CVE-2021-41773
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
Github link:
https://github.com/ashique-thaha/CVE-2021-41773-POC
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
Github link:
https://github.com/ashique-thaha/CVE-2021-41773-POC
GitHub
GitHub - ashique-thaha/CVE-2021-41773-POC: The POC and Lab setup documentation of CVE 2021 41773
The POC and Lab setup documentation of CVE 2021 41773 - GitHub - ashique-thaha/CVE-2021-41773-POC: The POC and Lab setup documentation of CVE 2021 41773
CVE-2023-21839
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Github link:
https://github.com/illegalbrea/CVE-2023-21839
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Github link:
https://github.com/illegalbrea/CVE-2023-21839
CVE-2016-10924
The ebook-download plugin before 1.2 for WordPress has directory traversal.
Github link:
https://github.com/808ale/cve-2016-10924-POC
The ebook-download plugin before 1.2 for WordPress has directory traversal.
Github link:
https://github.com/808ale/cve-2016-10924-POC
GitHub
GitHub - 808ale/cve-2016-10924-POC: Proof-of-Concept (PoC) exploit script for the Directory Traversal vulnerability (CVE-2016-10924)…
Proof-of-Concept (PoC) exploit script for the Directory Traversal vulnerability (CVE-2016-10924) found in the WordPress plugin ebook-download (versions < 1.2). This vulnerability allows unau...