CVE-2025-53770
None
Github link:
https://github.com/bossnick98/-SOC342---CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-and-RCE
Repository description: An activity to train analysis skills and reporting.
CVE-2023-34362
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.
Github link:
https://github.com/Naveenbana5250/CVE-2023-34362-Defense-Package
Repository description: Threat-Informed Detection & Mitigation Package for MOVEit Transfer Vulnerability.
CVE-2025-32462
Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.
Github link:
https://github.com/j3r1ch0123/CVE-2025-32462
Repository description: The vulnerability was found by Rich Mirch. More details on it here: https://cxsecurity.com/issue/WLB-2025070022
CVE-2002-20001
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.
Github link:
https://github.com/itmaniac/dheat_dos_attack_poc
Repository description: POC for Testing the Existence of D(HE)at DOS Attack for (CVE-2002-20001).
CVE-2022-35411
rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.
Github link:
https://github.com/CSpanias/rpc-rce.py
Repository description: Exploit for CVE-2022-35411, Unauthenticated RCE in rpc.py (<= 0.6.0).
CVE-2025-34077
An authentication bypass vulnerability exists in the WordPress Pie Register plugin <= 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server.
Github link:
https://github.com/0xgh057r3c0n/CVE-2025-34077
Repository description: PoC for Unauthenticated Admin Session Hijack - Pie Register Plugin (≤ 3.7.1.4).
CVE-2025-24813
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial
Github link:
https://github.com/Shivshantp/CVE-2025-24813
Repository description: Apache Tomcat PUT JSP RCE - CVE-2025-24813 - Exploit & PoC.
CVE-2020-15778
** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
Github link:
https://github.com/drackyjr/CVE-2020-15778-SCP-Command-Injection-Check
Repository description: This script is a safe and simple tool that helps system users, students, and administrators check if their SCP (Secure Copy) client is vulnerable to CVE-2020-15778, a command injection vulnerabilit...
CVE-2025-47227
In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), the Administrator password reset mechanism is mishandled. Making both a GET and a POST request to login.php is sufficient. An unauthenticated attacker can then bypass authentication via administrator account takeover.
Github link:
https://github.com/B1ack4sh/Blackash-CVE-2025-47227
CVE-2025-32463
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
Github link:
https://github.com/KaiHT-Ladiant/CVE-2025-32463
Repository description: CVE-2025-32463 - Sudo Chroot Privilege Escalation Exploit.
CVE-2025-29927
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Github link:
https://github.com/b4sh0xf/PoC-CVE-2025-29927
CVE-2021-43857
Gerapy is a distributed crawler management framework. Gerapy prior to version 0.9.8 is vulnerable to remote code execution, and this issue is patched in version 0.9.8.
Github link:
https://github.com/ProwlSec/gerapy-cve-2021-43857
Repository description: Proof of Concept exploit for CVE-2021-43857: Authenticated Remote Code Execution in Gerapy (<0.9.8). Updated and automated version of the original Exploit-DB PoC for educational and authoriz...
CVE-2001-1473
The SSH-1 protocol allows remote servers to conduct man-in-the-middle attacks and replay a client challenge response to a target server by creating a Session ID that matches the Session ID of the target, but which uses a public key pair that is weaker than the target's public key, which allows the attacker to compute the corresponding private key and use the target's Session ID with the compromised key pair to masquerade as the target.
Github link:
https://github.com/alexandermoro/cve-2001-1473