Google's Extensible Service Proxy suffers from a header forgery vulnerability.
c2a95ac806be1e61288f44e7ec319f21ec2702adefa41386a2ad0039ac44ff37
Microsoft Diaghub suffers from a privilege escalation vulnerability.
844a4c936f2538ce3463038b174f339bb043e808dd20dea21867c792cccc8425
This Metasploit module exploits the UniversalOrchestrator ScheduleWork API call, which does not verify the caller's token before scheduling a job to be run as SYSTEM. A job cannot be scheduled for a specific time, so the payload will execute as SYSTEM at some point within the next 24 hours.
3a60a69dcbeb7de997adcc7d739647b41b00df07ef99e3f346dd78c5b1f47616
Google's osconfig agent was vulnerable to local privilege escalation because it relied on a predictable path inside the /tmp directory. An unprivileged malicious process could abuse this flaw to win a race condition, take over the files managed by the highly privileged agent process, and thus execute arbitrary commands as the root user (full capabilities). Exploitation was only possible while an osconfig recipe was being deployed.
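The predictable-path race above, reduced to its essence in C. This is an added example, not osconfig's code: the sandbox directory, the guessable file name "recipe_state" and the "victim_file" target are constructed for the demo. The "attacker" plants a symlink at the path the privileged "agent" is known to use; an open() without O_EXCL/O_NOFOLLOW follows it and writes through to the victim, while the hardened open refuses.

```c
/* Added example (not osconfig's own code). Contrasts a predictable /tmp path
 * opened the way a careless privileged agent might with an open that refuses
 * an attacker-planted symlink. All paths here are constructed for the demo. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: a guessable path opened with O_CREAT but without
 * O_EXCL/O_NOFOLLOW. If a symlink already sits there, the write lands
 * wherever the symlink points. Returns bytes written or -1. */
static ssize_t write_state_vulnerable(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n;
}

/* Hardened pattern: O_EXCL makes the open fail (EEXIST) if anything already
 * occupies the path, so a pre-planted symlink is never followed. O_NOFOLLOW
 * additionally refuses symlinks on later opens that do not use O_CREAT.
 * Mode 0600 keeps other local users from reading the state file. */
static ssize_t write_state_hardened(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n;
}

/* Simulates the race: the attacker plants a symlink at the predictable path,
 * then the agent writes. Returns 1 if the victim file received the agent's
 * data (takeover), 0 if the write was refused, -1 on setup failure. The
 * sandbox is created with mkdtemp so nothing outside it is touched. */
int simulate_symlink_race(int hardened) {
    char sandbox[] = "/tmp/osconfig_demo_XXXXXX";          /* constructed */
    if (mkdtemp(sandbox) == NULL) return -1;

    char predictable[4096], victim[4096];
    snprintf(predictable, sizeof predictable, "%s/recipe_state", sandbox); /* guessable name */
    snprintf(victim, sizeof victim, "%s/victim_file", sandbox); /* stands in for a root-owned file */

    /* Attacker step: the predictable path now points at the victim. */
    if (symlink(victim, predictable) != 0) return -1;

    /* Agent step. */
    ssize_t n = hardened ? write_state_hardened(predictable, "pwned\n")
                         : write_state_vulnerable(predictable, "pwned\n");

    struct stat st;
    int taken_over = (n > 0 && stat(victim, &st) == 0 && st.st_size > 0);

    unlink(victim);
    unlink(predictable);
    rmdir(sandbox);
    return taken_over;
}

int main(void) {
    printf("vulnerable open: takeover=%d\n", simulate_symlink_race(0));
    printf("hardened open:   takeover=%d\n", simulate_symlink_race(1));
    return 0;
}
```

The real fix for an agent is to stop using a guessable name at all (mkdtemp/mkstemp under a directory only root can write to); O_EXCL|O_NOFOLLOW is the minimum that turns a silent takeover into a visible EEXIST error.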
1cc92e5ebabd438a79296409a717f268826979019ed2cd8fa31fe695998e710e
Proof of concept denial of service exploit for the recent OpenSSL signature_algorithms_cert vulnerability.
1d08073755309441e120ada922d200c5276431e79d7c9bdd66bbb529a2013702
The TrustedInstaller service on Microsoft Windows hosts a COM service called Sxs Store Class; its ISxsStore interface provides methods to install and uninstall assemblies into the WinSxS store via application manifest files. These methods were meant to be available only to users with administrative privileges, but the logic was unintentionally exposed to anyone on the system due to an improper implementation of the authorization check.
9c1655d1ae3d7a8de85f05069a4d75abf6276f84421c75d2885fafffef09b981
A flaw in the implementation of Microsoft's Troubleshooter technology could lead to remote code execution if a crafted .diagcab file is opened by the victim. The exploit leverages a rogue WebDAV server to trick MSDT into dropping files to attacker-controlled locations on the file system.
cbe54b81542a05ea1e6eca61a96e5a5cf9a912e2b9399db4856ff9dcd2335482
IcedTeaWeb suffers from multiple vulnerabilities, including directory traversal and validation bypass issues that can lead to remote code execution. Affected versions are 1.7.2 and below and 1.8.2 and below. Version 1.6 is also vulnerable but will not be patched because it is end of life. Proof of concepts are provided.
1337c5ba88da32d6b2f207e5dfaef357aba71650ba7c348c9a4b63c551a403cd
GNU patch suffers from command injection and various other vulnerabilities when handling specially crafted patch files.
46e27d51accb7a7405dd3c34e724a12c052ab52ecfe5b3acffb883ba165d5e6b
WordPress WP Fastest Cache plugin versions 0.8.9.5 and below suffer from a directory traversal vulnerability.
a48aa7f98293e513ef94ab9b82442089b2529f76733376c84e5da8863c042fd3
Wampserver versions 3.1.4 through 3.1.8 suffer from a cross site request forgery vulnerability.
5f29238634e5da41f867c1af60f848f8e1bd8f7c8c7c9ac99b7b56d2d1b57d67
Security controls configured via php.ini directives at the PHP_INI_SYSTEM level are ineffective, as malicious scripts can bypass them by writing to their own process memory on the Linux platform. Proof of concept code included.
a746a7f8973556b23ebea90b00627034fee20f44dce632fd39f31dcfa7483ceb
knc (Kerberised NetCat) versions before 1.11-1 are vulnerable to a denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting other services running on the targeted host. Proof of concept included.
5f21249af2b570413ccedbc2d38d69f7569143fd0ffd8e6431e4db2f29a7fb53
Shell In A Box versions 2.2.0 and below suffer from an infinite loop denial of service vulnerability.
cf504b640b61a6a0ad0b121dbbe3f7bee85c6e61335a525740f2aa402cebc279
ProjectPier versions 0.8.8 and below suffer from remote file inclusion, authentication bypass, remote shell upload, and remote SQL injection vulnerabilities.
7a13b186e33609dbaaf95ba6ece84bee3002a77278845c2990abfd1f456f1050
Proof of concept that exploits the default typing issue in Jackson-databind via Spring application contexts and expressions.
556baf38b3cbd6a00b1977182d2e52222d11bc57c0158fa40ccf472a8568c448
pmount is a wrapper around the standard mount program that permits normal users to mount removable devices without a matching /etc/fstab entry. Due to a missing input validation check, local users could mount devices to arbitrary destinations and thus take over the targeted system completely. Version 0.9.23 is affected.
2721035920e3ee68f9a9ba12f5b428e825d1682c57e62014bc2baa2e25fb29e5
Monsta Box WebFTP suffers from an arbitrary file read vulnerability.
17b16ca800abe893b240e9494d98637b640c281294456b8dcb365bb6eb74581f
PHP File Manager version 0.9.8 suffers from authentication bypass and code execution vulnerabilities.
65273401e57b33b4f6cd1df07fa16fbea93fa1f5b6c5d27ff3f44a84188080a5
PHP-FPM suffered from memory leak and buffer overflow vulnerabilities in the access logging feature. The fixed PHP versions are 5.5.31, 5.6.17, and 7.0.2.
51daba0a03b7d26034ec17e1ea4ebf73742706c017813cd75bc99f3e30eb351b
In suEXEC_Daemon mode the LiteSpeed web server spawns one PHP master process during startup. It runs as root and accepts LSAPI requests, which in turn specify the user the script should run as. Each LSAPI request is authenticated with a MAC based on a random key pre-shared between PHP and the web server. The researchers found that the LiteSpeed PHP SAPI module did not clear this secret in its child processes, so it remained available in the memory space of the child PHP processes. The fixed PHP versions are 5.5.31, 5.6.17, and 7.0.2.
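The underlying mistake, a privileged parent forking children that keep its secret in memory, shown in C. This is an added example and not LiteSpeed's or PHP's code: the key bytes are constructed, the global and function names are hypothetical, and the scrub step stands in for whatever the real fix did before the child is handed to a lower-privileged user.

```c
/* Added example (not LiteSpeed's or PHP's code). A parent holds a pre-shared
 * MAC key; after fork() the child inherits a copy of that memory. Unless the
 * child scrubs it before running untrusted code, the key is readable from the
 * child's address space. Key value and names are constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define KEY_LEN 32

/* Stands in for the parent's pre-shared request-authentication key. */
static unsigned char g_shared_key[KEY_LEN];

/* memset() on memory never read again can be optimised away; a volatile
 * write loop is not. explicit_bzero()/memset_s() are the platform
 * equivalents where available. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* What the child should do before the privilege boundary: drop the secret.
 * In the vulnerable variant this step is simply missing. */
static void child_prepare(int hardened) {
    if (hardened) secure_zero(g_shared_key, KEY_LEN);
    /* ... setuid(script_user); run the script ... (not done in the demo) */
}

/* Forks a child and asks it whether the key it inherited is still non-zero.
 * Returns 1 if the child can read the secret, 0 if it sees only zeros,
 * -1 on pipe/fork failure. */
int child_sees_secret(int hardened) {
    memcpy(g_shared_key, "constructed-demo-key-0123456789ab", KEY_LEN); /* constructed */
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(fds[0]);
        child_prepare(hardened);
        int nonzero = 0;
        for (int i = 0; i < KEY_LEN; i++) nonzero |= g_shared_key[i];
        unsigned char r = nonzero ? 1 : 0;
        ssize_t w = write(fds[1], &r, 1);
        (void)w;
        _exit(0);
    }
    close(fds[1]);
    unsigned char r = 2;                 /* 2 = child never reported */
    ssize_t got = read(fds[0], &r, 1);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (got != 1 || r == 2) return -1;
    return (int)r;
}

int main(void) {
    printf("child without scrub sees key: %d\n", child_sees_secret(0));
    printf("child with scrub sees key:    %d\n", child_sees_secret(1));
    return 0;
}
```

The same check applies to any copy of the key: if the parent also kept it in a heap buffer or a freed-but-not-zeroed region, scrubbing one global is not enough.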
dcdfba0d864d56f1eab83f8a2d054770a95e1e8eb5d10e504881b19b952d0a78
The Android ADB utility backup manager, which invokes the custom BackupAgent, does not filter the data stream returned by applications. While a BackupAgent is being executed during the backup process, it can inject additional applications (APKs) into the backup archive without the user's consent; the BackupAgent needs no Android permissions to do so. Upon restoration of the backup archive, the system installs the injected application with escalated privileges, since it is part of the backup archive and the system believes it is authentic. Proof of concept code included.
d376ef512eaaa814a39535b0eb8c3bd952e0156ea5d7dc7981001d630f3697b5
Microsec e-Szigno and Netlock Mokka applications suffer from an e-akta signature verification weakness. Microsec e-Szigno versions older than 3.2.7.12 and Netlock Mokka versions older than 2.7.8.1204 are affected.
7c9175ecb67d017613e97ac84c7dc3741a8dc378d1f6b845cd5bdd140f7d842b
ADB backup on Android version 4.0.4 allows for file overwrite via modified tar headers.
05f57d5729d25c00164ccfa74bfb76fe4328bb79a10efd4cf3e895cd21b26843
The doSendObjectInfo() method of the MtpServer class implemented in frameworks/av/media/mtp/MtpServer.cpp on Android 4.4 does not validate the name parameter of the incoming MTP packet, leading to a path traversal vulnerability.
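The ADB backup tar-header overwrite (Android 4.0.4) and the MTP doSendObjectInfo() name traversal above share one root cause: a name carried in a protocol message is used as a file-system path without checking that it stays inside the intended directory. The C below is an added example, not Android's code, of the validation both were missing. The ustar field offsets are the standard ones; the header bytes and MTP names fed to it are constructed for the demo, and the function names are hypothetical.

```c
/* Added example (not Android's code). One confinement check applied to two
 * inputs: the name/prefix fields of a ustar header as restored by adb backup,
 * and the object name of an MTP SendObjectInfo request. Headers and names
 * below are constructed for the demo. */
#include <stdio.h>
#include <string.h>

/* Reject a path that is absolute, empty, or has a ".." component.
 * Returns 1 if the path stays under a single restore/store directory. */
int path_is_confined(const char *path) {
    if (path == NULL || path[0] == '\0' || path[0] == '/') return 0;
    const char *p = path;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (*p == '/') p++;
    }
    return 1;
}

/* MTP object names must be a single component, so any slash is rejected too. */
int mtp_name_is_valid(const char *name) {
    return path_is_confined(name) && strchr(name, '/') == NULL;
}

/* ustar layout: name at offset 0 (100 bytes), prefix at offset 345 (155
 * bytes); the full path is prefix "/" name when prefix is non-empty. Writes
 * the joined path to out and returns path_is_confined() of it. */
int tar_header_is_confined(const unsigned char hdr[512], char *out, size_t outlen) {
    char name[101] = {0}, prefix[156] = {0};
    memcpy(name, hdr, 100);
    memcpy(prefix, hdr + 345, 155);
    if (prefix[0]) snprintf(out, outlen, "%s/%s", prefix, name);
    else           snprintf(out, outlen, "%s", name);
    return path_is_confined(out);
}

/* Build a minimal constructed ustar header (only the fields this check reads). */
void make_tar_header(unsigned char hdr[512], const char *name, const char *prefix) {
    memset(hdr, 0, 512);
    memcpy(hdr, name, strlen(name) < 100 ? strlen(name) : 100);
    memcpy(hdr + 257, "ustar", 5);                      /* magic */
    memcpy(hdr + 345, prefix, strlen(prefix) < 155 ? strlen(prefix) : 155);
}

/* Convenience: build a header from name/prefix and report whether a restore
 * should accept it. */
int check_tar_entry(const char *name, const char *prefix) {
    unsigned char hdr[512];
    char joined[300];
    make_tar_header(hdr, name, prefix);
    return tar_header_is_confined(hdr, joined, sizeof joined);
}

int main(void) {
    printf("tar ../../system/app/evil.apk      -> %d\n", check_tar_entry("../../system/app/evil.apk", ""));
    printf("tar prefix=../../data name=evil.apk -> %d\n", check_tar_entry("evil.apk", "../../data"));
    printf("tar apps/com.example/base.apk       -> %d\n", check_tar_entry("base.apk", "apps/com.example"));
    printf("mtp ../../../data/data/x            -> %d\n", mtp_name_is_valid("../../../data/data/x"));
    printf("mtp photo.jpg                       -> %d\n", mtp_name_is_valid("photo.jpg"));
    return 0;
}
```

The prefix field matters: a header whose name looks harmless can still escape through a traversal placed in prefix, so the check must run on the joined path, not on name alone. A restore that also follows symlinks already present in the target tree needs a second check (open with O_NOFOLLOW or resolve with realpath and compare) that this validator does not cover.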
9645f86fa24dbcf40e5f7dd36ca986ccbcd0f124fb94b860bde8a37c6cb42100