Disclosed: July 14, 2014
The WordPress WPTouch plugin contains an authenticated file upload
vulnerability. A wp-nonce (CSRF token) is created on the backend index
page and the same token is used when handling AJAX file uploads through
the plugin. By sending the captured nonce with the upload, we can
upload arbitrary files to the upl...
Disclosed: July 08, 2014
A website that serves a JSONP endpoint that accepts a custom alphanumeric
callback of 1200 chars can be abused to serve an encoded swf payload that
steals the contents of a same-domain URL. Flash < 220.127.116.11 is required.
This module spins up a web server that, upon navigation from a user, attempts
to abuse the s...
Disclosed: July 01, 2014
The WordPress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
functionality to upload a zip file containing the payload. The plugin uses the
admin_init hook, which is also executed for unauthenticated users when access...
Disclosed: June 30, 2014
This module exploits an unauthenticated remote command execution vulnerability
in version 0.4.0 of Gitlist. The problem exists in the handling of a specially
crafted file name when trying to blame it.
Disclosed: June 25, 2014
VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated
OS Command injection in the web interface. Use reverse payloads for the most
reliable results. Since it is a blind OS command injection vulnerability,
there is no output for the executed command when using the cmd generic payload.
Disclosed: June 19, 2014
This module abuses a file exposure vulnerability accessible through the web interface
on port 49152 of Supermicro Onboard IPMI controllers. The vulnerability allows an attacker
to obtain detailed device information and download data files containing the clear-text
usernames and passwords for the controller. In May of 201...
Disclosed: June 19, 2014
This module exploits the embedded Lua interpreter in the admin web interface for
versions 4.3.8 and below. When supplying a specially crafted HTTP POST request
an attacker can use os.execute() to execute arbitrary system commands on
the target with SYSTEM privileges.
Disclosed: June 08, 2014
This module exploits an unauthenticated blind SQL injection in LinkViewFetchServlet,
which is exposed in ManageEngine Desktop Central v7 build 70200 to v9 build 90033 and
Password Manager Pro v6 build 6500 to v7 build 7002 (including the MSP versions). The
SQL injection can be used to achieve remote code execution as SYST...
Disclosed: June 07, 2014
This module can exploit NoSQL injections on MongoDB versions less than 2.4
and enumerate the collections available in the data via boolean injections.
Disclosed: June 05, 2014
This module checks for the OpenSSL ChangeCipherSpec (CCS)
Injection vulnerability. The problem exists in the handling of early
CCS messages during session negotiation. Vulnerable installations of OpenSSL accept
them, while later implementations do not. If successful, an attacker can leverage this