contains different data. This results in client1, which issued request1 seeing data from another request or response which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.). If the Jetty version cannot be upgraded, the vulnerability can be significantly reduced by configuring a responseHeaderSize significantly larger than the requestHeaderSize (12KB responseHeaderSize and 8KB requestHeaderSize).

• forse01/CVE-2019-17638-Jetty

CVE-2019-17658 (2020-03-12)

An unquoted service path vulnerability in the FortiClient FortiTray component of FortiClientWindows v6.2.2 and prior allow an attacker to gain elevated privileges via the FortiClientConsole executable service path.

• Ibonok/CVE-2019-17658

CVE-2019-17662 (2019-10-16)

ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.

• MuirlandOracle/CVE-2019-17662
• kxisxr/Bash-Script-CVE-2019-17662
• whokilleddb/CVE-2019-17662
• rajendrakumaryadav/CVE-2019-17662-Exploit
• Tamagaft/CVE-2019-17662
• bl4ck574r/CVE-2019-17662
• thomas-osgood/CVE-2019-17662
• medarov411/vnc-lab-cve-2019-17662

CVE-2019-17666 (2019-10-17)

rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.

• uthrasri/CVE-2019-17666

CVE-2019-17671 (2019-10-17)

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

• rhbb/CVE-2019-17671

CVE-2019-18276 (2019-11-28)

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

• M-ensimag/CVE-2019-18276
• SABI-Ensimag/CVE-2019-18276

CVE-2019-18370 (2019-10-23)

An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. The backup file is in tar.gz format. After uploading, the application uses the tar zxf command to decompress, so one can control the contents of the files in the decompressed directory. In addition, the application's sh script for testing upload and download speeds reads a URL list from /tmp/speedtest_urls.xml, and there is a command injection vulnerability, as demonstrated by api/xqnetdetect/netspeed.

• FzBacon/CVE-2019-18370_XiaoMi_Mi_WIFI_RCE_analysis

CVE-2019-18371 (2019-10-23)

An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication.

• UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC
• AjayMT6/UltramanGaia
• jsnhcuan1997/UltramanGaia

CVE-2019-18426 (2020-01-21)

A vulnerability in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting and local file reading. Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.

• PerimeterX/CVE-2019-18426

CVE-2019-18634 (2020-01-29)

In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.

• Plazmaz/CVE-2019-18634
• saleemrashid/sudo-cve-2019-18634
• N1et/CVE-2019-18634
• ptef/CVE-2019-18634
• edsonjt81/sudo-cve-2019-18634
• paras1te-x/CVE-2019-18634
• aesophor/CVE-2019-18634
• TheJoyOfHacking/saleemrashid-sudo-cve-2019-18634
• DDayLuong/CVE-2019-18634
• chanbakjsd/CVE-2019-18634
• l0w3/CVE-2019-18634

CVE-2019-18655 (2019-11-12)

File Sharing Wizard version 1.5.0 build 2008 is affected by a Structured Exception Handler based buffer overflow vulnerability. An unauthenticated attacker is able to perform remote command execution and obtain a command shell by sending a HTTP GET request including the malicious payload in the URL. A similar issue to CVE-2019-17415, CVE-2019-16724, and CVE-2010-2331.

• 0xhuesca/CVE-2019-18655

CVE-2019-18683 (2019-11-04)

An issue was discovered in drivers/media/platform/vivid in the Linux kernel through 5.3.8. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.

• sanjana123-cloud/CVE-2019-18683
• Limesss/cve-2019-18683

CVE-2019-18818 (2019-11-07)

strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.

• guglia001/CVE-2019-18818
• rasyidfox/CVE-2019-18818
• hadrian3689/strapi_cms_3.0.0-beta.17.7
• Hackhoven/Strapi-RCE

CVE-2019-18845 (2019-11-09)

The MsIo64.sys and MsIo32.sys drivers in Patriot Viper RGB before 1.1 allow local users (including low integrity processes) to read and write to arbitrary memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, by mapping \Device\PhysicalMemory into the calling process via ZwOpenSection and ZwMapViewOfSection.

• fengjixuchui/CVE-2019-18845

CVE-2019-18873 (2019-11-12)

FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. The problem is in admsession.php and admuser.php.

• fuzzlove/FUDforum-XSS-RCE

CVE-2019-18885 (2019-11-14)

fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verify_dev_extents NULL pointer dereference via a crafted btrfs image because fs_devices->devices is mishandled within find_device, aka CID-09ba3bc9dd15.

• bobfuzzer/CVE-2019-18885

CVE-2019-18890 (2019-11-21)

A SQL injection vulnerability in Redmine through 3.2.9 and 3.3.x before 3.3.10 allows Redmine users to access protected information via a crafted object query.

• RealLinkers/CVE-2019-18890

CVE-2019-18935 (2019-12-11)

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

• bao7uo/RAU_crypto
• noperator/CVE-2019-18935
• becrevex/Telerik_CVE-2019-18935
• ThanHuuTuan/Telerik_CVE-2019-18935
• ThanHuuTuan/CVE_2019_18935
• murataydemir/CVE-2019-18935
• appliedi/Telerik_CVE-2019-18935
• random-robbie/CVE-2019-18935
• 0xAgun/CVE-2019-18935-checker
• KasunPriyashan/Telerik-UI-ASP.NET-AJAX-Exploitation
• dust-life/CVE-2019-18935-memShell

CVE-2019-18988 (2020-02-07)

TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protect information stored in the registry or configuration files of TeamViewer. With versions before v9.x , this allowed for attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to login to the system.

• reversebrain/CVE-2019-18988
• mr-r3b00t/CVE-2019-18988

CVE-2019-19012 (2019-11-16)

An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression.

• ManhNDd/CVE-2019-19012
• tarantula-team/CVE-2019-19012

CVE-2019-19030 (2022-12-26)

Cloud Native Computing Foundation Harbor before 1.10.3 and 2.x before 2.0.1 allows resource enumeration because unauthenticated API calls reveal (via the HTTP status code) whether a resource exists.

• shodanwashere/boatcrash

CVE-2019-19033 (2019-11-21)

Jalios JCMS 10 allows attackers to access any part of the website and the WebDAV server with administrative privileges via a backdoor account, by using any username and the hardcoded dev password.

• ricardojoserf/CVE-2019-19033

CVE-2019-19194 (2020-02-12)

The Bluetooth Low Energy Secure Manager Protocol (SMP) implementation on Telink Semiconductor BLE SDK versions before November 2019 for TLSR8x5x through 3.4.0, TLSR823x through 1.3.0, and TLSR826x through 3.3 devices installs a zero long term key (LTK) if an out-of-order link-layer encryption request is received during Secure Connections pairing. An attacker in radio range can have arbitrary read/write access to protected GATT service data, cause a device crash, or possibly control a device's function by establishing an encrypted session with the zero LTK.

• louisabricot/writeup-cve-2019-19194

CVE-2019-19203 (2019-11-21)

An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read.

• ManhNDd/CVE-2019-19203
• tarantula-team/CVE-2019-19203

CVE-2019-19204 (2019-11-21)

An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.

• ManhNDd/CVE-2019-19204
• tarantula-team/CVE-2019-19204

CVE-2019-19231 (2019-12-20)

An insecure file access vulnerability exists in CA Client Automation 14.0, 14.1, 14.2, and 14.3 Agent for Windows that can allow a local attacker to gain escalated privileges.

• hessandrew/CVE-2019-19231

CVE-2019-19268

• TheCyberGeek/CVE-2019-19268

CVE-2019-19315 (2019-12-17)

NLSSRV32.EXE in Nalpeiron Licensing Service 7.3.4.0, as used with Nitro PDF and other products, allows Elevation of Privilege via the \.\mailslot\nlsX86ccMailslot mailslot.

• monoxgas/mailorder

CVE-2019-19356 (2020-02-07)

Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. The vulnerability has been found in firmware version V1.2.31805 and V2.2.36123. After one is connected to this page, it is possible to execute system commands as root through the tracert diagnostic tool because of lack of user input sanitizing.

• shadowgatt/CVE-2019-19356
• qq1515406085/CVE-2019-19356

CVE-2019-19369

• TheCyberGeek/CVE-2019-19369

CVE-2019-19383 (2019-12-03)

freeFTPd 1.0.8 has a Post-Authentication Buffer Overflow via a crafted SIZE command (this is exploitable even if logging is disabled).

• killvxk/CVE-2019-19383

CVE-2019-19393 (2020-10-01)

The Web application on Rittal CMC PU III 7030.000 V3.00 V3.11.00_2 to V3.15.70_4 devices fails to sanitize user input on the system configurations page. This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts) as the content is always displayed after and before login. Persistent XSS allows an attacker to modify displayed content or to change the victim's information. Successful exploitation requires access to the web management interface, either with valid credentials or a hijacked session.

• miguelhamal/CVE-2019-19393

CVE-2019-19447 (2019-12-08)

In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.

• Trinadh465/linux-4.19.72_CVE-2019-19447

CVE-2019-19470 (2019-12-30)

Unsafe usage of .NET deserialization in Named Pipe message processing allows privilege escalation to NT AUTHORITY\SYSTEM for a local attacker. Affected product is TinyWall, all versions up to and including 2.1.12. Fixed in version 2.1.13.

• juliourena/CVE-2019-19470-RedTeamRD

CVE-2019-19492 (2019-12-02)

FreeSWITCH 1.6.10 through 1.10.1 has a default password in event_socket.conf.xml.

• Chocapikk/CVE-2019-19492
• tucommenceapousser/CVE-2019-19492
• tucommenceapousser/CVE-2019-19492-2

CVE-2019-19511

• jra89/CVE-2019-19511

CVE-2019-19520 (2019-12-04)

xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen.

• retrymp3/Openbsd-Privilege-Escalation

CVE-2019-19547 (2020-01-13)

Symantec Endpoint Detection and Response (SEDR), prior to 4.3.0, may be susceptible to a cross site scripting (XSS) issue. XSS is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. An XSS vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy.

• nasbench/CVE-2019-19547

CVE-2019-19550 (2020-01-31)

Remote Authentication Bypass in Senior Rubiweb 6.2.34.28 and 6.2.34.37 allows admin access to sensitive information of affected users using vulnerable versions. The attacker only needs to provide the correct URL.

• underprotection/CVE-2019-19550
• redteambrasil/CVE-2019-19550

CVE-2019-19576 (2019-12-04)

class.upload.php in verot.net class.upload before 1.0.3 and 2.x before 2.0.4, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.

• jra89/CVE-2019-19576

CVE-2019-19609 (2019-12-05)

The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.

• ebadfd/CVE-2019-19609
• diego-tella/CVE-2019-19609-EXPLOIT
• guglia001/CVE-2019-19609
• D3m0nicw0lf/CVE-2019-19609
• n000xy/CVE-2019-19609-POC-Python
• RamPanic/CVE-2019-19609-EXPLOIT
• glowbase/CVE-2019-19609

CVE-2019-19633

• jra89/CVE-2019-19633

CVE-2019-19634 (2019-12-17)

class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576.

• jra89/CVE-2019-19634

CVE-2019-19651

• jra89/CVE-2019-19651

CVE-2019-19652

• jra89/CVE-2019-19652

CVE-2019-19653

• jra89/CVE-2019-19653

CVE-2019-19654

• jra89/CVE-2019-19654

CVE-2019-19658

• jra89/CVE-2019-19658

CVE-2019-19699 (2020-04-06)

There is Authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration, This allows the apache user to modify an executable file executed by root at 22:30 every day. To exploit the vulnerability, someone must have Admin access to the Centreon Web Interface and create a custom main.php?p=60803&type=3 command. The user must then set the Pollers Post-Restart Command to this previously created command via the main.php?p=60901&o=c&server_id=1 URI. This is triggered via an export of the Poller Configuration.

• SpengeSec/CVE-2019-19699

CVE-2019-19781 (2019-12-27)

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

• projectzeroindia/CVE-2019-19781
• trustedsec/cve-2019-19781
• cisagov/check-cve-2019-19781
• jas502n/CVE-2019-19781
• ianxtianxt/CVE-2019-19781
• mpgn/CVE-2019-19781
• oways/CVE-2019-19781
• becrevex/Citrix_CVE-2019-19781
• unknowndevice64/Exploits_CVE-2019-19781
• haxrob/citrixmash_scanner
• jamesjguthrie/Shitrix-CVE-2019-19781
• haxrob/CVE-2019-19781
• hollerith/CVE-2019-19781
• aqhmal/CVE-2019-19781
• MalwareTech/CitrixHoneypot
• mekhalleh/citrix_dir_traversal_rce
• zgelici/CVE-2019-19781-Checker
• digitalshadows/CVE-2019-19781_IOCs
• onSec-fr/CVE-2019-19781-Forensic
• DanielWep/CVE-NetScalerFileSystemCheck
• Castaldio86/Detect-CVE-2019-19781
• j81blog/ADC-19781
• b510/CVE-2019-19781
• redscan/CVE-2019-19781
• digitalgangst/massCitrix
• mandiant/ioc-scanner-CVE-2019-19781
• citrix/ioc-scanner-CVE-2019-19781
• haxrob/citrix-honeypot
• L4r1k/CitrixNetscalerAnalysis
• Azeemering/CVE-2019-19781-DFIR-Notes
• 0xams/citrixvulncheck
• r4ulcl/CVE-2019-19781
• nmanzi/webcvescanner
• darren646/CVE-2019-19781POC
• Roshi99/Remote-Code-Execution-Exploit-for-Citrix-Application-Delivery-Controller-and-Citrix-Gateway-CVE-201
• yukar1z0e/CVE-2019-19781
• SharpHack/CVE-2019-19781
• qiong-qi/CVE-2019-19781-poc
• w4fz5uck5/CVE-2019-19781-CitrixRCE
• andripwn/CVE-2019-19781
• VladRico/CVE-2019-19781
• pwn3z/CVE-2019-19781-Citrix
• Vulnmachines/Ctirix_RCE-CVE-2019-19781
• k-fire/CVE-2019-19781-exploit
• zerobytesecure/CVE-2019-19781
• citrixgitoff/-ioc-scanner-CVE-2019-19781

CVE-2019-19782 (2019-12-13)

The FTP client in AceaXe Plus 1.0 allows a buffer overflow via a long EHLO response from an FTP server.

• Underwood12/CVE-2019-19782

CVE-2019-19842 (2020-01-22)

emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote attackers to execute OS commands via a POST request with the attribute xcmd=spectra-analysis to admin/_cmdstat.jsp via the mac attribute.

• bdunlap9/CVE-2019-19842

CVE-2019-19844 (2019-12-18)

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

• ryu22e/django_cve_2019_19844_poc
• andripwn/django_cve201919844
• 0xsha/CVE_2019_19844

CVE-2019-19871

• VDISEC/CVE-2019-19871-AuditGuide

CVE-2019-19905 (2019-12-19)

NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when reading very long lines from configuration files. This affects systems that have NetHack installed suid/sgid, and shared systems that allow users to upload their own configuration files.

• dpmdpm2/CVE-2019-19905

CVE-2019-19919 (2019-12-20)

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

• fazilbaig1/CVE-2019-19919

CVE-2019-19945 (2020-03-16)

uhttpd in OpenWrt through 18.06.5 and 19.x through 19.07.0-rc2 has an integer signedness error. This leads to out-of-bounds access to a heap buffer and a subsequent crash. It can be triggered with an HTTP POST request to a CGI script, specifying both "Transfer-Encoding: chunked" and a large negative Content-Length value.

• delicateByte/CVE-2019-19945_Test

CVE-2019-20059 (2020-02-10)

payment_manage.ajax.php and various *_manage.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.4 directly insert values from the sSortDir_0 parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. NOTE: this issue exists because of an incomplete fix for CVE-2019-19732.

• cve-vuln/CVE-2019-20059

CVE-2019-20085 (2019-12-30)

TVT NVMS-1000 devices allow GET /.. Directory Traversal

• AleDiBen/NVMS1000-Exploit

CVE-2019-20197 (2019-12-31)

In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.

• lp008/CVE-2019-20197
• jas502n/CVE-2019-20197

CVE-2019-20224 (2020-01-09)

netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has been fixed in Pandora FMS 7.0 NG 742.

• mhaskar/CVE-2019-20224

CVE-2019-20326 (2020-03-16)

A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-image-surface-jpeg.c in GNOME gThumb before 3.8.3 and Linux Mint Pix before 2.4.5 allows attackers to cause a crash and potentially execute arbitrary code via a crafted JPEG file.

• Fysac/CVE-2019-20326

CVE-2019-20361 (2020-01-08)

There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).

• jerrylewis9/CVE-2019-20361-EXPLOIT

CVE-2019-20372 (2020-01-09)

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

• vuongnv3389-sec/CVE-2019-20372
• 0xleft/CVE-2019-20372

CVE-2019-20933 (2020-11-19)

InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret (aka shared secret).

• LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933
• Hydragyrum/CVE-2019-20933

CVE-2019-25024 (2021-02-19)

OpenRepeater (ORP) before 2.2 allows unauthenticated command injection via shell metacharacters in the functions/ajax_system.php post_service parameter.

• codexlynx/CVE-2019-25024

CVE-2019-25065 (2022-06-09)

A vulnerability was found in OpenNetAdmin 18.1.1. It has been rated as critical. Affected by this issue is some unknown functionality. The manipulation leads to privilege escalation. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

• sagisar1/CVE-2019-25065-exploit

CVE-2019-25137 (2023-05-18)

Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Code Execution by authenticated administrators via msxsl:script in an xsltSelection to developer/Xslt/xsltVisualize.aspx.

• Ickarah/CVE-2019-25137-Version-Research

CVE-2019-25162 (2024-02-26)

In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: Fix a potential use after free\n\nFree the adap structure only after we are done using it.\nThis patch just moves the put_device() down a bit to avoid the\nuse after free.\n\n[wsa: added comment to the code, added Fixes tag]

• uthrasri/CVE-2019-25162

CVE-2019-48814

• wucj001/cve-2019-48814

CVE-2019-1002101 (2019-04-01)

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.

• brompwnie/CVE-2019-1002101-Helpers

CVE-2019-1003000 (2019-01-22)

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM.

• wetw0rk/Exploit-Development
• adamyordan/cve-2019-1003000-jenkins-rce-poc
• slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins
• 1NTheKut/CVE-2019-1003000_RCE-DETECTION
• purple-WL/Jenkins_CVE-2019-1003000

CVE-2019-1010054 (2019-07-18)

Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malitious html to change user password, disable users and disable password encryptation. The component is: Function User password change, user disable and password encryptation. The attack vector is: admin access malitious urls.

• chaizeg/CSRF-breach

CVE-2019-1010174 (2019-07-25)

CImg The CImg Library v.2.3.3 and earlier is affected by: command injection. The impact is: RCE. The component is: load_network() function. The attack vector is: Loading an image from a user-controllable url can lead to command injection, because no string sanitization is done on the url. The fixed version is: v.2.3.4.

• NketiahGodfred/CVE-2019-1010174

CVE-2019-1010268 (2019-07-18)

Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.

• Tonyynot14/CVE-2019-1010268

CVE-2019-1010298 (2019-07-15)

Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. The impact is: Code execution in the context of TEE core (kernel). The component is: optee_os. The fixed version is: 3.4.0 and later.

• RKX1209/CVE-2019-1010298

CVE-2019-1020010 (2019-07-29)

Misskey before 10.102.4 allows hijacking a user's token.

• DXY0411/CVE-2019-1020010

2018

CVE-2018-0101 (2018-01-29)

A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device. This vulnerability affects Cisco ASA Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, ASA 1000V Cloud Firewall, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4110 Security Appliance, Firepower 9300 ASA Security Module, Firepower Threat Defense Software (FTD). Cisco Bug IDs: CSCvg35618.

• 1337g/CVE-2018-0101-DOS-POC
• Cymmetria/ciscoasa_honeypot

CVE-2018-0114 (2018-01-04)

A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature (JWS) standard for JSON Web Tokens (JWTs). This standard specifies that a JSON Web Key (JWK) representing a public key can be embedded within the header of a JWS. This public key is then trusted for verification. An attacker could exploit this by forging valid JWS objects by removing the original signature, adding a new public key to the header, and then signing the object using the (attacker-owned) private key associated with the public key embedded in that JWS header.

• zi0Black/POC-CVE-2018-0114
• Logeirs/CVE-2018-0114
• adityathebe/POC-CVE-2018-0114
• Eremiel/CVE-2018-0114
• Starry-lord/CVE-2018-0114
• scumdestroy/CVE-2018-0114
• j4k0m/CVE-2018-0114
• mmeza-developer/CVE-2018-0114
• Pandora-research/CVE-2018-0114-Exploit
• amr9k8/jwt-spoof-tool

CVE-2018-0171 (2018-03-28)

A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts: Triggering a reload of the device, Allowing the attacker to execute arbitrary code on the device, Causing an indefinite loop on the affected device that triggers a watchdog crash. Cisco Bug IDs: CSCvg76186.

• AlrikRr/Cisco-Smart-Exploit

CVE-2018-0202 (2018-03-27)

clamscan in ClamAV before 0.99.4 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms when handling Portable Document Format (.pdf) files sent to an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted .pdf file to an affected device. This action could cause an out-of-bounds read when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition. This concerns pdf_parse_array and pdf_parse_string in libclamav/pdfng.c. Cisco Bug IDs: CSCvh91380, CSCvh91400.

• jaychowjingjie/CVE-2018-0202

CVE-2018-0208 (2018-03-08)

A vulnerability in the web-based management interface of the (cloud based) Cisco Registered Envelope Service could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected service. The vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based management interface of the affected service. An attacker could exploit this vulnerability by persuading a user of the interface to click a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive browser-based information. Cisco Bug IDs: CSCvg74126.

• dima5455/Cve-2018-0208

CVE-2018-0296 (2018-06-07)

A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. The vulnerability is due to lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic. This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 1000V Cloud Firewall, ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, FTD Virtual (FTDv). Cisco Bug IDs: CSCvi16029.

• milo2012/CVE-2018-0296
• yassineaboukir/CVE-2018-0296
• bhenner1/CVE-2018-0296
• qiantu88/CVE-2018-0296

CVE-2018-0708 (2018-07-16)

Command injection vulnerability in networking of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.

• ntkernel0/CVE-2019-0708

CVE-2018-0798 (2018-01-10)

Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability".

• Sunqiz/CVE-2018-0798-reproduction

CVE-2018-0802 (2018-01-10)

Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE is unique from CVE-2018-0797 and CVE-2018-0812.

• zldww2011/CVE-2018-0802_POC
• rxwx/CVE-2018-0802
• Ridter/RTF_11882_0802
• likekabin/CVE-2018-0802_CVE-2017-11882
• roninAPT/CVE-2018-0802
• Abdibimantara/Maldoc-Analysis

CVE-2018-0824 (2018-05-09)

A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

• codewhitesec/UnmarshalPwn

CVE-2018-0834 (2018-02-15)

Microsoft Edge and ChakraCore in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows remote code execution, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2018-0835, CVE-2018-0836, CVE-2018-0837, CVE-2018-0838, CVE-2018-0840, CVE-2018-0856, CVE-2018-0857, CVE-2018-0858, CVE-2018-0859, CVE-2018-0860, CVE-2018-0861, and CVE-2018-0866.

• SpiralBL0CK/-CVE-2018-0834-aab-aar

CVE-2018-0886 (2018-03-14)

The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709 Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates request during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".

• preempt/credssp

CVE-2018-0952 (2018-08-15)

An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations, aka "Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Microsoft Visual Studio, Windows 10 Servers.

• atredispartners/CVE-2018-0952-SystemCollector

CVE-2018-0959 (2018-05-09)

A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system, aka "Hyper-V Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

• pwndorei/CVE-2018-0959

CVE-2018-14

• lckJack/legacySymfony

CVE-2018-1010 (2018-04-12)

A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1012, CVE-2018-1013, CVE-2018-1015, CVE-2018-1016.

• ymgh96/Detecting-the-patch-of-CVE-2018-1010

CVE-2018-1026 (2018-04-12)

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability." This affects Microsoft Office. This CVE ID is unique from CVE-2018-1030.

• ymgh96/Detecting-the-CVE-2018-1026-and-its-patch

CVE-2018-1042 (2018-01-22)

Moodle 3.x has Server Side Request Forgery in the filepicker.

• UDPsycho/Moodle-CVE-2018-1042

CVE-2018-1088 (2018-04-18)

A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.

• MauroEldritch/GEVAUDAN

CVE-2018-1111 (2018-05-17)

DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

• knqyf263/CVE-2018-1111
• kkirsche/CVE-2018-1111
• baldassarreFe/FEP3370-advanced-ethical-hacking

CVE-2018-1123 (2018-05-23)

procps-ng before version 3.3.15 is vulnerable to a denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maps a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service).

• aravinddathd/CVE-2018-1123

CVE-2018-1133 (2018-05-25)

An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection.

• darrynten/MoodleExploit
• Feidao-fei/MOODLE-3.X-Remote-Code-Execution
• That-Guy-Steve/CVE-2018-1133-Exploit

CVE-2018-1160 (2018-12-20)

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

• SachinThanushka/CVE-2018-1160

CVE-2018-1207 (2018-03-23)

Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to execute remote code.

• mgargiullo/cve-2018-1207
• un4gi/CVE-2018-1207

CVE-2018-1235 (2018-05-29)

Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contain a command injection vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to execute arbitrary commands on the affected system with root privilege.

• AbsoZed/CVE-2018-1235

CVE-2018-1259 (2018-05-11)

Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

• tafamace/CVE-2018-1259

CVE-2018-1263 (2018-05-15)

Addresses partial fix in CVE-2018-1261. Pivotal spring-integration-zip, versions prior to 1.0.2, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

• sakib570/CVE-2018-1263-Demo

CVE-2018-1270 (2018-04-06)

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

• CaledoniaProject/CVE-2018-1270
• genxor/CVE-2018-1270_EXP
• tafamace/CVE-2018-1270
• Venscor/CVE-2018-1270
• mprunet/owasp-formation-cve-2018-1270

CVE-2018-1273 (2018-04-11)

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.

• knqyf263/CVE-2018-1273
• wearearima/poc-cve-2018-1273
• webr0ck/poc-cve-2018-1273
• cved-sources/cve-2018-1273
• jas502n/cve-2018-1273

CVE-2018-1285 (2020-05-11)

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

• alex-ermolaev/Log4NetSolarWindsSNMP-

CVE-2018-1288 (2018-07-26)

In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.

• joegallagher4/CVE-2018-1288-

CVE-2018-1297 (2018-02-13)

When using Distributed Test only (RMI based), Apache JMeter 2.x and 3.x uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.

• Al1ex/CVE-2018-1297
• 48484848484848/Jmeter-CVE-2018-1297-

CVE-2018-1304 (2018-02-28)

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

• knqyf263/CVE-2018-1304
• thariyarox/tomcat_CVE-2018-1304_testing

CVE-2018-1305 (2018-02-23)

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

• Pa55w0rd/CVE-2018-1305

CVE-2018-1306 (2018-06-27)

The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto version 3.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict path information provided during a file upload. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

• JJSO12/Apache-Pluto-3.0.0--CVE-2018-1306

CVE-2018-1311 (2019-12-18)

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.

• johnjamesmccann/xerces-3.2.3-DTD-hotfix

CVE-2018-1313 (2018-05-07)

In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.

• tafamace/CVE-2018-1313

CVE-2018-1324 (2018-03-16)

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

• tafamace/CVE-2018-1324

CVE-2018-1335 (2018-04-25)

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

• SkyBlueEternal/CVE-2018-1335-EXP-GUI
• N0b1e6/CVE-2018-1335-Python3
• canumay/cve-2018-1335
• siramk/CVE-2018-1335
• DigitalNinja00/CVE-2018-1335

CVE-2018-1932 (2019-01-08)

IBM API Connect 5.0.0.0 through 5.0.8.4 is affected by a vulnerability in the role-based access control in the management server that could allow an authenticated user to obtain highly sensitive information. IBM X-Force ID: 153175.

• BKreisel/CVE-2018-1932X

CVE-2018-2380 (2018-03-01)

SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.

• erpscanteam/CVE-2018-2380

CVE-2018-2392 (2018-02-14)

Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49, 7.53, fails to validate XML External Entity appropriately causing the SAP Internet Graphics Server (IGS) to become unavailable.

• Vladimir-Ivanov-Git/sap_igs_xxe

CVE-2018-2628 (2018-04-19)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• forlin/CVE-2018-2628
• shengqi158/CVE-2018-2628
• skydarker/CVE-2018-2628
• jiansiting/weblogic-cve-2018-2628
• zjxzjx/CVE-2018-2628-detect
• aedoo/CVE-2018-2628-MultiThreading
• victor0013/CVE-2018-2628
• 9uest/CVE-2018-2628
• Shadowshusky/CVE-2018-2628all
• shaoshore/CVE-2018-2628
• tdy218/ysoserial-cve-2018-2628
• wrysunny/cve-2018-2628
• jas502n/CVE-2018-2628
• stevenlinfeng/CVE-2018-2628
• likekabin/CVE-2018-2628
• Nervous/WebLogic-RCE-exploit
• Lighird/CVE-2018-2628
• 0xMJ/CVE-2018-2628
• 0xn0ne/weblogicScanner
• seethen/cve-2018-2628
• BabyTeam1024/cve-2018-2628
• cscadoge/weblogic-cve-2018-2628

CVE-2018-2636 (2018-01-18)

Vulnerability in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (subcomponent: Security). Supported versions that are affected are 2.7, 2.8 and 2.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality Simphony. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality Simphony. CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

• erpscanteam/CVE-2018-2636
• Cymmetria/micros_honeypot

CVE-2018-2844 (2018-04-19)

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

• renorobert/virtualbox-cve-2018-2844

CVE-2018-2879 (2018-04-19)

Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine). Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. Note: Please refer to Doc ID <a href="http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=2386496.1">My Oracle Support Note 2386496.1 for instructions on how to address this issue. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

• MostafaSoliman/Oracle-OAM-Padding-Oracle-CVE-2018-2879-Exploit
• AymanElSherif/oracle-oam-authentication-bypas-exploit
• redtimmy/OAMBuster

CVE-2018-2893 (2018-07-18)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• sry309/CVE-2018-2893
• artofwar344/CVE-2018-2893
• bigsizeme/CVE-2018-2893
• pyn3rd/CVE-2018-2893
• qianl0ng/CVE-2018-2893
• jas502n/CVE-2018-2893
• ianxtianxt/CVE-2018-2893

CVE-2018-2894 (2018-07-18)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• 111ddea/cve-2018-2894
• LandGrey/CVE-2018-2894
• jas502n/CVE-2018-2894
• k8gege/PyLadon

CVE-2018-3191 (2018-10-17)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• arongmh/CVE-2018-3191
• m00zh33/CVE-2018-3191
• Libraggbond/CVE-2018-3191
• jas502n/CVE-2018-3191
• mackleadmire/CVE-2018-3191-Rce-Exploit

CVE-2018-3245 (2018-10-17)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• pyn3rd/CVE-2018-3245
• jas502n/CVE-2018-3245
• ianxtianxt/CVE-2018-3245

CVE-2018-3252 (2018-10-17)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• jas502n/CVE-2018-3252
• go-spider/CVE-2018-3252
• pyn3rd/CVE-2018-3252

CVE-2018-3260

• ionescu007/SpecuCheck

CVE-2018-3295 (2018-10-17)

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

• ndureiss/e1000_vulnerability_exploit
• jeongzero8732/cve-2018-3295

CVE-2018-3608 (2018-07-06)

A vulnerability in Trend Micro Maximum Security's (Consumer) 2018 (versions 12.0.1191 and below) User-Mode Hooking (UMH) driver could allow an attacker to create a specially crafted packet that could alter a vulnerable system in such a way that malicious code could be injected into other processes.

• gguaiker/Trend_Micro_POC

CVE-2018-3639 (2018-05-22)

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.

• tyhicks/ssbd-tools
• malindarathnayake/Intel-CVE-2018-3639-Mitigation_RegistryUpdate
• mmxsrup/CVE-2018-3639
• Shuiliusheng/CVE-2018-3639-specter-v4-

CVE-2018-3760 (2018-06-26)

There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.

• mpgn/CVE-2018-3760
• cyberharsh/Ruby-On-Rails-Path-Traversal-Vulnerability-CVE-2018-3760-
• wudidwo/CVE-2018-3760-poc

CVE-2018-3783 (2018-08-17)

A privilege escalation detected in flintcms versions <= 1.1.9 allows account takeover due to blind MongoDB injection in password reset.

• nisaruj/nosqli-flintcms

CVE-2018-3786 (2018-08-24)

A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument.

• erik-krogh/egg-scripts-CVE-2018-3786

CVE-2018-3810 (2018-01-01)

Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages served by WordPress. The saveGoogleCode() function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code.

• lucad93/CVE-2018-3810
• cved-sources/cve-2018-3810
• nth347/CVE-2018-3810_exploit

CVE-2018-3811 (2018-01-01)

SQL Injection vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to execute SQL queries in the context of the web server. The saveGoogleAdWords() function in smartgooglecode.php did not use prepared statements and did not sanitize the $_POST["oId"] variable before passing it as input into the SQL query.

• cved-sources/cve-2018-3811

CVE-2018-4013 (2018-10-19)

An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library version 0.92. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.

• DoubleMice/cve-2018-4013
• r3dxpl0it/RTSPServer-Code-Execution-Vulnerability

CVE-2018-4084 (2018-04-03)

An issue was discovered in certain Apple products. macOS before 10.13.3 is affected. The issue involves the "Wi-Fi" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.

• dybrkr/wifi_leak

CVE-2018-4087 (2018-04-03)

An issue was discovered in certain Apple products. iOS before 11.2.5 is affected. tvOS before 11.2.5 is affected. watchOS before 4.2.2 is affected. The issue involves the "Core Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

• rani-i/bluetoothdPoC
• MTJailed/UnjailMe
• joedaguy/Exploit11.2

CVE-2018-4110 (2018-04-03)

An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "Web App" component. It allows remote attackers to bypass intended restrictions on cookie persistence.

• bencompton/ios11-cookie-set-expire-issue

CVE-2018-4121 (2018-04-03)

An issue was discovered in certain Apple products. iOS before 11.3 is affected. Safari before 11.1 is affected. iCloud before 7.4 on Windows is affected. iTunes before 12.7.4 on Windows is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

• FSecureLABS/CVE-2018-4121
• likekabin/CVE-2018-4121
• jezzus/CVE-2018-4121

CVE-2018-4124 (2018-04-03)

An issue was discovered in certain Apple products. iOS before 11.2.6 is affected. macOS before 10.13.3 Supplemental Update is affected. tvOS before 11.2.6 is affected. watchOS before 4.2.3 is affected. The issue involves the "CoreText" component. It allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via a crafted string containing a certain Telugu character.

• jamf/TELUGU_CVE-2018-4124_POC

CVE-2018-4150 (2018-04-03)

An issue was discovered in certain Apple products. iOS before 11.3 is affected. macOS before 10.13.4 is affected. tvOS before 11.3 is affected. watchOS before 4.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

• Jailbreaks/CVE-2018-4150
• rpwnage/LovelySn0w
• littlelailo/incomplete-exploit-for-CVE-2018-4150-bpf-filter-poc-

CVE-2018-4185 (2019-01-11)

In iOS before 11.3, tvOS before 11.3, watchOS before 4.3, and macOS before High Sierra 10.13.4, an information disclosure issue existed in the transition of program state. This issue was addressed with improved state handling.

• bazad/x18-leak
• xigexbh/bazad1
• Giler2004/bazad1

CVE-2018-4193 (2018-06-08)

An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Windows Server" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

• Synacktiv-contrib/CVE-2018-4193

CVE-2018-4233 (2018-06-08)

An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

• saelo/cve-2018-4233

CVE-2018-4241 (2018-06-08)

An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Kernel" component. A buffer overflow in mptcp_usr_connectx allows attackers to execute arbitrary code in a privileged context via a crafted app.

• 0neday/multi_path

CVE-2018-4242 (2018-06-08)

An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "Hypervisor" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

• yeonnic/Look-at-The-XNU-Through-A-Tube-CVE-2018-4242-Write-up-Translation-

CVE-2018-4243 (2018-06-08)

An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Kernel" component. A buffer overflow in getvolattrlist allows attackers to execute arbitrary code in a privileged context via a crafted app.

• Jailbreaks/empty_list

CVE-2018-4248 (2019-04-03)

An out-of-bounds read was addressed with improved input validation. This issue affected versions prior to iOS 11.4.1, macOS High Sierra 10.13.6, tvOS 11.4.1, watchOS 4.3.2.

• bazad/xpc-string-leak

CVE-2018-4280 (2019-04-03)

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 11.4.1, macOS High Sierra 10.13.6, tvOS 11.4.1, watchOS 4.3.2.

• bazad/launchd-portrep
• bazad/blanket

CVE-2018-4327 (2019-04-03)

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 11.4.1.

• omerporze/brokentooth
• harryanon/POC-CVE-2018-4327-and-CVE-2018-4330

CVE-2018-4330 (2019-01-11)

In iOS before 11.4, a memory corruption issue exists and was addressed with improved memory handling.

• omerporze/toothfairy

CVE-2018-4331 (2019-04-03)

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12, watchOS 5.

• bazad/gsscred-race

CVE-2018-4343 (2019-04-03)

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12, watchOS 5.

• bazad/gsscred-move-uaf

CVE-2018-4407 (2019-04-03)

A memory corruption issue was addressed with improved validation. This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12, watchOS 5.

• Pa55w0rd/check_icmp_dos
• unixpickle/cve-2018-4407
• s2339956/check_icmp_dos-CVE-2018-4407-
• farisv/AppleDOS
• WyAtu/CVE-2018-4407
• zteeed/CVE-2018-4407-IOS
• SamDecrock/node-cve-2018-4407
• r3dxpl0it/CVE-2018-4407
• lucagiovagnoli/CVE-2018-4407
• anonymouz4/Apple-Remote-Crash-Tool-CVE-2018-4407
• soccercab/wifi
• zeng9t/CVE-2018-4407-iOS-exploit
• 5431/CVE-2018-4407
• pwnhacker0x18/iOS-Kernel-Crash
• Fans0n-Fan/CVE-2018-4407
• szabo-tibor/CVE-2018-4407

CVE-2018-4411 (2019-04-03)

A memory corruption issue was addressed with improved input validation. This issue affected versions prior to macOS Mojave 10.14.

• lilang-wu/POC-CVE-2018-4411

CVE-2018-4415 (2019-04-03)

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to macOS Mojave 10.14.1.

• T1V0h/CVE-2018-4415

CVE-2018-4416 (2019-04-03)

Multiple memory corruption issues were addressed with improved memory handling. This issue affected versions prior to iOS 12.1, tvOS 12.1, watchOS 5.1, Safari 12.0.1, iTunes 12.9.1, iCloud for Windows 7.8.

• erupmi/CVE-2018-4416-exploit

CVE-2018-4431 (2019-04-03)

A memory initialization issue was addressed with improved memory handling. This issue affected versions prior to iOS 12.1.1, macOS Mojave 10.14.2, tvOS 12.1.1, watchOS 5.1.2.

• ktiOSz/PoC_iOS12

CVE-2018-4441 (2019-04-03)

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 12.1.1, tvOS 12.1.1, watchOS 5.1.2, Safari 12.0.2, iTunes 12.9.2 for Windows, iCloud for Windows 7.9.

• Cryptogenic/PS4-6.20-WebKit-Code-Execution-Exploit

CVE-2018-4878 (2018-02-06)

A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to media player handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018.

• ydl555/CVE-2018-4878-
• mdsecactivebreach/CVE-2018-4878
• demonsec666/CVE-2018-4878
• vysecurity/CVE-2018-4878
• KathodeN/CVE-2018-4878
• SyFi/CVE-2018-4878
• ydl555/CVE-2018-4878
• B0fH/CVE-2018-4878
• Yable/CVE-2018-4878
• HuanWoWeiLan/SoftwareSystemSecurity-2019
• lvyoshino/CVE-2018-4878

CVE-2018-4879 (2018-02-27)

An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. The vulnerability is caused by the computation that writes data past the end of the intended buffer; the computation is part of the image conversion module that processes Enhanced Metafile Format Plus (EMF+) data. An attacker can potentially leverage the vulnerability to corrupt sensitive data or execute arbitrary code.

• H3llozy/CVE-2018-4879

CVE-2018-4901 (2018-02-27)

An issue was discovered in Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions. The vulnerability is caused by the computation that writes data past the end of the intended buffer; the computation is part of the document identity representation. An attacker can potentially leverage the vulnerability to corrupt sensitive data or execute arbitrary code.

• bigric3/CVE-2018-4901

CVE-2018-5146 (2018-06-11)

An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7.

• f01965/CVE-2018-5146

CVE-2018-5158 (2018-06-11)

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.

• puzzle-tools/-CVE-2018-5158.pdf

CVE-2018-5234 (2018-04-30)

The Norton Core router prior to v237 may be susceptible to a command injection exploit. This is a type of attack in which the goal is execution of arbitrary commands on the host system via vulnerable software.

• embedi/ble_norton_core
• saruman9/ble_connect_rust

CVE-2018-5333 (2018-01-11)

In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.

• hoanganh2k/cve-2018-5333

CVE-2018-5353 (2020-09-29)

The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required

• missing0x00/CVE-2018-5353

CVE-2018-5354 (2020-09-29)

The custom GINA/CP module in ANIXIS Password Reset Client before version 3.22 allows remote attackers to execute code and escalate privileges via spoofing. When the client is configured to use HTTP, it does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP.

• missing0x00/CVE-2018-5354

CVE-2018-5711 (2018-01-16)

gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.

• huzhenghui/Test-7-2-0-PHP-CVE-2018-5711
• huzhenghui/Test-7-2-1-PHP-CVE-2018-5711

CVE-2018-5740 (2019-01-16)

"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c. Affects BIND 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4, 9.12.0->9.12.2, 9.13.0->9.13.2.

• sischkg/cve-2018-5740

CVE-2018-5767 (2018-02-15)

An issue was discovered on Tenda AC15 V15.03.1.16_multi devices. A remote, unauthenticated attacker can gain remote code execution on the device with a crafted password parameter for the COOKIE header.

• db44k/CVE-2018-5767-AC9
• Scorpion-Security-Labs/CVE-2018-5767-AC9

CVE-2018-5873 (2018-07-06)

An issue was discovered in the __ns_get_path function in fs/nsfs.c in the Linux kernel before 4.11. Due to a race condition when accessing files, a Use After Free condition can occur. This also affects all Android releases from CAF using the Linux kernel (Android for MSM, Firefox OS for MSM, QRD Android) before security patch level 2018-07-05.

• Trinadh465/linux-4.1.15_CVE-2018-5873

CVE-2018-5951 (2020-03-02)

An issue was discovered in Mikrotik RouterOS. Crafting a packet that has a size of 1 byte and sending it to an IPv6 address of a RouterOS box with IP Protocol 97 will cause RouterOS to reboot imminently. All versions of RouterOS that supports EoIPv6 are vulnerable to this attack.

• Nat-Lab/CVE-2018-5951

CVE-2018-5955 (2018-01-21)

An issue was discovered in GitStack through 2.3.10. User controlled input is not sufficiently filtered, allowing an unauthenticated attacker to add a user to the server via the username and password fields to the rest/user/ URI.

• b0bac/GitStackRCE
• YagamiiLight/Cerberus
• MikeTheHash/CVE-2018-5955

CVE-2018-6065 (2018-11-14)

Integer overflow in computing the required allocation size when instantiating a new javascript object in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

• b1tg/CVE-2018-6065-exploit

CVE-2018-6066 (2018-11-14)

Lack of CORS checking by ResourceFetcher/ResourceLoader in Blink in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

• DISREL/Ring0VBA

CVE-2018-6242 (2018-05-01)

Some NVIDIA Tegra mobile processors released prior to 2016 contain a buffer overflow vulnerability in BootROM Recovery Mode (RCM). An attacker with physical access to the device's USB and the ability to force the device to reboot into RCM could exploit the vulnerability to execute unverified code.

• DavidBuchanan314/NXLoader
• reswitched/rcm-modchips
• ChrisFigura/react-tegra-payload-launcher
• austinhartzheim/fusee-gelee
• Swiftloke/fusee-toy

CVE-2018-6341 (2018-12-31)

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

• diwangs/react16-ssr

CVE-2018-6376 (2018-01-30)

In Joomla! before 3.8.4, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.

• knqyf263/CVE-2018-6376

CVE-2018-6389 (2018-02-06)

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.

• yolabingo/wordpress-fix-cve-2018-6389
• safebuffer/CVE-2018-6389
• rastating/modsecurity-cve-2018-6389
• knqyf263/CVE-2018-6389
• JulienGadanho/cve-2018-6389-php-patcher
• dsfau/wordpress-CVE-2018-6389
• Jetserver/CVE-2018-6389-FIX
• thechrono13/PoC---CVE-2018-6389
• BlackRouter/cve-2018-6389
• alessiogilardi/PoC---CVE-2018-6389
• JavierOlmedo/wordpress-cve-2018-6389
• m3ssap0/wordpress_cve-2018-6389
• s0md3v/Shiva
• mudhappy/Wordpress-Hack-CVE-2018-6389
• armaanpathan12345/WP-DOS-Exploit-CVE-2018-6389
• ItinerisLtd/trellis-cve-2018-6389
• Zazzzles/Wordpress-DOS
• fakedob/tvsz
• vineetkia/Wordpress-DOS-Attack-CVE-2018-6389
• ianxtianxt/CVE-2018-6389
• amit-pathak009/CVE-2018-6389-FIX

CVE-2018-6396 (2018-02-17)

SQL Injection exists in the Google Map Landkarten through 4.2.3 component for Joomla! via the cid or id parameter in a layout=form_markers action, or the map parameter in a layout=default action.

• JavierOlmedo/joomla-cve-2018-6396

CVE-2018-6407 (2018-01-30)

An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 devices. An unauthenticated attacker can crash a device by sending a POST request with a huge body size to /hy-cgi/devices.cgi?cmd=searchlandevice. The crash completely freezes the device.

• dreadlocked/ConceptronicIPCam_MultipleVulnerabilities

CVE-2018-6479 (2018-01-31)

An issue was discovered on Netwave IP Camera devices. An unauthenticated attacker can crash a device by sending a POST request with a huge body size to the / URI.

• dreadlocked/netwave-dosvulnerability
• LeQuocKhanh2K/Tool_Camera_Exploit_Netwave_CVE-2018-6479

CVE-2018-6518 (2018-04-26)

Composr CMS 10.0.13 has XSS via the site_name parameter in a page=admin-setupwizard&type=step3 request to /adminzone/index.php.

• faizzaidi/Composr-CMS-10.0.13-Cross-Site-Scripting-XSS

CVE-2018-6546 (2018-04-13)

plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming Evolved products, executes code at a user-defined (local or SMB) path as SYSTEM when the execute_installer parameter is used in an HTTP message. This occurs without properly authenticating the user.

• securifera/CVE-2018-6546-Exploit

CVE-2018-6574 (2018-02-07)

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

• acole76/cve-2018-6574
• neargle/Go-Get-RCE-CVE-2018-6574-POC
• wb4r/go-get-rce
• ahmetmanga/go-get-rce
• ahmetmanga/cve-2018-6574
• redirected/cve-2018-6574
• 20matan/CVE-2018-6574-POC
• zur250/Zur-Go-GET-RCE-Solution
• mekhalleh/cve-2018-6574
• veter069/go-get-rce
• duckzsc2/CVE-2018-6574-POC
• dollyptm/cve-2018-6574
• qweraqq/CVE-2018-6574
• d4rkshell/go-get-rce
• chaosura/CVE-2018-6574
• french560/ptl6574
• InfoSecJack/CVE-2018-6574
• asavior2/CVE-2018-6574
• drset/golang
• frozenkp/CVE-2018-6574
• kev-ho/cve-2018-6574-payload
• sdosis/cve-2018-6574
• No1zy/CVE-2018-6574-PoC
• nthuong95/CVE-2018-6574
• AdriVillaB/CVE-2018-6574
• yitingfan/CVE-2018-6574_demo
• mhamed366/CVE-2018-6574
• Eugene24/CVE-2018-6574
• coblax/CVE-2018-6574
• darthvader-htb/CVE-2018-6574
• it3x55/CVE-2018-6574
• Malone5923/CVE-2018-6574-go-get-RCE
• illnino/CVE-2018-6574
• TakuCoder/CVE-2018-6574
• kawkab101/cve-2018-6574
• lsnakazone/cve-2018-6574
• pswalia2u/CVE-2018-6574
• jongmartinez/CVE-2018-6574-POC
• azzzzzzzzzzzzzzzzz/CVE-2018-6574
• noname-nohost/CVE-2018-6574
• shadofren/CVE-2018-6574
• NikolaT3sla/cve-2018-6574
• vishack/CVE-2018-6574
• PLP-Orange/cve-2018-6574-exercise
• purgedemo/CVE-2018-6574
• purgedemo/CVE-2018-6574_2
• killtr0/POC-CVE-2018-6574
• theJuan1112/pentesterlab-cve-2018-6574
• MohamedTarekq/test-CVE-2018-6574-
• OLAOLAOLA789/CVE-2018-6574
• repos13579/labCVE-2018-6574
• sec000/cve-2018-6574
• jaya522/CVE-2018-6574-go-get-RCE
• noobTest1122/CVE-2018-6574
• ErnestZiemkowski/cve-2018-6574
• l3ouu4n9/CVE-2018-6574-POC
• R3dAlch3mist/cve-2018-6574
• Devang-Solanki/CVE-2018-6574
• ItsFadinG/CVE-2018-6574
• imojne/CVE-2018-6574-POC
• twseptian/cve-2018-6574
• the-valluvarsploit/CVE-2018-6574
• yavolo/CVE-2018-6574
• jftierno/CVE-2018-6574
• Cypheer/exploit_CVE-2018-6574
• jftierno/CVE-2018-6574-2
• tjcim/cve-2018-6574
• markisback/CVE-2018-6574
• hasharmujahid/CVE-2018-6574-go-get-RCE
• jeyaseelans86/CVE-2018-6574
• jeyaseelans86/new-CVE-2018-6574
• chr1sM/CVE-2018-6574
• mux0x/CVE-2018-6574
• seoqqq/CVE-2018-6574
• antunesmpedro/CVE-2018-6574
• jahwni/CVE-2018-6574
• NsByte/CVE-2018-6574
• Zeeshan12340/CVE-2018-6574
• moTorky/CVE-2018-6574-POC
• Ashved9/Orange
• zerbaliy3v/cve-2018-6574-exploit
• jftierno/-CVE-2018-6574
• faiqu3/cve-2018-6574
• Dannners/CVE-2018-6574-go-get-RCE
• bme2003/CVE-2018-6574
• iNoSec2/cve-2018-6574
• faqihudin13/CVE-2018-6574
• lisu60/cve-2018-6574
• Saboor-Hakimi/CVE-2018-6574

CVE-2018-6622 (2018-08-17)

An issue was discovered that affects all producers of BIOS firmware who make a certain realistic interpretation of an obscure portion of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2.0 specification. An abnormal case is not handled properly by this firmware while S3 sleep and can clear TPM 2.0. It allows local users to overwrite static PCRs of TPM and neutralize the security features of it, such as seal/unseal and remote attestation.

• kkamagui/napper-for-tpm

CVE-2018-6643 (2018-08-28)

Infoblox NetMRI 7.1.1 has Reflected Cross-Site Scripting via the /api/docs/index.php query parameter.

• undefinedmode/CVE-2018-6643

CVE-2018-6789 (2018-02-08)

An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.

• c0llision/exim-vuln-poc
• beraphin/CVE-2018-6789
• synacktiv/Exim-CVE-2018-6789
• martinclauss/exim-rce-cve-2018-6789
• thistehneisen/CVE-2018-6789-Python3

CVE-2018-6791 (2018-02-07)

An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains `` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a shell command, leading to a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)" -- this will create a file called b in the home folder.

• rarar0/KDE_Vuln

CVE-2018-6890 (2018-02-22)

Cross-site scripting (XSS) vulnerability in Wolf CMS 0.8.3.1 via the page editing feature, as demonstrated by /?/admin/page/edit/3.

• pradeepjairamani/WolfCMS-XSS-POC

CVE-2018-6892 (2018-02-11)

An issue was discovered in CloudMe before 1.11.0. An unauthenticated remote attacker that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the program's execution flow and allowing arbitrary code execution.

• manojcode/CloudMe-Sync-1.10.9---Buffer-Overflow-SEH-DEP-Bypass
• manojcode/-Win10-x64-CloudMe-Sync-1.10.9-Buffer-Overflow-SEH-DEP-Bypass
• latortuga71/CVE-2018-6892-Golang

CVE-2018-6905 (2018-04-08)

The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], as demonstrated by an admin entering a crafted site name during the installation process.

• pradeepjairamani/TYPO3-XSS-POC
• dnr6419/CVE-2018-6905

CVE-2018-6961 (2018-06-11)

VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on untrusted networks. VeloCloud by VMware will be removing this service from the product in future releases. Successful exploitation of this issue could result in remote code execution.

• bokanrb/CVE-2018-6961
• r3dxpl0it/CVE-2018-6961

CVE-2018-6981 (2018-12-04)

VMware ESXi 6.7 without ESXi670-201811401-BG and VMware ESXi 6.5 without ESXi650-201811301-BG, VMware ESXi 6.0 without ESXi600-201811401-BG, VMware Workstation 15, VMware Workstation 14.1.3 or below, VMware Fusion 11, VMware Fusion 10.1.3 or below contain uninitialized stack memory usage in the vmxnet3 virtual network adapter which may allow a guest to execute code on the host.

• LxKxC/vmxnet3Hunter

CVE-2018-7171 (2018-03-30)

Directory traversal vulnerability in Twonky Server 7.0.11 through 8.5 allows remote attackers to share the contents of arbitrary directories via a .. (dot dot) in the contentbase parameter to rpc/set_all.

• mechanico/sharingIsCaring

CVE-2018-7197 (2018-02-18)

An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to inject arbitrary web script or HTML into admin/blog Reaction Comments via a crafted URL.

• Alyssa-o-Herrera/CVE-2018-7197

CVE-2018-7211 (2018-02-18)

An issue was discovered in iDashboards 9.6b. The SSO implementation is affected by a weak obfuscation library, allowing man-in-the-middle attackers to discover credentials.

• c3r34lk1ll3r/CVE-2018-7211-PoC

CVE-2018-7249 (2018-02-26)

An issue was discovered in secdrv.sys as shipped in Microsoft Windows Vista, Windows 7, Windows 8, and Windows 8.1 before KB3086255, and as shipped in Macrovision SafeDisc. Two carefully timed calls to IOCTL 0xCA002813 can cause a race condition that leads to a use-after-free. When exploited, an unprivileged attacker can run arbitrary code in the kernel.

• Elvin9/NotSecDrv

CVE-2018-7250 (2018-02-26)

An issue was discovered in secdrv.sys as shipped in Microsoft Windows Vista, Windows 7, Windows 8, and Windows 8.1 before KB3086255, and as shipped in Macrovision SafeDisc. An uninitialized kernel pool allocation in IOCTL 0xCA002813 allows a local unprivileged attacker to leak 16 bits of uninitialized kernel PagedPool data.

• Elvin9/SecDrvPoolLeak

CVE-2018-7273 (2018-02-21)

In the Linux kernel through 4.15.4, the floppy driver reveals the addresses of kernel functions and global variables using printk calls within the function show_floppy in drivers/block/floppy.c. An attacker can read this information from dmesg and use the addresses to find the locations of kernel code and data and bypass kernel security protections such as KASLR.

• jedai47/CVE-2018-7273

CVE-2018-7284 (2018-02-22)

A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. When processing a SUBSCRIBE request, the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed, despite having a fixed limit of 32. If more than 32 Accept headers were present, the code would write outside of its memory and cause a crash.

• Rodrigo-D/astDoS

CVE-2018-7422 (2018-03-19)

A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php, aka absolute path traversal.

• 0x00-0x00/CVE-2018-7422
• jessisec/CVE-2018-7422
• JacobEbben/CVE-2018-7422

CVE-2018-7448 (2018-02-26)

Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.

• b1d0ws/exploit-cve-2018-7448

CVE-2018-7449 (2018-03-04)

SEGGER FTP Server for Windows before 3.22a allows remote attackers to cause a denial of service (daemon crash) via an invalid LIST, STOR, or RETR command.

• antogit-sys/CVE-2018-7449

CVE-2018-7489 (2018-02-26)

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

• tafamace/CVE-2018-7489

CVE-2018-7490 (2018-02-26)

uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.

• qinzhu111/uWSGI-CVE-2018-7490-POC

CVE-2018-7600 (2018-03-29)

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

• g0rx/CVE-2018-7600-Drupal-RCE
• a2u/CVE-2018-7600
• dreadlocked/Drupalgeddon2
• knqyf263/CVE-2018-7600
• dr-iman/CVE-2018-7600-Drupal-0day-RCE
• jirojo2/drupalgeddon2
• dwisiswant0/CVE-2018-7600
• thehappydinoa/CVE-2018-7600
• sl4cky/CVE-2018-7600
• sl4cky/CVE-2018-7600-Masschecker
• firefart/CVE-2018-7600
• pimps/CVE-2018-7600
• lorddemon/drupalgeddon2
• Hestat/drupal-check
• Damian972/drupalgeddon-2
• soch4n/CVE-2018-7600
• happynote3966/CVE-2018-7600
• shellord/CVE-2018-7600-Drupal-RCE
• r3dxpl0it/CVE-2018-7600
• cved-sources/cve-2018-7600
• madneal/codeql-scanner
• drugeddon/drupal-exploit
• shellord/Drupalgeddon-Mass-Exploiter
• zhzyker/CVE-2018-7600-Drupal-POC-EXP
• rabbitmask/CVE-2018-7600-Drupal7
• ynsmroztas/drupalhunter
• ruthvikvegunta/Drupalgeddon2
• ludy-dev/drupal8-REST-RCE
• 0xAJ2K/CVE-2018-7600
• rafaelcaria/drupalgeddon2-CVE-2018-7600
• vphnguyen/ANM_CVE-2018-7600
• banomaly/CVE-2018-7600
• anldori/CVE-2018-7600
• r0lh/CVE-2018-7600
• killeveee/CVE-2018-7600
• raytran54/CVE-2018-7600

CVE-2018-7602 (2018-07-19)

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

• 1337g/Drupalgedon3
• happynote3966/CVE-2018-7602
• kastellanos/CVE-2018-7602
• cyberharsh/DrupalCVE-2018-7602
• 132231g/CVE-2018-7602

CVE-2018-7669 (2018-04-27)

An issue was discovered in Sitecore Sitecore.NET 8.1 rev. 151207 Hotfix 141178-1 and above. The 'Log Viewer' application is vulnerable to a directory traversal attack, allowing an attacker to access arbitrary files from the host Operating System using a sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file= URI. Validation is performed to ensure that the text passed to the 'file' parameter correlates to the correct log file directory. This filter can be bypassed by including a valid log filename and then appending a traditional 'dot dot' style attack.

• palaziv/CVE-2018-7669

CVE-2018-7690 (2018-12-13)

A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access

• alt3kx/CVE-2018-7690

CVE-2018-7691 (2018-12-13)

A potential Remote Unauthorized Access in Micro Focus Fortify Software Security Center (SSC), versions 17.10, 17.20, 18.10 this exploitation could allow Remote Unauthorized Access

• alt3kx/CVE-2018-7691

CVE-2018-7747 (2018-04-20)

Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a greeting message, (2) the email transaction log, or (3) an imported form.

• mindpr00f/CVE-2018-7747

CVE-2018-7750 (2018-03-13)

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.

• jm33-m0/CVE-2018-7750
• tlavi00/CVE-2018-7750

CVE-2018-7842 (2019-05-22)

A CWE-290: Authentication Bypass by Spoofing vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause an elevation of privilege by conducting a brute force attack on Modbus parameters sent to the controller.

• yanissec/CVE-2018-7842

CVE-2018-7843 (2019-05-22)

A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when reading memory blocks with an invalid data size or with an invalid data offset in the controller over Modbus.

• yanissec/CVE-2018-7843

CVE-2018-7844 (2019-05-22)

A CWE-200: Information Exposure vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of SNMP information when reading memory blocks from the controller over Modbus.

• yanissec/CVE-2018-7844

CVE-2018-7845 (2019-05-22)

A CWE-125: Out-of-bounds Read vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of unexpected data from the controller when reading specific memory blocks in the controller over Modbus.

• yanissec/CVE-2018-7845

CVE-2018-7846 (2019-05-22)

A CWE-501: Trust Boundary Violation vulnerability on connection to the Controller exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum and Modicon Premium which could cause unauthorized access by conducting a brute force attack on Modbus protocol to the controller.

• yanissec/CVE-2018-7846

CVE-2018-7848 (2019-05-22)

A CWE-200: Information Exposure vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of SNMP information when reading files from the controller over Modbus

• yanissec/CVE-2018-7848

CVE-2018-7849 (2019-05-22)

A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum and Modicon Premium which could cause a possible Denial of Service due to improper data integrity check when sending files the controller over Modbus.

• yanissec/CVE-2018-7849

CVE-2018-7852 (2019-05-22)

A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when an invalid private command parameter is sent to the controller over Modbus.

• yanissec/CVE-2018-7852

CVE-2018-7854 (2019-05-22)

A CWE-248 Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a denial of Service when sending invalid debug parameters to the controller over Modbus.

• yanissec/CVE-2018-7854

CVE-2018-7935 (2023-02-10)

\nThere is a vulnerability in 21.328.01.00.00 version of the E5573Cs-322. Remote attackers could exploit this vulnerability to make the network where the E5573Cs-322 is running temporarily unavailable.\n\n

• lawrenceamer/CVE-2018-7935

CVE-2018-8004 (2018-08-29)

There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with Apache Traffic Server (ATS). This affects versions 6.0.0 to 6.2.2 and 7.0.0 to 7.1.3. To resolve this issue users running 6.x should upgrade to 6.2.3 or later versions and 7.x users should upgrade to 7.1.4 or later versions.

• mosesrenegade/CVE-2018-8004

CVE-2018-8021 (2018-11-07)

Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.

• r3dxpl0it/Apache-Superset-Remote-Code-Execution-PoC-CVE-2018-8021

CVE-2018-8032 (2018-08-02)

Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.

• cairuojin/CVE-2018-8032

CVE-2018-8033 (2018-12-13)

In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitation occurs by having DOCTYPEs pointing to external references that trigger a payload that returns secret information from the host.

• Cappricio-Securities/CVE-2018-8033

CVE-2018-8038 (2018-07-05)

Versions of Apache CXF Fediz prior to 1.4.4 do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters.

• tafamace/CVE-2018-8038

CVE-2018-8039 (2018-07-02)

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

• tafamace/CVE-2018-8039

CVE-2018-8045 (2018-03-14)

In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view.

• luckybool1020/CVE-2018-8045

CVE-2018-8060 (2018-05-10)

HWiNFO AMD64 Kernel driver version 8.98 and lower allows an unprivileged user to send an IOCTL to the device driver. If input and/or output buffer pointers are NULL or if these buffers' data are invalid, a NULL/invalid pointer access occurs, resulting in a Windows kernel panic aka Blue Screen. This affects IOCTLs higher than 0x85FE2600 with the HWiNFO32 symbolic device name.

• otavioarj/SIOCtl

CVE-2018-8062 (2020-10-23)

A cross-site scripting (XSS) vulnerability on Comtrend AR-5387un devices with A731-410JAZ-C04_R02.A2pD035g.d23i firmware allows remote attackers to inject arbitrary web script or HTML via the Service Description parameter while creating a WAN service.

• OscarAkaElvis/CVE-2018-8062

CVE-2018-8065 (2018-03-12)

An issue was discovered in the web server in Flexense SyncBreeze Enterprise 10.6.24. There is a user mode write access violation on the syncbrs.exe memory region that can be triggered by rapidly sending a variety of HTTP requests with long HTTP header values or long URIs.

• EgeBalci/CVE-2018-8065

CVE-2018-8078 (2018-03-13)

YzmCMS 3.7 has Stored XSS via the title parameter to advertisement/adver/edit.html.

• Jx0n0/YZMCMSxss

CVE-2018-8090 (2018-07-25)

Quick Heal Total Security 64 bit 17.00 (QHTS64.exe), (QHTSFT64.exe) - Version 10.0.1.38; Quick Heal Total Security 32 bit 17.00 (QHTS32.exe), (QHTSFT32.exe) - Version 10.0.1.38; Quick Heal Internet Security 64 bit 17.00 (QHIS64.exe), (QHISFT64.exe) - Version 10.0.0.37; Quick Heal Internet Security 32 bit 17.00 (QHIS32.exe), (QHISFT32.exe) - Version 10.0.0.37; Quick Heal AntiVirus Pro 64 bit 17.00 (QHAV64.exe), (QHAVFT64.exe) - Version 10.0.0.37; and Quick Heal AntiVirus Pro 32 bit 17.00 (QHAV32.exe), (QHAVFT32.exe) - Version 10.0.0.37 allow DLL Hijacking because of Insecure Library Loading.

• kernelm0de/CVE-2018-8090

CVE-2018-8097 (2018-03-14)

io/mongo/parser.py in Eve (aka pyeve) before 0.7.5 allows remote attackers to execute arbitrary code via Code Injection in the where parameter.

• SilentVoid13/CVE-2018-8097

CVE-2018-8108 (2018-03-14)

The select component in bui through 2018-03-13 has XSS because it performs an escape operation on already-escaped text, as demonstrated by workGroupList text.

• zlgxzswjy/BUI-select-xss

CVE-2018-8115 (2018-05-02)

A remote code execution vulnerability exists when the Windows Host Compute Service Shim (hcsshim) library fails to properly validate input while importing a container image, aka "Windows Host Compute Service Shim Remote Code Execution Vulnerability." This affects Windows Host Compute.

• aquasecurity/scan-cve-2018-8115

CVE-2018-8120 (2018-05-09)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8124, CVE-2018-8164, CVE-2018-8166.

• bigric3/cve-2018-8120
• rip1s/CVE-2018-8120
• ne1llee/cve-2018-8120
• alpha1ab/CVE-2018-8120
• EVOL4/CVE-2018-8120
• ozkanbilge/CVE-2018-8120
• qiantu88/CVE-2018-8120
• Y0n0Y/cve-2018-8120-exp
• StartZYP/CVE-2018-8120
• wikiZ/cve-2018-8120

CVE-2018-8172 (2018-07-11)

A remote code execution vulnerability exists in Visual Studio software when the software does not check the source markup of a file for an unbuilt project, aka "Visual Studio Remote Code Execution Vulnerability." This affects Microsoft Visual Studio, Expression Blend 4.

• SyFi/CVE-2018-8172

CVE-2018-8174 (2018-05-09)

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

• 0x09AL/CVE-2018-8174-msf
• Yt1g3r/CVE-2018-8174_EXP
• SyFi/CVE-2018-8174
• orf53975/Rig-Exploit-for-CVE-2018-8174
• piotrflorczyk/cve-2018-8174_analysis
• likekabin/CVE-2018-8174-msf
• ruthlezs/ie11_vbscript_exploit
• ericisnotrealname/CVE-2018-8174_EXP
• www201001/https-github.com-iBearcat-CVE-2018-8174_EXP
• www201001/https-github.com-iBearcat-CVE-2018-8174_EXP.git-
• delina1/CVE-2018-8174
• delina1/CVE-2018-8174_EXP
• DarkFlameMaster-bit/CVE-2018-8174_EXP
• lisinan988/CVE-2018-8174-exp
• sinisterghost/https-github.com-iBearcat-CVE-2018-8174_EXP

CVE-2018-8208 (2018-06-14)

An elevation of privilege vulnerability exists in Windows when Desktop Bridge does not properly manage the virtual registry, aka "Windows Desktop Bridge Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8214.

• kaisaryousuf/CVE-2018-8208

CVE-2018-8214 (2018-06-14)

An elevation of privilege vulnerability exists in Windows when Desktop Bridge does not properly manage the virtual registry, aka "Windows Desktop Bridge Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8208.

• guwudoor/CVE-2018-8214

CVE-2018-8284 (2018-07-11)

A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ".NET Framework Remote Code Injection Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.2.

• quantiti/CVE-2018-8284-Sharepoint-RCE

CVE-2018-8353 (2018-08-15)

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-8355, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8385, CVE-2018-8389, CVE-2018-8390.

• whereisr0da/CVE-2018-8353-POC

CVE-2018-8389 (2018-08-15)

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10. This CVE ID is unique from CVE-2018-8353, CVE-2018-8355, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8385, CVE-2018-8390.

• sharmasandeepkr/cve-2018-8389

CVE-2018-8410 (2018-09-13)

An elevation of privilege vulnerability exists when the Windows Kernel API improperly handles registry objects in memory, aka "Windows Registry Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

• trapmine/CVE-2018-8410

CVE-2018-8414 (2018-08-15)

A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows 10 Servers, Windows 10.

• whereisr0da/CVE-2018-8414-POC

CVE-2018-8420 (2018-09-13)

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka "MS XML Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

• idkwim/CVE-2018-8420

CVE-2018-8440 (2018-09-13)

An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC), aka "Windows ALPC Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

• sourceincite/CVE-2018-8440

CVE-2018-8453 (2018-10-10)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

• Mkv4/cve-2018-8453-exp
• ze0r/cve-2018-8453-exp
• thepwnrip/leHACK-Analysis-of-CVE-2018-8453

CVE-2018-8495 (2018-10-10)

A remote code execution vulnerability exists when Windows Shell improperly handles URIs, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.

• whereisr0da/CVE-2018-8495-POC

CVE-2018-8581 (2018-11-14)

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server.

• WyAtu/CVE-2018-8581
• qiantu88/CVE-2018-8581
• Ridter/Exchange2domain

CVE-2018-8587 (2018-12-12)

A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory, aka "Microsoft Outlook Remote Code Execution Vulnerability." This affects Office 365 ProPlus, Microsoft Office, Microsoft Outlook.

• Sunqiz/CVE-2018-8587-reproduction

CVE-2018-8611 (2018-12-12)

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka "Windows Kernel Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

• lsw29475/CVE-2018-8611

CVE-2018-8617 (2018-12-12)

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8583, CVE-2018-8618, CVE-2018-8624, CVE-2018-8629.

• bb33bb/cve-2018-8617-aab-r-w-

CVE-2018-8639 (2018-12-12)

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8641.

• ze0r/CVE-2018-8639-exp
• timwhitez/CVE-2018-8639-EXP

CVE-2018-8718 (2018-03-27)

Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request.

• GeunSam2/CVE-2018-8718

CVE-2018-8820 (2018-03-28)

An issue was discovered in Square 9 GlobalForms 6.2.x. A Time Based SQL injection vulnerability in the "match" parameter allows remote authenticated attackers to execute arbitrary SQL commands. It is possible to upgrade access to full server compromise via xp_cmdshell. In some cases, the authentication requirement for the attack can be met by sending the default admin credentials.

• hateshape/frevvomapexec

CVE-2018-8897 (2018-05-08)

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.

• nmulasmajic/CVE-2018-8897
• jiazhang0/pop-mov-ss-exploit
• can1357/CVE-2018-8897
• nmulasmajic/syscall_exploit_CVE-2018-8897

CVE-2018-8941 (2018-04-03)

Diagnostics functionality on D-Link DSL-3782 devices with firmware EU v. 1.01 has a buffer overflow, allowing authenticated remote attackers to execute arbitrary code via a long Addr value to the 'set Diagnostics_Entry' function in an HTTP request, related to /userfs/bin/tcapi.

• SECFORCE/CVE-2018-8941

CVE-2018-8947 (2018-03-25)

rap2hpoutre Laravel Log Viewer before v0.13.0 relies on Base64 encoding for l, dl, and del requests, which makes it easier for remote attackers to bypass intended access restrictions, as demonstrated by reading arbitrary files via a dl request.

• scopion/CVE-2018-8947

CVE-2018-8970 (2018-03-24)

The int_x509_param_set_hosts function in lib/libcrypto/x509/x509_vpm.c in LibreSSL 2.7.0 before 2.7.1 does not support a certain special case of a zero name length, which causes silent omission of hostname verification, and consequently allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: the LibreSSL documentation indicates that this special case is supported, but the BoringSSL documentation does not.

• tiran/CVE-2018-8970

CVE-2018-9059 (2018-04-20)

Stack-based buffer overflow in Easy File Sharing (EFS) Web Server 7.2 allows remote attackers to execute arbitrary code via a malicious login request to forum.ghp. NOTE: this may overlap CVE-2014-3791.

• manojcode/easy-file-share-7.2-exploit-CVE-2018-9059

CVE-2018-9075 (2018-09-28)

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when joining a PersonalCloud setup, an attacker can craft a command injection payload using backtick "``" characters in the client:password parameter. As a result, arbitrary commands may be executed as the root user. The attack requires a value __c and iomega parameter.

• beverlymiller818/cve-2018-9075

CVE-2018-9160 (2018-03-31)

SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses.

• mechanico/sickrageWTF

CVE-2018-9206 (2018-10-11)

Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

• Den1al/CVE-2018-9206
• Stahlz/JQShell
• cved-sources/cve-2018-9206
• mi-hood/CVE-2018-9206
• MikeyPPPPPPPP/CVE-2018-9206

CVE-2018-9207 (2018-11-19)

Arbitrary file upload in jQuery Upload File <= 4.0.2

• cved-sources/cve-2018-9207

CVE-2018-9208 (2018-11-05)

Unauthenticated arbitrary file upload vulnerability in jQuery Picture Cut <= v1.1Beta

• cved-sources/cve-2018-9208

CVE-2018-9276 (2018-07-02)

An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.

• wildkindcc/CVE-2018-9276
• andyfeili/CVE-2018-9276
• alvinsmith-eroad/CVE-2018-9276

CVE-2018-9375

• IOActive/AOSP-ExploitUserDictionary

CVE-2018-9411 (2024-11-19)

In decrypt of ClearKeyCasPlugin.cpp there is a possible out-of-bounds write due to a missing bounds check. This could lead to remote arbitrary code execution with no additional execution privileges needed. User interaction is needed for exploitation.

• tamirzb/CVE-2018-9411

CVE-2018-9468 (2024-11-20)

In query of DownloadManager.java, there is a possible read/write of arbitrary files due to a permissions bypass. This could lead to local information disclosure and file rewriting with no additional execution privileges needed. User interaction is not needed for exploitation.

• IOActive/AOSP-DownloadProviderHijacker

CVE-2018-9493 (2018-10-02)

In the content provider of the download manager, there is a possible SQL injection due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9.0 Android ID: A-111085900

• IOActive/AOSP-DownloadProviderDbDumper

CVE-2018-9539 (2018-11-14)

In the ClearKey CAS descrambler, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-113027383

• tamirzb/CVE-2018-9539

CVE-2018-9546

• IOActive/AOSP-DownloadProviderHeadersDumper

CVE-2018-9948 (2018-05-17)

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of typed arrays. The issue results from the lack of proper initialization of a pointer prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5380.

• manojcode/Foxit-Reader-RCE-with-virualalloc-and-shellcode-for-CVE-2018-9948-and-CVE-2018-9958
• orangepirate/cve-2018-9948-9958-exp

CVE-2018-9950 (2018-05-17)

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF documents. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5413.

• sharmasandeepkr/PS-2017-13---CVE-2018-9950

CVE-2018-9951 (2018-05-17)

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of CPDF_Object objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5414.

• sharmasandeepkr/cve-2018-9951

CVE-2018-9958 (2018-05-17)

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Text Annotations. When setting the point attribute, the process does not properly validate the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5620.

• t3rabyt3-zz/CVE-2018-9958--Exploit

CVE-2018-9995 (2018-04-10)

TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.

• ezelf/CVE-2018-9995_dvr_credentials
• zzh217/CVE-2018-9995_Batch_scanning_exp
• Huangkey/CVE-2018-9995_check
• gwolfs/CVE-2018-9995-ModifiedByGwolfs
• shacojx/cve-2018-9995
• Cyb0r9/DVR-Exploiter
• codeholic2k18/CVE-2018-9995
• TateYdq/CVE-2018-9995-ModifiedByGwolfs
• ABIZCHI/CVE-2018-9995_dvr_credentials
• MrAli-Code/CVE-2018-9995_dvr_credentials
• likaifeng0/CVE-2018-9995_dvr_credentials-dev_tool
• b510/CVE-2018-9995-POC
• wmasday/HTC
• awesome-consumer-iot/HTC
• Saeed22487/CVE-2018-9995
• kienquoc102/CVE-2018-9995-2
• dearpan/cve-2018-9995
• LeQuocKhanh2K/Tool_Exploit_Password_Camera_CVE-2018-9995
• ST0PL/DVRFaultNET
• K3ysTr0K3R/CVE-2018-9995-EXPLOIT
• Pab450/CVE-2018-9995
• arminarab1999/CVE-2018-9995
• X3RX3SSec/DVR_Sploit
• batmoshka55/CVE-2018-9995_dvr_credentials
• dego905/Cam
• A-Alabdoo/CVE-DVr

CVE-2018-10097 (2018-04-13)

XSS exists in Domain Trader 2.5.3 via the recoverlogin.php email_address parameter.

• ashangp923/CVE-2018-10097

CVE-2018-10118 (2018-04-15)

Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php.

• GeunSam2/CVE-2018-10118

CVE-2018-10299 (2018-04-23)

An integer overflow in the batchTransfer function of a smart contract implementation for Beauty Ecosystem Coin (BEC), the Ethereum ERC20 token used in the Beauty Chain economic system, allows attackers to accomplish an unauthorized increase of digital assets by providing two _receivers arguments in conjunction with a large _value argument, as exploited in the wild in April 2018, aka the "batchOverflow" issue.

• phzietsman/batchOverflow

CVE-2018-10388 (2019-12-23)

Format string vulnerability in the logMess function in TFTP Server SP 1.66 and earlier allows remote attackers to perform a denial of service or execute arbitrary code via format string sequences in a TFTP error packet.

• 0xddaa/CVE-2018-10388

CVE-2018-10467

• alt3kx/CVE-2018-10467

CVE-2018-10517 (2018-04-27)

In CMS Made Simple (CMSMS) through 2.2.7, the "module import" operation in the admin dashboard contains a remote code execution vulnerability, exploitable by an admin user, because an XML Package can contain base64-encoded PHP code in a data element.

• 0x00-0x00/CVE-2018-10517

CVE-2018-10546 (2018-04-29)

An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.

• dsfau/CVE-2018-10546

CVE-2018-10562 (2018-05-04)

An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.

• ExiaHan/GPON
• 649/Pingpon-Exploit
• Choudai/GPON-LOADER
• c0ld1/GPON_RCE
• ATpiu/CVE-2018-10562

CVE-2018-10583 (2018-05-01)

An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document.

• MrTaherAmine/CVE-2018-10583
• octodi/CVE-2018-10583

CVE-2018-10715

• alt3kx/CVE-2018-10715

CVE-2018-10732 (2018-05-28)

The REST API in Dataiku DSS before 4.2.3 allows remote attackers to obtain sensitive information (i.e., determine if a username is valid) because of profile pictures visibility.

• alt3kx/CVE-2018-10732

CVE-2018-10821 (2018-06-14)

Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated users with the Admin role to inject arbitrary web script or HTML via the search panel.

• BalvinderSingh23/Cross-Site-Scripting-Reflected-XSS-Vulnerability-in-blackcatcms_v1.3

CVE-2018-10920 (2018-08-02)

Improper input validation bug in DNS resolver component of Knot Resolver before 2.4.1 allows remote attacker to poison cache.

• shutingrz/CVE-2018-10920_PoC

CVE-2018-10933 (2018-10-17)

A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.

• SoledaD208/CVE-2018-10933
• blacknbunny/CVE-2018-10933
• hook-s3c/CVE-2018-10933
• kn6869610/CVE-2018-10933
• jobroche/libssh-scanner
• likekabin/CVE-2018-10933_ssh
• likekabin/CVE-2018-10933-libSSH-Authentication-Bypass
• marco-lancini/hunt-for-cve-2018-10933
• hackerhouse-opensource/cve-2018-10933
• cve-2018/cve-2018-10933
• jas502n/CVE-2018-10933
• ninp0/cve-2018-10933_poc
• pghook/CVE-2018-10933_Scanner
• Virgula0/POC-CVE-2018-10933
• shifa123/pythonprojects-CVE-2018-10933
• xFreed0m/CVE-2018-10933
• Bifrozt/CVE-2018-10933
• r3dxpl0it/CVE-2018-10933
• ivanacostarubio/libssh-scanner
• throwawayaccount12312312/precompiled-CVE-2018-10933
• reanimat0r/bpnd-libssh
• ensimag-security/CVE-2018-10933
• 0xadaw/libSSH-bypass
• sambiyal/CVE-2018-10933-POC
• nikhil1232/LibSSH-Authentication-Bypass
• Kurlee/LibSSH-exploit
• crispy-peppers/Libssh-server-CVE-2018-10933
• youkergav/CVE-2018-10933
• kristyna-mlcakova/CVE-2018-10933
• lalishasanduwara/CVE-2018-10933
• JoSecMx/CVE-2018-10933_Scanner
• cyberharsh/Libssh-server-CVE-2018-10933
• Rubikcuv5/CVE-2018-10933
• SilasSpringer/CVE-2018-10933
• HSw109/CVE-2018-10933

CVE-2018-10936 (2018-08-30)

A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.

• tafamace/CVE-2018-10936

CVE-2018-10949 (2018-05-10)

mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the "HTTP 404 - account is not active" and "HTTP 401 - must authenticate" errors.

• 0x00-0x00/CVE-2018-10949

CVE-2018-10993

• nicolastsk/cve-2018-10993

CVE-2018-11235 (2018-05-30)

In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.

• Rogdham/CVE-2018-11235
• vmotos/CVE-2018-11235
• Choihosu/cve-2018-11235
• CHYbeta/CVE-2018-11235-DEMO
• Kiss-sh0t/CVE-2018-11235-poc
• H0K5/clone_and_pwn
• knqyf263/CVE-2018-11235
• ygouzerh/CVE-2018-11235
• qweraqq/CVE-2018-11235-Git-Submodule-CE
• AnonymKing/CVE-2018-11235
• 0rx1/CVE-2018-11235
• cchang27/CVE-2018-11235-test
• nthuong95/CVE-2018-11235
• xElkomy/CVE-2018-11235
• jongmartinez/CVE-2018-11235-PoC
• MohamedTarekq/test-CVE-2018-11235
• j4k0m/CVE-2018-11235
• twseptian/cve-2018-11235-git-submodule-ce-and-docker-ngrok-configuration
• EmaVirgRep/CVE-2018-11235
• theerachaich/lab

CVE-2018-11311 (2018-05-20)

A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.

• EmreOvunc/mySCADA-myPRO-7-Hardcoded-FTP-Username-and-Password

CVE-2018-11321 (2018-05-22)

An issue was discovered in com_fields in Joomla! Core before 3.8.8. Inadequate filtering allows users authorised to create custom fields to manipulate the filtering options and inject an unvalidated option.

• ExploitCN/CVE-2018-11321

CVE-2018-11450 (2018-07-09)

A reflected Cross-Site-Scripting (XSS) vulnerability has been identified in Siemens PLM Software TEAMCENTER (V9.1.2.5). If a user visits the login portal through the URL crafted by the attacker, the attacker can insert html/javascript and thus alter/rewrite the login portal page. Siemens PLM Software TEAMCENTER V9.1.3 and newer are not affected.

• LucvanDonk/Siemens-Siemens-PLM-Software-TEAMCENTER-Reflected-Cross-Site-Scripting-XSS-vulnerability

CVE-2018-11510 (2018-06-28)

The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the 'script' parameter.

• mefulton/CVE-2018-11510

CVE-2018-11517 (2018-05-28)

mySCADA myPRO 7 allows remote attackers to discover all ProjectIDs in a project by sending all of the prj parameter values from 870000 to 875000 in t=0&rq=0 requests to TCP port 11010.

• EmreOvunc/mySCADA-myPRO-7-projectID-Disclosure

CVE-2018-11564 (2018-06-01)

Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature. A user with elevated privileges could upload a photo to the system in an SVG format. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/poc.svg" that will point to http://localhost/pagekit/storage/poc.svg. When a user comes along to click that link, it will trigger a XSS attack.

• GeunSam2/CVE-2018-11564

CVE-2018-11631 (2018-05-31)

Rondaful M1 Wristband Smart Band 1 devices allow remote attackers to send an arbitrary number of call or SMS notifications via crafted Bluetooth Low Energy (BLE) traffic.

• ColeShelly/bandexploit

CVE-2018-11686 (2019-07-03)

The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allows remote code execution via setup.php and change_config.php.

• mpgn/CVE-2018-11686

CVE-2018-11759 (2018-10-31)

The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.

• immunIT/CVE-2018-11759
• Jul10l1r4/Identificador-CVE-2018-11759
• julioliraup/Identificador-CVE-2018-11759

CVE-2018-11761 (2018-09-19)

In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.

• brianwrf/CVE-2018-11761

CVE-2018-11770 (2018-08-13)

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.rest.enabled' to 'false'.

• ivanitlearning/CVE-2018-11770

CVE-2018-11776 (2018-08-22)

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.

• xfox64x/CVE-2018-11776
• jiguangsdf/CVE-2018-11776
• hook-s3c/CVE-2018-11776-Python-PoC
• mazen160/struts-pwn_CVE-2018-11776
• bhdresh/CVE-2018-11776
• knqyf263/CVE-2018-11776
• Ekultek/Strutter
• tuxotron/cve-2018-11776-docker
• brianwrf/S2-057-CVE-2018-11776
• 649/Apache-Struts-Shodan-Exploit
• jezzus/CVE-2018-11776-Python-PoC
• cved-sources/cve-2018-11776
• OzNetNerd/apche-struts-vuln-demo-cve-2018-11776
• cucadili/CVE-2018-11776
• ArunBhandarii/Apache-Struts-0Day-Exploit
• freshdemo/ApacheStruts-CVE-2018-11776
• sonpt-afk/CVE-2018-11776-FIS

CVE-2018-11784 (2018-10-04)

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.

• Cappricio-Securities/CVE-2018-11784

CVE-2018-11788 (2019-01-07)

Apache Karaf provides a features deployer, which allows users to "hot deploy" a features XML by dropping the file directly in the deploy folder. The features XML is parsed by XMLInputFactory class. Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities in Apache Karaf version prior to 4.1.7 or 4.2.2. It has been fixed in Apache Karaf 4.1.7 and 4.2.2 releases.

• brianwrf/CVE-2018-11788

CVE-2018-11790 (2019-01-31)

When loading a document with Apache Open Office 4.1.5 and earlier with smaller end line termination than the operating system uses, the defect occurs. In this case OpenOffice runs into an Arithmetic Overflow at a string length calculation.

• anmuxi-bai/CVE-2018-11790

CVE-2018-12018 (2018-07-05)

The GetBlockHeadersMsg handler in the LES protocol implementation in Go Ethereum (aka geth) before 1.8.11 may lead to an access violation because of an integer signedness error for the array index, which allows attackers to launch a Denial of Service attack by sending a packet with a -1 query.Skip value. The vulnerable remote node would be crashed by such an attack immediately, aka the EPoD (Ethereum Packet of Death) issue.

• k3v142/CVE-2018-12018

CVE-2018-12031 (2018-06-07)

Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via server/node_upgrade_srv.js directory traversal with the firmware parameter in a downloadFirmware action.

• EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion

CVE-2018-12038 (2018-11-20)

An issue was discovered on Samsung 840 EVO devices. Vendor-specific commands may allow access to the disk-encryption key.

• gdraperi/remote-bitlocker-encryption-report

CVE-2018-12086 (2018-09-14)

Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.

• kevinherron/stack-overflow-poc

CVE-2018-12326 (2018-06-17)

Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 RC3 allows an attacker to achieve code execution and escalate to higher privileges via a crafted command line. NOTE: It is unclear whether there are any common situations in which redis-cli is used with, for example, a -h (aka hostname) argument from an untrusted source.

• spasm5/CVE-2018-12326

CVE-2018-12386 (2018-10-18)

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered. This vulnerability affects Firefox ESR < 60.2.2 and Firefox < 62.0.3.

• Hydra3evil/cve-2018-12386
• 0xLyte/cve-2018-12386

CVE-2018-12418 (2018-06-14)

Archive.java in Junrar before 1.0.1, as used in Apache Tika and other products, is affected by a denial of service vulnerability due to an infinite loop when handling corrupt RAR files.

• tafamace/CVE-2018-12418

CVE-2018-12421 (2018-06-14)

LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string.

• reversebrain/CVE-2018-12421

CVE-2018-12463 (2018-07-12)

An XML external entity (XXE) vulnerability in Fortify Software Security Center (SSC), version 17.1, 17.2, 18.1 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

• alt3kx/CVE-2018-12463

CVE-2018-12533 (2018-06-18)

JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310.

• llamaonsecurity/CVE-2018-12533
• Pastea/CVE-2018-12533

CVE-2018-12537 (2018-08-14)

In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.

• tafamace/CVE-2018-12537

CVE-2018-12540 (2018-07-12)

In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do not assert that the XSRF Cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens which are not expired yet.

• bernard-wagner/vertx-web-xsrf
• tafamace/CVE-2018-12540

CVE-2018-12596 (2018-10-10)

Episerver Ektron CMS before 9.0 SP3 Site CU 31, 9.1 before SP3 Site CU 45, or 9.2 before SP2 Site CU 22 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).

• alt3kx/CVE-2018-12596

CVE-2018-12597

• alt3kx/CVE-2018-12597

CVE-2018-12598

• alt3kx/CVE-2018-12598

CVE-2018-12613 (2018-06-21)

An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).

• 0x00-0x00/CVE-2018-12613
• ivanitlearning/CVE-2018-12613
• eastmountyxz/CVE-2018-12613-phpMyAdmin

CVE-2018-12636 (2018-06-22)

The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page.

• nth347/CVE-2018-12636_exploit

CVE-2018-12798 (2018-07-20)

Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Heap Overflow vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.

• sharmasandeepkr/cve-2018-12798

CVE-2018-12895 (2018-06-26)

WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

• bloom-ux/cve-2018-12895-hotfix

CVE-2018-13257 (2019-11-18)

The bb-auth-provider-cas authentication module within Blackboard Learn 2018-07-02 is susceptible to HTTP host header spoofing during Central Authentication Service (CAS) service ticket validation, enabling a phishing attack from the CAS server login page.

• gluxon/CVE-2018-13257

CVE-2018-13341 (2018-08-10)

Crestron TSW-X60 all versions prior to 2.001.0037.001 and MC3 all versions prior to 1.502.0047.00, The passwords for special sudo accounts may be calculated using information accessible to those with regular user privileges. Attackers could decipher these passwords, which may allow them to execute hidden API calls and escape the CTP console sandbox environment with elevated privileges.

• axcheron/crestron_getsudopwd
• RajChowdhury240/CVE-2018-13341

CVE-2018-13379 (2019-06-04)

An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

• milo2012/CVE-2018-13379
• jpiechowka/at-doom-fortigate
• 0xHunter/FortiOS-Credentials-Disclosure
• Blazz3/cve2018-13379-nmap-script
• yukar1z0e/CVE-2018-13379
• pwn3z/CVE-2018-13379-FortinetVPN
• k4nfr3/CVE-2018-13379-Fortinet
• Zeop-CyberSec/fortios_vpnssl_traversal_leak
• B1anda0/CVE-2018-13379
• nivdolgin/CVE-2018-13379

CVE-2018-13382 (2019-06-04)

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests

• milo2012/CVE-2018-13382
• tumikoto/Exploit-FortinetMagicBackdoor

CVE-2018-13410 (2018-07-06)

Info-ZIP Zip 3.0, when the -T and -TT command-line options are used, allows attackers to cause a denial of service (invalid free and application crash) or possibly have unspecified other impact because of an off-by-one error. NOTE: it is unclear whether there are realistic scenarios in which an untrusted party controls the -TT value, given that the entire purpose of -TT is execution of arbitrary commands

• shinecome/zip

CVE-2018-13784 (2018-07-09)

PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.

• ambionics/prestashop-exploits

CVE-2018-13797 (2018-07-10)

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

• dsp-testing/CVE-2018-13797

CVE-2018-13864 (2018-07-17)

A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests.

• tafamace/CVE-2018-13864

CVE-2018-14009 (2018-07-12)

Codiad through 2.8.4 allows Remote Code Execution, a different vulnerability than CVE-2017-11366 and CVE-2017-15689.

• hidog123/Codiad-CVE-2018-14009

CVE-2018-14040 (2018-07-13)

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

• Snorlyd/https-nj.gov---CVE-2018-14040

CVE-2018-14041 (2018-07-13)

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

• Snorlyd/https-nj.gov---CVE-2018-14041

CVE-2018-14042 (2018-07-13)

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

• Snorlyd/https-nj.gov---CVE-2018-14042

CVE-2018-14083 (2018-07-25)

LICA miniCMTS E8K(u/i/...) devices allow remote attackers to obtain sensitive information via a direct POST request for the inc/user.ini file, leading to discovery of a password hash.

• pudding2/CVE-2018-14083

CVE-2018-14442 (2018-07-20)

Foxit Reader before 9.2 and PhantomPDF before 9.2 have a Use-After-Free that leads to Remote Code Execution, aka V-88f4smlocs.

• payatu/CVE-2018-14442
• sharmasandeepkr/PS-2018-002---CVE-2018-14442

CVE-2018-14463 (2019-10-03)

The VRRP parser in tcpdump before 4.9.3 has a buffer over-read in print-vrrp.c:vrrp_print() for VRRP version 2, a different vulnerability than CVE-2019-15167.

• hshivhare67/platform_external_tcpdump_AOSP10_r33_4.9.2-_CVE-2018-14463

CVE-2018-14469 (2019-10-03)

The IKEv1 parser in tcpdump before 4.9.3 has a buffer over-read in print-isakmp.c:ikev1_n_print().

• Trinadh465/external_tcpdump_CVE-2018-14469

CVE-2018-14634 (2018-09-25)

An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerable.

• luan0ap/cve-2018-14634

CVE-2018-14665 (2018-10-25)

A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges.

• jas502n/CVE-2018-14665
• bolonobolo/CVE-2018-14665

CVE-2018-14667 (2018-11-06)

The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.

• nareshmail/cve-2018-14667
• zeroto01/CVE-2018-14667
• r00t4dm/CVE-2018-14667
• syriusbughunt/CVE-2018-14667
• quandqn/cve-2018-14667
• Venscor/CVE-2018-14667-poc

CVE-2018-14699 (2018-12-03)

System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.

• RevoCain/CVE-2018-14699

CVE-2018-14714 (2019-05-13)

System command injection in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to execute system commands via the "load_script" URL parameter.

• tin-z/CVE-2018-14714-POC
• sunn1day/CVE-2018-14714-POC
• BTtea/CVE-2018-14714-RCE-exploit

CVE-2018-14716 (2018-08-06)

A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code.

• 0xB455/CVE-2018-14716

CVE-2018-14729 (2019-05-22)

The database backup feature in upload/source/admincp/admincp_db.php in Discuz! 2.5 and 3.4 allows remote attackers to execute arbitrary PHP code.

• c0010/CVE-2018-14729

CVE-2018-14772 (2018-10-16)

Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution vulnerability in which an attacker with administrator access to the web application can execute arbitrary code on the underlying system via Command Injection.

• killvxk/CVE-2018-14772

CVE-2018-14847 (2018-08-02)

MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.

• BasuCert/WinboxPoC
• msterusky/WinboxExploit
• syrex1013/MikroRoot
• jas502n/CVE-2018-14847
• mahmoodsabir/mikrotik-beast
• Tr33-He11/winboxPOC
• sinichi449/Python-MikrotikLoginExploit
• yukar1z0e/CVE-2018-14847
• hacker30468/Mikrotik-router-hack
• babyshen/routeros-CVE-2018-14847-bytheway
• K3ysTr0K3R/CVE-2018-14847-EXPLOIT

CVE-2018-14879 (2019-10-03)

The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file().

• Trinadh465/external_tcpdump_CVE-2018-14879

CVE-2018-14880 (2019-10-03)

The OSPFv3 parser in tcpdump before 4.9.3 has a buffer over-read in print-ospf6.c:ospf6_print_lshdr().

• Trinadh465/external_tcpdump_CVE-2018-14880

CVE-2018-15131 (2019-05-30)

An issue was discovered in Synacor Zimbra Collaboration Suite 8.6.x before 8.6.0 Patch 11, 8.7.x before 8.7.11 Patch 6, 8.8.x before 8.8.8 Patch 9, and 8.8.9 before 8.8.9 Patch 3. Account number enumeration is possible via inconsistent responses for specific types of authentication requests.

• 0x00-0x00/CVE-2018-15131

CVE-2018-15133 (2018-08-09)

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

• kozmic/laravel-poc-CVE-2018-15133
• Bilelxdz/Laravel-CVE-2018-15133
• Prabesh01/Laravel-PHP-Unit-RCE-Auto-shell-uploader
• bukitbarisan/laravel-rce-cve-2018-15133
• AlienX2001/better-poc-for-CVE-2018-15133
• aljavier/exploit_laravel_cve-2018-15133
• pwnedshell/Larascript
• AzhariKun/CVE-2018-15133
• NatteeSetobol/CVE-2018-15133-Lavel-Expliot
• Cr4zyD14m0nd137/Lab-for-cve-2018-15133
• 0xSalle/cve-2018-15133

CVE-2018-15139 (2018-08-13)

Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.

• sec-it/exploit-CVE-2018-15139

CVE-2018-15365 (2018-09-28)

A Reflected Cross-Site Scripting (XSS) vulnerability in Trend Micro Deep Discovery Inspector 3.85 and below could allow an attacker to bypass CSRF protection and conduct an attack on vulnerable installations. An attacker must be an authenticated user in order to exploit the vulnerability.

• nixwizard/CVE-2018-15365

CVE-2018-15473 (2018-08-17)

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

• trimstray/massh-enum
• gbonacini/opensshenum
• Rhynorater/CVE-2018-15473-Exploit
• epi052/cve-2018-15473
• pyperanger/CVE-2018-15473_exploit
• r3dxpl0it/CVE-2018-15473
• JoeBlackSecurity/SSHUsernameBruter-SSHUB
• cved-sources/cve-2018-15473
• LINYIKAI/CVE-2018-15473-exp
• trickster1103/-
• NHPT/SSH-account-enumeration-verification-script
• CaioCGH/EP4-redes
• Moon1705/easy_security
• An0nYm0u5101/enumpossible
• Wh1t3Fox/cve-2018-15473
• 1stPeak/CVE-2018-15473
• coollce/CVE-2018-15473_burte
• Dirty-Racoon/CVE-2018-15473-py3
• Sait-Nuri/CVE-2018-15473
• WildfootW/CVE-2018-15473_OpenSSH_7.7
• MrDottt/CVE-2018-15473
• 66quentin/shodan-CVE-2018-15473
• 0xrobiul/CVE-2018-15473
• philippedixon/CVE-2018-15473
• sergiovks/SSH-User-Enum-Python3-CVE-2018-15473
• Anonimo501/ssh_enum_users_CVE-2018-15473
• mclbn/docker-cve-2018-15473
• GaboLC98/userenum-CVE-2018-15473
• 4xolotl/CVE-2018-15473
• NestyF/SSH_Enum_CVE-2018-15473
• yZ1337/CVE-2018-15473
• MahdiOsman/CVE-2018-15473-SNMPv1-2-Community-String-Vulnerability-Testing
• SUDORM0X/PoC-CVE-2018-15473

CVE-2018-15499 (2018-08-24)

GEAR Software products that include GEARAspiWDM.sys, 2.2.5.0, allow local users to cause a denial of service (Race Condition and BSoD on Windows) by not checking that user-mode memory is available right before writing to it. A check is only performed at the beginning of a long subroutine.

• DownWithUp/CVE-2018-15499

CVE-2018-15686 (2018-10-26)

A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.

• hpcprofessional/remediate_cesa_2019_2091

CVE-2018-15708 (2018-11-14)

Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.

• lkduy2602/Detecting-CVE-2018-15708-Vulnerabilities

CVE-2018-15727 (2018-08-29)

Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user.

• u238/grafana-CVE-2018-15727
• grimbelhax/CVE-2018-15727

CVE-2018-15832 (2018-09-20)

upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI handlers. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process.

• JacksonKuo/ubisoft-uplay-desktop-client-63.0.5699.0

CVE-2018-15835 (2018-11-30)

Android 1.0 through 9.0 has Insecure Permissions. The Android bug ID is 77286983.

• Chirantar7004/Android-Passive-Location-Tracker

CVE-2018-15877 (2018-08-26)

The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.

• cved-sources/cve-2018-15877
• Cinnamon1212/CVE-2018-15877-RCE

CVE-2018-15912 (2018-08-29)

An issue was discovered in manjaro-update-system.sh in manjaro-system 20180716-1 on Manjaro Linux. A local attacker can install or remove arbitrary packages and package repositories potentially containing hooks with arbitrary code, which will automatically be run as root, or remove packages vital to the system.

• coderobe/CVE-2018-15912-PoC

CVE-2018-15961 (2018-09-25)

Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.

• vah13/CVE-2018-15961
• cved-sources/cve-2018-15961
• xbufu/CVE-2018-15961
• orangmuda/CVE-2018-15961
• bu1xuan2/CVE-2018-15961

CVE-2018-15968 (2018-10-12)

Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.

• sharmasandeepkr/cve-2018-15968

CVE-2018-15982 (2019-01-18)

Flash Player versions 31.0.0.153 and earlier, and 31.0.0.108 and earlier have a use after free vulnerability. Successful exploitation could lead to arbitrary code execution.

• FlatL1neAPT/CVE-2018-15982
• Ormicron/CVE-2018-15982_PoC
• Ridter/CVE-2018-15982_EXP
• kphongagsorn/adobe-flash-cve2018-15982
• jas502n/CVE-2018-15982_EXP_IE
• scanfsec/CVE-2018-15982
• SyFi/CVE-2018-15982
• create12138/CVE-2018-15982

CVE-2018-16119 (2019-06-20)

Stack-based buffer overflow in the httpd server of TP-Link WR1043nd (Firmware Version 3) allows remote attackers to execute arbitrary code via a malicious MediaServer request to /userRpm/MediaServerFoldersCfgRpm.htm.

• hdbreaker/CVE-2018-16119

CVE-2018-16156 (2019-05-17)

In PaperStream IP (TWAIN) 1.42.0.5685 (Service Update 7), the FJTWSVIC service running with SYSTEM privilege processes unauthenticated messages received over the FjtwMkic_Fjicube_32 named pipe. One of these message processing functions attempts to dynamically load the UninOldIS.dll library and executes an exported function named ChangeUninstallString. The default install does not contain this library and therefore if any DLL with that name exists in any directory listed in the PATH variable, it can be used to escalate to SYSTEM level privilege.

• securifera/CVE-2018-16156-Exploit

CVE-2018-16167 (2019-01-09)

LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.

• dnr6419/CVE-2018-16167

CVE-2018-16283 (2018-09-24)

The Wechat Broadcast plugin 1.2.0 and earlier for WordPress allows Directory Traversal via the Image.php url parameter.

• cved-sources/cve-2018-16283

CVE-2018-16323 (2018-09-01)

ReadXBMImage in coders/xbm.c in ImageMagick before 7.0.8-9 leaves data uninitialized when processing an XBM file that has a negative pixel value. If the affected code is used as a library loaded into a process that includes sensitive information, that information sometimes can be leaked via the image data.

• ttffdd/XBadManners

CVE-2018-16341

• mpgn/CVE-2018-16341
• CN016/Nuxeo-CVE-2018-16341

CVE-2018-16370 (2018-09-03)

In PESCMS Team 2.2.1, attackers may upload and execute arbitrary PHP code through /Public/?g=Team&m=Setting&a=upgrade by placing a .php file in a ZIP archive.

• snappyJack/CVE-2018-16370

CVE-2018-16373 (2018-09-03)

Frog CMS 0.9.5 has an Upload vulnerability that can create files via /admin/?/plugin/file_manager/save.

• snappyJack/CVE-2018-16373

CVE-2018-16431 (2018-09-04)

admin/admin/adminsave.html in YFCMF v3.0 allows CSRF to add an administrator account.

• RHYru9/CVE-2018-16431

CVE-2018-16492 (2019-02-01)

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

• dsp-testing/CVE-2018-16492

CVE-2018-16509 (2018-09-05)

An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction.

• farisv/PIL-RCE-Ghostscript-CVE-2018-16509
• knqyf263/CVE-2018-16509
• cved-sources/cve-2018-16509
• rhpco/CVE-2018-16509

CVE-2018-16706 (2018-09-14)

LG SuperSign CMS allows TVs to be rebooted remotely without authentication via a direct HTTP request to /qsr_server/device/reboot on port 9080.

• Nurdilin/CVE-2018-16706

CVE-2018-16711 (2018-09-26)

IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send an IOCTL (0x9C402088) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for input.

• DownWithUp/CVE-2018-16711

CVE-2018-16712 (2018-09-26)

IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send a specially crafted IOCTL 0x9C406104 to read physical memory.

• DownWithUp/CVE-2018-16712

CVE-2018-16713 (2018-09-26)

IObit Advanced SystemCare, which includes Monitor_win10_x64.sys or Monitor_win7_x64.sys, 1.2.0.5 (and possibly earlier versions) allows a user to send an IOCTL (0x9C402084) with a buffer containing user defined content. The driver's subroutine will execute a rdmsr instruction with the user's buffer for input, and provide output from the instruction.

• DownWithUp/CVE-2018-16713

CVE-2018-16763 (2018-09-09)

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.

• dinhbaouit/CVE-2018-16763
• hikarihacks/CVE-2018-16763-exploit
• n3m1sys/CVE-2018-16763-Exploit-Python3
• uwueviee/Fu3l-F1lt3r
• shoamshilo/Fuel-CMS-Remote-Code-Execution-1.4--RCE--
• kxisxr/Bash-Script-CVE-2018-16763
• padsalatushal/CVE-2018-16763
• wizardy0ga/THM-Vulnerability_Capstone-CVE-2018-16763
• n3rdh4x0r/CVE-2018-16763
• BrunoPincho/cve-2018-16763-rust
• p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE
• not1cyyy/CVE-2018-16763
• antisecc/CVE-2018-16763
• VitoBonetti/CVE-2018-16763
• saccles/CVE-2018-16763-Proof-of-Concept

CVE-2018-16809 (2019-03-07)

An issue was discovered in Dolibarr through 7.0.0. expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit.

• elkassimyhajar/CVE-2018-16809

CVE-2018-16843 (2018-11-07)

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.

• flyniu666/ingress-nginx-0.21-1.19.5

CVE-2018-16854 (2018-11-26)

A flaw was found in moodle versions 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier. The login form is not protected by a token to prevent login cross-site request forgery. Fixed versions include 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15.

• danielthatcher/moodle-login-csrf

CVE-2018-16858 (2019-03-25)

It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.

• 4nimanegra/libreofficeExploit1
• phongld97/detect-cve-2018-16858
• bantu2301/CVE-2018-16858
• Henryisnotavailable/CVE-2018-16858-Python

CVE-2018-16875 (2018-12-14)

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

• alexzorin/poc-cve-2018-16875

CVE-2018-16890 (2019-02-06)

libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.

• michelleamesquita/CVE-2018-16890

CVE-2018-16987 (2018-09-13)

Squash TM through 1.18.0 presents the cleartext passwords of external services in the administration panel, as demonstrated by a ta-server-password field in the HTML source code.

• gquere/CVE-2018-16987

CVE-2018-17081 (2018-09-26)

e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=inline&ajax_used=1&id= for changing the title of an arbitrary page.

• himanshurahi/e107_2.1.9_CSRF_POC

CVE-2018-17144 (2018-09-19)

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

• iioch/ban-exploitable-bitcoin-nodes
• hikame/CVE-2018-17144_POC

CVE-2018-17182 (2018-09-19)

An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.

• jas502n/CVE-2018-17182
• likekabin/CVE-2018-17182
• likekabin/vmacache_CVE-2018-17182
• jedai47/cve-2018-17182

CVE-2018-17207 (2018-09-19)

An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.

• cved-sources/cve-2018-17207

CVE-2018-17240 (2022-06-10)

There is a memory dump vulnerability on Netwave IP camera devices at //proc/kcore that allows an unauthenticated attacker to exfiltrate sensitive information from the network configuration (e.g., username and password).

• BBge/CVE-2018-17240
• Xewdy444/Netgrave
• FenrirSec/CVE-2018-17240_exploit

CVE-2018-17246 (2018-12-20)

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

• mpgn/CVE-2018-17246

CVE-2018-17254 (2018-09-20)

The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter.

• Nickguitar/Joomla-JCK-Editor-6.4.4-SQL-Injection
• MataKucing-OFC/CVE-2018-17254

CVE-2018-17418 (2019-03-07)

Monstra CMS 3.0.4 allows remote attackers to execute arbitrary PHP code via a mixed-case file extension, as demonstrated by the 123.PhP filename, because plugins\box\filesmanager\filesmanager.admin.php mishandles the forbidden_types variable.

• Jx0n0/monstra_cms-3.0.4--getshell

CVE-2018-17431 (2019-01-29)

Web Console in Comodo UTM Firewall before 2.7.0 allows remote attackers to execute arbitrary code without authentication via a crafted URL.

• Fadavvi/CVE-2018-17431-PoC
• sanan2004/CVE-2018-17431-Comodo

CVE-2018-17456 (2018-10-06)

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.

• shpik-kr/CVE-2018-17456
• matlink/CVE-2018-17456
• 799600966/CVE-2018-17456
• AnonymKing/CVE-2018-17456
• jiahuiLeee/test
• KKkai0315/CVE-2018-17456

CVE-2018-17463 (2018-11-14)

Incorrect side effect annotation in V8 in Google Chrome prior to 70.0.3538.64 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

• kdmarti2/CVE-2018-17463
• jhalon/CVE-2018-17463

CVE-2018-17552 (2018-10-03)

SQL Injection in login.php in Naviwebs Navigate CMS 2.8 allows remote attackers to bypass authentication via the navigate-user cookie.

• kimstars/CVE-2018-17552

CVE-2018-17553 (2018-10-03)

An "Unrestricted Upload of File with Dangerous Type" issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated attackers to achieve remote code execution via a POST request with engine=picnik and id=../../../navigate_info.php.

• MidwintersTomb/CVE-2018-17553

CVE-2018-17873 (2018-10-23)

An incorrect access control vulnerability in the FTP configuration of WiFiRanger devices with firmware version 7.0.8rc3 and earlier allows an attacker with adjacent network access to read the SSH Private Key and log in to the root account.

• Luct0r/CVE-2018-17873

CVE-2018-17924 (2018-12-07)

Rockwell Automation MicroLogix 1400 Controllers and 1756 ControlLogix Communications Modules An unauthenticated, remote threat actor could send a CIP connection request to an affected device, and upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system as the system traffic is still attempting to communicate with the device via the overwritten IP address.

• g0dd0ghd/CVE-2018-17924-PoC

CVE-2018-17961 (2018-10-15)

Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183.

• matlink/CVE-2018-17961

CVE-2018-18026 (2018-10-19)

IMFCameraProtect.sys in IObit Malware Fighter 6.2 (and possibly lower versions) is vulnerable to a stack-based buffer overflow. The attacker can use DeviceIoControl to pass a user specified size which can be used to overwrite return addresses. This can lead to a denial of service or code execution attack.

• DownWithUp/CVE-2018-18026

CVE-2018-18333 (2019-02-05)

A DLL hijacking vulnerability in Trend Micro Security 2019 (Consumer) versions below 15.0.0.1163 and below could allow an attacker to manipulate a specific DLL and escalate privileges on vulnerable installations.

• mrx04programmer/Dr.DLL-CVE-2018-18333

CVE-2018-18368 (2019-11-15)

Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU1, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.

• DimopoulosElias/SEPM-EoP

CVE-2018-18387 (2018-10-29)

playSMS through 1.4.2 allows Privilege Escalation through Daemon abuse.

• TheeBlind/CVE-2018-18387

CVE-2018-18500 (2019-02-05)

A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65.

• sophoslabs/CVE-2018-18500

CVE-2018-18649 (2018-11-29)

An issue was discovered in the wiki API in GitLab Community and Enterprise Edition before 11.2.7, 11.3.x before 11.3.8, and 11.4.x before 11.4.3. It allows for remote code execution.

• Snowming04/CVE-2018-18649

CVE-2018-18714 (2018-11-01)

RegFilter.sys in IOBit Malware Fighter 6.2 and earlier is susceptible to a stack-based buffer overflow when an attacker uses IOCTL 0x8006E010. This can lead to denial of service (DoS) or code execution with root privileges.

• DownWithUp/CVE-2018-18714

CVE-2018-18778 (2018-10-29)

ACME mini_httpd before 1.30 lets remote users read arbitrary files.

• cyberharsh/Mini_httpd-CVE-2018-18778
• auk0x01/CVE-2018-18778-Scanner

CVE-2018-18852 (2019-06-18)

Cerio DT-300N 1.1.6 through 1.1.12 devices allow OS command injection because of improper input validation of the web-interface PING feature's use of Save.cgi to execute a ping command, as exploited in the wild in October 2018.

• hook-s3c/CVE-2018-18852
• andripwn/CVE-2018-18852

CVE-2018-18893 (2019-01-03)

Jinjava before 2.4.6 does not block the getClass method, related to com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java.

• LycsHub/CVE-2018-18893

CVE-2018-18925 (2018-11-04)

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.

• j4k0m/CVE-2018-18925

CVE-2018-18955 (2018-11-16)

In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.

• scheatkode/CVE-2018-18955

CVE-2018-19052 (2018-11-07)

An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.

• iveresk/cve-2018-19052

CVE-2018-19126 (2018-11-09)

PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.

• farisv/PrestaShop-CVE-2018-19126

CVE-2018-19127 (2018-11-09)

A code injection vulnerability in /type.php in PHPCMS 2008 allows attackers to write arbitrary content to a website cache file with a controllable filename, leading to arbitrary code execution. The PHP code is sent via the template parameter, and is written to a data/cache_template/*.tpl.php file along with a "<?php function " substring.

• ab1gale/phpcms-2008-CVE-2018-19127

CVE-2018-19131 (2018-11-09)

Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.

• JonathanWilbur/CVE-2018-19131

CVE-2018-19207 (2018-11-12)

The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018.

• aeroot/WP-GDPR-Compliance-Plugin-Exploit
• cved-sources/cve-2018-19207

CVE-2018-19246 (2018-11-13)

PHP-Proxy 5.1.0 allows remote attackers to read local files if the default "pre-installed version" (intended for users who lack shell access to their web server) is used. This occurs because the aeb067ca0aa9a3193dce3a7264c90187 app_key value from the default config.php is in place, and this value can be easily used to calculate the authorization data needed for local file inclusion.

• NeoWans/CVE-2018-19246

CVE-2018-19276 (2019-03-17)

OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

• mpgn/CVE-2018-19276

CVE-2018-19320 (2018-12-21)

The GDrv low-level driver in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 exposes ring0 memcpy-like functionality that could allow a local attacker to take complete control of the affected system.

• ASkyeye/CVE-2018-19320
• hmnthabit/CVE-2018-19320-LPE
• zer0condition/GDRVLoader

CVE-2018-19321 (2018-12-21)

The GPCIDrv and GDrv low-level drivers in GIGABYTE APP Center v1.05.21 and earlier, AORUS GRAPHICS ENGINE before 1.57, XTREME GAMING ENGINE before 1.26, and OC GURU II v2.08 expose functionality to read and write arbitrary physical memory. This could be leveraged by a local attacker to elevate privileges.

• nanabingies/Driver-RW
• nanabingies/CVE-2018-19321

CVE-2018-19410 (2018-11-21)

PRTG Network Monitor before 18.2.40.1683 allows remote unauthenticated attackers to create users with read-write privileges (including administrator). A remote unauthenticated user can craft an HTTP request and override attributes of the 'include' directive in /public/login.htm and perform a Local File Inclusion attack, by including /api/addusers and executing it. By providing the 'id' and 'users' parameters, an unauthenticated attacker can create a user with read-write privileges (including administrator).

• himash/CVE-2018-19410-POC

CVE-2018-19422 (2018-11-21)

/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.

• hev0x/CVE-2018-19422-SubrionCMS-RCE
• Swammers8/SubrionCMS-4.2.1-File-upload-RCE-auth-

CVE-2018-19466 (2019-03-27)

A vulnerability was found in Portainer before 1.20.0. Portainer stores LDAP credentials, corresponding to a master password, in cleartext and allows their retrieval via API calls.

• MauroEldritch/lempo

CVE-2018-19487 (2019-03-17)

The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_employer_ajax_profile() function through the admin-ajax.php file, which allows remote unauthenticated attackers to enumerate information about users.

• YOLOP0wn/wp-jobhunt-exploit

CVE-2018-19518 (2018-11-25)

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

• ensimag-security/CVE-2018-19518
• houqe/EXP_CVE-2018-19518

CVE-2018-19537 (2018-11-26)

TP-Link Archer C5 devices through V2_160201_US allow remote command execution via shell metacharacters on the wan_dyn_hostname line of a configuration file that is encrypted with the 478DA50BF9E3D2CF key and uploaded through the web GUI by using the web admin account. The default password of admin may be used in some cases.

• JackDoan/TP-Link-ArcherC5-RCE

CVE-2018-19571 (2019-07-10)

GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks.

• xenophil90/edb-49263-fixed
• Algafix/gitlab-RCE-11.4.7
• CS4239-U6/gitlab-ssrf

CVE-2018-19592 (2019-09-27)

The "CLink4Service" service is installed with Corsair Link 4.9.7.35 with insecure permissions by default. This allows unprivileged users to take control of the service and execute commands in the context of NT AUTHORITY\SYSTEM, leading to total system takeover, a similar issue to CVE-2018-12441.

• BradyDonovan/CVE-2018-19592

CVE-2018-19788 (2018-12-03)

A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.

• AbsoZed/CVE-2018-19788
• d4gh0s7/CVE-2018-19788
• Ekultek/PoC
• jhlongjr/CVE-2018-19788

CVE-2018-19859 (2018-12-05)

OpenRefine before 3.2 beta allows directory traversal via a relative pathname in a ZIP archive.

• WhiteOakSecurity/CVE-2018-19859

CVE-2018-19911 (2018-12-06)

FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used.

• iSafeBlue/freeswitch_rce

CVE-2018-19987 (2019-05-13)

D-Link DIR-822 Rev.B 202KRb06, DIR-822 Rev.C 3.10B06, DIR-860L Rev.B 2.03.B03, DIR-868L Rev.B 2.05B02, DIR-880L Rev.A 1.20B01_01_i3se_BETA, and DIR-890L Rev.A 1.21B02_BETA devices mishandle IsAccessPoint in /HNAP1/SetAccessPointMode. In the SetAccessPointMode.php source code, the IsAccessPoint parameter is saved in the ShellPath script file without any regex checking. After the script file is executed, the command injection occurs. A vulnerable /HNAP1/SetAccessPointMode XML message could have shell metacharacters in the IsAccessPoint element such as the telnetd string.

• nahueldsanchez/blogpost_cve-2018-19987-analysis

CVE-2018-20062 (2018-12-11)

An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.

• NS-Sp4ce/thinkphp5.XRce
• yilin1203/CVE-2018-20062

CVE-2018-20148 (2018-12-14)

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

• nth347/CVE-2018-20148_exploit

CVE-2018-20162 (2019-03-17)

Digi TransPort LR54 4.4.0.26 and possible earlier devices have Improper Input Validation that allows users with 'super' CLI access privileges to bypass a restricted shell and execute arbitrary commands as root.

• stigtsp/CVE-2018-20162-digi-lr54-restricted-shell-escape

CVE-2018-20165 (2019-03-22)

Cross-site scripting (XSS) vulnerability in OpenText Portal 7.4.4 allows remote attackers to inject arbitrary web script or HTML via the vgnextoid parameter to a menuitem URI.

• hect0rS/Reflected-XSS-on-Opentext-Portal-v7.4.4

CVE-2018-20250 (2019-02-05)

In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.

• WyAtu/CVE-2018-20250
• QAX-A-Team/CVE-2018-20250
• nmweizi/CVE-2018-20250-poc-winrar
• blunden/UNACEV2.DLL-CVE-2018-20250
• easis/CVE-2018-20250-WinRAR-ACE
• STP5940/CVE-2018-20250
• technicaldada/hack-winrar
• Ektoplasma/ezwinrar
• arkangel-dev/CVE-2018-20250-WINRAR-ACE-GUI
• AeolusTF/CVE-2018-20250
• joydragon/Detect-CVE-2018-20250
• likekabin/CVE-2018-20250
• H4xl0r/WinRar_ACE_exploit_CVE-2018-20250
• eastmountyxz/CVE-2018-20250-WinRAR
• lxg5763/cve-2018-20250
• zeronohacker/CVE-2018-20250
• tzwlhack/CVE-2018-20250
• tannlh/CVE-2018-20250
• LamSonBinh/CVE-2018-20250

CVE-2018-20343 (2020-03-02)

Multiple buffer overflow vulnerabilities have been found in Ken Silverman Build Engine 1. An attacker could craft a special map file to execute arbitrary code when the map file is loaded.

• Alexandre-Bartel/CVE-2018-20343

CVE-2018-20377 (2018-12-23)

Orange Livebox 00.96.320S devices allow remote attackers to discover Wi-Fi credentials via /get_getnetworkconf.cgi on port 8080, leading to full control if the admin password equals the Wi-Fi password or has the default admin value. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.

• zadewg/LIVEBOX-0DAY

CVE-2018-20433 (2018-12-24)

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

• shanika04/cp30_XXE_partial_fix

CVE-2018-20434 (2019-04-24)

LibreNMS 1.46 allows remote attackers to execute arbitrary OS commands by using the $_POST['community'] parameter to html/pages/addhost.inc.php during creation of a new device, and then making a /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost request that triggers html/includes/output/capture.inc.php command mishandling.

• mhaskar/CVE-2018-20434

CVE-2018-20463 (2018-12-25)

An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. There is an arbitrary file read vulnerability via ../ directory traversal in query=php://filter/resource= in the jsmol.php query string. This can also be used for SSRF.

• Henry4E36/CVE-2018-20463

CVE-2018-20555 (2019-03-18)

The Design Chemical Social Network Tabs plugin 1.7.1 for WordPress allows remote attackers to discover Twitter access_token, access_token_secret, consumer_key, and consumer_secret values by reading the dcwp_twitter.php source code. This leads to Twitter account takeover.

• fs0c131y/CVE-2018-20555

CVE-2018-20580 (2019-05-03)

The WSDL import functionality in SmartBear ReadyAPI 2.5.0 and 2.6.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.

• gscamelo/CVE-2018-20580

CVE-2018-20718 (2019-01-15)

In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link.

• us3r777/CVE-2018-20718

CVE-2018-20966 (2019-08-12)

The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in the Products Per Page feature.

• parzel/CVE-2018-20966

CVE-2018-25031 (2022-03-11)

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.

• afine-com/CVE-2018-25031
• kriso4os/CVE-2018-25031
• rafaelcintralopes/SwaggerUI-CVE-2018-25031
• mathis2001/CVE-2018-25031
• wrkk112/CVE-2018-25031
• LUCASRENAA/CVE-2018-25031
• hev0x/CVE-2018-25031-PoC
• johnlaurance/CVE-2018-25031-test2
• geozin/POC-CVE-2018-25031
• h2oa/CVE-2018-25031
• natpakun/SSRF-CVE-2018-25031-
• KonEch0/CVE-2018-25031-SG
• Proklinius897/CVE-2018-25031-tests

CVE-2018-25032 (2022-03-25)

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

• Trinadh465/external_zlib_4.4_CVE-2018-25032
• Satheesh575555/external_zlib-1.2.7_CVE-2018-25032
• Trinadh465/external_zlib_AOSP10_r33_CVE-2018-25032

CVE-2018-25075 (2023-01-15)

Es wurde eine kritische Schwachstelle in karsany OBridge bis 1.3 entdeckt. Hiervon betroffen ist die Funktion getAllStandaloneProcedureAndFunction der Datei obridge-main/src/main/java/org/obridge/dao/ProcedureDao.java. Durch Manipulation mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Die Komplexität eines Angriffs ist eher hoch. Sie gilt als schwierig auszunutzen. Ein Aktualisieren auf die Version 1.4 vermag dieses Problem zu lösen. Der Patch wird als 52eca4ad05f3c292aed3178b2f58977686ffa376 bezeichnet. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.

• epicosy/obridge

CVE-2018-1000001 (2018-01-31)

In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

• 0x00-0x00/CVE-2018-1000001
• usernameid0/tools-for-CVE-2018-1000001

CVE-2018-1000006 (2018-01-24)

GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.

• CHYbeta/CVE-2018-1000006-DEMO

CVE-2018-1000030 (2018-02-08)

Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Python versions prior to 2.7.14 may also be vulnerable and it appears that Python 2.7.17 and prior may also be vulnerable however this has not been confirmed. The vulnerability lies when multiply threads are handling large amounts of data. In both cases there is essentially a race condition that occurs. For the Heap-Buffer-Overflow, Thread 2 is creating the size for a buffer, but Thread1 is already writing to the buffer without knowing how much to write. So when a large amount of data is being processed, it is very easy to cause memory corruption using a Heap-Buffer-Overflow. As for the Use-After-Free, Thread3->Malloc->Thread1->Free's->Thread2-Re-uses-Free'd Memory. The PSRT has stated that this is not a security vulnerability due to the fact that the attacker must be able to run code, however in some situations, such as function as a service, this vulnerability can potentially be used by an attacker to violate a trust boundary, as such the DWF feels this issue deserves a CVE.

• tylepr96/CVE-2018-1000030

CVE-2018-1000082 (2018-03-13)

Ajenti version version 2 contains a Cross ite Request Forgery (CSRF) vulnerability in the command execution panel of the tool used to manage the server. that can result in Code execution on the server . This attack appear to be exploitable via Being a CSRF, victim interaction is needed, when the victim access the infected trigger of the CSRF any code that match the victim privledges on the server can be executed..

• SECFORCE/CVE-2018-1000082-exploit

CVE-2018-1000117 (2018-03-07)

Python Software Foundation CPython version From 3.2 until 3.6.4 on Windows contains a Buffer Overflow vulnerability in os.symlink() function on Windows that can result in Arbitrary code execution, likely escalation of privilege. This attack appears to be exploitable via a python script that creates a symlink with an attacker controlled name or location. This vulnerability appears to have been fixed in 3.7.0 and 3.6.5.

• u0pattern/CVE-2018-1000117-Exploit

CVE-2018-1000134 (2018-03-16)

UnboundID LDAP SDK version from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6, where the issue was reported and fixed contains an Incorrect Access Control vulnerability in process function in SimpleBindRequest class doesn't check for empty password when running in synchronous mode. commit with applied fix https://github.com/pingidentity/ldapsdk/commit/8471904a02438c03965d21367890276bc25fa5a6#diff-f6cb23b459be1ec17df1da33760087fd that can result in Ability to impersonate any valid user. This attack appear to be exploitable via Providing valid username and empty password against servers that do not do additional validation as per https://tools.ietf.org/html/rfc4513#section-5.1.1. This vulnerability appears to have been fixed in after commit 8471904a02438c03965d21367890276bc25fa5a6.

• dragotime/cve-2018-1000134

CVE-2018-1000140 (2018-03-23)

rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow vulnerability in the checking of x509 certificates from a peer that can result in Remote code execution. This attack appear to be exploitable a remote attacker that can connect to rsyslog and trigger a stack buffer overflow by sending a specially crafted x509 certificate.

• s0/rsyslog-librelp-CVE-2018-1000140
• s0/rsyslog-librelp-CVE-2018-1000140-fixed

CVE-2018-1000199 (2018-05-24)

The Linux Kernel version 3.18 contains a dangerous feature vulnerability in modify_user_hw_breakpoint() that can result in crash and possibly memory corruption. This attack appear to be exploitable via local code execution and the ability to use ptrace. This vulnerability appears to have been fixed in git commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f.

• dsfau/CVE-2018-1000199

CVE-2018-1000224 (2018-08-20)

Godot Engine version All versions prior to 2.1.5, all 3.0 versions prior to 3.0.6. contains a Signed/unsigned comparison, wrong buffer size chackes, integer overflow, missing padding initialization vulnerability in (De)Serialization functions (core/io/marshalls.cpp) that can result in DoS (packet of death), possible leak of uninitialized memory. This attack appear to be exploitable via A malformed packet is received over the network by a Godot application that uses built-in serialization (e.g. game server, or game client). Could be triggered by multiplayer opponent. This vulnerability appears to have been fixed in 2.1.5, 3.0.6, master branch after commit feaf03421dda0213382b51aff07bd5a96b29487b.

• zann1x/ITS

CVE-2018-1000529 (2018-06-26)

Grails Fields plugin version 2.2.7 contains a Cross Site Scripting (XSS) vulnerability in Using the display tag that can result in XSS . This vulnerability appears to have been fixed in 2.2.8.

• martinfrancois/CVE-2018-1000529

CVE-2018-1000531 (2018-06-26)

inversoft prime-jwt version prior to commit abb0d479389a2509f939452a6767dc424bb5e6ba contains a CWE-20 vulnerability in JWTDecoder.decode that can result in an incorrect signature validation of a JWT token. This attack can be exploitable when an attacker crafts a JWT token with a valid header using 'none' as algorithm and a body to requests it be validated. This vulnerability was fixed after commit abb0d479389a2509f939452a6767dc424bb5e6ba.

• realbatuhan/JWT-Bruteforcer

CVE-2018-1000542 (2018-06-26)

netbeans-mmd-plugin version <= 1.4.3 contains a XML External Entity (XXE) vulnerability in MMD file import that can result in Possible information disclosure, server-side request forgery, or remote code execution. This attack appear to be exploitable via Specially crafted MMD file.

• forse01/CVE-2018-1000542-NetBeans

CVE-2018-1000802 (2018-09-18)

Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.

• tna0y/CVE-2018-1000802-PoC

CVE-2018-1000844 (2018-12-20)

Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files from the file system or to perform SSRF.. This vulnerability appears to have been fixed in After commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.

• epicosy/Retrofit-1

CVE-2018-1000861 (2018-12-10)

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.

• 1NTheKut/CVE-2019-1003000_RCE-DETECTION
• smokeintheshell/CVE-2018-1000861

CVE-2018-1002105 (2018-12-05)

In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

• gravitational/cve-2018-1002105
• evict/poc_CVE-2018-1002105
• imlzw/Kubernetes-1.12.3-all-auto-install
• bgeesaman/cve-2018-1002105
• sh-ubh/CVE-2018-1002105

CVE-2018-1999002 (2018-07-23)

A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

• wetw0rk/Exploit-Development
• slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins
• 0x6b7966/CVE-2018-1999002

2017

CVE-2017-0005 (2017-03-17)

The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application, aka "Windows GDI Elevation of Privilege Vulnerability." This vulnerability is different from those described in CVE-2017-0001, CVE-2017-0025, and CVE-2017-0047.

• sheri31/0005poc

CVE-2017-0037 (2017-02-26)

Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.

• chattopadhyaykittu/CVE-2017-0037

CVE-2017-0038 (2017-02-20)

gdi32.dll in Graphics Device Interface (GDI) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to obtain sensitive information from process heap memory via a crafted EMF file, as demonstrated by an EMR_SETDIBITSTODEVICE record with modified Device Independent Bitmap (DIB) dimensions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3216, CVE-2016-3219, and/or CVE-2016-3220.

• k0keoyo/CVE-2017-0038-EXP-C-JS

CVE-2017-0055 (2017-03-17)

Microsoft Internet Information Server (IIS) in Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to perform cross-site scripting and run script with local user privileges via a crafted request, aka "Microsoft IIS Server XSS Elevation of Privilege Vulnerability."

• NetJBS/CVE-2017-0055-PoC

CVE-2017-0065 (2017-03-17)

Microsoft Edge allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability." This vulnerability is different from those described in CVE-2017-0009, CVE-2017-0011, CVE-2017-0017, and CVE-2017-0068.

• Dankirk/cve-2017-0065

CVE-2017-0075 (2017-03-17)

Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows guest OS users to execute arbitrary code on the host OS via a crafted application, aka "Hyper-V Remote Code Execution Vulnerability." This vulnerability is different from that described in CVE-2017-0109.

• 4B5F5F4B/HyperV
• belyakovvitagmailt/4B5F5F4Bp
• MarkusCarelli1/4B5F5F4Bp

CVE-2017-0089 (2017-03-17)

Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Uniscribe Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0072, CVE-2017-0083, CVE-2017-0084, CVE-2017-0086, CVE-2017-0087, CVE-2017-0088, and CVE-2017-0090.

• rainhawk13/Added-Pentest-Ground-to-vulnerable-websites-for-training

CVE-2017-0100 (2017-03-17)

A DCOM object in Helppane.exe in Microsoft Windows 7 SP1; Windows Server 2008 R2; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows local users to gain privileges via a crafted application, aka "Windows HelpPane Elevation of Privilege Vulnerability."

• cssxn/CVE-2017-0100

CVE-2017-0106 (2017-04-12)

Microsoft Excel 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outlook 2013 SP1, and Microsoft Outlook 2016 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."

• ryhanson/CVE-2017-0106

CVE-2017-0108 (2017-03-17)

The Windows Graphics Component in Microsoft Office 2007 SP3; 2010 SP2; and Word Viewer; Skype for Business 2016; Lync 2013 SP1; Lync 2010; Live Meeting 2007; Silverlight 5; Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Graphics Component Remote Code Execution Vulnerability." This vulnerability is different from that described in CVE-2017-0014.

• homjxi0e/CVE-2017-0108

CVE-2017-0143 (2017-03-17)

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

• valarauco/wannafind
• NatteeSetobol/Etern-blue-Windows-7-Checker
• n3rdh4x0r/MS17-010_CVE-2017-0143
• SampatDhakal/Metasploit-Attack-Report

CVE-2017-0144 (2017-03-17)

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

• peterpt/eternal_scanner
• kimocoder/eternalblue
• EEsshq/CVE-2017-0144---EtneralBlue-MS17-010-Remote-Code-Execution
• quynhold/Detect-CVE-2017-0144-attack
• ducanh2oo3/Vulnerability-Research-CVE-2017-0144
• AnugiArrawwala/CVE-Research
• DenuwanJayasekara/CVE-Exploitation-Reports
• sethwhy/BlueDoor
• AtithKhawas/autoblue

CVE-2017-0145 (2017-03-17)

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.

• MelonSmasher/chef_tissues

CVE-2017-0147 (2017-03-17)

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka "Windows SMB Information Disclosure Vulnerability."

• RobertoLeonFR-ES/Exploit-Win32.CVE-2017-0147.A

CVE-2017-0148 (2017-03-17)

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, and CVE-2017-0146.

• HakaKali/CVE-2017-0148

CVE-2017-0199 (2017-04-12)

Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

• ryhanson/CVE-2017-0199
• SyFi/cve-2017-0199
• bhdresh/CVE-2017-0199
• NotAwful/CVE-2017-0199-Fix
• haibara3839/CVE-2017-0199-master
• Exploit-install/CVE-2017-0199
• mzakyz666/PoC-CVE-2017-0199
• n1shant-sinha/CVE-2017-0199
• kn0wm4d/htattack
• joke998/Cve-2017-0199
• joke998/Cve-2017-0199-
• sUbc0ol/Microsoft-Word-CVE-2017-0199-
• viethdgit/CVE-2017-0199
• nicpenning/RTF-Cleaner
• herbiezimmerman/2017-11-17-Maldoc-Using-CVE-2017-0199
• jacobsoo/RTF-Cleaner
• likekabin/CVE-2017-0199
• stealth-ronin/CVE-2017-0199-PY-KIT
• Phantomlancer123/CVE-2017-0199
• BRAINIAC22/CVE-2017-0199
• Sunqiz/CVE-2017-0199-reprofuction
• TheCyberWatchers/CVE-2017-0199-v5.0
• kash-123/CVE-2017-0199

CVE-2017-0204 (2017-04-12)

Microsoft Outlook 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outlook 2013 SP1, and Microsoft Outlook 2016 allow remote attackers to bypass the Office Protected View via a specially crafted document, aka "Microsoft Office Security Feature Bypass Vulnerability."

• ryhanson/CVE-2017-0204

CVE-2017-0213 (2017-05-12)

Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation privilege vulnerability when an attacker runs a specially crafted application, aka "Windows COM Elevation of Privilege Vulnerability". This CVE ID is unique from CVE-2017-0214.

• shaheemirza/CVE-2017-0213-
• zcgonvh/CVE-2017-0213
• billa3283/CVE-2017-0213
• likekabin/CVE-2017-0213
• jbooz1/CVE-2017-0213
• eonrickity/CVE-2017-0213
• Anonymous-Family/CVE-2017-0213

CVE-2017-0248 (2017-05-12)

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."

• rubenmamo/CVE-2017-0248-Test

CVE-2017-0261 (2017-05-12)

Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0262 and CVE-2017-0281.

• kcufId/eps-CVE-2017-0261
• erfze/CVE-2017-0261

CVE-2017-0263 (2017-05-12)

The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

• R06otMD5/cve-2017-0263-poc

CVE-2017-0290 (2017-05-09)

The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 does not properly scan a specially crafted file leading to memory corruption, aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability."

• homjxi0e/CVE-2017-0290-

CVE-2017-0358 (2018-04-13)

Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe with elevated privileges. A local user can take advantage of this flaw for local root privilege escalation.

• Wangsafz/cve-2017-0358.sh

CVE-2017-0411 (2017-02-08)

An elevation of privilege vulnerability in the Framework APIs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: 7.0, 7.1.1. Android ID: A-33042690.

• lulusudoku/PoC

CVE-2017-0478 (2017-03-08)

A remote code execution vulnerability in the Framesequence library could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses the Framesequence library. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33718716.

• bingghost/CVE-2017-0478
• likekabin/CVE-2017-0478

CVE-2017-0505 (2017-03-08)

An elevation of privilege vulnerability in MediaTek components, including the M4U driver, sound driver, touchscreen driver, GPU driver, and Command Queue driver, could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: N/A. Android ID: A-31822282. References: M-ALPS02992041.

• R0rt1z2/CVE-2017-0505-mtk

CVE-2017-0541 (2017-04-07)

A remote code execution vulnerability in sonivox in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-34031018.

• C0dak/CVE-2017-0541
• likekabin/CVE-2017-0541

CVE-2017-0554 (2017-04-07)

An elevation of privilege vulnerability in the Telephony component could enable a local malicious application to access capabilities outside of its permission levels. This issue is rated as Moderate because it could be used to gain access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33815946.

• lanrat/tethr

CVE-2017-0564 (2017-04-07)

An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34276203.

• guoygang/CVE-2017-0564-ION-PoC

CVE-2017-0781 (2017-09-14)

A remote code execution vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146105.

• ojasookert/CVE-2017-0781
• X3eRo0/android712-blueborne
• mjancek/BlueborneDetection
• CrackSoft900/Blue-Borne
• CarlosDelRosario7/sploit-bX
• DamianSuess/Learn.BlueJam

CVE-2017-0785 (2017-09-14)

A information disclosure vulnerability in the Android system (bluetooth). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63146698.

• ojasookert/CVE-2017-0785
• aymankhalfatni/CVE-2017-0785
• Alfa100001/-CVE-2017-0785-BlueBorne-PoC
• Hackerscript/BlueBorne-CVE-2017-0785
• pieterbork/blueborne
• sigbitsadmin/diff
• RavSS/Bluetooth-Crash-CVE-2017-0785
• sh4rknado/BlueBorn
• Joanmei/CVE-2017-0785
• CyberKimathi/Py3-CVE-2017-0785
• MasterCode112/Upgraded_BlueBourne-CVE-2017-0785-

CVE-2017-0806 (2017-10-03)

An elevation of privilege vulnerability in the Android framework (gatekeeperresponse). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-62998805.

• michalbednarski/ReparcelBug

CVE-2017-0807 (2017-10-03)

An elevation of privilege vulnerability in the Android framework (ui framework). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-35056974.

• kpatsakis/PoC_CVE-2017-0807

CVE-2017-75

• CalebFIN/EXP-CVE-2017-75

CVE-2017-1235 (2017-09-25)

IBM WebSphere MQ 8.0 could allow an authenticated user to cause a premature termination of a client application thread which could potentially cause denial of service. IBM X-Force ID: 123914.

• 11k4r/CVE-2017-1235_exploit

CVE-2017-1635 (2017-12-13)

IBM Tivoli Monitoring V6 6.2.2.x could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error. A remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause the application to crash. IBM X-Force ID: 133243.

• emcalv/tivoli-poc
• bcdannyboy/cve-2017-1635-PoC

CVE-2017-2024

• FarizDevloper/CVE-2017-2024

CVE-2017-2368 (2017-02-20)

An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. The issue involves the "Contacts" component. It allows remote attackers to cause a denial of service (application crash) via a crafted contact card.

• vincedes3/CVE-2017-2368

CVE-2017-2370 (2017-02-20)

An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. macOS before 10.12.3 is affected. tvOS before 10.1.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (buffer overflow) via a crafted app.

• maximehip/extra_recipe
• ldebug/extra_recipe
• Rootkitsmm-zz/extra_recipe-iOS-10.2
• Peterpan0927/CVE-2017-2370

CVE-2017-2388 (2017-04-02)

An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "IOFireWireFamily" component. It allows attackers to cause a denial of service (NULL pointer dereference) via a crafted app.

• bazad/IOFireWireFamily-null-deref

CVE-2017-2636 (2017-03-07)

Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline.

• alexzorin/cve-2017-2636-el

CVE-2017-2666 (2018-07-27)

It was discovered in Undertow that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

• tafamace/CVE-2017-2666

CVE-2017-2671 (2017-04-05)

The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call.

• homjxi0e/CVE-2017-2671

CVE-2017-2741 (2018-01-23)

A potential security vulnerability has been identified with HP PageWide Printers, HP OfficeJet Pro Printers, with firmware before 1708D. This vulnerability could potentially be exploited to execute arbitrary code.

• dopheide-esnet/zeek-jetdirect

CVE-2017-2751 (2018-10-03)

A BIOS password extraction vulnerability has been reported on certain consumer notebooks with firmware F.22 and others. The BIOS password was stored in CMOS in a way that allowed it to be extracted. This applies to consumer notebooks launched in early 2014.

• BaderSZ/CVE-2017-2751

CVE-2017-2793 (2017-05-23)

An exploitable heap corruption vulnerability exists in the UnCompressUnicode functionality of Antenna House DMC HTMLFilter used by MarkLogic 8.0-6. A specially crafted xls file can cause a heap corruption resulting in arbitrary code execution. An attacker can send/provide malicious XLS file to trigger this vulnerability.

• sUbc0ol/Detection-for-CVE-2017-2793

CVE-2017-2824 (2017-05-24)

An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.

• listenquiet/cve-2017-2824-reverse-shell

CVE-2017-2903 (2018-04-24)

An exploitable integer overflow exists in the DPX loading functionality of the Blender open-source 3d creation suite version 2.78c. A specially crafted '.cin' file can cause an integer overflow resulting in a buffer overflow which can allow for code execution under the context of the application. An attacker can convince a user to use the file as an asset via the sequencer in order to trigger this vulnerability.

• SpiralBL0CK/dpx_work_CVE-2017-2903

CVE-2017-3000 (2017-03-14)

Adobe Flash Player versions 24.0.0.221 and earlier have a vulnerability in the random number generator used for constant blinding. Successful exploitation could lead to information disclosure.

• dangokyo/CVE-2017-3000

CVE-2017-3066 (2017-04-27)

Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.

• codewhitesec/ColdFusionPwn
• cucadili/CVE-2017-3066

CVE-2017-3078 (2017-06-20)

Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable memory corruption vulnerability in the Adobe Texture Format (ATF) module. Successful exploitation could lead to arbitrary code execution.

• homjxi0e/CVE-2017-3078

CVE-2017-3143 (2019-01-16)

An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2.

• saaph/CVE-2017-3143

CVE-2017-3164 (2019-03-08)

Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.

• tdwyer/PoC_CVE-2017-3164_CVE-2017-1262

CVE-2017-3241 (2017-01-27)

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111; JRockit: R28.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts).

• xfei3/CVE-2017-3241-POC
• scopion/CVE-2017-3241

CVE-2017-3248 (2017-01-27)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0 and 12.2.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).

• ianxtianxt/CVE-2017-3248
• 0xn0ne/weblogicScanner
• BabyTeam1024/CVE-2017-3248

CVE-2017-3506 (2017-04-24)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

• ianxtianxt/CVE-2017-3506
• Al1ex/CVE-2017-3506

CVE-2017-3599 (2017-04-24)

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). NOTE: the previous information is from the April 2017 CPU. Oracle has not commented on third-party claims that this issue is an integer overflow in sql/auth/sql_authentication.cc which allows remote attackers to cause a denial of service via a crafted authentication packet.

• SECFORCE/CVE-2017-3599
• jptr218/mysql_dos

CVE-2017-3730 (2017-05-04)

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.

• olivierh59500/CVE-2017-3730

CVE-2017-3881 (2017-03-17)

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893.

• artkond/cisco-rce
• homjxi0e/CVE-2017-3881-exploit-cisco-
• homjxi0e/CVE-2017-3881-Cisco
• mzakyz666/PoC-CVE-2017-3881
• 1337g/CVE-2017-3881

CVE-2017-4490

• homjxi0e/CVE-2017-4490-
• homjxi0e/CVE-2017-4490-install-Script-Python-in-Terminal-

CVE-2017-4878

• brianwrf/CVE-2017-4878-Samples

CVE-2017-4971 (2017-06-13)

An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

• cved-sources/cve-2017-4971

CVE-2017-5005 (2017-01-02)

Stack-based buffer overflow in Quick Heal Internet Security 10.1.0.316 and earlier, Total Security 10.1.0.316 and earlier, and AntiVirus Pro 10.1.0.316 and earlier on OS X allows remote attackers to execute arbitrary code via a crafted LC_UNIXTHREAD.cmdsize field in a Mach-O file that is mishandled during a Security Scan (aka Custom Scan) operation.

• payatu/QuickHeal

CVE-2017-5007 (2017-02-17)

Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled the sequence of events when closing a page, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

• Ang-YC/CVE-2017-5007

CVE-2017-5123 (2021-11-02)

Insufficient data validation in waitid allowed an user to escape sandboxes on Linux.

• FloatingGuy/CVE-2017-5123
• 0x5068656e6f6c/CVE-2017-5123
• Synacktiv-contrib/exploiting-cve-2017-5123
• teawater/CVE-2017-5123
• c3r34lk1ll3r/CVE-2017-5123
• h1bAna/CVE-2017-5123

CVE-2017-5124 (2018-02-07)

Incorrect application of sandboxing in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted MHTML page.

• Bo0oM/CVE-2017-5124

CVE-2017-5223 (2017-01-16)

An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base directory is provided, it resolves to /, meaning that relative image URLs get treated as absolute local file paths and added as attachments. To form a remote vulnerability, the msgHTML method must be called, passed an unfiltered, user-supplied HTML document, and must not set a base directory.

• cscli/CVE-2017-5223

CVE-2017-5415 (2018-06-11)

An attack can use a blob URL and script to spoof an arbitrary addressbar URL prefaced by "blob:" as the protocol, leading to user confusion and further spoofing attacks. This vulnerability affects Firefox < 52.

• 649/CVE-2017-5415

CVE-2017-5487 (2017-01-15)

wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.

• teambugsbunny/wpUsersScan
• R3K1NG/wpUsersScan
• GeunSam2/CVE-2017-5487
• patilkr/wp-CVE-2017-5487-exploit
• zkhalidul/GrabberWP-CVE-2017-5487
• SeasonLeague/CVE-2017-5487
• Ravindu-Priyankara/CVE-2017-5487-vulnerability-on-NSBM
• K3ysTr0K3R/CVE-2017-5487-EXPLOIT
• dream434/CVE-2017-5487

CVE-2017-5633 (2017-03-06)

Multiple cross-site request forgery (CSRF) vulnerabilities on the D-Link DI-524 Wireless Router with firmware 9.01 allow remote attackers to (1) change the admin password, (2) reboot the device, or (3) possibly have unspecified other impact via crafted requests to CGI programs.

• cardangi/Exploit-CVE-2017-5633

CVE-2017-5638 (2017-03-11)

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

• PolarisLab/S2-045
• Flyteas/Struts2-045-Exp
• bongbongco/cve-2017-5638
• jas502n/S2-045-EXP-POC-TOOLS
• mthbernardes/strutszeiro
• xsscx/cve-2017-5638
• immunio/apache-struts2-CVE-2017-5638
• Masahiro-Yamada/OgnlContentTypeRejectorValve
• aljazceru/CVE-2017-5638-Apache-Struts2
• sjitech/test_struts2_vulnerability_CVE-2017-5638
• jrrombaldo/CVE-2017-5638
• random-robbie/CVE-2017-5638
• initconf/CVE-2017-5638_struts
• mazen160/struts-pwn
• ret2jazzy/Struts-Apache-ExploitPack
• lolwaleet/ExpStruts
• oktavianto/CVE-2017-5638-Apache-Struts2
• jrrdev/cve-2017-5638
• opt9/Strutshock
• falcon-lnhg/StrutsShell
• bhagdave/CVE-2017-5638
• jas502n/st2-046-poc
• KarzsGHR/S2-046_S2-045_POC
• gsfish/S2-Reaper
• mcassano/cve-2017-5638
• opt9/Strutscli
• tahmed11/strutsy
• payatu/CVE-2017-5638
• Aasron/Struts2-045-Exp
• SpiderMate/Stutsfi
• jpacora/Struts2Shell
• AndreasKl/CVE-2017-5638
• riyazwalikar/struts-rce-cve-2017-5638
• homjxi0e/CVE-2017-5638
• eeehit/CVE-2017-5638
• sUbc0ol/Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner
• sUbc0ol/Apache-Struts2-RCE-Exploit-v2-CVE-2017-5638
• R4v3nBl4ck/Apache-Struts-2-CVE-2017-5638-Exploit-
• Xhendos/CVE-2017-5638
• TamiiLambrado/Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner
• invisiblethreat/strutser
• lizhi16/CVE-2017-5638
• c002/Apache-Struts
• donaldashdown/Common-Vulnerability-and-Exploit
• sighup1/cybersecurity-struts2
• cafnet/apache-struts-v2-CVE-2017-5638
• 0x00-0x00/CVE-2017-5638
• m3ssap0/struts2_cve-2017-5638
• Greynad/struts2-jakarta-inject
• ggolawski/struts-rce
• win3zz/CVE-2017-5638
• leandrocamposcardoso/CVE-2017-5638-Mass-Exploit
• Iletee/struts2-rce
• andypitcher/check_struts
• un4ckn0wl3z/CVE-2017-5638
• colorblindpentester/CVE-2017-5638
• injcristianrojas/cve-2017-5638
• ludy-dev/XworkStruts-RCE
• sonatype-workshops/struts2-rce
• jongmartinez/CVE-2017-5638
• Badbird3/CVE-2017-5638
• jptr218/struts_hack
• testpilot031/vulnerability_struts-2.3.31
• readloud/CVE-2017-5638
• Tankirat/CVE-2017-5638
• banomaly/CVE-2017-5638
• mfdev-solution/Exploit-CVE-2017-5638
• mritunjay-k/CVE-2017-5638
• FredBrave/CVE-2017-5638-ApacheStruts2.3.5
• Nithylesh/web-application-firewall-
• kloutkake/CVE-2017-5638-PoC
• Xernary/CVE-2017-5638-POC

CVE-2017-5645 (2017-04-17)

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

• pimps/CVE-2017-5645
• HynekPetrak/log4shell-finder

CVE-2017-5689 (2017-05-02)

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).

• CerberusSecurity/CVE-2017-5689
• haxrob/amthoneypot
• Bijaye/intel_amt_bypass
• embedi/amt_auth_bypass_poc
• TheWay-hue/CVE-2017-5689-Checker

CVE-2017-5693 (2018-07-31)

Firmware in the Intel Puma 5, 6, and 7 Series might experience resource depletion or timeout, which allows a network attacker to create a denial of service via crafted network traffic.

• LunNova/Puma6Fail

CVE-2017-5715 (2018-01-04)

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

• opsxcq/exploit-cve-2017-5715
• mathse/meltdown-spectre-bios-list
• GregAskew/SpeculativeExecutionAssessment
• dmo2118/retpoline-audit
• GalloLuigi/Analisi-CVE-2017-5715

CVE-2017-5721 (2017-10-11)

Insufficient input validation in system firmware for Intel NUC7i3BNK, NUC7i3BNH, NUC7i5BNK, NUC7i5BNH, NUC7i7BNH versions BN0049 and below allows local attackers to execute arbitrary code via manipulation of memory.

• embedi/smm_usbrt_poc

CVE-2017-5753 (2018-01-04)

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

• Eugnis/spectre-attack
• EdwardOwusuAdjei/Spectre-PoC
• 00052/spectre-attack-example
• pedrolucasoliva/spectre-attack-demo
• ixtal23/spectreScope
• albertleecn/cve-2017-5753
• sachinthaBS/Spectre-Vulnerability-CVE-2017-5753-

CVE-2017-5754 (2018-01-04)

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

• ionescu007/SpecuCheck
• raphaelsc/Am-I-affected-by-Meltdown
• Viralmaniar/In-Spectre-Meltdown
• speecyy/Am-I-affected-by-Meltdown
• zzado/Meltdown
• jdmulloy/meltdown-aws-scanner

CVE-2017-5792 (2018-02-15)

A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found.

• scanfsec/HPE-iMC-7.3-RMI-Java-Deserialization

CVE-2017-5941 (2017-02-09)

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).

• Frivolous-scholar/CVE-2017-5941-NodeJS-RCE
• turnernator1/Node.js-CVE-2017-5941
• Cr4zyD14m0nd137/Lab-for-cve-2018-15133
• uartu0/nodejshell

CVE-2017-6008 (2017-09-13)

A kernel pool overflow in the driver hitmanpro37.sys in Sophos SurfRight HitmanPro before 3.7.20 Build 286 (included in the HitmanPro.Alert solution and Sophos Clean) allows local users to escalate privileges via a malformed IOCTL call.

• cbayet/Exploit-CVE-2017-6008

CVE-2017-6074 (2017-02-18)

The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.

• BimsaraMalinda/Linux-Kernel-4.4.0-Ubuntu---DCCP-Double-Free-Privilege-Escalation-CVE-2017-6074
• toanthang1842002/CVE-2017-6074

CVE-2017-6079 (2017-05-16)

The HTTP web-management application on Edgewater Networks Edgemarc appliances has a hidden page that allows for user-defined commands such as specific iptables routes, etc., to be set. You can use this page as a web shell essentially to execute commands, though you get no feedback client-side from the web application: if the command is valid, it executes. An example is the wget command. The page that allows this has been confirmed in firmware as old as 2006.

• MostafaSoliman/CVE-2017-6079-Blind-Command-Injection-In-Edgewater-Edgemarc-Devices-Exploit

CVE-2017-6090 (2017-10-02)

Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in logos_clients/.

• jlk/exploit-CVE-2017-6090

CVE-2017-6206 (2017-02-23)

D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28, and DGS-1510-20 Websmart devices with firmware before 1.31.B003 allow attackers to conduct Unauthenticated Information Disclosure attacks via unspecified vectors.

• varangamin/CVE-2017-6206

CVE-2017-6370 (2017-03-17)

TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields.

• faizzaidi/TYPO3-v7.6.15-Unencrypted-Login-Request

CVE-2017-6516 (2017-03-14)

A Local Privilege Escalation Vulnerability in MagniComp's Sysinfo before 10-H64 for Linux and UNIX platforms could allow a local attacker to gain elevated privileges. Parts of SysInfo require setuid-to-root access in order to access restricted system files and make restricted kernel calls. This access could be exploited by a local attacker to gain a root shell prompt using the right combination of environment variables and command line arguments.

• Rubytox/CVE-2017-6516-mcsiwrapper-

CVE-2017-6558 (2017-03-09)

iball Baton 150M iB-WRA150N v1 00000001 1.2.6 build 110401 Rel.47776n devices are prone to an authentication bypass vulnerability that allows remote attackers to view and modify administrative router settings by reading the HTML source code of the password.cgi file.

• GemGeorge/iBall-UTStar-CVEChecker

CVE-2017-6640 (2017-06-08)

A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or system-level privileges. The vulnerability exists because the affected software has a default user account that has a default, static password. The user account is created automatically when the software is installed. An attacker could exploit this vulnerability by connecting remotely to an affected system and logging in to the affected software by using the credentials for this default user account. A successful exploit could allow the attacker to use this default user account to log in to the affected software and gain access to the administrative console of a DCNM server. This vulnerability affects Cisco Prime Data Center Network Manager (DCNM) Software releases prior to Release 10.2(1) for Microsoft Windows, Linux, and Virtual Appliance platforms. Cisco Bug IDs: CSCvd95346.

• hemp3l/CVE-2017-6640-POC

CVE-2017-6736 (2017-07-17)

The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17 contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities. The vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP: Versions 1, 2c, and 3. To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities via SNMP Version 3, the attacker must have user credentials for the affected system. All devices that have enabled SNMP and have not explicitly excluded the affected MIBs or OIDs should be considered vulnerable. Cisco Bug IDs: CSCve57697.

• GarnetSunset/CiscoSpectreTakeover
• GarnetSunset/CiscoIOSSNMPToolkit

CVE-2017-6913 (2018-09-18)

Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail before 7.6.3-rev28 allows remote attackers to inject arbitrary web script or HTML via the event attribute in a time tag.

• gquere/CVE-2017-6913

CVE-2017-6971 (2017-03-22)

AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow remote authenticated users to execute arbitrary commands in a privileged context, or launch a reverse shell, via vectors involving the PHP session ID and the NfSen PHP code, aka AlienVault ID ENG-104862.

• patrickfreed/nfsen-exploit
• KeyStrOke95/nfsen_1.3.7_CVE-2017-6971

CVE-2017-7038 (2017-07-20)

A DOMParser XSS issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.

• ansjdnakjdnajkd/CVE-2017-7038

CVE-2017-7047 (2017-07-20)

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. macOS before 10.12.6 is affected. tvOS before 10.2.2 is affected. watchOS before 3.2.3 is affected. The issue involves the "libxpc" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

• JosephShenton/Triple_Fetch-Kernel-Creds
• q1f3/Triple_fetch

CVE-2017-7089 (2017-10-23)

An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that is mishandled during parent-tab processing.

• Bo0oM/CVE-2017-7089
• aymankhalfatni/Safari_Mac

CVE-2017-7092 (2017-10-23)

An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. iTunes before 12.7 on Windows is affected. tvOS before 11 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

• xuechiyaobai/CVE-2017-7092-PoC

CVE-2017-7173 (2018-04-03)

An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.

• bazad/sysctl_coalition_get_pid_list-dos

CVE-2017-7184 (2017-03-19)

The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52.

• rockl/cve-2017-7184
• rockl/cve-2017-7184-bak

CVE-2017-7188 (2017-04-14)

Zurmo 3.1.1 Stable allows a Cross-Site Scripting (XSS) attack with a base64-encoded SCRIPT element within a data: URL in the returnUrl parameter to default/toggleCollapse.

• faizzaidi/Zurmo-Stable-3.1.1-XSS-By-Provensec-LLC

CVE-2017-7269 (2017-03-27)

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.

• eliuha/webdav_exploit
• lcatro/CVE-2017-7269-Echo-PoC
• caicai1355/CVE-2017-7269-exploit
• M1a0rz/CVE-2017-7269
• whiteHat001/cve-2017-7269picture
• zcgonvh/cve-2017-7269
• g0rx/iis6-exploit-2017-CVE-2017-7269
• slimpagey/IIS_6.0_WebDAV_Ruby
• homjxi0e/cve-2017-7269
• xiaovpn/CVE-2017-7269
• zcgonvh/cve-2017-7269-tool
• mirrorblack/CVE-2017-7269
• Al1ex/CVE-2017-7269
• ThanHuuTuan/CVE-2017-7269
• n3rdh4x0r/CVE-2017-7269
• denchief1/CVE-2017-7269_Python3
• denchief1/CVE-2017-7269
• Cappricio-Securities/CVE-2017-7269
• VanishedPeople/CVE-2017-7269
• geniuszly/CVE-2017-7269
• AxthonyV/CVE-2017-7269

CVE-2017-7308 (2017-03-29)

The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.

• anldori/CVE-2017-7308

CVE-2017-7358 (2017-04-05)

In LightDM through 1.22.0, a directory traversal issue in debian/guest-account.sh allows local attackers to own arbitrary directory path locations and escalate privileges to root when the guest user logs out.

• JonPichel/CVE-2017-7358

CVE-2017-7374 (2017-03-31)

Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely.

• ww9210/cve-2017-7374

CVE-2017-7376 (2018-02-19)

Buffer overflow in libxml2 allows remote attackers to execute arbitrary code by leveraging an incorrect limit for port values when handling redirects.

• brahmstaedt/libxml2-exploit

CVE-2017-7410 (2017-04-03)

Multiple SQL injection vulnerabilities in account/signup.php and account/signup2.php in WebsiteBaker 2.10.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username, (2) display_name parameter.

• ashangp923/CVE-2017-7410

CVE-2017-7472 (2017-05-11)

The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.

• homjxi0e/CVE-2017-7472

CVE-2017-7494 (2017-05-30)

Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

• betab0t/cve-2017-7494
• homjxi0e/CVE-2017-7494
• opsxcq/exploit-CVE-2017-7494
• Waffles-2/SambaCry
• brianwrf/SambaHunter
• joxeankoret/CVE-2017-7494
• Zer0d0y/Samba-CVE-2017-7494
• incredible1yu/CVE-2017-7494
• cved-sources/cve-2017-7494
• john-80/cve-2017-7494
• Hansindu-M/CVE-2017-7494_IT19115344
• 0xm4ud/noSAMBAnoCRY-CVE-2017-7494
• I-Rinka/BIT-EternalBlue-for-macOS_Linux
• adjaliya/-CVE-2017-7494-Samba-Exploit-POC
• 00mjk/exploit-CVE-2017-7494
• d3fudd/CVE-2017-7494_SambaCry

CVE-2017-7504 (2017-05-19)

HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.

• wudidwo/CVE-2017-7504-poc

CVE-2017-7525 (2018-02-06)

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

• SecureSkyTechnology/study-struts2-s2-054_055-jackson-cve-2017-7525_cve-2017-15095
• Nazicc/S2-055
• JavanXD/Demo-Exploit-Jackson-RCE
• BassinD/jackson-RCE
• Dannners/jackson-deserialization-2017-7525
• Ingenuity-Fainting-Goats/CVE-2017-7525-Jackson-Deserialization-Lab

CVE-2017-7529 (2017-07-13)

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.

• liusec/CVE-2017-7529
• en0f/CVE-2017-7529_PoC
• cved-sources/cve-2017-7529
• MaxSecurity/CVE-2017-7529-POC
• cyberk1w1/CVE-2017-7529
• cyberharsh/nginx-CVE-2017-7529
• daehee/nginx-overflow
• gemboxteam/exploit-nginx-1.10.3
• fardeen-ahmed/Remote-Integer-Overflow-Vulnerability
• mo3zj/Nginx-Remote-Integer-Overflow-Vulnerability
• fu2x2000/CVE-2017-7529-Nginx---Remote-Integer-Overflow-Exploit
• Shehzadcyber/CVE-2017-7529
• coolman6942o/-Exploit-CVE-2017-7529
• SirEagIe/CVE-2017-7529

CVE-2017-7648 (2017-04-10)

Foscam networked devices use the same hardcoded SSL private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.

• notmot/CVE-2017-7648.

CVE-2017-7651 (2018-04-24)

In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol.

• mukkul007/MqttAttack
• St3v3nsS/CVE-2017-7651

CVE-2017-7679 (2017-06-20)

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.

• snknritr/CVE-2017-7679-in-python

CVE-2017-7912 (2019-04-08)

Hanwha Techwin SRN-4000, SRN-4000 firmware versions prior to SRN4000_v2.16_170401, A specially crafted http request and response could allow an attacker to gain access to the device management page with admin privileges without proper authentication.

• homjxi0e/CVE-2017-7912_Sneak

CVE-2017-7921 (2017-05-06)

An Improper Authentication issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The improper authentication vulnerability occurs when an application does not adequately or correctly authenticate users. This may allow a malicious user to escalate his or her privileges on the system and gain access to sensitive information.

• JrDw0/CVE-2017-7921-EXP
• BurnyMcDull/CVE-2017-7921
• MisakaMikato/cve-2017-7921-golang
• chrisjd20/hikvision_CVE-2017-7921_auth_bypass_config_decryptor
• p4tq/hikvision_CVE-2017-7921_auth_bypass_config_decryptor
• 201646613/CVE-2017-7921
• inj3ction/CVE-2017-7921-EXP
• krypton612/hikivision
• K3ysTr0K3R/CVE-2017-7921-EXPLOIT
• fracergu/CVE-2017-7921
• AnonkiGroup/AnonHik
• b3pwn3d/CVE-2017-7921
• yousouf-Tasfin/cve-2017-7921-Mass-Exploit
• kooroshsanaei/HikVision-CVE-2017-7921
• aengussong/hikvision_probe

CVE-2017-7998 (2018-01-08)

Multiple cross-site scripting (XSS) vulnerabilities in Gespage before 7.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) printer name when adding a printer in the admin panel or (2) username parameter to webapp/users/user_reg.jsp.

• homjxi0e/CVE-2017-7998

CVE-2017-8046 (2018-01-04)

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.

• Soontao/CVE-2017-8046-DEMO
• sj/spring-data-rest-CVE-2017-8046
• m3ssap0/SpringBreakVulnerableApp
• m3ssap0/spring-break_cve-2017-8046
• FixYourFace/SpringBreakPoC
• jkutner/spring-break-cve-2017-8046
• bkhablenko/CVE-2017-8046
• cved-sources/cve-2017-8046
• jsotiro/VulnerableSpringDataRest
• guanjivip/CVE-2017-8046

CVE-2017-8056 (2017-04-22)

WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. This causes the Firebox wgagent process to crash. This process crash ends all authenticated sessions to the Firebox, including management connections, and prevents new authenticated sessions until the process has recovered. The Firebox may also experience an overall degradation in performance while the wgagent process recovers. An attacker could continuously send XML-RPC requests that contain references to external entities to perform a limited Denial of Service (DoS) attack against an affected Firebox.

• itzexploit/CVE-2017-8056

CVE-2017-8225 (2017-04-25)

On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files (containing credentials) is not correctly checked. An attacker can bypass authentication by providing an empty loginuse parameter and an empty loginpas parameter in the URI.

• kienquoc102/CVE-2017-8225
• K3ysTr0K3R/CVE-2017-8225-EXPLOIT

CVE-2017-8295 (2017-05-04)

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

• homjxi0e/CVE-2017-8295-WordPress-4.7.4---Unauthorized-Password-Reset
• alash3al/wp-allowed-hosts
• cyberheartmi9/CVE-2017-8295

CVE-2017-8367 (2017-04-30)

Buffer overflow in Ether Software Easy MOV Converter 1.4.24, Easy DVD Creator, Easy MPEG/AVI/DIVX/WMV/RM to DVD, Easy Avi/Divx/Xvid to DVD Burner, Easy MPEG to DVD Burner, Easy WMV/ASF/ASX to DVD Burner, Easy RM RMVB to DVD Burner, Easy CD DVD Copy, MP3/AVI/MPEG/WMV/RM to Audio CD Burner, MP3/WAV/OGG/WMA/AC3 to CD Burner, MP3 WAV to CD Burner, My Video Converter, Easy AVI DivX Converter, Easy Video to iPod Converter, Easy Video to PSP Converter, Easy Video to 3GP Converter, Easy Video to MP4 Converter, and Easy Video to iPod/MP4/PSP/3GP Converter allows local attackers to cause a denial of service (SEH overwrite) or possibly have unspecified other impact via a long username.

• rnnsz/CVE-2017-8367

CVE-2017-8382 (2017-05-16)

admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.

• faizzaidi/Admidio-3.2.8-CSRF-POC-by-Provensec-llc

CVE-2017-8464 (2017-06-15)

Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. aka "LNK Remote Code Execution Vulnerability."

• Elm0D/CVE-2017-8464
• 3gstudent/CVE-2017-8464-EXP
• doudouhala/CVE-2017-8464-exp-generator
• X-Vector/usbhijacking
• xssfile/CVE-2017-8464-EXP
• TrG-1999/DetectPacket-CVE-2017-8464
• tuankiethkt020/Phat-hien-CVE-2017-8464
• TieuLong21Prosper/Detect-CVE-2017-8464

CVE-2017-8465 (2017-06-15)

Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to run processes in an elevated context when the Windows kernel improperly handles objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This CVE ID is unique from CVE-2017-8468.

• nghiadt1098/CVE-2017-8465

CVE-2017-8529 (2017-06-15)

Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, and Windows Server 2012 and R2 allow an attacker to detect specific files on the user's computer when affected Microsoft scripting engines do not properly handle objects in memory, aka "Microsoft Browser Information Disclosure Vulnerability".

• sfitpro/cve-2017-8529
• kaddirov/windows2016fixCVE-2017-8529

CVE-2017-8543 (2017-06-15)

Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to take control of the affected system when Windows Search fails to handle objects in memory, aka "Windows Search Remote Code Execution Vulnerability".

• americanhanko/windows-security-cve-2017-8543

CVE-2017-8570 (2017-07-11)

Microsoft Office allows a remote code execution vulnerability due to the way that it handles objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0243.

• temesgeny/ppsx-file-generator
• rxwx/CVE-2017-8570
• MaxSecurity/Office-CVE-2017-8570
• SwordSheath/CVE-2017-8570
• Drac0nids/CVE-2017-8570
• sasqwatch/CVE-2017-8570
• erfze/CVE-2017-8570

CVE-2017-8625 (2017-08-08)

Internet Explorer in Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an attacker to bypass Device Guard User Mode Code Integrity (UMCI) policies due to Internet Explorer failing to validate UMCI policies, aka "Internet Explorer Security Feature Bypass Vulnerability".

• homjxi0e/CVE-2017-8625_Bypass_UMCI

CVE-2017-8641 (2017-08-08)

Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allow an attacker to execute arbitrary code in the context of the current user due to the way that Microsoft browser JavaScript engines render when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-8634, CVE-2017-8635, CVE-2017-8636, CVE-2017-8638, CVE-2017-8639, CVE-2017-8640, CVE-2017-8645, CVE-2017-8646, CVE-2017-8647, CVE-2017-8655, CVE-2017-8656, CVE-2017-8657, CVE-2017-8670, CVE-2017-8671, CVE-2017-8672, and CVE-2017-8674.

• homjxi0e/CVE-2017-8641_chakra_Js_GlobalObject

CVE-2017-8759 (2017-09-13)

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to execute code remotely via a malicious document or application, aka ".NET Framework Remote Code Execution Vulnerability."

• Voulnet/CVE-2017-8759-Exploit-sample
• nccgroup/CVE-2017-8759
• vysecurity/CVE-2017-8759
• BasuCert/CVE-2017-8759
• tahisaad6/CVE-2017-8759-Exploit-sample2
• homjxi0e/CVE-2017-8759_-SOAP_WSDL
• bhdresh/CVE-2017-8759
• JonasUliana/CVE-2017-8759
• sythass/CVE-2017-8759
• ashr/CVE-2017-8759-exploits
• l0n3rs/CVE-2017-8759
• ChaitanyaHaritash/CVE-2017-8759
• smashinu/CVE-2017-8759Expoit
• adeljck/CVE-2017-8759
• zhengkook/CVE-2017-8759
• varunsaru/SNP
• GayashanM/OHTS

CVE-2017-8760 (2017-05-05)

An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in courier/1000@/index.html with the auth_params parameter. The device tries to use internal WAF filters to stop specific XSS Vulnerabilities. However, these can be bypassed by using some modifications to the payloads, e.g., URL encoding.

• Voraka/cve-2017-8760

CVE-2017-8779 (2017-05-04)

rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

• drbothen/GO-RPCBOMB

CVE-2017-8802 (2018-01-16)

Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite (aka ZCS) before 8.8.0 Beta2 might allow remote attackers to inject arbitrary web script or HTML via vectors related to the "Show Snippet" functionality.

• ozzi-/Zimbra-CVE-2017-8802-Hotifx

CVE-2017-8809 (2017-11-15)

api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability.

• motikan2010/CVE-2017-8809_MediaWiki_RFD

CVE-2017-8890 (2017-05-10)

The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call.

• beraphin/CVE-2017-8890
• thinkycx/CVE-2017-8890
• 7043mcgeep/cve-2017-8890-msf

CVE-2017-8917 (2017-05-17)

SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.

• brianwrf/Joomla3.7-SQLi-CVE-2017-8917
• stefanlucas/Exploit-Joomla
• cved-sources/cve-2017-8917
• gmohlamo/CVE-2017-8917
• AkuCyberSec/CVE-2017-8917-Joomla-370-SQL-Injection
• Siopy/CVE-2017-8917
• ionutbaltariu/joomla_CVE-2017-8917
• BaptisteContreras/CVE-2017-8917-Joomla
• gloliveira1701/Joomblah

CVE-2017-9096 (2017-11-08)

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

• jakabakos/CVE-2017-9096-iText-XXE

CVE-2017-9097 (2017-06-16)

In Anti-Web through 3.8.7, as used on NetBiter FGW200 devices through 3.21.2, WS100 devices through 3.30.5, EC150 devices through 1.40.0, WS200 devices through 3.30.4, EC250 devices through 1.40.0, and other products, an LFI vulnerability allows a remote attacker to read or modify files through a path traversal technique, as demonstrated by reading the password file, or using the template parameter to cgi-bin/write.cgi to write to an arbitrary file.

• MDudek-ICS/AntiWeb_testing-Suite

CVE-2017-9101 (2017-05-21)

import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file.

• jasperla/CVE-2017-9101

CVE-2017-9248 (2017-07-03)

Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.

• bao7uo/dp_crypto
• capt-meelo/Telewreck
• ictnamanh/CVE-2017-9248
• oldboysonnt/dp
• blacklanternsecurity/dp_cryptomg
• cehamod/UI_CVE-2017-9248
• hlong12042/CVE-2017-9248

CVE-2017-9417 (2017-06-03)

Broadcom BCM43xx Wi-Fi chips allow remote attackers to execute arbitrary code via unspecified vectors, aka the "Broadpwn" issue.

• mailinneberg/Broadpwn

CVE-2017-9430 (2017-06-05)

Stack-based buffer overflow in dnstracer through 1.9 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a command line with a long name argument that is mishandled in a strcpy call for argv[0]. An example threat model is a web application that launches dnstracer with an untrusted name string.

• homjxi0e/CVE-2017-9430
• j0lama/Dnstracer-1.9-Fix

CVE-2017-9476 (2017-07-31)

The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); and Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices makes it easy for remote attackers to determine the hidden SSID and passphrase for a Home Security Wi-Fi network.

• wiire-a/CVE-2017-9476

CVE-2017-9506 (2017-08-23)

The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).

• random-robbie/Jira-Scan
• pwn1sher/jira-ssrf
• labsbots/CVE-2017-9506

CVE-2017-9544 (2017-06-12)

There is a remote stack-based buffer overflow (SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1. By sending an overly long username string to registresult.htm for registering the user, an attacker may be able to execute arbitrary code.

• adenkiewicz/CVE-2017-9544

CVE-2017-9554 (2017-07-24)

An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.

• rfcl/Synology-DiskStation-User-Enumeration-CVE-2017-9554-
• Ez0-yf/CVE-2017-9554-Exploit-Tool

CVE-2017-9606 (2017-06-15)

Infotecs ViPNet Client and Coordinator before 4.3.2-42442 allow local users to gain privileges by placing a Trojan horse ViPNet update file in the update folder. The attack succeeds because of incorrect folder permissions in conjunction with a lack of integrity and authenticity checks.

• Houl777/CVE-2017-9606

CVE-2017-9608 (2017-12-27)

The dnxhd decoder in FFmpeg before 3.2.6, and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted mov file.

• LaCinquette/practice-22-23

CVE-2017-9609 (2017-07-17)

Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the map_language parameter to backend/pages/lang_settings.php.

• faizzaidi/Blackcat-cms-v1.2-xss-POC-by-Provensec-llc

CVE-2017-9627 (2017-07-07)

An Uncontrolled Resource Consumption issue was discovered in Schneider Electric Wonderware ArchestrA Logger, versions 2017.426.2307.1 and prior. The uncontrolled resource consumption vulnerability could allow an attacker to exhaust the memory resources of the machine, causing a denial of service.

• USSCltd/aaLogger

CVE-2017-9757 (2017-06-19)

IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi via the OINKCODE parameter, which is mishandled by a shell. This can be exploited directly by authenticated users, or through CSRF.

• peterleiva/CVE-2017-9757

CVE-2017-9769 (2017-08-02)

A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process.

• kkent030315/CVE-2017-9769

CVE-2017-9779 (2017-09-07)

OCaml compiler allows attackers to have unspecified impact via unknown vectors, a similar issue to CVE-2017-9772 "but with much less impact."

• homjxi0e/CVE-2017-9779

CVE-2017-9791 (2017-07-10)

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

• IanSmith123/s2-048
• dragoneeg/Struts2-048
• xfer0/CVE-2017-9791

CVE-2017-9798 (2017-09-18)

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

• nitrado/CVE-2017-9798
• pabloec20/optionsbleed
• l0n3rs/CVE-2017-9798
• brokensound77/OptionsBleed-POC-Scanner

CVE-2017-9805 (2017-09-15)

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

• luc10/struts-rce-cve-2017-9805
• hahwul/struts2-rce-cve-2017-9805-ruby
• mazen160/struts-pwn_CVE-2017-9805
• Lone-Ranger/apache-struts-pwn_CVE-2017-9805
• 0x00-0x00/-CVE-2017-9805
• BeyondCy/S2-052
• chrisjd20/cve-2017-9805.py
• UbuntuStrike/struts_rest_rce_fuzz-CVE-2017-9805-
• UbuntuStrike/CVE-2017-9805-Apache-Struts-Fuzz-N-Sploit
• AvishkaSenadheera/CVE-2017-9805---Documentation---IT19143378
• wifido/CVE-2017-9805-Exploit
• rvermeulen/apache-struts-cve-2017-9805
• jongmartinez/-CVE-2017-9805-
• z3bd/CVE-2017-9805
• 0xd3vil/CVE-2017-9805-Exploit
• Shakun8/CVE-2017-9805

CVE-2017-9822 (2017-07-20)

DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."

• murataydemir/CVE-2017-9822

CVE-2017-9830 (2017-06-27)

Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the org.apache.commons.ssl.rmi.DateRMI Java class, because (upon instantiation) it creates an RMI server that listens on a TCP port and deserializes objects sent by TCP clients.

• securifera/CVE-2017-9830

CVE-2017-9833 (2017-06-24)

/cgi-bin/wapopen in Boa 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges. NOTE: multiple third parties report that this is a system-integrator issue (e.g., a vulnerability on one type of camera) because Boa does not include any wapopen program or any code to read a FILECAMERA variable.

• anldori/CVE-2017-9833

CVE-2017-9841 (2017-06-27)

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

• mbrasile/CVE-2017-9841
• RandomRobbieBF/phpunit-brute
• cyberharsh/Php-unit-CVE-2017-9841
• ludy-dev/PHPUnit_eval-stdin_RCE
• incogbyte/laravel-phpunit-rce-masscaner
• akr3ch/CVE-2017-9841
• p1ckzi/CVE-2017-9841
• jax7sec/CVE-2017-9841
• mileticluka1/eval-stdin
• dream434/CVE-2017-9841-
• MadExploits/PHPunit-Exploit
• MrG3P5/CVE-2017-9841
• Chocapikk/CVE-2017-9841

CVE-2017-9934 (2017-07-17)

Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability.

• xyringe/CVE-2017-9934

CVE-2017-9947 (2017-10-23)

A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions <V3.5. A directory traversal vulnerability could allow a remote attacker with network access to the integrated web server (80/tcp and 443/tcp) to obtain information on the structure of the file system of the affected devices.

• RoseSecurity/APOLOGEE

CVE-2017-9999

• homjxi0e/CVE-2017-9999_bypassing_General_Firefox

CVE-2017-10235 (2017-08-08)

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.1.24. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.7 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H).

• fundacion-sadosky/vbox_cve_2017_10235

CVE-2017-10271 (2017-10-19)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

• 1337g/CVE-2017-10271
• s3xy/CVE-2017-10271
• ZH3FENG/PoCs-Weblogic_2017_10271
• c0mmand3rOpSec/CVE-2017-10271
• Luffin/CVE-2017-10271
• cjjduck/weblogic_wls_wsat_rce
• kkirsche/CVE-2017-10271
• pssss/CVE-2017-10271
• SuperHacker-liuan/cve-2017-10271-poc
• peterpeter228/Oracle-WebLogic-CVE-2017-10271
• Cymmetria/weblogic_honeypot
• JackyTsuuuy/weblogic_wls_rce_poc-exp
• lonehand/Oracle-WebLogic-CVE-2017-10271-master
• shack2/javaserializetools
• ETOCheney/JavaDeserialization
• r4b3rt/CVE-2017-10271
• cved-sources/cve-2017-10271
• XHSecurity/Oracle-WebLogic-CVE-2017-10271
• kbsec/Weblogic_Wsat_RCE
• SkyBlueEternal/CNVD-C-2019-48814-CNNVD-201904-961
• Yuusuke4/WebLogic_CNVD_C_2019_48814
• 7kbstorm/WebLogic_CNVD_C2019_48814
• ianxtianxt/-CVE-2017-10271-
• testwc/CVE-2017-10271
• Al1ex/CVE-2017-10271
• pizza-power/weblogic-CVE-2019-2729-POC
• KKsdall/7kbstormq

CVE-2017-10352 (2017-10-19)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). The supported version that is affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server as well as unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H).

• bigsizeme/weblogic-XMLDecoder

CVE-2017-10366 (2017-10-19)

Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: Performance Monitor). Supported versions that are affected are 8.54, 8.55 and 8.56. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PT PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PT PeopleTools. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

• blazeinfosec/CVE-2017-10366_peoplesoft

CVE-2017-10617 (2017-10-13)

The ifmap service that comes bundled with Contrail has an XML External Entity (XXE) vulnerability that may allow an attacker to retrieve sensitive system files. Affected releases are Juniper Networks Contrail 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).

• gteissier/CVE-2017-10617

CVE-2017-10661 (2017-08-19)

Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing.

• GeneBlue/CVE-2017-10661_POC

CVE-2017-10797

• n4xh4ck5/CVE-2017-10797

CVE-2017-10952 (2017-08-29)

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.2.0.2051. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the saveAs JavaScript function. The issue results from the lack of proper validation of user-supplied data, which can lead to writing arbitrary files into attacker controlled locations. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4518.

• afbase/CVE-2017-10952

CVE-2017-11165 (2017-07-12)

dataTaker DT80 dEX 1.50.012 allows remote attackers to obtain sensitive credential and configuration information via a direct request for the /services/getFile.cmd?userfile=config.xml URI.

• xymbiot-solution/CVE-2017-11165

CVE-2017-11176 (2017-07-11)

The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.

• lexfo/cve-2017-11176
• DoubleMice/cve-2017-11176
• hckex/CVE-2017-11176
• leonardo1101/cve-2017-11176
• c3r34lk1ll3r/CVE-2017-11176
• Sama-Ayman-Mokhtar/CVE-2017-11176
• Yanoro/CVE-2017-11176

CVE-2017-11317 (2017-08-23)

Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

• bao7uo/RAU_crypto
• KasunPriyashan/Unrestricted-File-Upload-by-Weak-Encryption-affected-versions-CVE-2017-11317-Remote-Code-Execut
• KasunPriyashan/Telerik-UI-ASP.NET-AJAX-Exploitation
• hlong12042/CVE-2017-11317-and-CVE-2017-11357-in-Telerik

CVE-2017-11366 (2017-08-21)

components/filemanager/class.filemanager.php in Codiad before 2.8.4 is vulnerable to remote command execution because shell commands can be embedded in parameter values, as demonstrated by search_file_type.

• hidog123/Codiad-CVE-2018-14009

CVE-2017-11427 (2019-04-17)

OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

• CHYbeta/CVE-2017-11427-DEMO

CVE-2017-11503 (2017-07-20)

PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Address" fields of code_generator.php.

• wizardafric/download

CVE-2017-11519 (2017-07-21)

passwd_recovery.lua on the TP-Link Archer C9(UN)_V2_160517 allows an attacker to reset the admin password by leveraging a predictable random number generator seed. This is fixed in C9(UN)_V2_170511.

• vakzz/tplink-CVE-2017-11519

CVE-2017-11610 (2017-08-23)

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

• ivanitlearning/CVE-2017-11610
• yaunsky/CVE-2017-11610

CVE-2017-11611 (2017-09-08)

Wolf CMS 0.8.3.1 allows Cross-Site Scripting (XSS) attacks. The vulnerability exists due to insufficient sanitization of the file name in a "create-file-popup" action, and the directory name in a "create-directory-popup" action, in the HTTP POST method to the "/plugin/file_manager/" script (aka an /admin/plugin/file_manager/browse// URI).

• faizzaidi/Wolfcms-v0.8.3.1-xss-POC-by-Provensec-llc

CVE-2017-11774 (2017-10-13)

Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka "Microsoft Outlook Security Feature Bypass Vulnerability."

• devcoinfet/SniperRoost

CVE-2017-11783 (2017-10-13)

Microsoft Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an elevation of privilege vulnerability in the way it handles calls to Advanced Local Procedure Call (ALPC), aka "Windows Elevation of Privilege Vulnerability".

• Sheisback/CVE-2017-11783

CVE-2017-11826 (2017-10-13)

Microsoft Office 2010, SharePoint Enterprise Server 2010, SharePoint Server 2010, Web Applications, Office Web Apps Server 2010 and 2013, Word Viewer, Word 2007, 2010, 2013 and 2016, Word Automation Services, and Office Online Server allow remote code execution when the software fails to properly handle objects in memory.

• thatskriptkid/CVE-2017-11826

CVE-2017-11882 (2017-11-15)

Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.

• zhouat/cve-2017-11882
• embedi/CVE-2017-11882
• Ridter/CVE-2017-11882
• BlackMathIT/2017-11882_Generator
• rip1s/CVE-2017-11882
• 0x09AL/CVE-2017-11882-metasploit
• HZachev/ABC
• starnightcyber/CVE-2017-11882
• Grey-Li/CVE-2017-11882
• legendsec/CVE-2017-11882-for-Kali
• CSC-pentest/cve-2017-11882
• Shadowshusky/CVE-2017-11882-
• rxwx/CVE-2018-0802
• Ridter/RTF_11882_0802
• likekabin/CVE-2017-11882
• likekabin/CVE-2018-0802_CVE-2017-11882
• herbiezimmerman/CVE-2017-11882-Possible-Remcos-Malspam
• ChaitanyaHaritash/CVE-2017-11882
• qy1202/https-github.com-Ridter-CVE-2017-11882-
• j0lama/CVE-2017-11882
• chanbin/CVE-2017-11882
• littlebin404/CVE-2017-11882
• ekgg/Overflow-Demo-CVE-2017-11882
• HaoJame/CVE-2017-11882
• ActorExpose/CVE-2017-11882
• Retr0-code/SignHere
• lisinan988/CVE-2017-11882-exp
• tzwlhack/CVE-2017-11882
• Sunqiz/CVE-2017-11882-reproduction
• Abdibimantara/Maldoc-Analysis
• n18dcat053-luuvannga/DetectPacket-CVE-2017-11882
• nhuynhuy/cve-2017-11882
• jadeapar/Dragonfish-s-Malware-Cyber-Analysis
• yaseenibnakhtar/Malware-Analysis-CVE-2017-11882

CVE-2017-11907 (2017-12-12)

Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to gain the same user rights as the current user, due to how Internet Explorer handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11886, CVE-2017-11889, CVE-2017-11890, CVE-2017-11893, CVE-2017-11894, CVE-2017-11895, CVE-2017-11901, CVE-2017-11903, CVE-2017-11905, CVE-2017-11905, CVE-2017-11908, CVE-2017-11909, CVE-2017-11910, CVE-2017-11911, CVE-2017-11912, CVE-2017-11913, CVE-2017-11914, CVE-2017-11916, CVE-2017-11918, and CVE-2017-11930.

• AV1080p/CVE-2017-11907

CVE-2017-12149 (2017-10-04)

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

• sevck/CVE-2017-12149
• yunxu1/jboss-_CVE-2017-12149
• 1337g/CVE-2017-12149
• jreppiks/CVE-2017-12149
• Xcatolin/jboss-deserialization
• VVeakee/CVE-2017-12149
• MrE-Fog/jboss-_CVE-2017-12149
• JesseClarkND/CVE-2017-12149
• zesnd/cve-2017-12149

CVE-2017-12426 (2017-08-14)

GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.

• sm-paul-schuette/CVE-2017-12426

CVE-2017-12542 (2018-02-15)

A authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2.53 was found.

• skelsec/CVE-2017-12542
• sk1dish/ilo4-rce-vuln-scanner

CVE-2017-12561 (2018-02-15)

A remote code execution vulnerability in HPE intelligent Management Center (iMC) PLAT version Plat 7.3 E0504P4 and earlier was found.

• Everdoh/CVE-2017-12561

CVE-2017-12611 (2017-09-20)

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

• brianwrf/S2-053-CVE-2017-12611

CVE-2017-12615 (2017-09-19)

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

• breaktoprotect/CVE-2017-12615
• mefulton/cve-2017-12615
• zi0Black/POC-CVE-2017-12615-or-CVE-2017-12717
• wsg00d/cve-2017-12615
• BeyondCy/CVE-2017-12615
• 1337g/CVE-2017-12615
• Shellkeys/CVE-2017-12615
• cved-sources/cve-2017-12615
• ianxtianxt/CVE-2017-12615
• cyberharsh/Tomcat-CVE-2017-12615
• w0x68y/CVE-2017-12615-EXP
• tpt11fb/AttackTomcat
• xiaokp7/Tomcat_PUT_GUI_EXP
• lizhianyuguangming/TomcatScanPro
• wudidwo/CVE-2017-12615-poc

CVE-2017-12617 (2017-10-03)

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

• cyberheartmi9/CVE-2017-12617
• devcoinfet/CVE-2017-12617
• qiantu88/CVE-2017-12617
• ygouzerh/CVE-2017-12617
• tyranteye666/tomcat-cve-2017-12617
• jptr218/tc_hack
• LongWayHomie/CVE-2017-12617
• K3ysTr0K3R/CVE-2017-12617-EXPLOIT
• scirusvulgaris/CVE-2017-12617
• yZ1337/CVE-2017-12617
• DevaDJ/CVE-2017-12617

CVE-2017-12624 (2017-11-14)

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

• tafamace/CVE-2017-12624

CVE-2017-12635 (2017-11-14)

Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.

• assalielmehdi/CVE-2017-12635
• cyberharsh/Apache-couchdb-CVE-2017-12635
• Weisant/CVE-2017-12635-POC

CVE-2017-12636 (2017-11-14)

CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

• moayadalmalat/CVE-2017-12636
• XTeam-Wing/CVE-2017-12636

CVE-2017-12792 (2017-10-02)

Multiple cross-site request forgery (CSRF) vulnerabilities in NexusPHP 1.5 allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) linkname, (2) url, or (3) title parameter in an add action to linksmanage.php.

• ZZS2017/cve-2017-12792

CVE-2017-12852 (2017-08-15)

The numpy.pad function in Numpy 1.13.1 and older versions is missing input validation. An empty list or ndarray will stick into an infinite loop, which can allow attackers to cause a DoS attack.

• BT123/numpy-1.13.1

CVE-2017-12943 (2017-08-18)

D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, as demonstrated by discovering the admin password.

• aymankhalfatni/D-Link
• d4rk30/CVE-2017-12943

CVE-2017-12945 (2019-11-27)

Insufficient validation of user-supplied input for the Solstice Pod before 2.8.4 networking configuration enables authenticated attackers to execute arbitrary commands as root.

• aress31/cve-2017-12945

CVE-2017-13089 (2017-10-27)

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument.

• r1b/CVE-2017-13089
• mzeyong/CVE-2017-13089

CVE-2017-13156 (2017-12-06)

An elevation of privilege vulnerability in the Android system (art). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-64211847.

• xyzAsian/Janus-CVE-2017-13156
• caxmd/CVE-2017-13156
• giacomoferretti/janus-toolkit
• tea9/CVE-2017-13156-Janus
• M507/CVE-2017-13156
• nahid0x1/Janus-Vulnerability-CVE-2017-13156-Exploit

CVE-2017-13208 (2018-01-12)

In receive_packet of libnetutils/packet.c, there is a possible out-of-bounds write due to a missing bounds check on the DHCP response. This could lead to remote code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-67474440.

• idanshechter/CVE-2017-13208-Scanner

CVE-2017-13253 (2018-04-04)

In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-71389378.

• tamirzb/CVE-2017-13253

CVE-2017-13286 (2018-04-04)

In writeToParcel and readFromParcel of OutputConfiguration.java, there is a permission bypass due to mismatched serialization. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-69683251.

• UmVfX1BvaW50/CVE-2017-13286

CVE-2017-13672 (2017-09-01)

QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update.

• DavidBuchanan314/CVE-2017-13672

CVE-2017-13868 (2017-12-25)

An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.

• bazad/ctl_ctloutput-leak

CVE-2017-13872 (2017-11-29)

An issue was discovered in certain Apple products. macOS High Sierra before Security Update 2017-001 is affected. The issue involves the "Directory Utility" component. It allows attackers to obtain administrator access without a password via certain interactions involving entry of the root user name.

• giovannidispoto/CVE-2017-13872-Patch

CVE-2017-14105 (2017-09-01)

HiveManager Classic through 8.1r1 allows arbitrary JSP code execution by modifying a backup archive before a restore, because the restore feature does not validate pathnames within the archive. An authenticated, local attacker - even restricted as a tenant - can add a jsp at HiveManager/tomcat/webapps/hm/domains/$yourtenant/maps (it will be exposed at the web interface).

• theguly/CVE-2017-14105

CVE-2017-14262 (2017-09-11)

On Samsung NVR devices, remote attackers can read the MD5 password hash of the 'admin' account via certain szUserName JSON data to cgi-bin/main-cgi, and login to the device with that hash in the szUserPasswd parameter.

• zzz66686/CVE-2017-14262

CVE-2017-14263 (2017-09-11)

Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device.

• zzz66686/CVE-2017-14263

CVE-2017-14322 (2017-10-18)

The function in charge to check whether the user is already logged in init.php in Interspire Email Marketer (IEM) prior to 6.1.6 allows remote attackers to bypass authentication and obtain administrative access by using the IEM_CookieLogin cookie with a specially crafted value.

• joesmithjaffa/CVE-2017-14322

CVE-2017-14491 (2017-10-02)

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.

• skyformat99/dnsmasq-2.4.1-fix-CVE-2017-14491

CVE-2017-14493 (2017-10-02)

Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request.

• pupiles/bof-dnsmasq-cve-2017-14493

CVE-2017-14719 (2017-09-23)

Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.

• PalmTreeForest/CodePath_Week_7-8

CVE-2017-14948 (2019-10-14)

Certain D-Link products are affected by: Buffer Overflow. This affects DIR-880L 1.08B04 and DIR-895 L/R 1.13b03. The impact is: execute arbitrary code (remote). The component is: htdocs/fileaccess.cgi. The attack vector is: A crafted HTTP request handled by fileacces.cgi could allow an attacker to mount a ROP attack: if the HTTP header field CONTENT_TYPE starts with ''boundary=' followed by more than 256 characters, a buffer overflow would be triggered, potentially causing code execution.

• badnack/d_link_880_bug

CVE-2017-14954 (2017-10-01)

The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call.

• echo-devim/exploit_linux_kernel4.13

CVE-2017-14980 (2017-10-09)

Buffer overflow in Sync Breeze Enterprise 10.0.28 allows remote attackers to have unspecified impact via a long username parameter to /login.

• TheDarthMole/CVE-2017-14980

CVE-2017-15099 (2017-11-22)

INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.

• ToontjeM/CVE-2017-15099

CVE-2017-15120 (2018-07-27)

An issue has been found in the parsing of authoritative answers in PowerDNS Recursor before 4.0.8, leading to a NULL pointer dereference when parsing a specially crafted answer containing a CNAME of a different class than IN. An unauthenticated remote attacker could cause a denial of service.

• shutingrz/CVE-2017-15120_PoC

CVE-2017-15277 (2017-10-12)

ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette.

• hexrom/ImageMagick-CVE-2017-15277

CVE-2017-15303 (2017-10-16)

In CPUID CPU-Z before 1.43, there is an arbitrary memory write that results directly in elevation of privileges, because any program running on the local machine (while CPU-Z is running) can issue an ioctl 0x9C402430 call to the kernel-mode driver (e.g., cpuz141_x64.sys for version 1.41).

• hfiref0x/Stryker

CVE-2017-15361 (2017-10-16)

The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM) firmware, such as versions before 0000000000000422 - 4.34, before 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles RSA key generation, which makes it easier for attackers to defeat various cryptographic protection mechanisms via targeted attacks, aka ROCA. Examples of affected technologies include BitLocker with TPM 1.2, YubiKey 4 (before 4.3.5) PGP key generation, and the Cached User Data encryption feature in Chrome OS.

• lva/Infineon-CVE-2017-15361
• titanous/rocacheck
• nsacyber/Detect-CVE-2017-15361-TPM
• 0xxon/zeek-plugin-roca
• 0xxon/roca
• Elbarbons/ROCA-attack-on-vulnerability-CVE-2017-15361

CVE-2017-15394 (2018-02-07)

Insufficient Policy Enforcement in Extensions in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform domain spoofing in permission dialogs via IDN homographs in a crafted Chrome Extension.

• sudosammy/CVE-2017-15394

CVE-2017-15428 (2019-01-09)

Insufficient data validation in V8 builtins string generator could lead to out of bounds read and write access in V8 in Google Chrome prior to 62.0.3202.94 and allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

• w1ldb1t/CVE-2017-15428

CVE-2017-15708 (2017-12-11)

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

• HuSoul/CVE-2017-15708

CVE-2017-15715 (2018-03-26)

In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.

• whisp1830/CVE-2017-15715

CVE-2017-15944 (2017-12-11)

Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.

• xxnbyy/CVE-2017-15944-POC
• surajraghuvanshi/PaloAltoRceDetectionAndExploit
• yukar1z0e/CVE-2017-15944
• 3yujw7njai/PaloAlto_EXP

CVE-2017-15950 (2017-10-31)

Flexense SyncBreeze Enterprise version 10.1.16 is vulnerable to a buffer overflow that can be exploited for arbitrary code execution. The flaw is triggered by providing a long input into the "Destination directory" field, either within an XML document or through use of passive mode.

• rnnsz/CVE-2017-15950

CVE-2017-16082 (2018-06-07)

A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious.

• nulldreams/CVE-2017-16082

CVE-2017-16088 (2018-06-07)

The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox.

• Flyy-yu/CVE-2017-16088

CVE-2017-16245

• AOCorsaire/CVE-2017-16245

CVE-2017-16524 (2017-11-06)

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing Local File Read Vulnerability referenced as CVE-2015-8279, which allows remote attackers to read the web-interface credentials via a request for the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.

• realistic-security/CVE-2017-16524

CVE-2017-16541 (2017-11-04)

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected.

• Ethan-Chen-uwo/A-breif-introduction-of-CVE-2017-16541

CVE-2017-16567 (2017-11-09)

Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a "favorite."

• dewankpant/CVE-2017-16567

CVE-2017-16568 (2017-11-09)

Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a radio URL.

• dewankpant/CVE-2017-16568

CVE-2017-16651 (2017-11-09)

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.

• ropbear/CVE-2017-16651
• sephiroth950911/CVE-2017-16651-Exploit

CVE-2017-16720 (2018-01-05)

A Path Traversal issue was discovered in WebAccess versions 8.3.2 and earlier. An attacker has access to files within the directory structure of the target device.

• CN016/WebAccess-CVE-2017-16720-

CVE-2017-16744 (2018-08-20)

A path traversal vulnerability in Tridium Niagara AX Versions 3.8 and prior and Niagara 4 systems Versions 4.4 and prior installed on Microsoft Windows Systems can be exploited by leveraging valid platform (administrator) credentials.

• GainSec/CVE-2017-16744-and-CVE-2017-16748-Tridium-Niagara

CVE-2017-16778 (2019-12-24)

An access control weakness in the DTMF tone receiver of Fermax Outdoor Panel allows physical attackers to inject a Dual-Tone-Multi-Frequency (DTMF) tone to invoke an access grant that would allow physical access to a restricted floor/level. By design, only a residential unit owner may allow such an access grant. However, due to incorrect access control, an attacker could inject it via the speaker unit to perform an access grant to gain unauthorized access, as demonstrated by a loud DTMF tone representing '1' and a long '#' (697 Hz and 1209 Hz, followed by 941 Hz and 1477 Hz).

• breaktoprotect/CVE-2017-16778-Intercom-DTMF-Injection

CVE-2017-16806 (2017-11-13)

The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ulterius before 1.9.5.0 allows HTTP server directory traversal.

• rickoooooo/ulteriusExploit

CVE-2017-16943 (2017-11-25)

The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.

• beraphin/CVE-2017-16943

CVE-2017-16994 (2017-11-27)

The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.

• jedai47/CVE-2017-16994

CVE-2017-16995 (2017-12-22)

The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.

• C0dak/CVE-2017-16995
• Al1ex/CVE-2017-16995
• gugronnier/CVE-2017-16995
• senyuuri/cve-2017-16995
• vnik5287/CVE-2017-16995
• littlebin404/CVE-2017-16995
• Lumindu/CVE-2017-16995-Linux-Kernel---BPF-Sign-Extension-Local-Privilege-Escalation-
• ph4ntonn/CVE-2017-16995
• ivilpez/cve-2017-16995.c
• fei9747/CVE-2017-16995
• anldori/CVE-2017-16995
• mareks1007/cve-2017-16995
• ZhiQiAnSecFork/cve-2017-16995

CVE-2017-16997 (2017-12-18)

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.

• Xiami2012/CVE-2017-16997-poc

CVE-2017-17058 (2017-11-29)

The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that Directory Traversal is not possible because all of the template files have "if (!defined('ABSPATH')) {exit;}" code

• fu2x2000/CVE-2017-17058-woo_exploit

CVE-2017-17099 (2017-12-03)

There exists an unauthenticated SEH based Buffer Overflow vulnerability in the HTTP server of Flexense SyncBreeze Enterprise v10.1.16. When sending a GET request with an excessive length, it is possible for a malicious user to overwrite the SEH record and execute a payload that would run under the Windows SYSTEM account.

• wetw0rk/Exploit-Development

CVE-2017-17215 (2018-03-20)

Huawei HG532 with some customized versions has a remote code execution vulnerability. An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code.

• 1337g/CVE-2017-17215
• wilfred-wulbou/HG532d-RCE-Exploit
• ltfafei/HuaWei_Route_HG532_RCE_CVE-2017-17215

CVE-2017-17275

• kd992102/CVE-2017-17275

CVE-2017-17309 (2018-06-14)

Huawei HG255s-10 V100R001C163B025SP02 has a path traversal vulnerability due to insufficient validation of the received HTTP requests, a remote attacker may access the local files on the device without authentication.

• exploit-labs/huawei_hg255s_exploit

CVE-2017-17485 (2018-01-10)

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

• tafamace/CVE-2017-17485
• x7iaob/cve-2017-17485
• Al1ex/CVE-2017-17485

CVE-2017-17562 (2017-12-12)

Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.

• 1337g/CVE-2017-17562
• ivanitlearning/CVE-2017-17562
• crispy-peppers/Goahead-CVE-2017-17562
• nu11pointer/goahead-rce-exploit
• freitzzz/bash-CVE-2017-17562

CVE-2017-17692 (2017-12-21)

Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that redirects to a child tab and rewrites the innerHTML property.

• specloli/CVE-2017-17692

CVE-2017-17736 (2018-03-23)

Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard.

• 0xSojalSec/Nuclei-TemplatesNuclei-Templates-CVE-2017-17736

CVE-2017-17917 (2017-12-29)

SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input

• matiasarenhard/rails-cve-2017-17917

CVE-2017-18019 (2018-01-04)

In K7 Total Security before 15.1.0.305, user-controlled input to the K7Sentry device is not sufficiently sanitized: the user-controlled input can be used to compare an arbitrary memory address with a fixed value, which in turn can be used to read the contents of arbitrary memory. Similarly, the product crashes upon a \.\K7Sentry DeviceIoControl call with an invalid kernel pointer.

• SpiralBL0CK/CVE-2017-18019

CVE-2017-18044 (2018-01-19)

A Command Injection issue was discovered in ContentStore/Base/CVDataPipe.dll in Commvault before v11 SP6. A certain message parsing function inside the Commvault service does not properly validate the input of an incoming string before passing it to CreateProcess. As a result, a specially crafted message can inject commands that will be executed on the target operating system. Exploitation of this vulnerability does not require authentication and can lead to SYSTEM level privilege on any system running the cvd daemon. This is a different vulnerability than CVE-2017-3195.

• securifera/CVE-2017-18044-Exploit

CVE-2017-18345 (2018-08-26)

The Joomanager component through 2.0.0 for Joomla! has an arbitrary file download issue, resulting in exposing the credentials of the database via an index.php?option=com_joomanager&controller=details&task=download&path=configuration.php request.

• Luth1er/CVE-2017-18345-COM_JOOMANAGER-ARBITRARY-FILE-DOWNLOAD

CVE-2017-18349 (2018-10-23)

parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

• h0cksr/Fastjson--CVE-2017-18349-

CVE-2017-18486 (2019-08-09)

Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter. By inspecting the token value provided in a password reset link, a user can leverage a weak PRNG to recover the shared secret used by the server for remote authentication. The shared secret can be used to escalate privileges by forging new tokens for any user. These tokens can be used to automatically log in as the affected user.

• Kc57/JitBit_Helpdesk_Auth_Bypass

CVE-2017-18635 (2019-09-25)

An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.

• ShielderSec/CVE-2017-18635

CVE-2017-20165 (2023-01-09)

Es wurde eine Schwachstelle in debug-js debug bis 3.0.x entdeckt. Sie wurde als problematisch eingestuft. Es betrifft die Funktion useColors der Datei src/node.js. Durch Manipulieren des Arguments str mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Ein Aktualisieren auf die Version 3.1.0 vermag dieses Problem zu lösen. Der Patch wird als c38a0166c266a679c8de012d4eaccec3f944e685 bezeichnet. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.

• fastify/send

CVE-2017-98505

• mike-williams/Struts2Vuln

CVE-2017-1000000

• smythtech/DWF-CVE-2017-1000000

CVE-2017-1000028 (2017-07-13)

Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.

• NeonNOXX/CVE-2017-1000028

CVE-2017-1000083 (2017-09-05)

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.

• matlink/evince-cve-2017-1000083
• matlink/cve-2017-1000083-atril-nautilus

CVE-2017-1000112 (2017-10-04)

Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.

• hikame/docker_escape_pwn
• ol0273st-s/CVE-2017-1000112-Adpated
• IT19083124/SNP-Assignment

CVE-2017-1000117 (2017-10-04)

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.

• timwr/CVE-2017-1000117
• Manouchehri/CVE-2017-1000117
• thelastbyte/CVE-2017-1000117
• alilangtest/CVE-2017-1000117
• VulApps/CVE-2017-1000117
• greymd/CVE-2017-1000117
• shogo82148/Fix-CVE-2017-1000117
• sasairc/CVE-2017-1000117_wasawasa
• Shadow5523/CVE-2017-1000117-test
• ieee0824/CVE-2017-1000117
• rootclay/CVE-2017-1000117
• ieee0824/CVE-2017-1000117-sl
• takehaya/CVE-2017-1000117
• ikmski/CVE-2017-1000117
• nkoneko/CVE-2017-1000117
• chenzhuo0618/test
• siling2017/CVE-2017-1000117
• Q2h1Cg/CVE-2017-1000117
• cved-sources/cve-2017-1000117
• leezp/CVE-2017-1000117
• AnonymKing/CVE-2017-1000117
• Jerry-zhuang/CVE-2017-1000117

CVE-2017-1000170 (2017-11-17)

jqueryFileTree 2.1.5 and older Directory Traversal

• Nickguitar/Jquery-File-Tree-1.6.6-Path-Traversal

CVE-2017-1000250 (2017-09-12)

All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests.

• olav-st/CVE-2017-1000250-PoC

CVE-2017-1000251 (2017-09-12)

The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.

• hayzamjs/Blueborne-CVE-2017-1000251
• tlatkdgus1/blueborne-CVE-2017-1000251
• own2pwn/blueborne-CVE-2017-1000251-POC
• istanescu/CVE-2017-1000251_Exploit
• sgxgsx/blueborne-CVE-2017-1000251

CVE-2017-1000253 (2017-10-04)

Linux distributions that have not patched their long-term kernels with https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (committed on April 14, 2015). This kernel vulnerability was fixed in April 2015 by commit a87938b2e246b81b4fb713edb371a9fa3c5c3c86 (backported to Linux 3.10.77 in May 2015), but it was not recognized as a security threat. With CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE enabled, and a normal top-down address allocation strategy, load_elf_binary() will attempt to map a PIE binary into an address range immediately below mm->mmap_base. Unfortunately, load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary which means that, while the first PT_LOAD segment is mapped below mm->mmap_base, the subsequent PT_LOAD segment(s) end up being mapped above mm->mmap_base into the are that is supposed to be the "gap" between the stack and the binary.

• RicterZ/PIE-Stack-Clash-CVE-2017-1000253
• sxlmnwb/CVE-2017-1000253

CVE-2017-1000353 (2018-01-29)

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding SignedObject to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

• vulhub/CVE-2017-1000353
• r00t4dm/Jenkins-CVE-2017-1000353

CVE-2017-1000367 (2017-06-05)

Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution.

• c0d3z3r0/sudo-CVE-2017-1000367
• homjxi0e/CVE-2017-1000367
• pucerpocok/sudo_exploit

CVE-2017-1000371 (2017-06-19)

The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems.

• Trinadh465/linux-4.1.15_CVE-2017-1000371

CVE-2017-1000405 (2017-11-30)

The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty cow" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.

• bindecy/HugeDirtyCowPOC

CVE-2017-1000475 (2018-01-24)

FreeSSHd 1.3.1 version is vulnerable to an Unquoted Path Service allowing local users to launch processes with elevated privileges.

• lajarajorge/CVE-2017-1000475

CVE-2017-1000486 (2018-01-03)

Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution

• pimps/CVE-2017-1000486
• mogwailabs/CVE-2017-1000486
• cved-sources/cve-2017-1000486
• Pastea/CVE-2017-1000486
• oppsec/pwnfaces
• LongWayHomie/CVE-2017-1000486
• jam620/primefaces

CVE-2017-1000499 (2018-01-03)

phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.

• Villaquiranm/5MMISSI-CVE-2017-1000499

CVE-2017-1002101 (2018-03-13)

In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem.

• bgeesaman/subpath-exploit

2016

CVE-2016-0040 (2016-02-10)

The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows local users to gain privileges via a crafted application, aka "Windows Elevation of Privilege Vulnerability."

• Rootkitsmm-zz/cve-2016-0040
• de7ec7ed/CVE-2016-0040

CVE-2016-0049 (2016-02-10)

Kerberos in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, and Windows 10 Gold and 1511 does not properly validate password changes, which allows remote attackers to bypass authentication by deploying a crafted Key Distribution Center (KDC) and then performing a sign-in action, aka "Windows Kerberos Security Feature Bypass."

• JackOfMostTrades/bluebox

CVE-2016-0051 (2016-02-10)

The WebDAV client in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "WebDAV Elevation of Privilege Vulnerability."

• koczkatamas/CVE-2016-0051
• hexx0r/CVE-2016-0051
• ganrann/CVE-2016-0051

CVE-2016-0095 (2016-03-09)

The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0093, CVE-2016-0094, and CVE-2016-0096.

• fengjixuchui/cve-2016-0095-x64

CVE-2016-0099 (2016-03-09)

The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 does not properly process request handles, which allows local users to gain privileges via a crafted application, aka "Secondary Logon Elevation of Privilege Vulnerability."

• zcgonvh/MS16-032

CVE-2016-010033

• zi0Black/CVE-2016-010033-010045

CVE-2016-0189 (2016-05-11)

The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0187.

• theori-io/cve-2016-0189
• deamwork/MS16-051-poc

CVE-2016-0199 (2016-06-16)

Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0200 and CVE-2016-3211.

• LeoonZHANG/CVE-2016-0199

CVE-2016-0451 (2016-01-21)

Unspecified vulnerability in the Oracle GoldenGate component in Oracle GoldenGate 11.2 and 12.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0452.

• rwincey/Oracle-GoldenGate---CVE-2016-0451

CVE-2016-0638 (2016-04-21)

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, 12.1.3, and 12.2.1 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Messaging Service.

• 0xn0ne/weblogicScanner
• zhzhdoai/Weblogic_Vuln
• BabyTeam1024/CVE-2016-0638

CVE-2016-0701 (2016-02-15)

The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.

• luanjampa/cve-2016-0701

CVE-2016-0702 (2016-03-03)

The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.

• Trinadh465/OpenSSL-1_0_1g_CVE-2016-0702

CVE-2016-0705 (2016-03-03)

Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.

• hshivhare67/OpenSSL_1.0.1g_CVE-2016-0705

CVE-2016-0728 (2016-02-08)

The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.

• idl3r/cve-2016-0728
• kennetham/cve_2016_0728
• nardholio/cve-2016-0728
• googleweb/CVE-2016-0728
• neuschaefer/cve-2016-0728-testbed
• bittorrent3389/cve-2016-0728
• sibilleg/exploit_cve-2016-0728
• hal0taso/CVE-2016-0728
• sugarvillela/CVE
• th30d00r/Linux-Vulnerability-CVE-2016-0728-and-Exploit
• tndud042713/cve
• sidrk01/cve-2016-0728

CVE-2016-0752 (2016-02-16)

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

• forced-request/rails-rce-cve-2016-0752
• dachidahu/CVE-2016-0752

CVE-2016-0792 (2016-04-07)

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.

• jpiechowka/jenkins-cve-2016-0792
• Aviksaikat/CVE-2016-0792

CVE-2016-0793 (2016-04-01)

Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote attackers to read the sensitive files in the (1) WEB-INF or (2) META-INF directory via a request that contains (a) lowercase or (b) "meaningless" characters.

• tafamace/CVE-2016-0793

CVE-2016-0800 (2016-03-01)

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

• anthophilee/A2SV--SSL-VUL-Scan

CVE-2016-0801 (2016-02-07)

The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted wireless control message packets, aka internal bug 25662029.

• abdsec/CVE-2016-0801
• zsaurus/CVE-2016-0801-test

CVE-2016-0805 (2016-02-07)

The performance event manager for Qualcomm ARM processors in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows attackers to gain privileges via a crafted application, aka internal bug 25773204.

• hulovebin/cve-2016-0805

CVE-2016-0846 (2016-04-18)

libs/binder/IMemory.cpp in the IMemory Native Interface in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider the heap size, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26877992.

• secmob/CVE-2016-0846
• b0b0505/CVE-2016-0846-PoC

CVE-2016-0974 (2016-02-10)

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.306 on Windows and OS X and before 11.2.202.569 on Linux, Adobe AIR before 20.0.0.260, Adobe AIR SDK before 20.0.0.260, and Adobe AIR SDK & Compiler before 20.0.0.260 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0973, CVE-2016-0975, CVE-2016-0982, CVE-2016-0983, and CVE-2016-0984.

• Fullmetal5/FlashHax

CVE-2016-1240 (2016-10-03)

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.

• Naramsim/Offensive
• mhe18/CVE_Project

CVE-2016-1287 (2016-02-11)

Buffer overflow in the IKEv1 and IKEv2 implementations in Cisco ASA Software before 8.4(7.30), 8.7 before 8.7(1.18), 9.0 before 9.0(4.38), 9.1 before 9.1(7), 9.2 before 9.2(4.5), 9.3 before 9.3(3.7), 9.4 before 9.4(2.4), and 9.5 before 9.5(2.2) on ASA 5500 devices, ASA 5500-X devices, ASA Services Module for Cisco Catalyst 6500 and Cisco 7600 devices, ASA 1000V devices, Adaptive Security Virtual Appliance (aka ASAv), Firepower 9300 ASA Security Module, and ISA 3000 devices allows remote attackers to execute arbitrary code or cause a denial of service (device reload) via crafted UDP packets, aka Bug IDs CSCux29978 and CSCux42019.

• jgajek/killasa
• NetSPI/asa_tools

CVE-2016-1494 (2016-01-13)

The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.

• matthiasbe/secuimag3a

CVE-2016-1531 (2016-04-07)

Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.

• n3rdh4x0r/CVE-2016-1531

CVE-2016-1542 (2016-06-13)

The RPC API in RSCD agent in BMC BladeLogic Server Automation (BSA) 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and enumerate users by sending an action packet to xmlrpc after an authorization failure.

• patriknordlen/bladelogic_bmc-cve-2016-1542
• bao7uo/bmc_bladelogic

CVE-2016-1555 (2017-04-21)

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute arbitrary commands.

• ide0x90/cve-2016-1555

CVE-2016-1734 (2016-03-24)

AppleUSBNetworking in Apple iOS before 9.3 and OS X before 10.11.4 allows physically proximate attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted USB device.

• Manouchehri/CVE-2016-1734

CVE-2016-1757 (2016-03-24)

Race condition in the kernel in Apple iOS before 9.3 and OS X before 10.11.4 allows attackers to execute arbitrary code in a privileged context via a crafted app.

• gdbinit/mach_race

CVE-2016-1764 (2016-03-24)

The Content Security Policy (CSP) implementation in Messages in Apple OS X before 10.11.4 allows remote attackers to obtain sensitive information via a javascript: URL.

• moloch--/cve-2016-1764

CVE-2016-1825 (2016-05-20)

IOHIDFamily in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

• bazad/physmem

CVE-2016-1827 (2016-05-20)

The kernel in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app, a different vulnerability than CVE-2016-1828, CVE-2016-1829, and CVE-2016-1830.

• bazad/flow_divert-heap-overflow
• superMan7912002/bazad3

CVE-2016-1828 (2016-05-20)

The kernel in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app, a different vulnerability than CVE-2016-1827, CVE-2016-1829, and CVE-2016-1830.

• bazad/rootsh
• berritus163t/bazad5
• SideGreenHand100/bazad5
• zqlblingzs/bazad5

CVE-2016-2004 (2016-04-21)

HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2623.

• marcocarolasec/CVE-2016-2004-Exploit

CVE-2016-2067 (2016-07-11)

drivers/gpu/msm/kgsl.c in the MSM graphics driver (aka GPU driver) for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, mishandles the KGSL_MEMFLAGS_GPUREADONLY flag, which allows attackers to gain privileges by leveraging accidental read-write mappings, aka Qualcomm internal bug CR988993.

• hhj4ck/CVE-2016-2067

CVE-2016-2098 (2016-04-07)

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

• hderms/dh-CVE_2016_2098
• CyberDefenseInstitute/PoC_CVE-2016-2098_Rails42
• Alejandro-MartinG/rails-PoC-CVE-2016-2098
• 0x00-0x00/CVE-2016-2098
• its-arun/CVE-2016-2098
• 3rg1s/CVE-2016-2098
• DanielHemmati/CVE-2016-2098-my-first-exploit
• Debalinax64/CVE-2016-2098
• j4k0m/CVE-2016-2098
• Shakun8/CVE-2016-2098
• JoseLRC97/Ruby-on-Rails-ActionPack-Inline-ERB-Remote-Code-Execution

CVE-2016-2107 (2016-05-05)

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

• FiloSottile/CVE-2016-2107
• tmiklas/docker-cve-2016-2107

CVE-2016-2118 (2016-04-12)

The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK."

• nickanderson/cfengine-CVE-2016-2118

CVE-2016-2173 (2017-04-21)

org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code.

• HaToan/CVE-2016-2173

CVE-2016-2233 (2017-01-18)

Stack-based buffer overflow in the inbound_cap_ls function in common/inbound.c in HexChat 2.10.2 allows remote IRC servers to cause a denial of service (crash) via a large number of options in a CAP LS message.

• fath0218/CVE-2016-2233

CVE-2016-2334 (2016-12-13)

Heap-based buffer overflow in the NArchive::NHfs::CHandler::ExtractZlibFile method in 7zip before 16.00 and p7zip allows remote attackers to execute arbitrary code via a crafted HFS+ image.

• icewall/CVE-2016-2334

CVE-2016-2338 (2020-02-14)

An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array size after mentioned allocation and cause heap overflow.

• SpiralBL0CK/CVE-2016-2338-nday

CVE-2016-2386 (2016-02-16)

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.

• murataydemir/CVE-2016-2386

CVE-2016-2402 (2017-01-30)

OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.

• ikoz/cert-pinning-flaw-poc
• ikoz/certPinningVulnerableOkHttp

CVE-2016-2431 (2016-05-09)

The Qualcomm TrustZone component in Android before 2016-05-01 on Nexus 5, Nexus 6, Nexus 7 (2013), and Android One devices allows attackers to gain privileges via a crafted application, aka internal bug 24968809.

• laginimaineb/cve-2016-2431
• laginimaineb/ExtractKeyMaster

CVE-2016-2434 (2016-05-09)

The NVIDIA video driver in Android before 2016-05-01 on Nexus 9 devices allows attackers to gain privileges via a crafted application, aka internal bug 27251090.

• jianqiangzhao/CVE-2016-2434

CVE-2016-2468 (2016-06-13)

The Qualcomm GPU driver in Android before 2016-06-01 on Nexus 5, 5X, 6, 6P, and 7 devices allows attackers to gain privileges via a crafted application, aka internal bug 27475454.

• gitcollect/CVE-2016-2468

CVE-2016-2555 (2017-04-13)

SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php.

• shadofren/CVE-2016-2555
• maximilianmarx/atutor-blind-sqli

CVE-2016-2569 (2016-02-27)

Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to String objects, which allows remote servers to cause a denial of service (assertion failure and daemon exit) via a long string, as demonstrated by a crafted HTTP Vary header.

• amit-raut/CVE-2016-2569

CVE-2016-2776 (2016-09-28)

buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query.

• KosukeShimofuji/CVE-2016-2776
• infobyte/CVE-2016-2776

CVE-2016-2783 (2017-01-23)

Avaya Fabric Connect Virtual Services Platform (VSP) Operating System Software (VOSS) before 4.2.3.0 and 5.x before 5.0.1.0 does not properly handle VLAN and I-SIS indexes, which allows remote attackers to obtain unauthorized access via crafted Ethernet frames.

• iknowjason/spb

CVE-2016-3088 (2016-06-01)

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

• Ma1Dong/ActiveMQ_putshell-CVE-2016-3088
• pudiding/CVE-2016-3088
• cyberaguiar/CVE-2016-3088
• vonderchild/CVE-2016-3088
• cl4ym0re/CVE-2016-3088
• YutuSec/ActiveMQ_Crack

CVE-2016-3113 (2017-08-07)

Cross-site scripting (XSS) vulnerability in ovirt-engine allows remote attackers to inject arbitrary web script or HTML.

• 0xEmanuel/CVE-2016-3113

CVE-2016-3116 (2016-03-22)

CRLF injection vulnerability in Dropbear SSH before 2016.72 allows remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data.

• mxypoo/CVE-2016-3116-DropbearSSH

CVE-2016-3141 (2016-03-31)

Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.

• peternguyen93/CVE-2016-3141

CVE-2016-3238 (2016-07-13)

The Print Spooler service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows man-in-the-middle attackers to execute arbitrary code by providing a crafted print driver during printer installation, aka "Windows Print Spooler Remote Code Execution Vulnerability."

• pyiesone/CVE-2016-3238-PoC

CVE-2016-3308 (2016-08-09)

The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3309, CVE-2016-3310, and CVE-2016-3311.

• 55-AA/CVE-2016-3308

CVE-2016-3309 (2016-08-09)

The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3308, CVE-2016-3310, and CVE-2016-3311.

• siberas/CVE-2016-3309_Reloaded

CVE-2016-3510 (2016-07-21)

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586.

• BabyTeam1024/CVE-2016-3510

CVE-2016-3714 (2016-05-05)

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."

• jackdpeterson/imagick_secure_puppet
• tommiionfire/CVE-2016-3714
• chusiang/CVE-2016-3714.ansible.role
• jpeanut/ImageTragick-CVE-2016-3714-RShell
• Hood3dRob1n/CVE-2016-3714
• JoshMorrison99/CVE-2016-3714

CVE-2016-3749 (2016-07-11)

server/LockSettingsService.java in LockSettingsService in Android 6.x before 2016-07-01 allows attackers to modify the screen-lock password or pattern via a crafted application, aka internal bug 28163930.

• nirdev/CVE-2016-3749-PoC

CVE-2016-3861 (2016-09-11)

LibUtils in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 mishandles conversions between Unicode character encodings with different encoding widths, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted file, aka internal bug 29250543.

• zxkevn/CVE-2016-3861

CVE-2016-3955 (2016-07-03)

The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel before 4.5.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted length value in a USB/IP packet.

• pqsec/uboatdemo

CVE-2016-3957 (2018-02-06)

The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.

• sj/web2py-e94946d-CVE-2016-3957

CVE-2016-3959 (2016-05-23)

The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.

• alexmullins/dsa

CVE-2016-3962 (2016-07-03)

Stack-based buffer overflow in the NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES devices with firmware before 6.20.004 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via a crafted parameter in a POST request.

• securifera/CVE-2016-3962-Exploit

CVE-2016-4004 (2016-04-12)

Directory traversal vulnerability in Dell OpenManage Server Administrator (OMSA) 8.2 allows remote authenticated administrators to read arbitrary files via a ..\ (dot dot backslash) in the file parameter to ViewFile.

• und3sc0n0c1d0/AFR-in-OMSA

CVE-2016-4010 (2017-01-23)

Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.

• brianwrf/Magento-CVE-2016-4010
• shadofren/CVE-2016-4010

CVE-2016-4014 (2016-04-14)

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of service (system hang) via a crafted DTD in an XML request to uddi/api/replication, aka SAP Security Note 2254389.

• murataydemir/CVE-2016-4014

CVE-2016-4117 (2016-05-11)

Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016.

• amit-raut/CVE-2016-4117-Report

CVE-2016-4437 (2016-06-07)

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

• bkfish/Awesome_shiro
• m3terpreter/CVE-2016-4437
• 4nth0ny1130/shisoserial
• pizza-power/CVE-2016-4437
• xk-mt/CVE-2016-4437

CVE-2016-4438 (2016-07-04)

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.

• jason3e7/CVE-2016-4438
• tafamace/CVE-2016-4438

CVE-2016-4463 (2016-07-08)

Stack-based buffer overflow in Apache Xerces-C++ before 3.1.4 allows context-dependent attackers to cause a denial of service via a deeply nested DTD.

• arntsonl/CVE-2016-4463

CVE-2016-4468 (2017-04-11)

SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

• shanika04/cloudfoundry_uaa

CVE-2016-4622 (2016-07-22)

WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4623, and CVE-2016-4624.

• saelo/jscpwn
• hdbreaker/WebKit-CVE-2016-4622

CVE-2016-4631 (2016-07-22)

ImageIO in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted TIFF file.

• hansnielsen/tiffdisabler

CVE-2016-4655 (2016-08-25)

The kernel in Apple iOS before 9.3.5 allows attackers to obtain sensitive information from memory via a crafted app.

• jndok/PegasusX
• Cryptiiiic/skybreak
• liangle1986126z/jndok

CVE-2016-4657 (2016-08-25)

WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

• Mimoja/CVE-2016-4657-NintendoSwitch
• iDaN5x/Switcheroo
• viai957/webkit-vulnerability

CVE-2016-4669 (2017-02-20)

An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "Kernel" component. It allows local users to execute arbitrary code in a privileged context or cause a denial of service (MIG code mishandling and system crash) via unspecified vectors.

• i-o-s/CVE-2016-4669

CVE-2016-4845 (2016-09-24)

Cross-site request forgery (CSRF) vulnerability on I-O DATA DEVICE HVL-A2.0, HVL-A3.0, HVL-A4.0, HVL-AT1.0S, HVL-AT2.0, HVL-AT3.0, HVL-AT4.0, HVL-AT2.0A, HVL-AT3.0A, and HVL-AT4.0A devices with firmware before 2.04 allows remote attackers to hijack the authentication of arbitrary users for requests that delete content.

• kaito834/cve-2016-4845_csrf

CVE-2016-4861 (2017-02-16)

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.

• KosukeShimofuji/CVE-2016-4861

CVE-2016-4971 (2016-06-30)

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.

• gitcollect/CVE-2016-4971
• mbadanoiu/CVE-2016-4971
• dinidhu96/IT19013756_-CVE-2016-4971-

CVE-2016-4977 (2017-05-25)

When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.

• N0b1e6/CVE-2016-4977-POC
• tpt11fb/SpringVulScan

CVE-2016-4999 (2016-08-05)

SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI.

• shanika04/dashbuilder

CVE-2016-5195 (2016-11-10)

Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."

• KosukeShimofuji/CVE-2016-5195
• ASRTeam/CVE-2016-5195
• timwr/CVE-2016-5195
• xlucas/dirtycow.cr
• istenrot/centos-dirty-cow-ansible
• pgporada/ansible-role-cve
• sideeffect42/DirtyCOWTester
• scumjr/dirtycow-vdso
• gbonacini/CVE-2016-5195
• DavidBuchanan314/cowroot
• aishee/scan-dirtycow
• oleg-fiksel/ansible_CVE-2016-5195_check
• ldenevi/CVE-2016-5195
• whu-enjoy/CVE-2016-5195
• firefart/dirtycow
• ndobson/inspec_CVE-2016-5195
• sribaba/android-CVE-2016-5195
• esc0rtd3w/org.cowpoop.moooooo
• hyln9/VIKIROOT
• droidvoider/dirtycow-replacer
• FloridSleeves/os-experiment-4
• arbll/dirtycow
• titanhp/Dirty-COW-CVE-2016-5195-Testing
• acidburnmi/CVE-2016-5195-master
• xpcmdshell/derpyc0w
• Brucetg/DirtyCow-EXP
• jas502n/CVE-2016-5195
• imust6226/dirtcow
• zakariamaaraki/Dirty-COW-CVE-2016-5195-
• shanuka-ashen/Dirty-Cow-Explanation-CVE-2016-5195-
• dulanjaya23/Dirty-Cow-CVE-2016-5195-
• KaviDk/dirtyCow
• DanielEbert/CVE-2016-5195
• arttnba3/CVE-2016-5195
• talsim/root-dirtyc0w
• KasunPriyashan/Y2S1-Project-Linux-Exploitaion-using-CVE-2016-5195-Vulnerability
• th3-5had0w/DirtyCOW-PoC
• r1is/CVE-2022-0847
• vinspiert/scumjrs
• gurpreetsinghsaluja/dirtycow
• TotallyNotAHaxxer/CVE-2016-5195
• passionchenjianyegmail8/scumjrs
• malinthag62/The-exploitation-of-Dirty-Cow-CVE-2016-5195
• 1equeneRise/scumjr9
• fei9747/CVE-2016-5195
• LinuxKernelContent/DirtyCow
• h1n4mx0/Research-CVE-2016-5195
• EDLLT/CVE-2016-5195-master
• ZhiQiAnSecFork/DirtyCOW_CVE-2016-5195
• sakilahamed/Linux-Kernel-Exploit-LAB
• ASUKA39/CVE-2016-5195

CVE-2016-5345 (2018-01-23)

Buffer overflow in the Qualcomm radio driver in Android before 2017-01-05 on Android One devices allows local users to gain privileges via a crafted application, aka Android internal bug 32639452 and Qualcomm internal bug CR1079713.

• NickStephens/cve-2016-5345

CVE-2016-5394 (2017-07-19)

In the XSS Protection API module before 1.0.12 in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

• epicosy/VUL4J-23

CVE-2016-5636 (2016-09-02)

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.

• insuyun/CVE-2016-5636

CVE-2016-5639 (2016-08-03)

Directory traversal vulnerability in cgi-bin/login.cgi on Crestron AirMedia AM-100 devices with firmware before 1.4.0.13 allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter.

• xfox64x/CVE-2016-5639

CVE-2016-5640 (2016-08-03)

Directory traversal vulnerability in cgi-bin/rftest.cgi on Crestron AirMedia AM-100 devices with firmware before 1.4.0.13 allows remote attackers to execute arbitrary commands via a .. (dot dot) in the ATE_COMMAND parameter.

• vpnguy-zz/CrestCrack
• xfox64x/CVE-2016-5640

CVE-2016-5696 (2016-08-06)

net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.

• Gnoxter/mountain_goat
• violentshell/rover
• jduck/challack
• bplinux/chackd
• unkaktus/grill

CVE-2016-5699 (2016-09-02)

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

• bunseokbot/CVE-2016-5699-poc
• shajinzheng/cve-2016-5699-jinzheng-sha

CVE-2016-5734 (2016-07-03)

phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.

• KosukeShimofuji/CVE-2016-5734
• HKirito/phpmyadmin4.4_cve-2016-5734
• miko550/CVE-2016-5734-docker

CVE-2016-5983 (2016-10-05)

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.11, 9.0 before 9.0.0.2, and Liberty before 16.0.0.4 allows remote authenticated users to execute arbitrary Java code via a crafted serialized object.

• BitWrecker/CVE-2016-5983

CVE-2016-6187 (2016-08-06)

The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 4.6.5 does not validate the buffer size, which allows local users to gain privileges by triggering an AppArmor setprocattr hook.

• vnik5287/cve-2016-6187-poc
• Milo-D/CVE-2016-6187_LPE

CVE-2016-6210 (2017-02-13)

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.

• justlce/CVE-2016-6210-Exploit
• goomdan/CVE-2016-6210-exploit
• samh4cks/CVE-2016-6210-OpenSSH-User-Enumeration

CVE-2016-6271 (2017-01-18)

The Bzrtp library (aka libbzrtp) 1.0.x before 1.0.4 allows man-in-the-middle attackers to conduct spoofing attacks by leveraging a missing HVI check on DHPart2 packet reception.

• gteissier/CVE-2016-6271

CVE-2016-6317 (2016-09-07)

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

• kavgan/vuln_test_repo_public_ruby_gemfile_cve-2016-6317

CVE-2016-6328 (2018-10-31)

A vulnerability was found in libexif. An integer overflow when parsing the MNOTE entry data of the input file. This can cause Denial-of-Service (DoS) and Information Disclosure (disclosing some critical heap chunk metadata, even other applications' private data).

• Pazhanivelmani/libexif_Android10_r33_CVE-2016-6328

CVE-2016-6366 (2016-08-18)

Buffer overflow in Cisco Adaptive Security Appliance (ASA) Software through 9.4.2.3 on ASA 5500, ASA 5500-X, ASA Services Module, ASA 1000V, ASAv, Firepower 9300 ASA Security Module, PIX, and FWSM devices allows remote authenticated users to execute arbitrary code via crafted IPv4 SNMP packets, aka Bug ID CSCva92151 or EXTRABACON.

• RiskSense-Ops/CVE-2016-6366

CVE-2016-6415 (2016-09-19)

The server IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15.0 through 15.6, IOS XE through 3.18S, IOS XR 4.3.x and 5.0.x through 5.2.x, and PIX before 7.0 allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request, aka Bug IDs CSCvb29204 and CSCvb36055 or BENIGNCERTAIN.

• 3ndG4me/CVE-2016-6415-BenignCertain-Monitor

CVE-2016-6515 (2016-08-07)

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.

• opsxcq/exploit-CVE-2016-6515
• cved-sources/cve-2016-6515
• jptr218/openssh_dos

CVE-2016-6516 (2016-08-06)

Race condition in the ioctl_file_dedupe_range function in fs/ioctl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (heap-based buffer overflow) or possibly gain privileges by changing a certain count value, aka a "double fetch" vulnerability.

• wpengfei/CVE-2016-6516-exploit

CVE-2016-6584

• ViralSecurityGroup/KNOXout

CVE-2016-6662 (2016-09-20)

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15.

• konstantin-kelemen/mysqld_safe-CVE-2016-6662-patch
• meersjo/ansible-mysql-cve-2016-6662
• KosukeShimofuji/CVE-2016-6662
• Ashrafdev/MySQL-Remote-Root-Code-Execution
• boompig/cve-2016-6662
• MAYASEVEN/CVE-2016-6662

CVE-2016-6663 (2016-12-13)

Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33, 5.7.x before 5.7.15, and 8.x before 8.0.1; MariaDB before 5.5.52, 10.0.x before 10.0.28, and 10.1.x before 10.1.18; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17 allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table.

• firebroo/CVE-2016-6663

CVE-2016-6754 (2016-11-25)

A remote code execution vulnerability in Webview in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-05 could enable a remote attacker to execute arbitrary code when the user is navigating to a website. This issue is rated as High due to the possibility of remote code execution in an unprivileged process. Android ID: A-31217937.

• secmob/BadKernel

CVE-2016-6798 (2017-07-19)

In the XSS Protection API module before 1.0.12 in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application.

• tafamace/CVE-2016-6798

CVE-2016-6801 (2016-09-21)

Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.

• TSNGL21/CVE-2016-6801

CVE-2016-7117 (2016-10-10)

Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel before 4.5.2 allows remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing.

• KosukeShimofuji/CVE-2016-7117

CVE-2016-7190 (2016-10-14)

The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-3386, CVE-2016-3389, and CVE-2016-7194.

• 0xcl/cve-2016-7190

CVE-2016-7200 (2016-11-10)

The Chakra JavaScript scripting engine in Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7201, CVE-2016-7202, CVE-2016-7203, CVE-2016-7208, CVE-2016-7240, CVE-2016-7242, and CVE-2016-7243.

• theori-io/chakra-2016-11

CVE-2016-7255 (2016-11-10)

The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

• heh3/CVE-2016-7255
• FSecureLABS/CVE-2016-7255
• homjxi0e/CVE-2016-7255
• yuvatia/page-table-exploitation
• bbolmin/cve-2016-7255_x86_x64

CVE-2016-7434 (2017-01-13)

The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query.

• opsxcq/exploit-CVE-2016-7434
• shekkbuilder/CVE-2016-7434
• cved-sources/cve-2016-7434

CVE-2016-7608 (2017-02-20)

An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "IOFireWireFamily" component, which allows local users to obtain sensitive information from kernel memory via unspecified vectors.

• bazad/IOFireWireFamily-overflow

CVE-2016-7855 (2016-11-01)

Use-after-free vulnerability in Adobe Flash Player before 23.0.0.205 on Windows and OS X and before 11.2.202.643 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in October 2016.

• swagatbora90/CheckFlashPlayerVersion

CVE-2016-8007 (2017-03-14)

Authentication bypass vulnerability in McAfee Host Intrusion Prevention Services (HIPS) 8.0 Patch 7 and earlier allows authenticated users to manipulate the product's registry keys via specific conditions.

• dmaasland/mcafee-hip-CVE-2016-8007

CVE-2016-8016 (2017-03-14)

Information exposure in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows authenticated remote attackers to obtain the existence of unauthorized files on the system via a URL parameter.

• opsxcq/exploit-CVE-2016-8016-25

CVE-2016-8367 (2017-02-13)

An issue was discovered in Schneider Electric Magelis HMI Magelis GTO Advanced Optimum Panels, all versions, Magelis GTU Universal Panel, all versions, Magelis STO5xx and STU Small panels, all versions, Magelis XBT GH Advanced Hand-held Panels, all versions, Magelis XBT GK Advanced Touchscreen Panels with Keyboard, all versions, Magelis XBT GT Advanced Touchscreen Panels, all versions, and Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe). An attacker can open multiple connections to a targeted web server and keep connections open preventing new connections from being made, rendering the web server unavailable during an attack.

• 0xICF/PanelShock

CVE-2016-8462 (2017-01-12)

An information disclosure vulnerability in the bootloader could enable a local attacker to access data outside of its permission level. This issue is rated as High because it could be used to access sensitive data. Product: Android. Versions: N/A. Android ID: A-32510383.

• CunningLogic/PixelDump_CVE-2016-8462

CVE-2016-8467 (2017-01-13)

An elevation of privilege vulnerability in the bootloader could enable a local attacker to execute arbitrary modem commands on the device. This issue is rated as High because it is a local permanent denial of service (device interoperability: completely permanent or requiring re-flashing the entire operating system). Product: Android. Versions: N/A. Android ID: A-30308784.

• roeeh/bootmodechecker

CVE-2016-8610 (2017-11-13)

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.

• cujanovic/CVE-2016-8610-PoC

CVE-2016-8636 (2017-02-22)

Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the "RDMA protocol over infiniband" (aka Soft RoCE) technology.

• jigerjain/Integer-Overflow-test

CVE-2016-8655 (2016-12-08)

Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.

• scarvell/cve-2016-8655
• LakshmiDesai/CVE-2016-8655
• KosukeShimofuji/CVE-2016-8655
• agkunkle/chocobo
• martinmullins/CVE-2016-8655_Android

CVE-2016-8735 (2017-04-06)

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

• ianxtianxt/CVE-2016-8735

CVE-2016-8740 (2016-12-05)

The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.

• lcfpadilha/mac0352-ep4
• jptr218/apachedos

CVE-2016-8776 (2017-04-02)

Huawei P9 phones with software EVA-AL10C00,EVA-CL10C00,EVA-DL10C00,EVA-TL10C00 and P9 Lite phones with software VNS-L21C185 allow attackers to bypass the factory reset protection (FRP) to enter some functional modules without authorization and perform operations to update the Google account.

• akzedevops/CVE-2016-8776

CVE-2016-8823 (2016-12-16)

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgDdiEscape where the size of an input buffer is not validated leading to a denial of service or possible escalation of privileges

• SpiralBL0CK/NDAY_CVE_2016_8823

CVE-2016-8858 (2016-12-09)

The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue."

• dag-erling/kexkill

CVE-2016-8863 (2017-03-07)

Heap-based buffer overflow in the create_url_list function in gena/gena_device.c in Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a valid URI followed by an invalid one in the CALLBACK header of an SUBSCRIBE request.

• mephi42/CVE-2016-8863

CVE-2016-8869 (2016-11-04)

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.

• zugetor/Joomla-3.4.4-3.6.4_CVE-2016-8869_and_CVE-2016-8870
• rustyJ4ck/JoomlaCVE20168869
• cved-sources/cve-2016-8869

CVE-2016-8870 (2016-11-04)

The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.

• cved-sources/cve-2016-8870

CVE-2016-9066 (2018-06-11)

A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.

• saelo/foxpwn

CVE-2016-9079 (2018-06-11)

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1.

• LakshmiDesai/CVE-2016-9079
• dangokyo/CVE-2016-9079
• Tau-hub/Firefox-CVE-2016-9079

CVE-2016-9192 (2016-12-14)

A vulnerability in Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to install and execute an arbitrary executable file with privileges equivalent to the Microsoft Windows operating system SYSTEM account. More Information: CSCvb68043. Known Affected Releases: 4.3(2039) 4.3(748). Known Fixed Releases: 4.3(4019) 4.4(225).

• serializingme/cve-2016-9192

CVE-2016-9244 (2017-02-09)

A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.

• EgeBalci/Ticketbleed
• glestel/minion-ticket-bleed-plugin

CVE-2016-9299 (2017-01-12)

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

• r00t4dm/Jenkins-CVE-2016-9299

CVE-2016-9795 (2017-01-27)

The casrvc program in CA Common Services, as used in CA Client Automation 12.8, 12.9, and 14.0; CA SystemEDGE 5.8.2 and 5.9; CA Systems Performance for Infrastructure Managers 12.8 and 12.9; CA Universal Job Management Agent 11.2; CA Virtual Assurance for Infrastructure Managers 12.8 and 12.9; CA Workload Automation AE 11, 11.3, 11.3.5, and 11.3.6 on AIX, HP-UX, Linux, and Solaris allows local users to modify arbitrary files and consequently gain root privileges via vectors related to insufficient validation.

• blogresponder/CA-Common-Services-privilege-escalation-cve-2016-9795-revisited

CVE-2016-9838 (2016-12-16)

An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account and reset the user's group mappings, username, and password, as demonstrated by submitting a form that targets the registration.register task.

• cved-sources/cve-2016-9838

CVE-2016-9920 (2016-12-08)

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.

• t0kx/exploit-CVE-2016-9920

CVE-2016-10006 (2016-12-24)

In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.

• epicosy/VUL4J-60

CVE-2016-10033 (2016-12-30)

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property.

• opsxcq/exploit-CVE-2016-10033
• Zenexer/safeshell
• GeneralTesler/CVE-2016-10033
• chipironcin/CVE-2016-10033
• Bajunan/CVE-2016-10033
• qwertyuiop12138/CVE-2016-10033
• liusec/WP-CVE-2016-10033
• pedro823/cve-2016-10033-45
• awidardi/opsxcq-cve-2016-10033
• 0x00-0x00/CVE-2016-10033
• cved-sources/cve-2016-10033
• j4k0m/CVE-2016-10033
• zeeshanbhattined/exploit-CVE-2016-10033
• CAOlvchonger/CVE-2016-10033
• eb613819/CTF_CVE-2016-10033
• ElnurBDa/CVE-2016-10033
• Astrowmist/POC-CVE-2016-10033

CVE-2016-10034 (2016-12-30)

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted e-mail address.

• heikipikker/exploit-CVE-2016-10034

CVE-2016-10140 (2017-01-13)

Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI.

• asaotomo/CVE-2016-10140-Zoneminder-Poc

CVE-2016-10190 (2017-02-09)

Heap-based buffer overflow in libavformat/http.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote web servers to execute arbitrary code via a negative chunk size in an HTTP response.

• muzalam/FFMPEG-exploit

CVE-2016-10191 (2017-02-09)

Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches.

• KaviDk/Heap-Over-Flow-with-CVE-2016-10191

CVE-2016-10277 (2017-05-12)

An elevation of privilege vulnerability in the Motorola bootloader could enable a local malicious application to execute arbitrary code within the context of the bootloader. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33840490.

• alephsecurity/initroot
• leosol/initroot

CVE-2016-10555 (2018-05-31)

Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.

• CircuitSoul/poc-cve-2016-10555
• scent2d/PoC-CVE-2016-10555

CVE-2016-10709 (2018-01-22)

pfSense before 2.3 allows remote authenticated users to execute arbitrary OS commands via a '|' character in the status_rrd_graph_img.php graph parameter, related to _rrd_graph_img.php.

• wetw0rk/Exploit-Development

CVE-2016-10761 (2019-06-29)

Logitech Unifying devices before 2016-02-26 allow keystroke injection, bypassing encryption, aka MouseJack.

• ISSAPolska/CVE-2016-10761

CVE-2016-10924 (2019-08-22)

The ebook-download plugin before 1.2 for WordPress has directory traversal.

• rvizx/CVE-2016-10924
• LGenAgul/Wordpress-ebook-CVE-2016-10924

CVE-2016-10956 (2019-09-16)

The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.

• p0dalirius/CVE-2016-10956-mail-masta
• Hackhoven/wp-mail-masta-exploit

CVE-2016-10993 (2019-09-17)

The ScoreMe theme through 2016-04-01 for WordPress has XSS via the s parameter.

• 0xc4t/CVE-2016-10993

CVE-2016-20012 (2021-09-15)

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product

• aztec-eagle/cve-2016-20012

CVE-2016-1000027 (2020-01-02)

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

• artem-smotrakov/cve-2016-1000027-poc
• tina94happy/Spring-Web-5xx-Mitigated-version
• yihtserns/spring-web-without-remoting

2015

CVE-2015-0006 (2015-01-13)

The Network Location Awareness (NLA) service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not perform mutual authentication to determine a domain connection, which allows remote attackers to trigger an unintended permissive configuration by spoofing DNS and LDAP responses on a local network, aka "NLA Security Feature Bypass Vulnerability."

• bugch3ck/imposter

CVE-2015-0057 (2015-02-11)

win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."

• 55-AA/CVE-2015-0057

CVE-2015-0072 (2015-02-07)

Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element that triggers a redirect, a second IFRAME element that does not trigger a redirect, and an eval of a WindowProxy object, aka "Universal XSS (UXSS)."

• dbellavista/uxss-poc

CVE-2015-0204 (2015-01-09)

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.

• felmoltor/FreakVulnChecker
• scottjpack/Freak-Scanner
• AbhishekGhosh/FREAK-Attack-CVE-2015-0204-Testing-Script
• niccoX/patch-openssl-CVE-2014-0291_CVE-2015-0204
• anthophilee/A2SV--SSL-VUL-Scan

CVE-2015-0205 (2015-01-09)

The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.

• saurabh2088/OpenSSL_1_0_1g_CVE-2015-0205

CVE-2015-0231 (2015-01-27)

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.

• 3xp10it/php_cve-2014-8142_cve-2015-0231

CVE-2015-0235 (2015-01-28)

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

• fser/ghost-checker
• mikesplain/CVE-2015-0235-cookbook
• aaronfay/CVE-2015-0235-test
• mholzinger/CVE-2015-0235_GHOST
• adherzog/ansible-CVE-2015-0235-GHOST
• favoretti/lenny-libc6
• nickanderson/cfengine-CVE_2015_0235
• koudaiii-archives/cookbook-update-glibc
• F88/ghostbusters15
• tobyzxj/CVE-2015-0235
• makelinux/CVE-2015-0235-workaround
• arm13/ghost_exploit
• alanmeyer/CVE-glibc
• 1and1-serversupport/ghosttester
• sUbc0ol/CVE-2015-0235
• chayim/GHOSTCHECK-cve-2015-0235
• limkokholefork/GHOSTCHECK-cve-2015-0235

CVE-2015-0311 (2015-01-23)

Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015.

• jr64/CVE-2015-0311

CVE-2015-0313 (2015-02-02)

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2015, a different vulnerability than CVE-2015-0315, CVE-2015-0320, and CVE-2015-0322.

• SecurityObscurity/cve-2015-0313

CVE-2015-0345 (2015-04-15)

Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 16 and 11 before Update 5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

• BishopFox/coldfusion-10-11-xss

CVE-2015-0568 (2016-08-07)

Use-after-free vulnerability in the msm_set_crop function in drivers/media/video/msm/msm_camera.c in the MSM-Camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that makes a crafted ioctl call.

• betalphafai/CVE-2015-0568

CVE-2015-1130 (2015-04-10)

The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors.

• Shmoopi/RootPipe-Demo
• sideeffect42/RootPipeTester

CVE-2015-1140 (2015-04-10)

Buffer overflow in IOHIDFamily in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors.

• kpwn/vpwn

CVE-2015-1157 (2015-05-28)

CoreText in Apple iOS 8.x through 8.3 allows remote attackers to cause a denial of service (reboot and messaging disruption) via crafted Unicode text that is not properly handled during display truncation in the Notifications feature, as demonstrated by Arabic characters in (1) an SMS message or (2) a WhatsApp message.

• perillamint/CVE-2015-1157

CVE-2015-1318 (2015-04-17)

The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1 allows local users to gain privileges via a crafted usr/share/apport/apport file in a namespace (container).

• ScottyBauer/CVE-2015-1318

CVE-2015-1328 (2016-11-28)

The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.

• SR7-HACKING/LINUX-VULNERABILITY-CVE-2015-1328
• notlikethis/CVE-2015-1328
• elit3pwner/CVE-2015-1328-GoldenEye
• BlackFrog-hub/cve-2015-1328
• YastrebX/CVE-2015-1328
• devtz007/overlayfs_CVE-2015-1328

CVE-2015-1397 (2015-04-29)

SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary SQL commands via the popularity[field_expr] parameter when the popularity[from] or popularity[to] parameter is set.

• tmatejicek/CVE-2015-1397
• WHOISshuvam/CVE-2015-1397
• Wytchwulf/CVE-2015-1397-Magento-Shoplift
• 0xDTC/Magento-eCommerce-RCE-CVE-2015-1397

CVE-2015-1427 (2015-02-17)

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

• t0kx/exploit-CVE-2015-1427
• cved-sources/cve-2015-1427
• cyberharsh/Groovy-scripting-engine-CVE-2015-1427
• xpgdgit/CVE-2015-1427
• Sebikea/CVE-2015-1427-for-trixie

CVE-2015-1474 (2015-02-16)

Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of (1) file descriptors or (2) integer values.

• p1gl3t/CVE-2015-1474_poc

CVE-2015-1528 (2015-10-01)

Integer overflow in the native_handle_create function in libcutils/native_handle.c in Android before 5.1.1 LMY48M allows attackers to obtain a different application's privileges or cause a denial of service (Binder heap memory corruption) via a crafted application, aka internal bug 19334482.

• secmob/PoCForCVE-2015-1528
• kanpol/PoCForCVE-2015-1528

CVE-2015-1538 (2015-10-01)

Integer overflow in the SampleTable::setSampleToChunkParams function in SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I allows remote attackers to execute arbitrary code via crafted atoms in MP4 data that trigger an unchecked multiplication, aka internal bug 20139950, a related issue to CVE-2015-4496.

• oguzhantopgul/cve-2015-1538-1
• renjithsasidharan/cve-2015-1538-1
• jduck/cve-2015-1538-1
• niranjanshr13/Stagefright-cve-2015-1538-1
• Tharana/Android-vulnerability-exploitation
• Tharana/vulnerability-exploitation

CVE-2015-1560 (2015-07-14)

SQL injection vulnerability in the isUserAdmin function in include/common/common-Func.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon web 2.7.0) allows remote attackers to execute arbitrary SQL commands via the sid parameter to include/common/XmlTree/GetXmlTree.php.

• Iansus/Centreon-CVE-2015-1560_1561

CVE-2015-1578 (2015-02-11)

Multiple open redirect vulnerabilities in u5CMS before 3.9.4 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) pidvesa cookie to u5admin/pidvesa.php or (2) uri parameter to u5admin/meta2.php.

• Zeppperoni/CVE-2015-1578

CVE-2015-1579 (2015-02-11)

Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.

• paralelo14/WordPressMassExploiter
• paralelo14/CVE-2015-1579

CVE-2015-1592 (2015-02-19)

Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors.

• lightsey/cve-2015-1592

CVE-2015-1635 (2015-04-14)

HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."

• xPaw/HTTPsys
• Zx7ffa4512-Python/Project-CVE-2015-1635
• technion/erlvulnscan
• wiredaem0n/chk-ms15-034
• u0pattern/Remove-IIS-RIIS
• bongbongco/MS15-034
• aedoo/CVE-2015-1635-POC
• limkokholefork/CVE-2015-1635
• n3rdh4x0r/CVE-2015-1635-POC
• n3rdh4x0r/CVE-2015-1635
• w01ke/CVE-2015-1635-POC
• SkinAir/ms15-034-Scan
• Cappricio-Securities/CVE-2015-1635

CVE-2015-1641 (2015-04-14)

Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1 allow remote attackers to execute arbitrary code via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability."

• Cyberclues/rtf_exploit_extractor

CVE-2015-1701 (2015-04-21)

Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."

• hfiref0x/CVE-2015-1701
• Anonymous-Family/CVE-2015-1701
• Anonymous-Family/CVE-2015-1701-download

CVE-2015-1769 (2015-08-15)

Mount Manager in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 mishandles symlinks, which allows physically proximate attackers to execute arbitrary code by connecting a crafted USB device, aka "Mount Manager Elevation of Privilege Vulnerability."

• int0/CVE-2015-1769

CVE-2015-1788 (2015-06-12)

The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.

• pazhanivel07/OpenSSL_1_0_1g_CVE-2015-1788

CVE-2015-1790 (2015-06-12)

The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.

• Trinadh465/OpenSSL-1_0_1g_CVE-2015-1790

CVE-2015-1791 (2015-06-12)

Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.

• Trinadh465/OpenSSL-1_0_1g_CVE-2015-1791

CVE-2015-1792 (2015-06-12)

The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.

• Trinadh465/OpenSSL-1_0_1g_CVE-2015-1792

CVE-2015-1805 (2015-08-08)

The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun."

• panyu6325/CVE-2015-1805
• dosomder/iovyroot
• FloatingGuy/cve-2015-1805
• mobilelinux/iovy_root_research
• ireshchaminda1/Android-Privilege-Escalation-Remote-Access-Vulnerability-CVE-2015-1805

CVE-2015-1855 (2019-11-29)

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.

• vpereira/CVE-2015-1855

CVE-2015-1986 (2015-06-30)

The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to execute arbitrary commands via unspecified vectors, a different vulnerability than CVE-2015-1938.

• 3t3rn4lv01d/CVE-2015-1986

CVE-2015-2153 (2015-03-24)

The rpki_rtr_pdu_print function in print-rpki-rtr.c in the TCP printer in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via a crafted header length in an RPKI-RTR Protocol Data Unit (PDU).

• arntsonl/CVE-2015-2153

CVE-2015-2166 (2015-04-06)

Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the default URI.

• K3ysTr0K3R/CVE-2015-2166-EXPLOIT

CVE-2015-2208 (2015-03-12)

The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the object parameter.

• ptantiku/cve-2015-2208

CVE-2015-2231

• rednaga/adups-get-super-serial

CVE-2015-2291 (2017-08-09)

(1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows allows local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call.

• Tare05/Intel-CVE-2015-2291
• gmh5225/CVE-2015-2291

CVE-2015-2315 (2015-03-17)

Cross-site scripting (XSS) vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the target parameter in a reminder_popup action to the default URI.

• weidongl74/cve-2015-2315-report

CVE-2015-2546 (2015-09-09)

The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-2511, CVE-2015-2517, and CVE-2015-2518.

• k0keoyo/CVE-2015-2546-Exploit

CVE-2015-2794 (2017-02-06)

The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.

• styx00/DNN_CVE-2015-2794
• wilsc0w/CVE-2015-2794-finder

CVE-2015-2900 (2015-10-29)

The AddUserFinding add_userfinding2 function in Medicomp MEDCIN Engine before 2.22.20153.226 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted packet on port 8190.

• securifera/CVE-2015-2900-Exploit

CVE-2015-2925 (2015-11-16)

The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack."

• Kagami/docker_cve-2015-2925

CVE-2015-3043 (2015-04-14)

Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, as exploited in the wild in April 2015, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, and CVE-2015-3042.

• whitehairman/Exploit

CVE-2015-3073 (2015-05-13)

Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to bypass intended restrictions on JavaScript API execution via unspecified vectors, a different vulnerability than CVE-2015-3060, CVE-2015-3061, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3071, CVE-2015-3072, and CVE-2015-3074.

• reigningshells/CVE-2015-3073

CVE-2015-3090 (2015-05-13)

Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3078, CVE-2015-3089, and CVE-2015-3093.

• Xattam1/Adobe-Flash-Exploits_17-18

CVE-2015-3145 (2015-04-24)

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character.

• serz999/CVE-2015-3145

CVE-2015-3152 (2016-05-16)

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

• duo-labs/mysslstrip

CVE-2015-3194 (2015-12-06)

crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.

• Trinadh465/OpenSSL-1_0_1g_CVE-2015-3194

CVE-2015-3195 (2015-12-06)

The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

• Trinadh465/OpenSSL-1_0_1g_CVE-2015-3195

CVE-2015-3197 (2016-02-15)

ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.

• Trinadh465/OpenSSL-1_0_1g_CVE-2015-3197

CVE-2015-3224 (2015-07-26)

request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.

• 0x00-0x00/CVE-2015-3224
• 0xEval/cve-2015-3224
• n000xy/CVE-2015-3224-

CVE-2015-3239 (2015-08-26)

Off-by-one error in the dwarf_to_unw_regnum function in include/dwarf_i.h in libunwind 1.1 allows local users to have unspecified impact via invalid dwarf opcodes.

• RenukaSelvar/libunwind_CVE-2015-3239
• RenukaSelvar/libunwind_CVE-2015-3239_AfterPatch
• RenukaSelvar/libunwind_CVE-2015-3239_After

CVE-2015-3306 (2015-05-18)

The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.

• shk0x/cpx_proftpd
• nootropics/propane
• t0kx/exploit-CVE-2015-3306
• davidtavarez/CVE-2015-3306
• cved-sources/cve-2015-3306
• hackarada/cve-2015-3306
• cdedmondson/Modified-CVE-2015-3306-Exploit
• cd6629/CVE-2015-3306-Python-PoC
• 0xm4ud/ProFTPD_CVE-2015-3306
• jptr218/proftpd_bypass
• JoseLRC97/ProFTPd-1.3.5-mod_copy-Remote-Command-Execution

CVE-2015-3337 (2015-05-01)

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.

• jas502n/CVE-2015-3337

CVE-2015-3456 (2015-05-13)

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

• vincentbernat/cve-2015-3456
• orf53975/poisonfrog

CVE-2015-3636 (2015-08-06)

The ping_unhash function in net/ipv4/ping.c in the Linux kernel before 4.0.3 does not initialize a certain list data structure during an unhash operation, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) by leveraging the ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or IPPROTO_ICMPV6 protocol, and then making a connect system call after a disconnect.

• betalphafai/cve-2015-3636_crash
• askk/libping_unhash_exploit_POC
• ludongxu/cve-2015-3636
• fi01/CVE-2015-3636
• android-rooting-tools/libpingpong_exploit
• debugfan/rattle_root
• a7vinx/CVE-2015-3636

CVE-2015-3825

• roeeh/conscryptchecker

CVE-2015-3837 (2015-10-01)

The OpenSSLX509Certificate class in org/conscrypt/OpenSSLX509Certificate.java in Android before 5.1.1 LMY48I improperly includes certain context data during serialization and deserialization, which allows attackers to execute arbitrary code via an application that sends a crafted Intent, aka internal bug 21437603.

• itibs/IsildursBane

CVE-2015-3839 (2017-08-07)

The updateMessageStatus function in Android 5.1.1 and earlier allows local users to cause a denial of service (NULL pointer exception and process crash).

• mabin004/cve-2015-3839_PoC

CVE-2015-3864 (2015-10-01)

Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824.

• pwnaccelerator/stagefright-cve-2015-3864
• eudemonics/scaredycat
• HenryVHuang/CVE-2015-3864
• Bhathiya404/Exploiting-Stagefright-Vulnerability-CVE-2015-3864
• Cmadhushanka/CVE-2015-3864-Exploitation

CVE-2015-4000 (2015-05-21)

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

• fatlan/HAProxy-Keepalived-Sec-HighLoads

CVE-2015-4495 (2015-08-08)

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.

• vincd/CVE-2015-4495

CVE-2015-4843 (2015-10-21)

Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

• Soteria-Research/cve-2015-4843-type-confusion-phrack

CVE-2015-4852 (2015-11-18)

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

• roo7break/serialator
• AndersonSingh/serialization-vulnerability-scanner
• zhzhdoai/Weblogic_Vuln
• nex1less/CVE-2015-4852

CVE-2015-4870 (2015-10-21)

Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Parser.

• OsandaMalith/CVE-2015-4870

CVE-2015-5119 (2015-07-08)

Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

• jvazquez-r7/CVE-2015-5119
• CiscoCXSecurity/CVE-2015-5119_walkthrough
• dangokyo/CVE-2015-5119

CVE-2015-5195 (2017-07-21)

ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers to cause a denial of service (segmentation fault) via a crafted statistics or filegen configuration command that is not enabled during compilation.

• theglife214/CVE-2015-5195

CVE-2015-5254 (2016-01-08)

Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

• jas502n/CVE-2015-5254
• Ma1Dong/ActiveMQ_CVE-2015-5254
• guigui237/Exploitation-de-la-vuln-rabilit-CVE-2015-5254-

CVE-2015-5347 (2016-04-12)

Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title.

• alexanderkjall/wicker-cve-2015-5347

CVE-2015-5374 (2015-07-18)

A vulnerability has been identified in Firmware variant PROFINET IO for EN100 Ethernet module : All versions < V1.04.01; Firmware variant Modbus TCP for EN100 Ethernet module : All versions < V1.11.00; Firmware variant DNP3 TCP for EN100 Ethernet module : All versions < V1.03; Firmware variant IEC 104 for EN100 Ethernet module : All versions < V1.21; EN100 Ethernet module included in SIPROTEC Merging Unit 6MU80 : All versions < 1.02.02. Specially crafted packets sent to port 50000/UDP could cause a denial-of-service of the affected device. A manual reboot may be required to recover the service of the device.

• can/CVE-2015-5374-DoS-PoC

CVE-2015-5377 (2018-03-06)

Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability

• fi3ro/CVE-2015-5377

CVE-2015-5477 (2015-07-29)

named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries.

• robertdavidgraham/cve-2015-5477
• elceef/tkeypoc
• hmlio/vaas-cve-2015-5477
• knqyf263/cve-2015-5477
• ilanyu/cve-2015-5477
• likekabin/ShareDoc_cve-2015-5477
• xycloops123/TKEY-remote-DoS-vulnerability-exploit

CVE-2015-5531 (2015-08-17)

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

• xpgdgit/CVE-2015-5531
• M0ge/CVE-2015-5531-POC

CVE-2015-5602 (2015-11-17)

sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home///file.txt."

• t0kx/privesc-CVE-2015-5602
• cved-sources/cve-2015-5602

CVE-2015-5932 (2015-10-23)

The kernel in Apple OS X before 10.11.1 allows local users to gain privileges by leveraging an unspecified "type confusion" during Mach task processing.

• jndok/tpwn-bis

CVE-2015-5995 (2015-12-31)

Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and Tenda N3 Wireless N150 devices allow remote attackers to obtain administrative access via a certain admin substring in an HTTP Cookie header.

• shaheemirza/TendaSpill

CVE-2015-6086 (2015-11-11)

Microsoft Internet Explorer 9 through 11 allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability."

• payatu/CVE-2015-6086

CVE-2015-6095 (2015-11-11)

Kerberos in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandles password changes, which allows physically proximate attackers to bypass authentication, and conduct decryption attacks against certain BitLocker configurations, by connecting to an unintended Key Distribution Center (KDC), aka "Windows Kerberos Security Feature Bypass."

• JackOfMostTrades/bluebox

CVE-2015-6132 (2015-12-09)

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Windows Library Loading Remote Code Execution Vulnerability."

• hexx0r/CVE-2015-6132

CVE-2015-6357 (2015-11-18)

The rule-update feature in Cisco FireSIGHT Management Center (MC) 5.2 through 5.4.0.1 does not verify the X.509 certificate of the support.sourcefire.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide an invalid package, and consequently execute arbitrary code, via a crafted certificate, aka Bug ID CSCuw06444.

• mattimustang/firepwner

CVE-2015-6576 (2017-10-02)

Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.

• CallMeJonas/CVE-2015-6576

CVE-2015-6606 (2015-10-06)

The Secure Element Evaluation Kit (aka SEEK or SmartCard API) plugin in Android before 5.1.1 LMY48T allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 22301786.

• michaelroland/omapi-cve-2015-6606-exploit

CVE-2015-6612 (2015-11-03)

libmedia in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows attackers to gain privileges via a crafted application, aka internal bug 23540426.

• secmob/CVE-2015-6612
• flankerhqd/cve-2015-6612poc-forM

CVE-2015-6620 (2015-12-08)

libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bugs 24123723 and 24445127.

• flankerhqd/CVE-2015-6620-POC
• flankerhqd/mediacodecoob

CVE-2015-6637 (2016-01-06)

The MediaTek misc-sd driver in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to gain privileges via a crafted application, aka internal bug 25307013.

• betalphafai/CVE-2015-6637

CVE-2015-6639 (2016-01-06)

The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to gain privileges via a crafted application that leverages QSEECOM access, aka internal bug 24446875.

• laginimaineb/cve-2015-6639
• laginimaineb/ExtractKeyMaster

CVE-2015-6640 (2016-01-06)

The prctl_set_vma_anon_name function in kernel/sys.c in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 does not ensure that only one vma is accessed in a certain update action, which allows attackers to gain privileges or cause a denial of service (vma list corruption) via a crafted application, aka internal bug 20017123.

• betalphafai/CVE-2015-6640

CVE-2015-6668 (2017-10-19)

The Job Manager plugin before 0.7.25 allows remote attackers to read arbitrary CV files via a brute force attack to the WordPress upload directory structure, related to an insecure direct object reference.

• G01d3nW01f/CVE-2015-6668
• n3rdh4x0r/CVE-2015-6668
• jimdiroffii/CVE-2015-6668

CVE-2015-6748 (2017-09-25)

Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.

• epicosy/VUL4J-59

CVE-2015-6835 (2016-05-16)

The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.

• ockeghem/CVE-2015-6835-checker

CVE-2015-6967 (2015-09-16)

Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in content/private/plugins/my_image/image.php.

• dix0nym/CVE-2015-6967
• banomaly/CVE-2015-6967
• FredBrave/CVE-2015-6967
• 3mpir3Albert/HTB_Nibbles

CVE-2015-7214 (2015-12-16)

Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to bypass the Same Origin Policy via data: and view-source: URIs.

• llamakko/CVE-2015-7214

CVE-2015-7297 (2015-10-29)

SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.

• CCrashBandicot/ContentHistory
• areaventuno/exploit-joomla
• Cappricio-Securities/CVE-2015-7297

CVE-2015-7501 (2017-11-09)

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

• ianxtianxt/CVE-2015-7501

CVE-2015-7545 (2016-04-13)

The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.

• avuserow/bug-free-chainsaw

CVE-2015-7547 (2016-02-18)

Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.

• fjserna/CVE-2015-7547
• cakuzo/CVE-2015-7547
• t0r0t0r0/CVE-2015-7547
• rexifiles/rex-sec-glibc
• babykillerblack/CVE-2015-7547
• jgajek/cve-2015-7547
• eSentire/cve-2015-7547-public
• bluebluelan/CVE-2015-7547-proj-master
• miracle03/CVE-2015-7547-master
• Stick-U235/CVE-2015-7547-Research
• Amilaperera12/Glibc-Vulnerability-Exploit-CVE-2015-7547

CVE-2015-7755 (2015-12-19)

Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session.

• hdm/juniper-cve-2015-7755
• cinno/CVE-2015-7755-POC

CVE-2015-7808 (2015-11-24)

The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments.

• Prajithp/CVE-2015-7808

CVE-2015-8088 (2016-01-12)

Heap-based buffer overflow in the HIFI driver in Huawei Mate 7 phones with software MT7-UL00 before MT7-UL00C17B354, MT7-TL10 before MT7-TL10C00B354, MT7-TL00 before MT7-TL00C01B354, and MT7-CL00 before MT7-CL00C92B354 and P8 phones with software GRA-TL00 before GRA-TL00C01B220SP01, GRA-CL00 before GRA-CL00C92B220, GRA-CL10 before GRA-CL10C92B220, GRA-UL00 before GRA-UL00C00B220, and GRA-UL10 before GRA-UL10C00B220 allows attackers to cause a denial of service (reboot) or execute arbitrary code via a crafted application.

• Pray3r/CVE-2015-8088

CVE-2015-8103 (2015-11-25)

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".

• cved-sources/cve-2015-8103
• r00t4dm/Jenkins-CVE-2015-8103

CVE-2015-8239 (2017-10-10)

The SHA-2 digest support in the sudoers plugin in sudo after 1.8.7 allows local users with write permissions to parts of the called command to replace them before it is executed.

• justinsteven/sudo_digest_toctou_poc_CVE-2015-8239

CVE-2015-8277 (2016-02-24)

Multiple buffer overflows in (1) lmgrd and (2) Vendor Daemon in Flexera FlexNet Publisher before 11.13.1.2 Security Update 1 allow remote attackers to execute arbitrary code via a crafted packet with opcode (a) 0x107 or (b) 0x10a.

• securifera/CVE-2015-8277-Exploit

CVE-2015-8299 (2017-08-29)

Buffer overflow in the Group messages monitor (Falcon) in KNX ETS 4.1.5 (Build 3246) allows remote attackers to execute arbitrary code via a crafted KNXnet/IP UDP packet.

• kernoelpanic/CVE-2015-8299

CVE-2015-8351 (2017-09-11)

PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.

• G01d3nW01f/CVE-2015-8351
• G4sp4rCS/exploit-CVE-2015-8351

CVE-2015-8543 (2015-12-28)

The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application.

• bittorrent3389/CVE-2015-8543_for_SLE12SP1

CVE-2015-8562 (2015-12-16)

Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.

• ZaleHack/joomla_rce_CVE-2015-8562
• RobinHoutevelts/Joomla-CVE-2015-8562-PHP-POC
• atcasanova/cve-2015-8562-exploit
• thejackerz/scanner-exploit-joomla-CVE-2015-8562
• paralelo14/CVE-2015-8562
• VoidSec/Joomla_CVE-2015-8562
• xnorkl/Joomla_Payload
• guanjivip/CVE-2015-8562
• lorenzodegiorgi/setup-cve-2015-8562
• Caihuar/Joomla-cve-2015-8562

CVE-2015-8651 (2015-12-28)

Integer overflow in Adobe Flash Player before 18.0.0.324 and 19.x and 20.x before 20.0.0.267 on Windows and OS X and before 11.2.202.559 on Linux, Adobe AIR before 20.0.0.233, Adobe AIR SDK before 20.0.0.233, and Adobe AIR SDK & Compiler before 20.0.0.233 allows attackers to execute arbitrary code via unspecified vectors.

• Gitlabpro/The-analysis-of-the-cve-2015-8651

CVE-2015-8660 (2015-12-28)

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

• whu-enjoy/CVE-2015-8660
• nhamle2/CVE-2015-8660
• carradolly/CVE-2015-8660

CVE-2015-8710 (2016-04-11)

The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.

• Karm/CVE-2015-8710

CVE-2015-9235 (2018-05-29)

In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).

• aalex954/jwt-key-confusion-poc
• WinDyAlphA/CVE-2015-9235_JWT_key_confusion

CVE-2015-9251 (2018-01-18)

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

• halkichi0308/CVE-2015-9251
• moften/CVE-2015-9251

CVE-2015-10034 (2023-01-09)

In j-nowak workout-organizer wurde eine kritische Schwachstelle gefunden. Hierbei betrifft es unbekannten Programmcode. Mit der Manipulation mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Patch wird als 13cd6c3d1210640bfdb39872b2bb3597aa991279 bezeichnet. Als bestmögliche Massnahme wird Patching empfohlen.

• andrenasx/CVE-2015-10034

CVE-2015-20107 (2022-04-13)

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9

• codeskipper/python-patrol

CVE-2015-57115

• TrixSec/CVE-2015-57115

2014

CVE-2014-0038 (2014-02-06)

The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.

• saelo/cve-2014-0038
• kiruthikan99/IT19115276

CVE-2014-0043 (2017-10-02)

In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.

• JJK96/JavaClasspathEnum

CVE-2014-0050 (2014-03-28)

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

• jrrdev/cve-2014-0050

CVE-2014-0094 (2014-03-10)

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

• HasegawaTadamitsu/CVE-2014-0094-test-program-for-struts1
• y0d3n/CVE-2014-0094

CVE-2014-0114 (2014-04-30)

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

• rgielen/struts1filter
• ricedu/struts1-patch
• aenlr/strutt-cve-2014-0114

CVE-2014-0130 (2014-05-07)

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.

• omarkurt/cve-2014-0130

CVE-2014-0160 (2014-04-07)

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

• FiloSottile/Heartbleed
• titanous/heartbleeder
• DominikTo/bleed
• cyphar/heartthreader
• jdauphant/patch-openssl-CVE-2014-0160
• musalbas/heartbleed-masstest
• obayesshelton/CVE-2014-0160-Scanner
• Lekensteyn/pacemaker
• isgroup/openmagic
• fb1h2s/CVE-2014-0160
• takeshixx/ssl-heartbleed.nse
• roganartu/heartbleedchecker-chrome
• zouguangxian/heartbleed
• sensepost/heartbleed-poc
• proactiveRISK/heartbleed-extention
• amerine/coronary
• 0x90/CVE-2014-0160
• ice-security88/CVE-2014-0160
• waqasjamal-zz/HeartBleed-Vulnerability-Checker
• siddolo/knockbleed
• sammyfung/openssl-heartbleed-fix
• a0726h77/heartbleed-test
• pblittle/aws-suture
• hreese/heartbleed-dtls
• wwwiretap/bleeding_onions
• idkqh7/heatbleeding
• GeeksXtreme/ssl-heartbleed.nse
• xlucas/heartbleed
• indiw0rm/-Heartbleed-
• einaros/heartbleed-tools
• mozilla-services/Heartbleed
• yryz/heartbleed.js
• DisK0nn3cT/MaltegoHeartbleed
• OffensivePython/HeartLeak
• vortextube/ssl_scanner
• mpgn/heartbleed-PoC
• xanas/heartbleed.py
• iSCInc/heartbleed
• marstornado/cve-2014-0160-Yunfeng-Jiang
• hmlio/vaas-cve-2014-0160
• hybridus/heartbleedscanner
• froyo75/Heartbleed_Dockerfile_with_Nginx
• Xyl2k/CVE-2014-0160-Chrome-Plugin
• caiqiqi/OpenSSL-HeartBleed-CVE-2014-0160-PoC
• Saymeis/HeartBleed
• cved-sources/cve-2014-0160
• cheese-hub/heartbleed
• artofscripting-zz/cmty-ssl-heartbleed-CVE-2014-0160-HTTP-HTTPS
• cldme/heartbleed-bug
• ThanHuuTuan/Heartexploit
• rouze-d/heartbleed
• WildfootW/CVE-2014-0160_OpenSSL_1.0.1f_Heartbleed
• GuillermoEscobero/heartbleed
• anthophilee/A2SV--SSL-VUL-Scan
• ingochris/heartpatch.us
• belmind/heartbleed
• pierceoneill/bleeding-heart
• n3rdh4x0r/CVE-2014-0160_Heartbleed
• GardeniaWhite/fuzzing
• undacmic/heartbleed-proof-of-concept
• cbk914/heartbleed-checker
• MrE-Fog/CVE-2014-0160-Chrome-Plugin
• timsonner/cve-2014-0160-heartbleed
• Yash-Thakkar77/CVE-2014-0160-HeartBleed

CVE-2014-0166 (2014-04-09)

The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie.

• Ettack/POC-CVE-2014-0166

CVE-2014-0195 (2014-06-05)

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.

• ricedu/CVE-2014-0195
• PezwariNaan/CVE-2014-0195

CVE-2014-0196 (2014-05-07)

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.

• SunRain/CVE-2014-0196
• tempbottle/CVE-2014-0196

CVE-2014-0224 (2014-06-05)

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

• Tripwire/OpenSSL-CCS-Inject-Test
• iph0n3/CVE-2014-0224
• droptables/ccs-eval
• ssllabs/openssl-ccs-cve-2014-0224
• secretnonempty/CVE-2014-0224

CVE-2014-0226 (2014-07-20)

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

• shreesh1/CVE-2014-0226-poc

CVE-2014-0282 (2014-06-11)

Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1775, CVE-2014-1779, CVE-2014-1799, CVE-2014-1803, and CVE-2014-2757.

• Charmve/PyStegosploit

CVE-2014-0291

• niccoX/patch-openssl-CVE-2014-0291_CVE-2015-0204

CVE-2014-0472 (2014-04-23)

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

• christasa/CVE-2014-0472

CVE-2014-0521 (2014-05-14)

Adobe Reader and Acrobat 10.x before 10.1.10 and 11.x before 11.0.07 on Windows and OS X do not properly implement JavaScript APIs, which allows remote attackers to obtain sensitive information via a crafted PDF document.

• molnarg/cve-2014-0521

CVE-2014-0816 (2014-02-27)

Unspecified vulnerability in Norman Security Suite 10.1 and earlier allows local users to gain privileges via unknown vectors.

• tandasat/CVE-2014-0816

CVE-2014-0993 (2014-09-15)

Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

• helpsystems/Embarcadero-Workaround

CVE-2014-160

• menrcom/CVE-2014-160
• GitMirar/heartbleed_exploit

CVE-2014-1266 (2014-02-22)

The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by (1) using an arbitrary private key for the signing step or (2) omitting the signing step.

• landonf/Testability-CVE-2014-1266
• linusyang/SSLPatch
• gabrielg/CVE-2014-1266-poc
• meetlight942/PentesterLab-Intercept-CVE-2014-1266

CVE-2014-1303 (2014-03-26)

Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism via unspecified vectors, as demonstrated by Liang Chen during a Pwn2Own competition at CanSecWest 2014.

• RKX1209/CVE-2014-1303

CVE-2014-1322 (2014-04-23)

The kernel in Apple OS X through 10.9.2 places a kernel pointer into an XNU object data structure accessible from user space, which makes it easier for local users to bypass the ASLR protection mechanism by reading an unspecified attribute of the object.

• raymondpittman/IPC-Memory-Mac-OSX-Exploit

CVE-2014-1447 (2014-01-24)

Race condition in the virNetServerClientStartKeepAlive function in libvirt before 1.2.1 allows remote attackers to cause a denial of service (libvirtd crash) by closing a connection before a keepalive response is sent.

• tagatac/libvirt-CVE-2014-1447

CVE-2014-1677 (2017-04-03)

Technicolor TC7200 with firmware STD6.01.12 could allow remote attackers to obtain sensitive information.

• tihmstar/freePW_tc7200Eploit

CVE-2014-1767 (2014-07-08)

Double free vulnerability in the Ancillary Function Driver (AFD) in afd.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."

• ExploitCN/CVE-2014-1767-EXP-PAPER

CVE-2014-1773 (2014-06-11)

Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1783, CVE-2014-1784, CVE-2014-1786, CVE-2014-1795, CVE-2014-1805, CVE-2014-2758, CVE-2014-2759, CVE-2014-2765, CVE-2014-2766, and CVE-2014-2775.

• day6reak/CVE-2014-1773

CVE-2014-1812 (2014-05-14)

The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

• mauricelambert/gpp-encrypt

CVE-2014-2064 (2014-10-17)

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

• Naramsim/Offensive

CVE-2014-2321 (2014-03-11)

web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.

• injectionmethod/ZTE-Vuln-4-Skids
• injectionmethod/Windows-ZTE-Loader

CVE-2014-2323 (2014-03-14)

SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.

• cirocosta/lighty-sqlinj-demo

CVE-2014-2324 (2014-03-14)

Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname.

• sp4c30x1/uc_httpd_exploit

CVE-2014-2383 (2014-04-28)

dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.

• Relativ3Pa1n/CVE-2014-2383-LFI-to-RCE-Escalation

CVE-2014-2630 (2014-08-12)

Unspecified vulnerability in HP Operations Agent 11.00, when Glance is used, allows local users to gain privileges via unknown vectors.

• redtimmy/perf-exploiter

CVE-2014-2734 (2014-04-24)

The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher

• gdisneyleugers/CVE-2014-2734
• adrienthebo/cve-2014-2734

CVE-2014-2815 (2014-08-12)

Microsoft OneNote 2007 SP3 allows remote attackers to execute arbitrary code via a crafted OneNote file that triggers creation of an executable file in a startup folder, aka "OneNote Remote Code Execution Vulnerability."

• Edubr2020/CABTrap_OneNote2007

CVE-2014-3120 (2014-07-28)

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

• jeffgeiger/es_inject
• echohtp/ElasticSearch-CVE-2014-3120
• xpgdgit/CVE-2014-3120

CVE-2014-3153 (2014-06-07)

The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.

• timwr/CVE-2014-3153
• android-rooting-tools/libfutex_exploit
• geekben/towelroot
• lieanu/CVE-2014-3153
• zerodavinci/CVE-2014-3153-exploit
• c3c/CVE-2014-3153
• dangtunguyen/TowelRoot
• elongl/CVE-2014-3153
• c4mx/Linux-kernel-code-injection_CVE-2014-3153

CVE-2014-3206 (2018-02-23)

Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the auth_name parameter to localhost/backupmgmt/pre_connect_check.php.

• laccart/CVE-2014-3206

CVE-2014-3341 (2014-08-19)

The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

• ehabhussein/snmpvlan

CVE-2014-3466 (2014-06-03)

Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.

• azet/CVE-2014-3466_PoC

CVE-2014-3507 (2014-08-13)

Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

• Satheesh575555/openSSL_1.0.1g_CVE-2014-3507

CVE-2014-3544 (2014-07-29)

Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.

• aforesaid/MoodleHack

CVE-2014-3551 (2014-07-29)

Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric.

• JavaGarcia/CVE-2014-3551

CVE-2014-3566 (2014-10-15)

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

• mikesplain/CVE-2014-3566-poodle-cookbook
• stdevel/poodle_protector
• cloudpassage/mangy-beast
• mpgn/poodle-PoC
• uthrasri/openssl_g2.5_CVE-2014-3566
• GoRuGoo/poodle-attack-sandbox

CVE-2014-3570 (2015-01-09)

The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.

• uthrasri/openssl_G2.5_CVE-2014-3570
• uthrasri/Openssl_G2.5_CVE-2014-3570_01
• uthrasri/CVE-2014-3570
• uthrasri/CVE-2014-3570_G2.5_openssl_no_patch

CVE-2014-3625 (2014-11-20)

Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

• ilmila/springcss-cve-2014-3625
• gforresu/SpringPathTraversal

CVE-2014-3704 (2014-10-16)

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.

• happynote3966/CVE-2014-3704
• AleDiBen/Drupalgeddon
• Neldeborg/Drupalgeddon-Python3

CVE-2014-4014 (2014-06-23)

The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.

• vnik5287/cve-2014-4014-privesc

CVE-2014-4076 (2014-11-11)

Microsoft Windows Server 2003 SP2 allows local users to gain privileges via a crafted IOCTL call to (1) tcpip.sys or (2) tcpip6.sys, aka "TCP/IP Elevation of Privilege Vulnerability."

• fungoshacks/CVE-2014-4076

CVE-2014-4109 (2014-09-10)

Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2799, CVE-2014-4059, CVE-2014-4065, CVE-2014-4079, CVE-2014-4081, CVE-2014-4083, CVE-2014-4085, CVE-2014-4088, CVE-2014-4090, CVE-2014-4094, CVE-2014-4097, CVE-2014-4100, CVE-2014-4103, CVE-2014-4104, CVE-2014-4105, CVE-2014-4106, CVE-2014-4107, CVE-2014-4108, CVE-2014-4110, and CVE-2014-4111.

• day6reak/CVE-2014-4109

CVE-2014-4113 (2014-10-15)

win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka "Win32k.sys Elevation of Privilege Vulnerability."

• johnjohnsp1/CVE-2014-4113
• nsxz/Exploit-CVE-2014-4113
• sam-b/CVE-2014-4113
• wikiZ/cve-2014-4113

CVE-2014-4140 (2014-10-15)

Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability."

• day6reak/CVE-2014-4140

CVE-2014-4210 (2014-07-17)

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0 and 10.3.6.0 allows remote attackers to affect confidentiality via vectors related to WLS - Web Services.

• NoneNotNull/SSRFX
• 0xn0ne/weblogicScanner
• unmanarc/CVE-2014-4210-SSRF-PORTSCANNER-POC
• NHPT/WebLogic-SSRF_CVE-2014-4210

CVE-2014-4321

• android-rooting-tools/libmsm_vfe_read_exploit

CVE-2014-4322 (2014-12-24)

drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application.

• retme7/CVE-2014-4322_poc
• laginimaineb/cve-2014-4322
• askk/CVE-2014-4322_adaptation
• koozxcv/CVE-2014-4322

CVE-2014-4323 (2014-12-12)

The mdp_lut_hw_update function in drivers/video/msm/mdp.c in the MDP display driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain start and length values within an ioctl call, which allows attackers to gain privileges via a crafted application.

• marcograss/cve-2014-4323

CVE-2014-4377 (2014-09-18)

Integer overflow in CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

• feliam/CVE-2014-4377
• davidmurray/CVE-2014-4377

CVE-2014-4378 (2014-09-18)

CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a crafted PDF document.

• feliam/CVE-2014-4378

CVE-2014-4481 (2015-01-30)

Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

• feliam/CVE-2014-4481

CVE-2014-4511 (2014-07-22)

Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to blame/master/, master/, and stats/master/.

• michaelsss1/gitlist-RCE

CVE-2014-4671 (2014-07-09)

Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.

• cph/rabl-old

CVE-2014-4688 (2014-07-02)

pfSense before 2.1.4 allows remote authenticated users to execute arbitrary commands via (1) the hostname value to diag_dns.php in a Create Alias action, (2) the smartmonemail value to diag_smart.php, or (3) the database value to status_rrd_graph_img.php.

• andyfeili/CVE-2014-4688

CVE-2014-4699 (2014-07-09)

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.

• vnik5287/cve-2014-4699-ptrace

CVE-2014-4936 (2014-12-16)

The upgrade functionality in Malwarebytes Anti-Malware (MBAM) consumer before 2.0.3 and Malwarebytes Anti-Exploit (MBAE) consumer 1.04.1.1012 and earlier allow man-in-the-middle attackers to execute arbitrary code by spoofing the update server and uploading an executable.

• 0x3a/CVE-2014-4936

CVE-2014-4943 (2014-07-19)

The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.

• redes-2015/l2tp-socket-bug

CVE-2014-5139 (2014-08-13)

The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client.

• uthrasri/CVE-2014-5139
• uthrasri/G2.5_openssl_CVE-2014-5139

CVE-2014-5284 (2014-12-02)

host-deny.sh in OSSEC before 2.8.1 writes to temporary files with predictable filenames without verifying ownership, which allows local users to modify access restrictions in hosts.deny and gain root privileges by creating the temporary files before automatic IP blocking is performed.

• mbadanoiu/CVE-2014-5284

CVE-2014-5460 (2014-09-11)

Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/.

• F-0x57/CVE-2014-5460

CVE-2014-6271 (2014-09-24)

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

• dlitz/bash-cve-2014-6271-fixes
• npm/ansible-bashpocalypse
• ryancnelson/patched-bash-4.3
• jblaine/cookbook-bash-CVE-2014-6271
• rrreeeyyy/cve-2014-6271-spec
• scottjpack/shellshock_scanner
• Anklebiter87/Cgi-bin_bash_Reverse
• justzx2011/bash-up
• mattclegg/CVE-2014-6271
• ilismal/Nessus_CVE-2014-6271_check
• RainMak3r/Rainstorm
• gabemarshall/shocknaww
• woltage/CVE-2014-6271
• ariarijp/vagrant-shellshock
• themson/shellshock
• securusglobal/BadBash
• villadora/CVE-2014-6271
• APSL/salt-shellshock
• teedeedubya/bash-fix-exploit
• internero/debian-lenny-bash_3.2.52-cve-2014-6271
• u20024804/bash-3.2-fixed-CVE-2014-6271
• u20024804/bash-4.2-fixed-CVE-2014-6271
• u20024804/bash-4.3-fixed-CVE-2014-6271
• francisck/shellshock-cgi
• proclnas/ShellShock-CGI-Scan
• sch3m4/RIS
• ryeyao/CVE-2014-6271_Test
• cj1324/CGIShell
• renanvicente/puppet-shellshock
• indiandragon/Shellshock-Vulnerability-Scan
• ramnes/pyshellshock
• akiraaisha/shellshocker-python
• 352926/shellshock_crawler
• kelleykong/cve-2014-6271-mengjia-kong
• huanlu/cve-2014-6271-huan-lu
• sunnyjiang/shellshocker-android
• P0cL4bs/ShellShock-CGI-Scan
• hmlio/vaas-cve-2014-6271
• opsxcq/exploit-CVE-2014-6271
• Pilou-Pilou/docker_CVE-2014-6271.
• zalalov/CVE-2014-6271
• heikipikker/shellshock-shell
• 0x00-0x00/CVE-2014-6271
• kowshik-sundararajan/CVE-2014-6271
• w4fz5uck5/ShockZaum-CVE-2014-6271
• Aruthw/CVE-2014-6271
• cved-sources/cve-2014-6271
• shawntns/exploit-CVE-2014-6271
• Sindadziy/cve-2014-6271
• wenyu1999/bash-shellshock
• Sindayifu/CVE-2019-14287-CVE-2014-6271
• Any3ite/CVE-2014-6271
• somhm-solutions/Shell-Shock
• rashmikadileeshara/CVE-2014-6271-Shellshock-
• Dilith006/CVE-2014-6271
• cyberharsh/Shellbash-CVE-2014-6271
• MuirlandOracle/CVE-2014-6271-IPFire
• mochizuki875/CVE-2014-6271-Apache-Debian
• b4keSn4ke/CVE-2014-6271
• hadrian3689/shellshock
• akr3ch/CVE-2014-6271
• banomaly/CVE-2014-6271
• Gurguii/cgi-bin-shellshock
• anujbhan/shellshock-victim-host
• FilipStudeny/-CVE-2014-6271-Shellshock-Remote-Command-Injection-
• mritunjay-k/CVE-2014-6271
• Brandaoo/CVE-2014-6271
• Jsmoreira02/CVE-2014-6271
• hanmin0512/CVE-2014-6271_pwnable
• 0xTabun/CVE-2014-6271
• 0xN7y/CVE-2014-6271
• AlissonFaoli/Shellshock
• hackintoanetwork/shellshock
• ajansha/shellshock
• K3ysTr0K3R/CVE-2014-6271-EXPLOIT
• TheRealCiscoo/Shellshock-Exploit
• RadYio/CVE-2014-6271

CVE-2014-6287 (2014-10-07)

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

• roughiz/cve-2014-6287.py
• Nicoslo/Windows-exploitation-Rejetto-HTTP-File-Server-HFS-2.3.x-CVE-2014-6287
• wizardy0ga/THM-Steel_Mountain-CVE-2014-6287
• mrintern/thm_steelmountain_CVE-2014-6287
• hadrian3689/rejetto_hfs_rce
• randallbanner/Rejetto-HTTP-File-Server-HFS-2.3.x---Remote-Command-Execution
• 0xTabun/CVE-2014-6287
• zhsh9/CVE-2014-6287
• francescobrina/hfs-cve-2014-6287-exploit

CVE-2014-6332 (2014-11-11)

OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka "Windows OLE Automation Array Remote Code Execution Vulnerability."

• MarkoArmitage/metasploit-framework
• tjjh89017/cve-2014-6332
• mourr/CVE-2014-6332

CVE-2014-6577 (2015-01-21)

Unspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher's claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.

• SecurityArtWork/oracle-xxe-sqli

CVE-2014-6598 (2015-01-21)

Unspecified vulnerability in the Oracle Communications Diameter Signaling Router component in Oracle Communications Applications 3.x, 4.x, and 5.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Signaling - DPI.

• KPN-CISO/DRA_writeup

CVE-2014-6721 (2014-09-26)

The Pharmaguideline (aka com.pharmaguideline) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

• sagisar1/CVE-2014-6721-exploit-Shellshock

CVE-2014-7169 (2014-09-25)

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

• chef-boneyard/bash-shellshock
• gina-alaska/bash-cve-2014-7169-cookbook
• Gobinath-B/SHELL-SCHOCK

CVE-2014-7205 (2014-10-08)

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors.

• maximilianmarx/bassmaster-rce
• AndrewTrube/CVE-2014-7205

CVE-2014-7236 (2020-02-17)

Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome.

• m0nad/CVE-2014-7236_Exploit

CVE-2014-7911 (2014-12-15)

luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the requirements for serialization, which allows attackers to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy, aka Bug 15874291.

• retme7/CVE-2014-7911_poc
• ele7enxxh/CVE-2014-7911
• heeeeen/CVE-2014-7911poc
• GeneBlue/cve-2014-7911-exp
• koozxcv/CVE-2014-7911
• koozxcv/CVE-2014-7911-CVE-2014-4322_get_root_privilege
• mabin004/cve-2014-7911

CVE-2014-7920 (2017-04-13)

mediaserver in Android 2.2 through 5.x before 5.1 allows attackers to gain privileges. NOTE: This is a different vulnerability than CVE-2014-7921.

• laginimaineb/cve-2014-7920-7921
• Vinc3nt4H/cve-2014-7920-7921_update

CVE-2014-8110 (2015-02-12)

Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

• tafamace/CVE-2014-8110

CVE-2014-8142 (2014-12-20)

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.

• 3xp10it/php_cve-2014-8142_cve-2015-0231

CVE-2014-8244 (2014-11-01)

Linksys SMART WiFi firmware on EA2700 and EA3500 devices; before 2.1.41 build 162351 on E4200v2 and EA4500 devices; before 1.1.41 build 162599 on EA6200 devices; before 1.1.40 build 160989 on EA6300, EA6400, EA6500, and EA6700 devices; and before 1.1.42 build 161129 on EA6900 devices allows remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/ HTTP request.

• JollyJumbuckk/LinksysLeaks

CVE-2014-8275 (2015-01-09)

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.

• uthrasri/Openssl_G2.5_CVE-2014-8275
• uthrasri/CVE-2014-8275_openssl_g2.5

CVE-2014-8609 (2014-12-15)

The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824.

• locisvv/Vulnerable-CVE-2014-8609
• MazX0p/CVE-2014-8609-POC
• ratiros01/CVE-2014-8609-exploit

CVE-2014-8682 (2014-11-21)

Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.

• nihal1306/gogs

CVE-2014-8729

• inso-/TORQUE-Resource-Manager-2.5.x-2.5.13-stack-based-buffer-overflow-exploit-CVE-2014-8729-CVE-2014-878

CVE-2014-8731 (2017-03-23)

PHPMemcachedAdmin 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via vectors related "serialized data and the last part of the concatenated filename," which creates a file in webroot.

• sbani/CVE-2014-8731-PoC

CVE-2014-8757 (2015-02-17)

LG On-Screen Phone (OSP) before 4.3.010 allows remote attackers to bypass authorization via a crafted request.

• irsl/lgosp-poc

CVE-2014-9016 (2014-11-24)

The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.

• c0r3dump3d/wp_drupal_timing_attack
• Primus27/WordPress-Long-Password-Denial-of-Service

CVE-2014-9222 (2014-12-24)

AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the "Misfortune Cookie" vulnerability.

• BenChaliah/MIPS-CVE-2014-9222
• donfanning/MIPS-CVE-2014-9222

CVE-2014-9295 (2014-12-20)

Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function.

• MacMiniVault/NTPUpdateSnowLeopard

CVE-2014-9301 (2014-12-07)

Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter.

• ottimo/burp-alfresco-referer-proxy-cve-2014-9301

CVE-2014-9322 (2014-12-17)

arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.

• RKX1209/CVE-2014-9322

CVE-2014-9390 (2020-02-12)

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

• hakatashi/CVE-2014-9390

CVE-2014-10069 (2018-01-07)

Hitron CVE-30360 devices use a 578A958E3DD933FC DES key that is shared across different customers' installations, which makes it easier for attackers to obtain sensitive information by decrypting a backup configuration file, as demonstrated by a password hash in the um_auth_account_password field.

• aimoda/hitron-cfg-decrypter

CVE-2014-91371

• jamaal001/CVE-2014-91371-Wordpress-

2013

CVE-2013-0156 (2013-01-13)

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

• terracatta/name_reverser
• heroku/heroku-CVE-2013-0156
• josal/crack-0.1.8-fixed
• bsodmike/rails-exploit-cve-2013-0156
• R3dKn33-zz/CVE-2013-0156
• Jjdt12/kuang_grade_mk11
• oxBEN10/CVE-2013-0156

CVE-2013-0212 (2013-02-24)

store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, allows remote authenticated users to obtain sensitive information by reading the error messages.

• LogSec/CVE-2013-0212

CVE-2013-0229 (2013-01-31)

The ProcessSSDPRequest function in minissdp.c in the SSDP handler in MiniUPnP MiniUPnPd before 1.4 allows remote attackers to cause a denial of service (service crash) via a crafted request that triggers a buffer over-read.

• lochiiconnectivity/vulnupnp

CVE-2013-0269 (2013-02-13)

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."

• heroku/heroku-CVE-2013-0269

CVE-2013-0303 (2014-03-23)

Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344.

• CiscoCXSecurity/ownCloud_RCE_CVE-2013-0303

CVE-2013-0333 (2013-01-30)

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.

• heroku/heroku-CVE-2013-0333

CVE-2013-225

• PentestinGxRoot/ShellEvil

CVE-2013-1081 (2013-03-11)

Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter.

• steponequit/CVE-2013-1081

CVE-2013-1300 (2013-07-10)

win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle objects in memory, which allows local users to gain privileges via a crafted application, aka "Win32k Memory Allocation Vulnerability."

• Meatballs1/cve-2013-1300

CVE-2013-1488 (2013-03-08)

The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to execute arbitrary code via unspecified vectors involving reflection, Libraries, "improper toString calls," and the JDBC driver manager, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013.

• v-p-b/buherablog-cve-2013-1488

CVE-2013-1491 (2013-03-08)

The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via vectors related to 2D, as demonstrated by Joshua Drake during a Pwn2Own competition at CanSecWest 2013.

• guhe120/CVE20131491-JIT

CVE-2013-1690 (2013-06-26)

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.

• vlad902/annotated-fbi-tbb-exploit

CVE-2013-1763 (2013-02-28)

Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.

• qkrtjsrbs315/CVE-2013-1763

CVE-2013-1775 (2013-03-04)

sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically proximate attackers to bypass intended time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch.

• bekhzod0725/perl-CVE-2013-1775

CVE-2013-1965 (2013-07-10)

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.

• cinno/CVE-2013-1965

CVE-2013-2006 (2013-05-21)

OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows local users to obtain sensitive by reading the log file.

• LogSec/CVE-2013-2006

CVE-2013-2028 (2013-07-18)

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.

• danghvu/nginx-1.4.0
• kitctf/nginxpwn
• tachibana51/CVE-2013-2028-x64-bypass-ssp-and-pie-PoC
• m4drat/CVE-2013-2028-Exploit
• jptr218/nginxhack
• Sunqiz/CVE-2013-2028-reproduction
• xiw1ll/CVE-2013-2028_Checker

CVE-2013-2072 (2013-08-28)

Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap.

• bl4ck5un/cve-2013-2072

CVE-2013-2094 (2013-05-14)

The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call.

• realtalk/cve-2013-2094
• hiikezoe/libperf_event_exploit
• Pashkela/CVE-2013-2094
• tarunyadav/fix-cve-2013-2094
• timhsutw/cve-2013-2094
• vnik5287/CVE-2013-2094

CVE-2013-2165 (2013-07-22)

ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.

• Pastea/CVE-2013-2165

CVE-2013-2171 (2013-07-02)

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEASE-p4 does not properly determine whether a task should have write access to a memory location, which allows local users to bypass filesystem write permissions and consequently gain privileges via a crafted application that leverages read permissions, and makes mmap and ptrace system calls.

• 0xGabe/FreeBSD-9.0-9.1-Privilege-Escalation

CVE-2013-2186 (2013-10-28)

The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

• GrrrDog/ACEDcup
• sa1g0n1337/Payload_CVE_2013_2186
• sa1g0n1337/CVE_2013_2186

CVE-2013-2217 (2013-09-23)

cache.py in Suds 0.4, when tempdir is set to None, allows local users to redirect SOAP queries and possibly have other unspecified impact via a symlink attack on a cache file with a predictable name in /tmp/suds/.

• Osirium/suds

CVE-2013-2251 (2013-07-18)

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

• nth347/CVE-2013-2251

CVE-2013-2595 (2014-08-31)

The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which allows attackers to gain privileges via a crafted application.

• fi01/libmsm_cameraconfig_exploit

CVE-2013-2596 (2013-04-13)

Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program.

• hiikezoe/libfb_mem_exploit

CVE-2013-2597 (2014-08-31)

Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that leverages /dev/msm_acdb access and provides a large size value in an ioctl argument.

• fi01/libmsm_acdb_exploit

CVE-2013-2729 (2013-05-16)

Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727.

• feliam/CVE-2013-2729

CVE-2013-2730 (2013-05-16)

Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2733.

• feliam/CVE-2013-2730

CVE-2013-2842 (2013-05-22)

Use-after-free vulnerability in Google Chrome before 27.0.1453.93 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of widgets.

• 173210/spider

CVE-2013-2977 (2013-05-10)

Integer overflow in IBM Notes 8.5.x before 8.5.3 FP4 Interim Fix 1 and 9.x before 9.0 Interim Fix 1 on Windows, and 8.5.x before 8.5.3 FP5 and 9.x before 9.0.1 on Linux, allows remote attackers to execute arbitrary code via a malformed PNG image in a previewed e-mail message, aka SPR NPEI96K82Q.

• defrancescojp/CVE-2013-2977

CVE-2013-3214 (2020-01-28)

vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'.

• shadofren/CVE-2013-3214

CVE-2013-3319 (2013-08-16)

The GetComputerSystem method in the HostControl service in SAP Netweaver 7.03 allows remote attackers to obtain sensitive information via a crafted SOAP request to TCP port 1128.

• devoteam-cybertrust/cve-2013-3319

CVE-2013-3651 (2013-06-29)

LOCKON EC-CUBE 2.11.2 through 2.12.4 allows remote attackers to conduct unspecified PHP code-injection attacks via a crafted string, related to data/class/SC_CheckError.php and data/class/SC_FormParam.php.

• motikan2010/CVE-2013-3651

CVE-2013-3660 (2013-05-24)

The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 does not properly initialize a pointer for the next object in a certain list, which allows local users to obtain write access to the PATHRECORD chain, and consequently gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls, aka "Win32k Read AV Vulnerability."

• ExploitCN/CVE-2013-3660-x64-WIN7

CVE-2013-3664 (2014-07-01)

Trimble SketchUp (formerly Google SketchUp) before 2013 (13.0.3689) allows remote attackers to execute arbitrary code via a crafted color palette table in a MAC Pict texture, which triggers an out-of-bounds stack write. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-3662. NOTE: this issue was SPLIT due to different affected products and codebases (ADT1); CVE-2013-7388 has been assigned to the paintlib issue.

• defrancescojp/CVE-2013-3664_MAC
• defrancescojp/CVE-2013-3664_BMP

CVE-2013-3827 (2013-10-16)

Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.

• thistehneisen/CVE-2013-3827

CVE-2013-3900 (2013-12-11)

Why is Microsoft republishing a CVE from 2013?\nWe are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, except for clarifications about how to configure the EnableCertPaddingCheck registry value, the information herein remains unchanged from the original text published on December 10, 2013,\nMicrosoft does not plan to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. This behavior remains available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since December 10, 2013. This includes all currently supported versions of Windows 10 and Windows 11. The supporting code for this reg key was incorporated at the time of release for Windows 10 and Windows 11, so no security update is required; however, the reg key must be set. See the Security Updates table for the list of affected software.\nVulnerability Description\nA remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\nExploitation of this vulnerability requires that a user or application run or install a specially crafted, signed PE file. An attacker could modify an... See more at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900

• snoopopsec/vulnerability-CVE-2013-3900
• CyberCondor/Fix-WinVerifyTrustSignatureValidationVuln
• Securenetology/CVE-2013-3900
• OtisSymbos/CVE-2013-3900-WinTrustVerify

CVE-2013-4002 (2013-07-23)

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

• tafamace/CVE-2013-4002

CVE-2013-4175 (2020-01-23)

MySecureShell 1.31 has a Local Denial of Service Vulnerability

• hartwork/mysecureshell-issues

CVE-2013-4348 (2013-11-04)

The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation.

• bl4ck5un/cve-2013-4348

CVE-2013-4362 (2013-09-30)

WEB-DAV Linux File System (davfs2) 1.4.6 and 1.4.7 allow local users to gain privileges via unknown attack vectors in (1) kernel_interface.c and (2) mount_davfs.c, related to the "system" function.

• notclement/Automatic-davfs2-1.4.6-1.4.7-Local-Privilege-Escalation

CVE-2013-4378 (2013-09-30)

Cross-site scripting (XSS) vulnerability in HtmlSessionInformationsReport.java in JavaMelody 1.46 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted X-Forwarded-For header.

• theratpack/grails-javamelody-sample-app
• epicosy/VUL4J-50

CVE-2013-4434 (2013-10-25)

Dropbear SSH Server before 2013.59 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to discover valid usernames.

• styx00/Dropbear_CVE-2013-4434

CVE-2013-4547 (2013-11-23)

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.

• cyberharsh/Nginx-CVE-2013-4547

CVE-2013-4710 (2014-03-03)

Android 3.0 through 4.1.x on Disney Mobile, eAccess, KDDI, NTT DOCOMO, SoftBank, and other devices does not properly implement the WebView class, which allows remote attackers to execute arbitrary methods of Java objects or cause a denial of service (reboot) via a crafted web page, as demonstrated by use of the WebView.addJavascriptInterface method, a related issue to CVE-2012-6636.

• Snip3R69/CVE-2013-4710-WebView-RCE-Vulnerability

CVE-2013-4730 (2014-05-15)

Buffer overflow in PCMan's FTP Server 2.0.7 allows remote attackers to execute arbitrary code via a long string in a USER command.

• t0rt3ll1n0/PCmanBoF

CVE-2013-4784 (2013-07-08)

The HP Integrated Lights-Out (iLO) BMC implementation allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.

• alexoslabs/ipmitest

CVE-2013-4786 (2013-07-08)

The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC.

• fin3ss3g0d/CosmicRakp

CVE-2013-5065 (2013-11-27)

NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.

• Friarfukd/RobbinHood

CVE-2013-5211 (2014-01-02)

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.

• dani87/ntpscanner
• suedadam/ntpscanner
• sepehrdaddev/ntpdos
• 0xhav0c/CVE-2013-5211
• requiempentest/-exploit-check-CVE-2013-5211
• requiempentest/NTP_CVE-2013-5211

CVE-2013-5664 (2013-08-31)

Cross-site scripting (XSS) vulnerability in the web-based device-management API browser in Palo Alto Networks PAN-OS before 4.1.13 and 5.0.x before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via crafted data, aka Ref ID 50908.

• phusion/rails-cve-2012-5664-test

CVE-2013-5842 (2013-10-16)

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-5850.

• guhe120/CVE-2013-5842

CVE-2013-6117 (2014-07-11)

Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

• milo2012/CVE-2013-6117

CVE-2013-6282 (2013-11-19)

The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.

• fi01/libput_user_exploit
• fi01/libget_user_exploit
• jeboo/bypasslkm
• timwr/CVE-2013-6282

CVE-2013-6375 (2013-11-23)

Xen 4.2.x and 4.3.x, when using Intel VT-d for PCI passthrough, does not properly flush the TLB after clearing a present translation table entry, which allows local guest administrators to cause a denial of service or gain privileges via unspecified vectors related to an "inverted boolean parameter."

• bl4ck5un/cve-2013-6375

CVE-2013-6490 (2014-02-06)

The SIMPLE protocol functionality in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a negative Content-Length header, which triggers a buffer overflow.

• Everdoh/CVE-2013-6490

CVE-2013-6668 (2014-03-05)

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

• sdneon/CveTest

CVE-2013-6987 (2013-12-31)

Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/.

• stoicboomer/CVE-2013-6987

2012

CVE-2012-0002 (2012-03-13)

The Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly process packets in memory, which allows remote attackers to execute arbitrary code by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, aka "Remote Desktop Protocol Vulnerability."

• zhangkaibin0921/MS12-020-CVE-2012-0002

CVE-2012-0003 (2012-01-10)

Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution Vulnerability."

• k0keoyo/CVE-2012-0003_eXP

CVE-2012-0056 (2012-01-27)

The mem_write function in the Linux kernel before 3.2.2, when ASLR is disabled, does not properly check permissions when writing to /proc/<pid>/mem, which allows local users to gain privileges by modifying process memory, as demonstrated by Mempodipper.

• srclib/CVE-2012-0056
• pythonone/CVE-2012-0056

CVE-2012-0152 (2012-03-13)

The Remote Desktop Protocol (RDP) service in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows remote attackers to cause a denial of service (application hang) via a series of crafted packets, aka "Terminal Server Denial of Service Vulnerability."

• rutvijjethwa/RDP_jammer

CVE-2012-0158 (2012-04-10)

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."

• RobertoLeonFR-ES/Exploit-Win32.CVE-2012-0158.F.doc
• Sunqiz/CVE-2012-0158-reproduction

CVE-2012-1495 (2020-01-27)

install/index.php in WebCalendar before 1.2.5 allows remote attackers to execute arbitrary code via the form_single_user_login parameter.

• axelbankole/CVE-2012-1495-Webcalendar-

CVE-2012-1675 (2012-05-08)

The TNS Listener, as used in Oracle Database 11g 11.1.0.7, 11.2.0.2, and 11.2.0.3, and 10g 10.2.0.3, 10.2.0.4, and 10.2.0.5, as used in Oracle Fusion Middleware, Enterprise Manager, E-Business Suite, and possibly other products, allows remote attackers to execute arbitrary database commands by performing a remote registration of a database (1) instance or (2) service name that already exists, then conducting a man-in-the-middle (MITM) attack to hijack database connections, aka "TNS Poison."

• bongbongco/CVE-2012-1675

CVE-2012-1723 (2012-06-16)

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

• EthanNJC/CVE-2012-1723

CVE-2012-1823 (2012-05-11)

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

• drone789/CVE-2012-1823
• tardummy01/oscp_scripts-1
• Unix13/metasploitable2
• cyberharsh/PHP_CVE-2012-1823
• 0xl0k1/CVE-2012-1823
• Jimmy01240397/CVE-2012-1823-Analyze

CVE-2012-1831 (2012-07-05)

Heap-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555.

• Astrowmist/POC-CVE-2012-1831

CVE-2012-1870 (2012-07-10)

The CBC mode in the TLS protocol, as used in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, and other products, allows remote web servers to obtain plaintext data by triggering multiple requests to a third-party HTTPS server and sniffing the network during the resulting HTTPS session, aka "TLS Protocol Vulnerability."

• dja2TaqkGEEfA45/CVE-2012-1870

CVE-2012-1876 (2012-06-12)

Microsoft Internet Explorer 6 through 9, and 10 Consumer Preview, does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by attempting to access a nonexistent object, leading to a heap-based buffer overflow, aka "Col Element Remote Code Execution Vulnerability," as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2012.

• WizardVan/CVE-2012-1876
• ExploitCN/CVE-2012-1876-win7_x86_and_win7x64

CVE-2012-1889 (2012-06-13)

Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 accesses uninitialized memory locations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

• whu-enjoy/CVE-2012-1889
• l-iberty/cve-2012-1889

CVE-2012-2122 (2012-06-26)

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.

• Avinza/CVE-2012-2122-scanner
• cyberharsh/Oracle-mysql-CVE-2012-2122
• zhangkaibin0921/CVE-2012-2122

CVE-2012-2593 (2020-02-06)

Cross-site scripting (XSS) vulnerability in the administrative interface in Atmail Webmail Server 6.4 allows remote attackers to inject arbitrary web script or HTML via the Date field of an email.

• AndrewTrube/CVE-2012-2593

CVE-2012-2661 (2012-06-22)

The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.

• r4x0r1337/-CVE-2012-2661-ActiveRecord-SQL-injection-

CVE-2012-2688 (2012-07-20)

Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an "overflow."

• shelld3v/CVE-2012-2688

CVE-2012-2982 (2012-09-11)

file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a | (pipe) character.

• cd6629/CVE-2012-2982-Python-PoC
• OstojaOfficial/CVE-2012-2982
• AlexJS6/CVE-2012-2982_Python
• Ari-Weinberg/CVE-2012-2982
• JohnHammond/CVE-2012-2982
• R00tendo/CVE-2012-2982
• blu3ming/CVE-2012-2982
• 0xF331-D3AD/CVE-2012-2982
• 0xTas/CVE-2012-2982
• LeDucKhiem/CVE-2012-2982
• CpyRe/CVE-2012-2982
• Shadow-Spinner/CVE-2012-2982_python
• elliotosama/CVE-2012-2982

CVE-2012-3137 (2012-09-21)

The authentication protocol in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to obtain the session key and salt for arbitrary users, which leaks information about the cryptographic hash and makes it easier to conduct brute force password guessing attacks, aka "stealth password cracking vulnerability."

• hantwister/o5logon-fetch
• r1-/cve-2012-3137

CVE-2012-3153 (2012-10-16)

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Servlet. NOTE: the previous information is from the October 2012 CPU. Oracle has not commented on claims from the original researcher that the PARSEQUERY function allows remote attackers to obtain database credentials via reports/rwservlet/parsequery, and that this issue occurs in earlier versions. NOTE: this can be leveraged with CVE-2012-3152 to execute arbitrary code by uploading a .jsp file.

• Mekanismen/pwnacle-fusion

CVE-2012-3716 (2012-09-20)

CoreText in Apple Mac OS X 10.7.x before 10.7.5 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write or read) via a crafted text glyph.

• d4rkcat/killosx

CVE-2012-4220 (2012-11-30)

diagchar_core.c in the Qualcomm Innovation Center (QuIC) Diagnostics (aka DIAG) kernel-mode driver for Android 2.3 through 4.2 allows attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference) via an application that uses crafted arguments in a local diagchar_ioctl call.

• hiikezoe/diaggetroot
• poliva/root-zte-open

CVE-2012-4431 (2012-12-19)

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.

• imjdl/CVE-2012-4431

CVE-2012-4681 (2012-08-28)

Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

• benjholla/CVE-2012-4681-Armoring
• ZH3FENG/PoCs-CVE_2012_4681

CVE-2012-4792 (2012-12-30)

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.

• WizardVan/CVE-2012-4792

CVE-2012-4869 (2012-09-06)

The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action.

• bitc0de/Elastix-Remote-Code-Execution
• banomaly/CVE-2012-4869

CVE-2012-4929 (2012-09-15)

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

• mpgn/CRIME-poc
• anthophilee/A2SV--SSL-VUL-Scan

CVE-2012-5106 (2014-06-20)

Stack-based buffer overflow in FreeFloat FTP Server 1.0 allows remote authenticated users to execute arbitrary code via a long string in a PUT command.

• war4uthor/CVE-2012-5106

CVE-2012-5321 (2012-10-08)

tiki-featured_link.php in TikiWiki CMS/Groupware 8.3 allows remote attackers to load arbitrary web site pages into frames and conduct phishing attacks via the url parameter, aka "frame injection."

• Cappricio-Securities/CVE-2012-5321

CVE-2012-5519 (2012-11-20)

CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface.

• p1ckzi/CVE-2012-5519

CVE-2012-5575 (2013-08-19)

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack."

• tafamace/CVE-2012-5575

CVE-2012-5613 (2012-12-03)

MySQL 5.5.19 and possibly other versions, and MariaDB 5.5.28a and possibly other versions, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator. NOTE: the vendor disputes this issue, stating that this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. NOTE: it could be argued that this should not be included in CVE because it is a configuration issue.

• Hood3dRob1n/MySQL-Fu.rb
• w4fz5uck5/UDFPwn-CVE-2012-5613

CVE-2012-5664

• phusion/rails-cve-2012-5664-test

CVE-2012-5958 (2013-01-31)

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction.

• lochiiconnectivity/vulnupnp

CVE-2012-5960 (2013-01-31)

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka upnp:rootdevice) field in a UDP packet.

• finn79426/CVE-2012-5960-PoC

CVE-2012-6066 (2012-12-04)

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.

• bongbongco/CVE-2012-6066

CVE-2012-6636 (2014-03-03)

The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.

• xckevin/AndroidWebviewInjectDemo
• Snip3R69/CVE-2013-4710-WebView-RCE-Vulnerability

2011

CVE-2011-0104 (2011-04-13)

Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HLink record in an Excel file, aka "Excel Buffer Overwrite Vulnerability."

• Sunqiz/CVE-2011-0104-reproduction

CVE-2011-0228 (2011-08-29)

The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain.

• jan0/isslfix

CVE-2011-1237 (2011-04-13)

Use-after-free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that leverages incorrect driver object management, a different vulnerability than other "Vulnerability Type 1" CVEs listed in MS11-034, aka "Win32k Use After Free Vulnerability."

• BrunoPujos/CVE-2011-1237

CVE-2011-1249 (2011-06-16)

The Ancillary Function Driver (AFD) in afd.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."

• Madusanka99/OHTS
• n3rdh4x0r/CVE-2011-1249

CVE-2011-1473 (2012-06-16)

OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment

• zjt674449039/cve-2011-1473
• XDLDCG/bash-tls-reneg-attack

CVE-2011-1475 (2011-04-08)

The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users."

• samaujs/CVE-2011-1475

CVE-2011-1485 (2011-05-31)

Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID.

• Pashkela/CVE-2011-1485

CVE-2011-1571 (2011-05-07)

Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors.

• noobpk/CVE-2011-1571

CVE-2011-1575 (2011-05-23)

The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

• masamoon/cve-2011-1575-poc

CVE-2011-1720 (2011-05-13)

The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL authentication methods are enabled, does not create a new server handle after client authentication fails, which allows remote attackers to cause a denial of service (heap memory corruption and daemon crash) or possibly execute arbitrary code via an invalid AUTH command with one method followed by an AUTH command with a different method.

• nbeguier/postfix_exploit

CVE-2011-1974 (2011-08-10)

NDISTAPI.sys in the NDISTAPI driver in Remote Access Service (RAS) in Microsoft Windows XP SP2 and SP3 and Windows Server 2003 SP2 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "NDISTAPI Elevation of Privilege Vulnerability."

• hittlle/CVE-2011-1974-PoC

CVE-2011-2461 (2011-12-01)

Cross-site scripting (XSS) vulnerability in the Adobe Flex SDK 3.x and 4.x before 4.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.

• ikkisoft/ParrotNG
• u-maxx/magento-swf-patched-CVE-2011-2461
• edmondscommerce/CVE-2011-2461_Magento_Patch

CVE-2011-2523 (2019-11-27)

vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor which opens a shell on port 6200/tcp.

• HerculesRD/vsftpd2.3.4PyExploit
• nobodyatall648/CVE-2011-2523
• Gr4ykt/CVE-2011-2523
• padsalatushal/CVE-2011-2523
• MFernstrom/OffensivePascal-CVE-2011-2523
• 0xSojalSec/-CVE-2011-2523
• 0xSojalSec/CVE-2011-2523
• XiangSi-Howard/CTF---CVE-2011-2523
• cowsecurity/CVE-2011-2523
• Lynk4/CVE-2011-2523
• vaishnavucv/CVE-2011-2523
• chleba124/vsftpd-exploit
• 4m3rr0r/CVE-2011-2523-poc
• Shubham-2k1/Exploit-CVE-2011-2523
• Tenor-Z/SmileySploit
• 0xB0y426/CVE-2011-2523-PoC
• sug4r-wr41th/CVE-2011-2523
• AnugiArrawwala/CVE-Research
• Gill-Singh-A/vsFTP-2.3.4-Remote-Root-Shell-Exploit
• everythingBlackkk/vsFTPd-Backdoor-Exploit-CVE-2011-2523-
• NullBrunk/CVE-2011-2523

CVE-2011-2894 (2011-10-04)

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

• pwntester/SpringBreaker

CVE-2011-3026 (2012-02-16)

Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation.

• argp/cve-2011-3026-firefox

CVE-2011-3192 (2011-08-29)

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.

• tkisason/KillApachePy
• limkokholefork/CVE-2011-3192
• stcmjp/cve-2011-3192
• futurezayka/CVE-2011-3192

CVE-2011-3368 (2011-10-05)

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

• SECFORCE/CVE-2011-3368
• colorblindpentester/CVE-2011-3368

CVE-2011-3389 (2011-09-06)

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

• mpgn/BEAST-PoC

CVE-2011-3556 (2011-10-19)

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI, a different vulnerability than CVE-2011-3557.

• sk4la/cve_2011_3556

CVE-2011-3872 (2011-10-27)

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."

• puppetlabs-toy-chest/puppetlabs-cve20113872

CVE-2011-4107 (2011-11-17)

The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

• SECFORCE/CVE-2011-4107

CVE-2011-4862 (2011-12-25)

Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.

• hdbreaker/GO-CVE-2011-4862
• lol-fi/cve-2011-4862
• kpawar2410/CVE-2011-4862

CVE-2011-4919 (2019-11-19)

mpack 1.6 has information disclosure via eavesdropping on mails sent by other users

• hartwork/mpacktrafficripper

CVE-2011-5331 (2019-11-18)

Distributed Ruby (aka DRuby) 1.8 mishandles instance_eval.

• tomquinn8/CVE-2011-5331

2010

CVE-2010-0219 (2010-10-18)

Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service.

• veritas-rt/CVE-2010-0219

CVE-2010-0232 (2010-01-21)

The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka "Windows Kernel Exception Handler Vulnerability."

• azorfus/CVE-2010-0232

CVE-2010-0426 (2010-02-24)

sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory.

• t0kx/privesc-CVE-2010-0426
• cved-sources/cve-2010-0426
• g1vi/CVE-2010-0426

CVE-2010-0738 (2010-04-28)

The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.

• 1872892142/jboss-autopwn-1
• gitcollect/jboss-autopwn

CVE-2010-1205 (2010-06-30)

Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row.

• mk219533/CVE-2010-1205

CVE-2010-1240 (2010-04-05)

Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.

• Jasmoon99/Embedded-PDF
• omarothmann/Embedded-Backdoor-Connection
• asepsaepdin/CVE-2010-1240

CVE-2010-1411 (2010-06-17)

Multiple integer overflows in the Fax3SetupState function in tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3, as used in ImageIO in Apple Mac OS X 10.5.8 and Mac OS X 10.6 before 10.6.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file that triggers a heap-based buffer overflow.

• MAVProxyUser/httpfuzz-robomiller

CVE-2010-1622 (2010-06-21)

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

• DDuarte/springshell-rce-poc
• strainerart/Spring4Shell
• HandsomeCat00/Spring-CVE-2010-1622
• E-bounce/cve-2010-1622_learning_environment

CVE-2010-1938 (2010-05-28)

Off-by-one error in the __opiereadrec function in readrec.c in libopie in OPIE 2.4.1-test1 and earlier, as used on FreeBSD 6.4 through 8.1-PRERELEASE and other platforms, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd.

• Nexxus67/cve-2010-1938

CVE-2010-2075 (2010-06-15)

UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse) in the DEBUG3_DOLOG_SYSTEM macro, which allows remote attackers to execute arbitrary commands.

• MFernstrom/OffensivePascal-CVE-2010-2075
• chancej715/UnrealIRCd-3.2.8.1-Backdoor-Command-Execution
• FredBrave/CVE-2010-2075-UnrealIRCd-3.2.8.1
• JoseLRC97/UnrealIRCd-3.2.8.1-Backdoor-Command-Execution

CVE-2010-2387 (2012-12-21)

vicious-extensions/ve-misc.c in GNOME Display Manager (gdm) 2.20.x before 2.20.11, when GDM debug is enabled, logs the user password when it contains invalid UTF8 encoded characters, which might allow local users to gain privileges by reading the information from syslog logs.

• LogSec/CVE-2010-2387

CVE-2010-2553 (2010-08-11)

The Cinepak codec in Microsoft Windows XP SP2 and SP3, Windows Vista SP1 and SP2, and Windows 7 does not properly decompress media files, which allows remote attackers to execute arbitrary code via a crafted file, aka "Cinepak Codec Decompression Vulnerability."

• Sunqiz/cve-2010-2553-reproduction

CVE-2010-3124 (2010-08-26)

Untrusted search path vulnerability in bin/winvlc.c in VLC Media Player 1.1.3 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wintab32.dll that is located in the same folder as a .mp3 file.

• Nhom6KTLT/CVE-2010-3124
• KOBUKOVUI/DLL_Injection_On_VLC

CVE-2010-3332 (2010-09-22)

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."

• bongbongco/MS10-070

CVE-2010-3333 (2010-11-10)

Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."

• whiteHat001/cve-2010-3333
• Sunqiz/CVE-2010-3333-reproduction

CVE-2010-3490 (2010-09-28)

Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a .. (dot dot) in the usersnum parameter to admin/config.php, as demonstrated by creating a .php file under the web root.

• moayadalmalat/CVE-2010-3490

CVE-2010-3600 (2011-01-19)

Unspecified vulnerability in the Client System Analyzer component in Oracle Database Server 11.1.0.7 and 11.2.0.1 and Enterprise Manager Grid Control 10.2.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that this issue involves an exposed JSP script that accepts XML uploads in conjunction with NULL bytes in an unspecified parameter that allow execution of arbitrary code.

• LAITRUNGMINHDUC/CVE-2010-3600-PythonHackOracle11gR2

CVE-2010-3847 (2011-01-07)

elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.

• magisterquis/cve-2010-3847

CVE-2010-3904 (2010-12-06)

The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.

• redhatkaty/-cve-2010-3904-report

CVE-2010-3971 (2010-12-22)

Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 6 through 8 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a self-referential @import rule in a stylesheet, aka "CSS Memory Corruption Vulnerability."

• nektra/CVE-2010-3971-hotpatch

CVE-2010-4221 (2010-11-09)

Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.

• M41doror/cve-2010-4221

CVE-2010-4231 (2010-11-16)

Directory traversal vulnerability in the web-based administration interface on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.

• K3ysTr0K3R/CVE-2010-4231-EXPLOIT

CVE-2010-4476 (2011-02-17)

The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.

• grzegorzblaszczyk/CVE-2010-4476-check

CVE-2010-4669 (2011-01-07)

The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7 allows remote attackers to cause a denial of service (CPU consumption and system hang) by sending many Router Advertisement (RA) messages with different source addresses, as demonstrated by the flood_router6 program in the thc-ipv6 package.

• wrong-commit/CVE-2010-4669

CVE-2010-4804 (2011-06-09)

The Android browser in Android before 2.3.4 allows remote attackers to obtain SD card contents via crafted content:// URIs, related to (1) BrowserActivity.java and (2) BrowserSettings.java in com/android/browser/.

• thomascannon/android-cve-2010-4804

CVE-2010-5230 (2012-09-07)

Multiple untrusted search path vulnerabilities in MicroStation 7.1 allow local users to gain privileges via a Trojan horse (1) mptools.dll, (2) baseman.dll, (3) wintab32.dll, or (4) wintab.dll file in the current working directory, as demonstrated by a directory that contains a .hln or .rdl file. NOTE: some of these details are obtained from third party information.

• otofoto/CVE-2010-5230

CVE-2010-5301 (2014-06-13)

Stack-based buffer overflow in Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a HEAD request.

• lem0nSec/CVE-2010-5301

2009

CVE-2009-0182 (2009-01-20)

Buffer overflow in VUPlayer 2.49 and earlier allows user-assisted attackers to execute arbitrary code via a long URL in a File line in a .pls file, as demonstrated by an http URL on a File1 line.

• nobodyatall648/CVE-2009-0182

CVE-2009-0229 (2009-06-10)

The Windows Printing Service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 SP2 allows local users to read arbitrary files via a crafted separator page, aka "Print Spooler Read File Vulnerability."

• zveriu/CVE-2009-0229-PoC

CVE-2009-0347 (2009-01-29)

Open redirect vulnerability in cs.html in the Autonomy (formerly Verity) Ultraseek search engine allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter.

• Cappricio-Securities/CVE-2009-0347

CVE-2009-0473 (2009-02-06)

Open redirect vulnerability in the web interface in the Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

• akbarq/CVE-2009-0473-check

CVE-2009-0689 (2009-07-01)

Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.

• Fullmetal5/str2hax

CVE-2009-1151 (2009-03-26)

Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.

• pagvac/pocs
• e-Thug/PhpMyAdmin

CVE-2009-1244 (2009-04-13)

Unspecified vulnerability in the virtual machine display function in VMware Workstation 6.5.1 and earlier; VMware Player 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745; VMware Fusion before 2.0.4 build 159196; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to execute arbitrary code on the host OS via unknown vectors, a different vulnerability than CVE-2008-4916.

• piotrbania/vmware_exploit_pack_CVE-2009-1244

CVE-2009-1324 (2009-04-17)

Stack-based buffer overflow in Mini-stream ASX to MP3 Converter 3.0.0.7 allows remote attackers to execute arbitrary code via a long URI in a playlist (.m3u) file.

• war4uthor/CVE-2009-1324

CVE-2009-1330 (2009-04-17)

Stack-based buffer overflow in Easy RM to MP3 Converter allows remote attackers to execute arbitrary code via a long filename in a playlist (.pls) file.

• adenkiewicz/CVE-2009-1330
• war4uthor/CVE-2009-1330
• exploitwritter/CVE-2009-1330_EasyRMToMp3Converter

CVE-2009-1437 (2009-04-27)

Stack-based buffer overflow in PortableApps CoolPlayer Portable (aka CoolPlayer+ Portable) 2.19.6 and earlier allows remote attackers to execute arbitrary code via a long string in a malformed playlist (.m3u) file. NOTE: this may overlap CVE-2008-3408.

• HanseSecure/CVE-2009-1437

CVE-2009-1904 (2009-06-11)

The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.

• NZKoz/bigdecimal-segfault-fix

CVE-2009-2265 (2009-07-05)

Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.

• zaphoxx/zaphoxx-coldfusion
• n3rdh4x0r/CVE-2009-2265
• p1ckzi/CVE-2009-2265
• banomaly/CVE-2009-2265
• 0xDTC/Adobe-ColdFusion-8-RCE-CVE-2009-2265

CVE-2009-2692 (2009-08-14)

The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

• jdvalentini/CVE-2009-2692

CVE-2009-2698 (2009-08-27)

The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.

• xiaoxiaoleo/CVE-2009-2698

CVE-2009-3036 (2010-02-23)

Cross-site scripting (XSS) vulnerability in the console in Symantec IM Manager 8.3 and 8.4 before 8.4.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

• brinhosa/CVE-2009-3036

CVE-2009-3103 (2009-09-08)

Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.

• sooklalad/ms09050
• sec13b/ms09-050_CVE-2009-3103
• Sic4rio/CVE-2009-3103---srv2.sys-SMB-Code-Execution-Python-MS09-050-

CVE-2009-3555 (2009-11-09)

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

• johnwchadwick/cve-2009-3555-test-server

CVE-2009-4049 (2009-11-23)

Heap-based buffer overflow in aswRdr.sys (aka the TDI RDR driver) in avast! Home and Professional 4.8.1356.0 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted arguments to IOCTL 0x80002024.

• fengjixuchui/CVE-2009-4049

CVE-2009-4092 (2009-11-27)

Cross-site request forgery (CSRF) vulnerability in user.php in Simplog 0.9.3.2, and possibly earlier, allows remote attackers to hijack the authentication of administrators and users for requests that change passwords.

• xiaoyu-iid/Simplog-Exploit

CVE-2009-4118 (2009-12-01)

The StartServiceCtrlDispatcher function in the cvpnd service (cvpnd.exe) in Cisco VPN client for Windows before 5.0.06.0100 does not properly handle an ERROR_FAILED_SERVICE_CONTROLLER_CONNECT error, which allows local users to cause a denial of service (service crash and VPN connection loss) via a manual start of cvpnd.exe while the cvpnd service is running.

• alt3kx/CVE-2009-4118

CVE-2009-4137 (2009-12-24)

The loadContentFromCookie function in core/Cookie.php in Piwik before 0.5 does not validate strings obtained from cookies before calling the unserialize function, which allows remote attackers to execute arbitrary code or upload arbitrary files via vectors related to the __destruct function in the Piwik_Config class; php://filter URIs; the __destruct functions in Zend Framework, as demonstrated by the Zend_Log destructor; the shutdown functions in Zend Framework, as demonstrated by the Zend_Log_Writer_Mail class; the render function in the Piwik_View class; Smarty templates; and the _eval function in Smarty.

• Alexeyan/CVE-2009-4137

CVE-2009-4623 (2010-01-18)

Multiple PHP remote file inclusion vulnerabilities in Advanced Comment System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the ACS_path parameter to (1) index.php and (2) admin.php in advanced_comment_system/. NOTE: this might only be a vulnerability when the administrator has not followed installation instructions in install.php. NOTE: this might be the same as CVE-2020-35598.

• hupe1980/CVE-2009-4623
• kernel-cyber/CVE-2009-4623
• MonsempesSamuel/CVE-2009-4623

CVE-2009-4660 (2010-03-03)

Stack-based buffer overflow in the AntServer Module (AntServer.exe) in BigAnt IM Server 2.50 allows remote attackers to execute arbitrary code via a long GET request to TCP port 6660.

• war4uthor/CVE-2009-4660

CVE-2009-5147 (2017-03-29)

DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.

• vpereira/CVE-2009-5147
• zhangyongbo100/-Ruby-dl-handle.c-CVE-2009-5147-

2008

CVE-2008-0128 (2008-01-23)

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

• ngyanch/4062-1

CVE-2008-0166 (2008-05-13)

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

• g0tmi1k/debian-ssh
• avarx/vulnkeys
• badkeys/debianopenssl
• demining/Vulnerable-to-Debian-OpenSSL-bug-CVE-2008-0166

CVE-2008-0228 (2008-01-10)

Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators.

• SpiderLabs/TWSL2011-007_iOS_code_workaround

CVE-2008-1611 (2008-04-01)

Stack-based buffer overflow in TFTP Server SP 1.4 for Windows allows remote attackers to cause a denial of service or execute arbitrary code via a long filename in a read or write request.

• Axua/CVE-2008-1611

CVE-2008-1613 (2008-04-21)

SQL injection vulnerability in ioRD.asp in RedDot CMS 7.5 Build 7.5.0.48, and possibly other versions including 6.5 and 7.0, allows remote attackers to execute arbitrary SQL commands via the LngId parameter.

• SECFORCE/CVE-2008-1613

CVE-2008-2019 (2008-04-30)

Simple Machines Forum (SMF), probably 1.1.4, relies on "randomly generated static" to hinder brute-force attacks on the WAV file (aka audio) CAPTCHA, which allows remote attackers to pass the CAPTCHA test via an automated attack that considers Hamming distances. NOTE: this issue reportedly exists because of an insufficient fix for CVE-2007-3308.

• TheRook/AudioCaptchaBypass-CVE-2008-2019

CVE-2008-2938 (2008-08-13)

Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.

• Naramsim/Offensive

CVE-2008-3531 (2008-09-05)

Stack-based buffer overflow in sys/kern/vfs_mount.c in the kernel in FreeBSD 7.0 and 7.1, when vfs.usermount is enabled, allows local users to gain privileges via a crafted (1) mount or (2) nmount system call, related to copying of "user defined data" in "certain error conditions."

• test-one9/ps4-11.50.github.io

CVE-2008-4109 (2008-09-17)

A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051.

• bigb0x/CVE-2024-6387

CVE-2008-4250 (2008-10-23)

The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."

• thunderstrike9090/Conflicker_analysis_scripts

CVE-2008-4609 (2008-10-20)

The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.

• mrclki/sockstress

CVE-2008-4654 (2008-10-21)

Stack-based buffer overflow in the parse_master function in the Ty demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through 0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY media file with a header containing a crafted size value.

• bongbongco/CVE-2008-4654
• KernelErr/VLC-CVE-2008-4654-Exploit
• rnnsz/CVE-2008-4654

CVE-2008-4687 (2008-10-22)

manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_api.php.

• nmurilo/CVE-2008-4687-exploit
• twisted007/mantis_rce

CVE-2008-5416 (2008-12-10)

Heap-based buffer overflow in Microsoft SQL Server 2000 SP4, 8.00.2050, 8.00.2039, and earlier; SQL Server 2000 Desktop Engine (MSDE 2000) SP4; SQL Server 2005 SP2 and 9.00.1399.06; SQL Server 2000 Desktop Engine (WMSDE) on Windows Server 2003 SP1 and SP2; and Windows Internal Database (WYukon) SP2 allows remote authenticated users to cause a denial of service (access violation exception) or execute arbitrary code by calling the sp_replwritetovarbin extended stored procedure with a set of invalid parameters that trigger memory overwrite, aka "SQL Server sp_replwritetovarbin Limited Memory Overwrite Vulnerability."

• SECFORCE/CVE-2008-5416

CVE-2008-5862 (2009-01-06)

Directory traversal vulnerability in webcamXP 5.3.2.375 and 5.3.2.410 build 2132 allows remote attackers to read arbitrary files via a ..%2F (encoded dot dot slash) in the URI.

• K3ysTr0K3R/CVE-2008-5862-EXPLOIT

CVE-2008-6806 (2009-05-12)

Unrestricted file upload vulnerability in includes/imageupload.php in 7Shop 1.1 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/artikel/.

• threatcode/CVE-2008-6806

CVE-2008-6827 (2009-06-08)

The ListView control in the Client GUI (AClient.exe) in Symantec Altiris Deployment Solution 6.x before 6.9.355 SP1 allows local users to gain SYSTEM privileges and execute arbitrary commands via a "Shatter" style attack on the "command prompt" hidden GUI button to (1) overwrite the CommandLine parameter to cmd.exe to use SYSTEM privileges and (2) modify the DLL that is loaded using the LoadLibrary API function.

• alt3kx/CVE-2008-6827

CVE-2008-6970 (2009-08-13)

SQL injection vulnerability in dosearch.inc.php in UBB.threads 7.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the Forum[] array parameter.

• KyomaHooin/CVE-2008-6970

CVE-2008-7220 (2009-09-13)

Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors.

• followboy1999/CVE-2008-7220

2007

CVE-2007-0038 (2007-03-30)

Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.

• Axua/CVE-2007-0038

CVE-2007-0843 (2007-02-23)

The ReadDirectoryChangesW API function on Microsoft Windows 2000, XP, Server 2003, and Vista does not check permissions for child objects, which allows local users to bypass permissions by opening a directory with LIST (READ) access and using ReadDirectoryChangesW to monitor changes of files that do not have LIST permissions, which can be leveraged to determine filenames, access times, and other sensitive information.

• z3APA3A/spydir

CVE-2007-1567 (2007-03-21)

Stack-based buffer overflow in War FTP Daemon 1.65, and possibly earlier, allows remote attackers to cause a denial of service or execute arbitrary code via unspecified vectors, as demonstrated by warftp_165.tar by Immunity. NOTE: this might be the same issue as CVE-1999-0256, CVE-2000-0131, or CVE-2006-2171, but due to Immunity's lack of details, this cannot be certain.

• war4uthor/CVE-2007-1567

CVE-2007-1858 (2007-05-09)

The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts.

• anthophilee/A2SV--SSL-VUL-Scan

CVE-2007-2447 (2007-05-14)

The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.

• amriunix/CVE-2007-2447
• Unix13/metasploitable2
• b1fair/smb_usermap
• JoseBarrios/CVE-2007-2447
• 3x1t1um/CVE-2007-2447
• xlcc4096/exploit-CVE-2007-2447
• WildfootW/CVE-2007-2447_Samba_3.0.25rc3
• Ziemni/CVE-2007-2447-in-Python
• 0xKn/CVE-2007-2447
• ozuma/CVE-2007-2447
• un4gi/CVE-2007-2447
• G01d3nW01f/CVE-2007-2447
• cherrera0001/CVE-2007-2447
• Alien0ne/CVE-2007-2447
• 3t4n/samba-3.0.24-CVE-2007-2447-vunerable-
• xbufu/CVE-2007-2447
• s4msec/CVE-2007-2447
• banomaly/CVE-2007-2447
• Nosferatuvjr/Samba-Usermap-exploit
• testaross4/CVE-2007-2447
• mr-l0n3lly/CVE-2007-2447
• HerculesRD/PyUsernameMapScriptRCE
• Aviksaikat/CVE-2007-2447
• n3rdh4x0r/CVE-2007-2447
• bdunlap9/CVE-2007-2447_python
• MikeRega7/CVE-2007-2447-RCE
• 0xTabun/CVE-2007-2447
• ShivamDey/Samba-CVE-2007-2447-Exploit
• Juantos/cve-2007-2447
• IamLucif3r/CVE-2007-2447-Exploit

CVE-2007-3280 (2007-06-19)

The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries based on the C programming language, which allows remote authenticated superusers to map and execute a function from any library, as demonstrated by using the system function in libc.so.6 to gain shell access.

• DenuwanJayasekara/CVE-Exploitation-Reports

CVE-2007-3830 (2007-07-17)

Cross-site scripting (XSS) vulnerability in alert.php in ISS Proventia Network IPS GX5108 1.3 and GX5008 1.5 allows remote attackers to inject arbitrary web script or HTML via the reminder parameter.

• alt3kx/CVE-2007-3830

CVE-2007-3831 (2007-07-17)

PHP remote file inclusion in main.php in ISS Proventia Network IPS GX5108 1.3 and GX5008 1.5 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.

• alt3kx/CVE-2007-3831

CVE-2007-4559 (2007-08-28)

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

• advanced-threat-research/Creosote
• Ooscaar/MALW
• davidholiday/CVE-2007-4559
• luigigubello/trellix-tarslip-patch-bypass
• JamesDarf/tarpioka

CVE-2007-4560 (2007-08-28)

clamav-milter in ClamAV before 0.91.2, when run in black hole mode, allows remote attackers to execute arbitrary commands via shell metacharacters that are used in a certain popen call, involving the "recipient field of sendmail."

• 0x1sac/ClamAV-Milter-Sendmail-0.91.2-Remote-Code-Execution

CVE-2007-4607 (2007-08-31)

Buffer overflow in the EasyMailSMTPObj ActiveX control in emsmtp.dll 6.0.1 in the Quiksoft EasyMail SMTP Object, as used in Postcast Server Pro 3.0.61 and other products, allows remote attackers to execute arbitrary code via a long argument to the SubmitToExpress method, a different vulnerability than CVE-2007-1029. NOTE: this may have been fixed in version 6.0.3.15.

• joeyrideout/CVE-2007-4607

CVE-2007-5036 (2007-09-24)

Multiple buffer overflows in the AirDefense Airsensor M520 with firmware 4.3.1.1 and 4.4.1.4 allow remote authenticated users to cause a denial of service (HTTPS service outage) via a crafted query string in an HTTPS request to (1) adLog.cgi, (2) post.cgi, or (3) ad.cgi, related to the "files filter."

• alt3kx/CVE-2007-5036

CVE-2007-5962 (2008-05-22)

Memory leak in a certain Red Hat patch, applied to vsftpd 2.0.5 on Red Hat Enterprise Linux (RHEL) 5 and Fedora 6 through 8, and on Foresight Linux and rPath appliances, allows remote attackers to cause a denial of service (memory consumption) via a large number of CWD commands, as demonstrated by an attack on a daemon with the deny_file configuration option.

• antogit-sys/CVE-2007-5962

CVE-2007-6377 (2007-12-15)

Stack-based buffer overflow in the PassThru functionality in ext.dll in BadBlue 2.72b and earlier allows remote attackers to execute arbitrary code via a long query string.

• Nicoslo/Windows-exploitation-BadBlue-2.7-CVE-2007-6377

CVE-2007-6638 (2008-01-04)

March Networks DVR 3204 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain usernames, passwords, device names, and IP addresses via a direct request for scripts/logfiles.tar.gz.

• alt3kx/CVE-2007-6638

CVE-2007-6750 (2011-12-27)

The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.

• Jeanpseven/slowl0ris

2006

CVE-2006-0450 (2006-01-27)

phpBB 2.0.19 and earlier allows remote attackers to cause a denial of service (application crash) by (1) registering many users through profile.php or (2) using search.php to search in a certain way that confuses the database.

• Parcer0/CVE-2006-0450-phpBB-2.0.15-Multiple-DoS-Vulnerabilities

CVE-2006-0987 (2006-03-03)

The default configuration of ISC BIND before 9.4.1-P1, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses.

• pcastagnaro/dns_amplification_scanner

CVE-2006-1236 (2006-03-15)

Buffer overflow in the SetUp function in socket/request.c in CrossFire 1.9.0 allows remote attackers to execute arbitrary code via a long setup sound command, a different vulnerability than CVE-2006-1010.

• Axua/CVE-2006-1236

CVE-2006-2842 (2006-06-06)

PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable, perhaps this type of issue should not be included in CVE. However, the original developer has posted a security advisory, so there might be relevant real-world environments under which this vulnerability is applicable

• karthi-the-hacker/CVE-2006-2842

CVE-2006-3392 (2006-07-06)

Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using "..%01" sequences, which bypass the removal of "../" sequences before bytes such as "%01" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.

• 0xtz/CVE-2006-3392
• IvanGlinkin/CVE-2006-3392
• Adel-kaka-dz/CVE-2006-3392
• gb21oc/ExploitWebmin
• kernel-cyber/CVE-2006-3392
• g1vi/CVE-2006-3392
• brosck/CVE-2006-3392

CVE-2006-3592 (2006-07-14)

Unspecified vulnerability in the command line interface (CLI) in Cisco Unified CallManager (CUCM) 5.0(1) through 5.0(3a) allows local users to execute arbitrary commands with elevated privileges via unspecified vectors, involving "certain CLI commands," aka bug CSCse11005.

• adenkiewicz/CVE-2006-3592

CVE-2006-3747 (2006-07-28)

Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.

• defensahacker/CVE-2006-3747

CVE-2006-4777 (2006-09-14)

Heap-based buffer overflow in the DirectAnimation Path Control (DirectAnimation.PathControl) COM object (daxctle.ocx) for Internet Explorer 6.0 SP1, on Chinese and possibly other Windows distributions, allows remote attackers to execute arbitrary code via unknown manipulations in arguments to the KeyFrame method, possibly related to an integer overflow, as demonstrated by daxctle2, and a different vulnerability than CVE-2006-4446.

• Mario1234/js-driveby-download-CVE-2006-4777

CVE-2006-4814 (2006-12-20)

The mincore function in the Linux kernel before 2.4.33.6 does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock.

• tagatac/linux-CVE-2006-4814

CVE-2006-5051 (2006-09-27)

Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.

• bigb0x/CVE-2024-6387
• sardine-web/CVE-2024-6387_Check
• anhvutuan/CVE-2024-6387-poc-1

CVE-2006-6184 (2006-12-01)

Multiple stack-based buffer overflows in Allied Telesyn TFTP Server (AT-TFTP) 1.9, and possibly earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a long filename in a (1) GET or (2) PUT command.

• shauntdergrigorian/cve-2006-6184
• b03902043/CVE-2006-6184

CVE-2006-20001 (2023-01-17)

A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.\n\nThis issue affects Apache HTTP Server 2.4.54 and earlier.\n

• r1az4r/CVE-2006-20001

2005

CVE-2005-0575 (2005-02-27)

Buffer overflow in Stormy Studios Knet 1.04c and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP GET request.

• 3t3rn4lv01d/CVE-2005-0575

CVE-2005-0603 (2005-03-01)

viewtopic.php in phpBB 2.0.12 and earlier allows remote attackers to obtain sensitive information via a highlight parameter containing invalid regular expression syntax, which reveals the path in a PHP error message.

• Parcer0/CVE-2005-0603-phpBB-2.0.12-Full-path-disclosure

CVE-2005-1125 (2005-04-16)

Race condition in libsafe 2.0.16 and earlier, when running in multi-threaded applications, allows attackers to bypass libsafe protection and exploit other vulnerabilities before the _libsafe_die function call is completed.

• tagatac/libsafe-CVE-2005-1125

CVE-2005-1794 (2005-06-01)

Microsoft Terminal Server using Remote Desktop Protocol (RDP) 5.2 stores an RSA private key in mstlsapi.dll and uses it to sign a certificate, which allows remote attackers to spoof public keys of legitimate servers and conduct man-in-the-middle attacks.

• InitRoot/CVE-2005-1794Scanner

CVE-2005-2428 (2005-08-03)

Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696.

• schwankner/CVE-2005-2428-IBM-Lotus-Domino-R8-Password-Hash-Extraction-Exploit

CVE-2005-3299 (2005-10-23)

PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.

• RizeKishimaro/CVE-2005-3299
• Cr0w-ui/-CVE-2005-3299-

2004

CVE-2004-0558 (2004-09-17)

The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port.

• fibonascii/CVE-2004-0558

CVE-2004-1561 (2005-02-20)

Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.

• ivanitlearning/CVE-2004-1561
• ratiros01/CVE-2004-1561
• darrynb89/CVE-2004-1561
• thel1nus/CVE-2004-1561-Notes
• Danyw24/CVE-2004-1561-Icecast-Header-Overwrite-buffer-overflow-RCE-2.0.1-Win32-

CVE-2004-1769 (2005-03-10)

The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass.

• sinkaroid/shiguresh
• Redsplit/shiguresh

CVE-2004-2167 (2005-07-10)

Multiple buffer overflows in LaTeX2rtf 1.9.15, and possibly other versions, allow remote attackers to execute arbitrary code via (1) the expandmacro function, and possibly (2) Environments and (3) TranslateCommand.

• uzzzval/cve-2004-2167

CVE-2004-2271 (2005-07-19)

Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.

• kkirsche/CVE-2004-2271
• PercussiveElbow/CVE-2004-2271-MiniShare-1.4.1-Buffer-Overflow
• war4uthor/CVE-2004-2271
• pwncone/CVE-2004-2271-MiniShare-1.4.1-BOF

CVE-2004-2449 (2005-08-20)

Roger Wilco 1.4.1.6 and earlier or Roger Wilco Base Station 0.30a and earlier allows remote attackers to cause a denial of service (application crash) via a long, malformed UDP datagram.

• ParallelVisions/DoSTool

CVE-2004-2549 (2005-11-21)

Nortel Wireless LAN (WLAN) Access Point (AP) 2220, 2221, and 2225 allow remote attackers to cause a denial of service (service crash) via a TCP request with a large string, followed by 8 newline characters, to (1) the Telnet service on TCP port 23 and (2) the HTTP service on TCP port 80, possibly due to a buffer overflow.

• alt3kx/CVE-2004-2549

CVE-2004-2687 (2007-09-23)

distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.

• n3rdh4x0r/distccd_rce_CVE-2004-2687
• k4miyo/CVE-2004-2687
• ss0wl/CVE-2004-2687_distcc_v1

CVE-2004-2761 (2009-01-05)

The MD5 Message-Digest Algorithm is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of MD5 in the signature algorithm of an X.509 certificate.

• chaos198800/Windows-xia-SSL-zheng-shu-zhi-zuo-gong-ju--CVE-2004-2761-lou-dong-xiu-fu

CVE-2004-6768

• yougboiz/Metasploit-CVE-2004-6768

2003

CVE-2003-0001 (2003-01-08)

Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.

• marb08/etherleak-checker

CVE-2003-0172 (2003-03-29)

Buffer overflow in openlog function for PHP 4.3.1 on Windows operating system, and possibly other OSes, allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument.

• cyberdesu/Remote-Buffer-overflow-CVE-2003-0172

CVE-2003-0201 (2003-04-15)

Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code.

• KernelPan1k/trans2open-CVE-2003-0201

CVE-2003-0222 (2003-04-30)

Stack-based buffer overflow in Oracle Net Services for Oracle Database Server 9i release 2 and earlier allows attackers to execute arbitrary code via a "CREATE DATABASE LINK" query containing a connect string with a long USING parameter.

• phamthanhsang280477/CVE-2003-0222

CVE-2003-0264 (2003-05-08)

Multiple buffer overflows in SLMail 5.1.0.4420 allows remote attackers to execute arbitrary code via (1) a long EHLO argument to slmail.exe, (2) a long XTRN argument to slmail.exe, (3) a long string to POPPASSWD, or (4) a long password to the POP3 server.

• adenkiewicz/CVE-2003-0264
• fyoderxx/slmail-exploit
• war4uthor/CVE-2003-0264
• pwncone/CVE-2003-0264-SLmail-5.5
• vrikodar/CVE-2003-0264_EXPLOIT
• nobodyatall648/CVE-2003-0264

CVE-2003-0282 (2003-05-14)

Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence.

• silasol/cve-2003-0282

CVE-2003-0358 (2003-05-30)

Buffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye 1.9.3 and earlier, which is based on nethack, allows local users to gain privileges via a long -s command line option.

• gmh5225/CVE-2003-0358
• fengjixuchui/CVE-2003-0358

2002

CVE-2002-0200 (2002-05-03)

Cyberstop Web Server for Windows 0.1 allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.

• alt3kx/CVE-2002-0200

CVE-2002-0201 (2002-05-03)

Cyberstop Web Server for Windows 0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request, possibly triggering a buffer overflow.

• alt3kx/CVE-2002-0201

CVE-2002-0288 (2002-05-03)

Directory traversal vulnerability in Phusion web server 1.0 allows remote attackers to read arbitrary files via a ... (triple dot dot) in the HTTP request.

• alt3kx/CVE-2002-0288

CVE-2002-0289 (2002-05-03)

Buffer overflow in Phusion web server 1.0 allows remote attackers to cause a denial of service and execute arbitrary code via a long HTTP request.

• alt3kx/CVE-2002-0289

CVE-2002-0346 (2002-05-03)

Cross-site scripting vulnerability in Cobalt RAQ 4 allows remote attackers to execute arbitrary script as other Cobalt users via Javascript in a URL to (1) service.cgi or (2) alert.cgi.

• alt3kx/CVE-2002-0346

CVE-2002-0347 (2002-05-03)

Directory traversal vulnerability in Cobalt RAQ 4 allows remote attackers to read password-protected files, and possibly files outside the web root, via a .. (dot dot) in an HTTP request.

• alt3kx/CVE-2002-0347

CVE-2002-0348 (2002-05-03)

service.cgi in Cobalt RAQ 4 allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long service argument.

• alt3kx/CVE-2002-0348

CVE-2002-0448 (2002-06-11)

Xerver Free Web Server 2.10 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request that contains many "C:/" sequences.

• alt3kx/CVE-2002-0448

CVE-2002-0740 (2002-07-26)

Buffer overflow in slrnpull for the SLRN package, when installed setuid or setgid, allows local users to gain privileges via a long -d (SPOOLDIR) argument.

• alt3kx/CVE-2002-0740

CVE-2002-0748 (2003-04-02)

LabVIEW Web Server 5.1.1 through 6.1 allows remote attackers to cause a denial of service (crash) via an HTTP GET request that ends in two newline characters, instead of the expected carriage return/newline combinations.

• fauzanwijaya/CVE-2002-0748

CVE-2002-0991 (2002-08-31)

Buffer overflows in the cifslogin command for HP CIFS/9000 Client A.01.06 and earlier, based on the Sharity package, allows local users to gain root privileges via long (1) -U, (2) -D, (3) -P, (4) -S, (5) -N, or (6) -u parameters.

• alt3kx/CVE-2002-0991

CVE-2002-1614 (2005-03-25)

Buffer overflow in HP Tru64 UNIX allows local users to execute arbitrary code via a long argument to /usr/bin/at.

• wlensinas/CVE-2002-1614

CVE-2002-2420 (2007-11-01)

site_searcher.cgi in Super Site Searcher allows remote attackers to execute arbitrary commands via shell metacharacters in the page parameter.

• krdsploit/CVE-2002-2420

CVE-2002-20001 (2021-11-11)

The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.

• c0r0n3r/dheater

2001

CVE-2001-0550 (2002-06-25)

wu-ftpd 2.6.1 allows remote attackers to execute arbitrary commands via a "~{" argument to commands such as CWD, which is not properly handled by the glob function (ftpglob).

• gilberto47831/Network-Filesystem-Forensics

CVE-2001-0680 (2002-03-09)

Directory traversal vulnerability in ftpd in QPC QVT/Net 4.0 and AVT/Term 5.0 allows a remote attacker to traverse directories on the web server via a "dot dot" attack in a LIST (ls) command.

• alt3kx/CVE-2001-0680

CVE-2001-0758 (2001-10-12)

Directory traversal vulnerability in Shambala 4.5 allows remote attackers to escape the FTP root directory via "CWD ..." command.

• alt3kx/CVE-2001-0758

CVE-2001-0931 (2002-02-02)

Directory traversal vulnerability in Cooolsoft PowerFTP Server 2.03 allows attackers to list or read arbitrary files and directories via a .. (dot dot) in (1) LS or (2) GET.

• alt3kx/CVE-2001-0931

CVE-2001-0932 (2002-02-02)

Buffer overflow in Cooolsoft PowerFTP Server 2.03 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long command.

• alt3kx/CVE-2001-0932

CVE-2001-0933 (2002-02-02)

Cooolsoft PowerFTP Server 2.03 allows remote attackers to list the contents of arbitrary drives via a ls (LIST) command that includes the drive letter as an argument, e.g. "ls C:".

• alt3kx/CVE-2001-0933

CVE-2001-0934 (2002-02-02)

Cooolsoft PowerFTP Server 2.03 allows remote attackers to obtain the physical path of the server root via the pwd command, which lists the full pathname.

• alt3kx/CVE-2001-0934

CVE-2001-1442 (2005-04-21)

Buffer overflow in innfeed for ISC InterNetNews (INN) before 2.3.0 allows local users in the "news" group to gain privileges via a long -c command line argument.

• alt3kx/CVE-2001-1442

CVE-2001-3389

• becrevex/Gaston

2000

CVE-2000-0114 (2000-02-08)

Frontpage Server Extensions allows remote attackers to determine the name of the anonymous account via an RPC POST request to shtml.dll in the /_vti_bin/ virtual directory.

• Cappricio-Securities/CVE-2000-0114
• Josekutty-K/frontpage-server-extensions-vulnerability-scanner
• adhamelhansye/CVE-2000-0114

CVE-2000-0170 (2000-04-10)

Buffer overflow in the man program in Linux allows local users to gain privileges via the MANPAGER environmental variable.

• mike182/exploit

CVE-2000-0649 (2000-08-03)

IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined.

• rafaelh/CVE-2000-0649
• stevenvegar/cve-2000-0649
• Downgraderz/PoC-CVE-2000-0649

CVE-2000-0979 (2001-01-22)

File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability.

• Z6543/CVE-2000-0979

1999

CVE-1999-0016 (1999-09-29)

Land IP denial of service.

• pexmee/CVE-1999-0016-Land-DOS-tool
• Pommaq/CVE-1999-0016-POC

CVE-1999-0524 (2000-02-04)

ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.

• threatlabindonesia/CVE-1999-0524-ICMP-Timestamp-and-Address-Mask-Request-Exploit

CVE-1999-0532 (2000-02-04)

A DNS server allows zone transfers.

• websecnl/Bulk_CVE-1999-0532_Scanner
• Rodney-O-C-Melby/dns-zone-transfer-test

CVE-1999-1053 (2001-09-12)

guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->".

• siunam321/CVE-1999-1053-PoC