Search Hints

  • Try searching for a product or vendor.
  • Only vulnerabilities that match all search terms will be returned.
  • Enclose search terms in double quotes for an exact search.
  • For CVE searches, only enter the CVE-YYYY-XXXX code.

Displaying module details 41 - 50 of 2719 in total

VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation Exploit

Disclosed: July 15, 2014

A vulnerability within the VBoxGuest driver allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile on Windows XP SP3 systems. This has been tested wi...

Wordpress WPTouch Authenticated File Upload Exploit

Disclosed: July 14, 2014

The Wordpress WPTouch plugin contains an auhtenticated file upload vulnerability. A wp-nonce (CSRF token) is created on the backend index page and the same token is used on handling ajax file uploads through the plugin. By sending the captured nonce with the upload, we can upload arbitrary files to the upl...

Flash "Rosetta" JSONP GET/POST Response Disclosure Exploit

Disclosed: July 08, 2014

A website that serves a JSONP endpoint that accepts a custom alphanumeric callback of 1200 chars can be abused to serve an encoded swf payload that steals the contents of a same-domain URL. Flash < is required. This module spins up a web server that, upon navigation from a user, attempts to abuse the s...

Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload Exploit

Disclosed: July 01, 2014

The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8 is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme functionality to upload a zip file containing the payload. The plugin uses the admin_init hook, which is also executed for unauthenticated users when access...

Gitlist Unauthenticated Remote Command Execution Exploit

Disclosed: June 30, 2014

This module exploits an unauthenticated remote command execution vulnerability in version 0.4.0 of Gitlist. The problem exists in the handling of an specially crafted file name when trying to blame it.

VMTurbo Operations Manager vmtadmin.cgi Remote Command Execution Exploit

Disclosed: June 25, 2014

VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated OS Command injection in the web interface. Use reverse payloads for the most reliable results. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. P...

Supermicro Onboard IPMI Port 49152 Sensitive File Exposure Exploit

Disclosed: June 19, 2014

This module abuses a file exposure vulnerability accessible through the web interface on port 49152 of Supermicro Onboard IPMI controllers. The vulnerability allows an attacker to obtain detailed device information and download data files containing the clear-text usernames and passwords for the controller. In May of 201...

Wing FTP Server Authenticated Command Execution Exploit

Disclosed: June 19, 2014

This module exploits the embedded Lua interpreter in the admin web interface for versions 4.3.8 and below. When supplying a specially crafted HTTP POST request an attacker can use os.execute() to execute arbitrary system commands on the target with SYSTEM privileges.

ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection Exploit

Disclosed: June 08, 2014

This module exploits an unauthenticated blind SQL injection in LinkViewFetchServlet, which is exposed in ManageEngine Desktop Central v7 build 70200 to v9 build 90033 and Password Manager Pro v6 build 6500 to v7 build 7002 (including the MSP versions). The SQL injection can be used to achieve remote code execution as SYST...