CVE-2023-4226
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Github link:
https://github.com/SkyW4r33x/CVE-2023-4226
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Github link:
https://github.com/SkyW4r33x/CVE-2023-4226
GitHub
GitHub - SkyW4r33x/CVE-2023-4226: Vulnerabilidad de carga de archivos sin restricciones en **Chamilo LMS** (<= v1.11.24).
Vulnerabilidad de carga de archivos sin restricciones en **Chamilo LMS** (<= v1.11.24). - SkyW4r33x/CVE-2023-4226
CVE-2023-46818
An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
Github link:
https://github.com/rvizx/CVE-2023-46818
An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
Github link:
https://github.com/rvizx/CVE-2023-46818
GitHub
GitHub - rvizx/CVE-2023-46818: CVE-2023-46818 - ISPConfig PHP Code Injection PoC Exploit (Bash)
CVE-2023-46818 - ISPConfig PHP Code Injection PoC Exploit (Bash) - rvizx/CVE-2023-46818
CVE-2016-5195
Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."
Github link:
https://github.com/0x3n19m4/CVE-2016-5195
Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."
Github link:
https://github.com/0x3n19m4/CVE-2016-5195
GitHub
GitHub - 0x3n19m4/CVE-2016-5195: CVE-2016-5195 linux kernel exploit
CVE-2016-5195 linux kernel exploit. Contribute to 0x3n19m4/CVE-2016-5195 development by creating an account on GitHub.
CVE-2023-23752
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Github link:
https://github.com/m4nInTh3mIdDle/joomla-CVE-2023
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Github link:
https://github.com/m4nInTh3mIdDle/joomla-CVE-2023
GitHub
m4nInTh3mIdDle/joomla-CVE-2023
joomla CVE-2023-23752 credentialis exposed.. happy hacking !! - m4nInTh3mIdDle/joomla-CVE-2023
CVE-2014-6271
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Github link:
https://github.com/moften/CVE-2014-6271
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
Github link:
https://github.com/moften/CVE-2014-6271
GitHub
GitHub - moften/CVE-2014-6271: Shellshock Vulnerability Scanner
Shellshock Vulnerability Scanner. Contribute to moften/CVE-2014-6271 development by creating an account on GitHub.
CVE-2021-23017
A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.
Github link:
https://github.com/moften/CVE-2021-23017
A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.
Github link:
https://github.com/moften/CVE-2021-23017
GitHub
GitHub - moften/CVE-2021-23017: NGINX DNS Overflow Vulnerability Check - CVE-2021-23017 PoC
NGINX DNS Overflow Vulnerability Check - CVE-2021-23017 PoC - moften/CVE-2021-23017
CVE-2021-44228
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Github link:
https://github.com/separatecalo/log4j-remediation-tools
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Github link:
https://github.com/separatecalo/log4j-remediation-tools
CVE-2022-41741
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
Github link:
https://github.com/moften/CVE-2022-41741-742-Nginx-Vulnerability-Scanner
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
Github link:
https://github.com/moften/CVE-2022-41741-742-Nginx-Vulnerability-Scanner
GitHub
GitHub - moften/CVE-2022-41741-742-Nginx-Vulnerability-Scanner: CVE-2022-41741/742 Nginx Vulnerability Scanner
CVE-2022-41741/742 Nginx Vulnerability Scanner. Contribute to moften/CVE-2022-41741-742-Nginx-Vulnerability-Scanner development by creating an account on GitHub.
CVE-2009-3103
Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.
Github link:
https://github.com/Bakr-Ht/samba-trans2open-exploit-report
Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.
Github link:
https://github.com/Bakr-Ht/samba-trans2open-exploit-report
GitHub
GitHub - Bakr-Ht/samba-trans2open-exploit-report: Exploitation report of the Samba Trans2Open vulnerability (CVE-2003-0201), including…
Exploitation report of the Samba Trans2Open vulnerability (CVE-2003-0201), including tools used, exploitation steps, and protection techniques to secure systems. - Bakr-Ht/samba-trans2open-exploit-...
CVE-2023-33246
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.
Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.
To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .
Github link:
https://github.com/Devil0ll/CVE-2023-33246
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.
Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.
To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x .
Github link:
https://github.com/Devil0ll/CVE-2023-33246
GitHub
GitHub - Devil0ll/CVE-2023-33246: CVE-2023-33246
CVE-2023-33246. Contribute to Devil0ll/CVE-2023-33246 development by creating an account on GitHub.
CVE-2023-20198
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory
Cisco will provide updates on the status of this investigation and when a software patch is available.
Github link:
https://github.com/punyconspir/cisco-ios-xe-implant-scanner
Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system.
For steps to close the attack vector for this vulnerability, see the Recommendations section of this advisory
Cisco will provide updates on the status of this investigation and when a software patch is available.
Github link:
https://github.com/punyconspir/cisco-ios-xe-implant-scanner
CVE-2021-44228
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Github link:
https://github.com/Fauzan-Aldi/Log4j-_Vulnerability
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Github link:
https://github.com/Fauzan-Aldi/Log4j-_Vulnerability
GitHub
GitHub - Fauzan-Aldi/Log4j-_Vulnerability: The Web Is Vulnerable to CVE-2021-44228
The Web Is Vulnerable to CVE-2021-44228. Contribute to Fauzan-Aldi/Log4j-_Vulnerability development by creating an account on GitHub.
CVE-2021-25646
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Github link:
https://github.com/tiemio/RCE-PoC-CVE-2021-25646
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Github link:
https://github.com/tiemio/RCE-PoC-CVE-2021-25646
GitHub
GitHub - tiemio/RCE-PoC-CVE-2021-25646: A proof-of-concept for the CVE-2021-25646, which allows for Command Injection
A proof-of-concept for the CVE-2021-25646, which allows for Command Injection - tiemio/RCE-PoC-CVE-2021-25646
CVE-2018-17246
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Github link:
https://github.com/Almandev/Sub-folderFetcher
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Github link:
https://github.com/Almandev/Sub-folderFetcher
GitHub
GitHub - Almandev/Sub-folderFetcher: A script to download specific Vulhub repository folder (kibana/CVE-2018-17246) from GitHub.
A script to download specific Vulhub repository folder (kibana/CVE-2018-17246) from GitHub. - Almandev/Sub-folderFetcher
CVE-2017-5487
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
Github link:
https://github.com/ndr-repo/CVE-2017-5487
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
Github link:
https://github.com/ndr-repo/CVE-2017-5487
GitHub
GitHub - ndr-repo/CVE-2017-5487: PoC for CVE-2017-5487 - WordPress User Enumeration via REST
PoC for CVE-2017-5487 - WordPress User Enumeration via REST - ndr-repo/CVE-2017-5487
CVE-2020-24913
A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.
Github link:
https://github.com/shpaw415/CVE-2020-24913-exploit
A SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request.
Github link:
https://github.com/shpaw415/CVE-2020-24913-exploit
GitHub
GitHub - shpaw415/CVE-2020-24913-exploit: automated SQL injection for QCubed profile.php file
automated SQL injection for QCubed profile.php file - shpaw415/CVE-2020-24913-exploit