Search Hints

  • Try searching for a product or vendor.
  • Only vulnerabilities that match all search terms will be returned.
  • Enclose search terms in double quotes for an exact search.
  • For CVE searches, only enter the CVE-YYYY-XXXX code.

Displaying module details 1 - 10 of 2642 in total

Wordpress WPTouch Authenticated File Upload Exploit

Disclosed: July 14, 2014

The Wordpress WPTouch plugin contains an auhtenticated file upload vulnerability. A wp-nonce (CSRF token) is created on the backend index page and the same token is used on handling ajax file uploads through the plugin. By sending the captured nonce with the upload, we can upload arbitrary files to the upl...

Flash "Rosetta" JSONP GET/POST Response Disclosure Exploit

Disclosed: July 08, 2014

A website that serves a JSONP endpoint that accepts a custom alphanumeric callback of 1200 chars can be abused to serve an encoded swf payload that steals the contents of a same-domain URL. Flash < is required. This module spins up a web server that, upon navigation from a user, attempts to abuse the s...

Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload Exploit

Disclosed: July 01, 2014

The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8 is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme functionality to upload a zip file containing the payload. The plugin uses the admin_init hook, which is also executed for unauthenticated users when access...

Gitlist Unauthenticated Remote Command Execution Exploit

Disclosed: June 30, 2014

This module exploits an unauthenticated remote command execution vulnerability in version 0.4.0 of Gitlist. The problem exists in the handling of an specially crafted file name when trying to blame it.

Supermicro Onboard IPMI Port 49152 Sensitive File Exposure Exploit

Disclosed: June 19, 2014

This module abuses a file exposure vulnerability accessible through the web interface on port 49152 of Supermicro Onboard IPMI controllers. The vulnerability allows an attacker to obtain detailed device information and download data files containing the clear-text usernames and passwords for the controller. In May of 201...

OpenSSL Server-Side ChangeCipherSpec Injection Scanner Exploit

Disclosed: June 05, 2014

This module checks for the OpenSSL ChageCipherSpec (CCS) Injection vulnerability. The problem exists in the handling of early CCS messages during session negotation. Vulnerable installations of OpenSSL accepts them, while later implementations do not. If successful, an attacker can leverage this vulnerability to p...

OpenSSL DTLS Fragment Buffer Overflow DoS Exploit

Disclosed: June 05, 2014

This module performs a Denial of Service Attack against Datagram TLS in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h. This occurs when a DTLS ClientHello message has multiple fragments and the fragment lengths of later fragments are larger than that of the first, a buffer overflow occurs, c...

Ericom AccessNow Server Buffer Overflow Exploit

Disclosed: June 02, 2014

This module exploits a stack based buffer overflow in Ericom AccessNow Server. The vulnerability is due to an insecure usage of vsprintf with user controlled data, which can be triggered with a malformed HTTP request. This module has been tested successfully with Ericom AccessNow Server on Windows XP SP3 and Windo...

Cerberus FTP Server SFTP Username Enumeration Exploit

Disclosed: May 27, 2014

This module uses a dictionary to brute force valid usernames from Cerberus FTP server via SFTP. This issue affects all versions of the software older than or and is caused by a discrepancy in the way the SSH service handles failed logins for valid and invalid users. This issue was discovered by S...