CVE-2024-32002

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

Github link:
https://github.com/XiaomingX/CVE-2024-32002-poc

CVE-2024-40711

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).

Github link:
https://github.com/XiaomingX/CVE-2024-40711-poc

CVE-2024-23692

Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported.

Github link:
https://github.com/XiaomingX/CVE-2024-23692-poc

CVE-2024-38856

Incorrect Authorization vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: through 18.12.14.

Users are recommended to upgrade to version 18.12.15, which fixes the issue.

Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

Github link:
https://github.com/XiaomingX/cve-2024-38856-poc

CVE-2024-35250

Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

Github link:
https://github.com/yinsel/CVE-2024-35250-BOF

CVE-2022-45354

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPChill Download Monitor.This issue affects Download Monitor: from n/a through 4.7.60.



Github link:
https://github.com/NekomataCode/CVE-2022-45354

CVE-2024-11201

None

Github link:
https://github.com/NSQAQ/CVE-2024-11201

CVE-2024-11199

None

Github link:
https://github.com/windz3r0day/CVE-2024-11199

CVE-2023-50094

None

Github link:
https://github.com/Zierax/CVE-2023-50094_POC

CVE-2024-33901

None

Github link:
https://github.com/gmikisilva/CVE-2024-33901-ProofOfConcept

CVE-2024-48990

None

Github link:
https://github.com/Cyb3rFr0g/CVE-2024-48990-PoC

CVE-2024-48990

None

Github link:
https://github.com/pentestfunctions/CVE-2024-48990-PoC-Testing

CVE-2024-21762

A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specifically crafted requests

Github link:
https://github.com/XiaomingX/cve-2024-21762-poc

CVE-2024-21534

All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.**Note:**There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).

Github link:
https://github.com/XiaomingX/CVE-2024-21534-poc

CVE-2022-1388

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Github link:
https://github.com/XiaomingX/cve-2022-1388-poc

CVE-2022-26134

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

Github link:
https://github.com/XiaomingX/cve-2022-26134-poc

CVE-2023-47246

In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.

Github link:
https://github.com/XiaomingX/cve-2023-47246-poc

CVE-2023-41425

Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.

Github link:
https://github.com/Diegomjx/CVE-2023-41425-WonderCMS-Authenticated-RCE

CVE-2024-48990

None

Github link:
https://github.com/r0xdeadbeef/CVE-2024-48990-exploit

CVE-2019-10149

A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.

Github link:
https://github.com/uyerr/PoC_CVE-2019-10149--rce