Exploit Engine

The FortiDAST Scripting Engine (FSE) is a proprietary exploit engine that allows you to detect specific CVE vulnerabilities using built-in signatures covering ZeroShell, WordPress, Joomla, SAP, Java Primefaces, ApacheStruts, Phpunit, Thinkphp, Sharepoint, MSExchange, Apache HTTP Server, Nginx, Allegro, SMB, VMware, GitLab, Zoho, Spring-framework, Atlassian, GLPI, CentOS, Cacti, Microsoft, OpenSSL, Apache Log4J, dotCMS, IIS, DVR, Telerik, SolarView, NetScaler, ColdFusion, JetBrains, Palo Alto and Redis. For more information on exploit engine configuration, see Configuring Exploit Engine.

The following table lists the vulnerabilities supported by FSE. For more information on the vulnerabilities listed in this table, see CVE Details.

CVE Description

SAP
CVE-2015-8840 Vulnerability in the XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java.
CVE-2016-3973 Vulnerability in the chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5.
CVE-2016-3975 Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5.
CVE-2018-2366 Vulnerability in SAP Business Process Automation (BPA) By Redwood 9.0 and 9.1.
CVE-2020-6287 Vulnerability in SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50.
CVE-2022-22536 A memory pipes (MPI) de-synchronization vulnerability.

WordPress
CVE-2018-7422 A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress.
CVE-2019-9978 Vulnerability in the social-warfare plugin before 3.5.3 for WordPress.
CVE-2014-9119 Directory traversal vulnerability in download.php in the DB Backup plugin 4.5 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
CVE-2015-1579 Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.
CVE-2015-6522 SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the size parameter to get_album_item.php.
CVE-2020-10257 The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint.
CVE-2020-10564 A directory traversal in the File Upload plugin before 4.13.0 for WordPress can lead to remote code execution by uploading a crafted txt file into the lib directory, because of a wfu_include_lib call.
CVE-2023-28121 An authentication bypass vulnerability affecting the WooCommerce Payments plugin versions 4.8.0 through 5.6.1. Successful exploitation could allow an unauthorized attacker to gain admin privileges on WordPress sites with a vulnerable version of the plugin enabled.

MS-Exchange
CVE-2021-26855 A Server-Side Request Forgery (SSRF) vulnerability.
CVE-2021-33766 An Information Disclosure vulnerability (ProxyToken).
CVE-2021-34473 A Remote Code Execution vulnerability (ProxyShell).
CVE-2021-42321 A high-severity Remote Code Execution vulnerability caused by improper validation of cmdlet arguments.
CVE-2022-41082 MS Exchange ProxyNotShell Remote Code Execution vulnerability.

Sharepoint
CVE-2019-0604 A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package.
CVE-2020-1147 A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input.
CVE-2020-16952 A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'.
CVE-2021-31181 The EditingPageParser.VerifyControlOnSafeList method fails to properly validate user-supplied data. An attacker can leverage this to leak sensitive information in rendered-preview content.
CVE-2020-0646 A remote code execution vulnerability exists in the Microsoft .NET Framework (versions 3.5 and 4.x); SharePoint servers using vulnerable .NET Framework versions are affected.
CVE-2021-31950 A server spoofing (SSRF) vulnerability.

Joomla!
CVE-2015-8562 Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header.
CVE-2023-23752 An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

Apache
CVE-2006-3747 Off-by-one error in the LDAP scheme handling in the Rewrite module in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.
CVE-2017-5638 The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands.
CVE-2021-41773 A path traversal vulnerability in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
CVE-2021-42013 The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
CVE-2021-44228 Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser. The affected products are Apache Struts (2.5.8), Elasticsearch (5.0.0-5.6.10, 6.0.0-6.3.2), Apache Solr (7.4.0-7.7.3, 8.0.0-8.11.0), Apache JSPWiki (2.11.0), Apache Druid (0.22), and Apache OFBiz (18.12.03).
CVE-2021-45046 The fix to address CVE-2021-44228 (Log4Shell) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments.

Zeroshell
CVE-2009-0545 (Zeroshell2.0rc2) cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
CVE-2019-12725 (zeroshell3.9.0) Zeroshell 3.9.0 is prone to a remote command execution vulnerability. An unauthenticated attacker can exploit this issue by injecting OS commands into the vulnerable parameters.
CVE-2020-29390 (zeroshell3.9.3) Zeroshell 3.9.3 allows an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character.

PHPUnit
CVE-2017-9841 Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder.

ThinkPHP
CVE-2018-20062 An issue in NoneCms V1.3: thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code.

SMB
CVE-2020-0796 A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

Java PrimeFaces
CVE-2017-1000486 A Remote Code Execution vulnerability.

Nginx
CVE-2009-2629 Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.
CVE-2014-0133 Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.

OpenSSL
CVE-2014-0160 The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, that is, the Heartbleed bug.

Allegro
CVE-2014-9222 Allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the Misfortune Cookie vulnerability.

IIS
CVE-2017-7269 Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in IIS 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request.

dotCMS
CVE-2022-35740 An XSS filter bypass was found in dotCMS version 22.05 and below using Matrix Parameters. The XSS filter is an input sanitizer designed by the vendor to minimize CORS, XSS and CSRF vulnerabilities in the administrator portal; by abusing this bypass an attacker can cause a critical compromise.
CVE-2022-37033 A Server-Side Request Forgery bypass was found in dotCMS version 22.05 and below due to incomplete validation of private addresses. By using a redirection technique, an attacker can make the server request internal resources.
CVE-2022-37034 A Denial-of-Service was found in dotCMS version 22.05 and below. The issue is located in TempFileAPI when it tries to access and download the contents of a remote URL. Directing it to access a large file using multiple requests at once results in memory exhaustion or DoS.
CVE-2022-37431 Multiple endpoints in the dotCMS admin portal were found to be vulnerable to XSS. This occurs when the configuration has XSS_PROTECTION_ENABLED=false.

Redis
CVE-2022-0543 Redis (Debian version lower than 5:5.0.14-1+deb10u2 (buster) and Debian version lower than 5:6.0.16-1+deb11u2 (bullseye)), a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

VMware
CVE-2021-21974 VMware ESXi servers are vulnerable to an OpenSLP heap-overflow vulnerability that is being exploited through the OpenSLP service on port 427 to deliver the ESXiArgs ransomware. The ransomware encrypts files on affected ESXi servers and demands a ransom for file decryption. The vulnerability can also result in remote code execution, allowing the attacker to take full control of the target.
CVE-2021-22005 The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
CVE-2023-20887 Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.

Cacti
CVE-2022-46169 In affected versions of Cacti v1.2.22, a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti. Gaining access to an organization's Cacti instance could give attackers the opportunity to learn about the types of devices on the network and their local IP addresses.

Atlassian
CVE-2022-26134 A critical zero-day vulnerability in Atlassian Confluence Data Center and Server that is actively being exploited in the wild. It is an Object Graph Navigation Language (OGNL) injection that allows an unauthenticated user to execute arbitrary code.

CentOS
CVE-2022-44877 A command injection vulnerability in CWP (Control Web Panel) that remote attackers can easily exploit with a crafted HTTP request, resulting in remote code execution. This vulnerability can be leveraged to perform ransomware attacks or data exfiltration.

Zoho
CVE-2021-40539 APT actors are actively exploiting Zoho ManageEngine ServiceDesk Plus, an IT help desk software with asset management. The vulnerability is rated critical because it allows unauthenticated remote code execution (RCE).

GitLab
CVE-2021-22205 An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in remote command execution.

Spring-framework
CVE-2022-22963 In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
CVE-2022-22965 A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVE-2022-22980 A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

GLPI-Project
CVE-2022-35914 /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

Microsoft
CVE-2023-21554 Microsoft Message Queuing Remote Code Execution Vulnerability.
CVE-2023-32057 An out-of-bounds write vulnerability in the Message Queuing service of Microsoft Windows. It could lead to unauthenticated remote code execution in the Message Queuing service because of missing bounds checks when reading user-controlled section sizes.

Realtek
CVE-2021-35394 An arbitrary command injection vulnerability in the Realtek Jungle SDK. Successful exploitation allows a remote attacker to execute arbitrary code on vulnerable devices, leading to system compromise. IoT devices based on the Realtek Jungle SDK are available from multiple vendors.

TP-Link
CVE-2023-1389 TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 contain a command injection vulnerability in the web management interface, specifically in the Country field. The field is not sanitized, so an attacker can exploit it to gain a foothold on the device. The vulnerability has been exploited in the wild to deploy the Mirai botnet.

RocketMQ
CVE-2023-33246 A command injection vulnerability that affects Apache RocketMQ versions 5.1 and lower. Successful exploitation of the vulnerability allows a remote attacker to execute commands as the system user under which RocketMQ is running by using the update configuration function.

PaperCut
CVE-2023-27350 PaperCut MF/NG Improper Access Control Vulnerability. An unauthenticated attacker can achieve Remote Code Execution (RCE) on a vulnerable PaperCut Application Server. According to the vendor, the flaw exists within the SetupCompleted class and can be exploited remotely without authentication. This vulnerability has been exploited in the wild.

Ivanti
CVE-2023-35078 Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core) contains an authentication bypass vulnerability (CVE-2023-35078) that allows unauthenticated access to specific API paths. An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes including installing software and modifying security profiles on registered devices.

DVR
CVE-2018-9995 Authentication bypass vulnerability in various TBK DVR4104 and DVR4216 devices, allowing attackers to gain administrative access without proper credentials.

ColdFusion
CVE-2023-26360 Critical improper access control vulnerability in Adobe ColdFusion, enabling potential remote code execution by unauthenticated attackers.
CVE-2024-20767 ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write.

NetScaler
CVE-2023-4966 Citrix NetScaler ADC and Gateway vulnerability allowing sensitive information disclosure, potentially including user session tokens.

Telerik
CVE-2017-11317 Vulnerability in the Telerik UI for ASP.NET AJAX component that allows attackers to upload arbitrary files or execute code due to weak encryption in the RadAsyncUpload feature.

SolarView
CVE-2022-29303 A command injection vulnerability in SolarView Compact ver. 6.00 (conf_mail.php) allows attackers to execute arbitrary code on the affected system.

JetBrains
CVE-2023-42793 Critical authentication bypass in JetBrains TeamCity on-premises servers, potentially allowing unauthenticated remote code execution.
CVE-2024-27198 In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing admin actions to be performed was possible.

Palo Alto
CVE-2024-3400 A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Exploit Engine

The FortiDAST Scripting Engine (FSE) is a proprietary exploit engine that allows you to detect specific CVE vulnerabilities using built-in signatures covering ZeroShell, WordPress, Joomla, SAP, Java Primefaces, ApacheStruts, Phpunit, Thinkphp, Sharepoint, MSExchange, Apache HTTP Server, Nginx, Allegro, SMB, VMware, GitLab, Zoho, Spring-framework, Atlassian, GLPI, CentOS, Cacti, Microsoft, OpenSSL, Apache Log4J, dotCMS, IIS, DVR, Telerik, SolarView, NetScaler, ColdFusion, JetBrains, Palo Alto and Redis. For more information on exploit engine configuration, see Configuring Exploit Engine.

The following table lists the vulnerabilities supported by FSE. For more information on the vulnerabilities listed in this table, see CVE Details.

CVE

Description

SAP
CVE-2015-8840 The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java.
CVE-2016-3973 The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5.
CVE-2016-3975 Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5.
CVE-2018-2366 SAP Business Process Automation (BPA) By Redwood, 9.0, 9.1.
CVE-2020-6287 SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50.

CVE-2022-22536

A memory pipes (MPI) de-synchronization vulnerability.

WordPress
CVE-2018-7422 A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress.

CVE-2019-9978

The social-warfare plugin before 3.5.3 for WordPress.

CVE-2014-9119

Directory traversal vulnerability in download.php in the DB Backup plugin 4.5 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

CVE-2015-1579

Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.

CVE-2015-6522

SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the size parameter to get_album_item.php.

CVE-2020-10257

The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint.

CVE-2020-10564

A directory traversal in the File Upload plugin before 4.13.0 for WordPress can lead to remote code execution by uploading a crafted txt file into the lib directory, because of a wfu_include_lib call.

CVE-2023-28121

An authentication bypass vulnerability affecting the WooCommerce Payments plugin version 4.8.0 through 5.6.1. Successful exploitation of the vulnerability could allow an unauthorized attacker to gain admin privileges on the WordPress websites installed with the vulnerable version of the plugin enabled.

MS-Exchange

CVE-2021-26855

A Server-Side Request Forgery (SSRF) vulnerability.

CVE-2021-33766

An Information Disclosure vulnerability (ProxyToken).

CVE-2021-34473

A Remote Code Execution vulnerability (ProxyShell).

CVE-2021-42321

A high severity Remote Code Execution vulnerability that occurs due to improper validation of cmdlet arguments.

CVE-2022-41082

MS Exchange Proxynotshell Remote Code Execution vulnerability.

Sharepoint

CVE-2019-0604

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package.

CVE-2020-1147

A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input.

CVE-2020-16952

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability.

CVE-2021-31181

The EditingPageParser.VerifyControlOnSafeList method fails to properly validate user-supplied data. This can be leveraged by an attacker to leak sensitive information in rendered-preview content.

CVE-2020-0646

A remote code execution vulnerability exists when the Microsoft .NET Framework (versions 3.5 and 4.x Sharepoint servers using vulnerable .NET frameworks are affected.

CVE-2021-31950

A Server Spoofing (SSRF) vulnerability.

Joomla!

CVE-2015-8562

Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header.

CVE-2023-23752

An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

Apache

CVE-2006-3747

Off-by-one error in the LDAP scheme handling in the Rewrite module in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2. When RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.

CVE-2017-5638

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands.

CVE-2021-41773

A path traversal vulnerability in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

CVE-2021-42013

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

CVE-2021-44228

Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser. The affected products are, Apache Struts (2.5.8), Elastic Search (5.0.0-5.6.10, 6.0.0-6.3.2), Apache Solr (7.4.0-7.7.3, 8.0.0-8.11.0), Apache JSPwiki (2.11.0), Apache Druid (0.22), and Apache OFBIZ(18.12.03).

CVE-2021-45046

The fix to address CVE-2021-44228 Log4Shell in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments.

Zeroshell

CVE-2009-0545 (Zeroshell2.0rc2)

cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.

CVE-2019-12725 (zeroshell3.9.0)

Zeroshell 3.9.0 is prone to a remote command execution vulnerability. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.

CVE-2020-29390 (zeroshell3.9.3)

Zeroshell 3.9.3 allows an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character.

PHPUnit

CVE-2017-9841

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder.

ThinkPHP

CVE-2018-20062

NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code

SMB

CVE-2020-0796

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability.

Java PrimeFaces

CVE-2017-1000486

A Remote Code Execution vulnerability.

Nginx

CVE-2009-2629

Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.

CVE-2014-0133

Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.

OpenSSL

CVE-2014-0160

The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, that is, the Heartbleed bug.

Allegro

CVE-2014-9222

Allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the Misfortune Cookie vulnerability.

IIS

CVE-2017-7269

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in IIS 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request.

dotCMS

CVE-2022-35740

A XSS filter mechanism bypass was found in dotCMS version 22.05 and below using Matrix Parameters. The XSS filter is an input sanitizer designed by the vendor to minimize CORS attack, XSS and CSRF vulnerabilities in the administrator portal, by abusing this an attacker can cause critical compromise.

CVE-2022-37033

A Server-Side Request Forgery bypass was found in dotCMS version 22.05 and below due to the incomplete validate private address. By using redirection technique, an attacker can request to server internal resources.

CVE-2022-37034

A Denial-of-Service was found in dotCMS version 22.05 and below. The issue is located in TempFileAPI when it tries to access and download the contents of remote URL. Directing it to access a heavy file using multiple requests at once results in memory exhaustion or DoS.

CVE-2022-37431

Multiple endpoints were found to be vulnerable to XSS in the dotCMS admin portal. This occurs when the configuration has XSS_PROTECTION_ENABLED=false.

Redis

CVE-2022-0543

Redis (Debian version lower than 5:5.0.14-1+deb10u2 (buster) and Debian version lower than 5:6.0.16-1+deb11u2 (bullseye)), a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

VMware

CVE-2021-21974

VMware ESXi servers vulnerable to the OpenSLP heap-overflow vulnerability and are being exploited through the OpenSLP, port 427 to deliver a new ransomware “ESXiArgs”. The ransomware encrypts files in affected ESXi servers and demand a ransom for file decryption. Also, this vulnerability can result in remote code execution, allowing the attacker to get full control of the target.

CVE-2021-22005

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

CVE-2023-20887

Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.

Cacti

CVE-2022-46169

In affected versions of Cacti v1.2.22, a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running

Cacti. Gaining access to the Cacti instance of an organization could give attackers with the opportunity to learn about the types of devices on the

network and their local IP addresses.

Atlassian

CVE-2022-26134

A critical 0-day vulnerability on Atlassian Confluence Data Center and Server is actively being exploited in the wild. The vulnerability is established via the Object Graph Navigation Language (OGNL) injection that allows an unauthenticated user to execute arbitrary code.

CentOS

CVE-2022-44877

A command injection vulnerability that allows remote attackers to easily exploit CWP (Control Web Panel) with a crafted HTTP request which can result in Remote Code Execution. This vulnerability can be leveraged to perform ransomware attacks or exfiltration of data.

Zoho

CVE-2021-40539

APT Actors are actively exploiting Zoho ManageEngine ServiceDesk Plus which is an IT help desk software with asset management. The exploit is rated critical due to its capability for unauthenticated remote code execution (RCE).

GitLab

CVE-2021-22205

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Spring-framework

CVE-2022-22963

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

CVE-2022-22980

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

GLPI-Project

CVE-2022-35914

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

Microsoft

CVE-2023-21554

Microsoft Message Queuing Remote Code Execution Vulnerability

CVE-2023-32057

An out-of-bounds write vulnerability in the Message Queuing service of Microsoft Windows. Because the service does not bounds-check user-controlled section sizes when reading them, the vulnerability could lead to unauthenticated remote code execution in the Message Queuing service.

Realtek

CVE-2021-35394

An arbitrary command injection vulnerability in the Realtek Jungle SDK. Successful exploitation allows a remote attacker to execute arbitrary code on vulnerable devices, leading to system compromise. IoT devices based on the Realtek Jungle SDK are available from multiple vendors.

Tplink

CVE-2023-1389

TP-Link Archer AX21 Command Injection Attack. TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 contain a command injection vulnerability in the web management interface, specifically in the Country field. This field is not sanitized, so an attacker can exploit it for malicious activity and gain a foothold on the device. The vulnerability has been seen exploited in the wild to deploy the Mirai botnet.

RocketMQ

CVE-2023-33246

A command injection vulnerability that affects Apache RocketMQ versions 5.1 and lower. Successful exploitation of the vulnerability allows a remote attacker to execute commands as the system user under which RocketMQ is running by using the update configuration function.

PaperCut

CVE-2023-27350

PaperCut MF/NG Improper Access Control Vulnerability. An unauthenticated attacker can achieve Remote Code Execution (RCE) on a vulnerable PaperCut Application Server. According to the vendor, the specific flaw exists within the SetupCompleted class and can be reached remotely without authentication. This vulnerability has been seen exploited in the wild.

Ivanti

CVE-2023-35078

Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core) contains an authentication bypass vulnerability (CVE-2023-35078) that allows unauthenticated access to specific API paths. An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes including installing software and modifying security profiles on registered devices.

DVR

CVE-2018-9995

Authentication bypass vulnerability in various TBK DVR4104 and DVR4216 devices, allowing attackers to gain administrative access without proper credentials.

ColdFusion

CVE-2023-26360

Critical improper access control vulnerability in Adobe ColdFusion, enabling potential remote code execution by unauthenticated attackers.

CVE-2024-20767

ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures, gain unauthorized access to sensitive files, and perform arbitrary file system writes.

NetScaler

CVE-2023-4966

Citrix NetScaler ADC and Gateway vulnerability allowing sensitive information disclosure, potentially including user session tokens.

Telerik

CVE-2017-11317

Vulnerability in the Telerik UI for ASP.NET AJAX component that allows attackers to upload arbitrary files or execute code due to weak encryption in the RadAsyncUpload feature.

SolarView

CVE-2022-29303

A command injection vulnerability in SolarView Compact ver. 6.00 (conf_mail.php) allows attackers to execute arbitrary code on the affected system.

JetBrains

CVE-2023-42793

Critical authentication bypass in JetBrains TeamCity on-premises servers, potentially allowing unauthenticated remote code execution.

CVE-2024-27198

In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible.

Palo Alto

CVE-2024-3400

A command injection vulnerability, resulting from arbitrary file creation, in the GlobalProtect feature of Palo Alto Networks PAN-OS software. For specific PAN-OS versions and distinct feature configurations, it may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.