CVE-2024-23334
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
Github link:
https://github.com/s4botai/CVE-2024-23334-PoC
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
Github link:
https://github.com/s4botai/CVE-2024-23334-PoC
GitHub
GitHub - s4botai/CVE-2024-23334-PoC: A proof of concept of the LFI vulnerability on aiohttp 3.9.1
A proof of concept of the LFI vulnerability on aiohttp 3.9.1 - s4botai/CVE-2024-23334-PoC
CVE-2024-23897
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Github link:
https://github.com/ShieldAuth-PHP/PBL05-CVE-Analsys
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Github link:
https://github.com/ShieldAuth-PHP/PBL05-CVE-Analsys
GitHub
ShieldAuth-PHP/PBL05-CVE-Analsys
CVE-2024-23897 분석. Contribute to ShieldAuth-PHP/PBL05-CVE-Analsys development by creating an account on GitHub.
CVE-2017-0199
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
Github link:
https://github.com/kash-123/CVE-2017-0199
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
Github link:
https://github.com/kash-123/CVE-2017-0199
GitHub
GitHub - kash-123/CVE-2017-0199: Python3 toolkit update
Python3 toolkit update. Contribute to kash-123/CVE-2017-0199 development by creating an account on GitHub.
CVE-2019-0567
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0539, CVE-2019-0568.
Github link:
https://github.com/NatteeSetobol/CVE-2019-0567-MS-Edge
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2019-0539, CVE-2019-0568.
Github link:
https://github.com/NatteeSetobol/CVE-2019-0567-MS-Edge
GitHub
GitHub - NatteeSetobol/CVE-2019-0567-MS-Edge: My proof of concept for CVE-2019 Microsoft-Edge
My proof of concept for CVE-2019 Microsoft-Edge. Contribute to NatteeSetobol/CVE-2019-0567-MS-Edge development by creating an account on GitHub.