CVE-2008-2018
published 2008-04-30
PriorityP417medium4CVSS 2.0
AV:N/AC:L/Au:S/C:P/I:N/A:N
EXPLOIT
EPSS: 2.16% (79.9th percentile)
The AssignUser function in template.class.php in PHPizabi 0.848b C1 HFP3 performs unsafe macro expansions on strings delimited by '{' and '}' characters, which allows remote authenticated users to obtain sensitive information via a comment containing a macro, as demonstrated by a "{user.password}" comment in the profile of the admin user.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpizabi | phpizabi | — | — |
CVSS provenance
nvd · v2.0 · 4.0 MEDIUM · AV:N/AC:L/Au:S/C:P/I:N/A:N
vendor_redhat · 6.8 MEDIUM
GHSA
GHSA-q3v4-8f88-pc47: The AssignUser function in template
ghsa_unreviewed·2022-05-01
CVE-2008-2018 [MEDIUM] CWE-200 GHSA-q3v4-8f88-pc47: The AssignUser function in template
The AssignUser function in template.class.php in PHPizabi 0.848b C1 HFP3 performs unsafe macro expansions on strings delimited by '{' and '}' characters, which allows remote authenticated users to obtain sensitive information via a comment containing a macro, as demonstrated by a "{user.password}" comment in the profile of the admin user.
Red Hat
gnome-keyring: login credentials retrieval via a Secret Service API call
vendor_redhat·2018-07-06·CVSS 6.8
CVE-2018-19358 [MEDIUM] CWE-200 gnome-keyring: login credentials retrieval via a Secret Service API call
GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used. NOTE: the vendor disputes this because, according to the security model, untrusted applications must not be allowed to access the user's session bus socket.
Statement: Red Hat has determined that this flaw is not a security vulnerability pertaining to gnome-keyring as the underlying issue is that there is currently no way (except by using Flatpak, sandboxing, containers, etc.) to c
No detection rules found.
Exploit-DB
Microsoft Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)
exploitdb·2019-07-17
CVE-2018-8453 Microsoft Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Windows NtUserSetWindowFNID Win32k User Callback',
'Description' => %q{
An elevation of privilege vulnerability exists in Windows when the Win32k component
fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability."
This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows
Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2,
Windows 10, Windows 10 Servers.
This module is tested against Windows 10 v1703 x86.
},
'License' =>
Exploit-DB
Microsoft Windows MSHTML Engine - 'Edit' Remote Code Execution
exploitdb·2019-03-13·CVSS 8.8
CVE-2019-0541 [HIGH] Microsoft Windows MSHTML Engine - 'Edit' Remote Code Execution
---
# Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execution Vulnerability
# Google Dork: N/A
# Date: March, 13 2019
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://www.microsoft.com/
# Software Link: http://www.microsoft.com/
# Version: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018. both x86 and x64 architectures.
# Tested on: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018. both x86 and x64 architectures.
# CVE : CVE-2019-0541
The Microsoft Windows MSHTML Engine is prone to a vulnerability that allows attackers to execute arbitrar
Exploit-DB
CyberArk 9.7 - Memory Disclosure
exploitdb·2018-12-03·CVSS 5.3
CVE-2018-9842 [MEDIUM] CyberArk 9.7 - Memory Disclosure
---
# Exploit Title: CyberArk 9.7 - Memory Disclosure
# Date: 2018-06-04
# Exploit Author: Thomas Zuk (@Freakazoidile)
# Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
# Version: < 9.7 and < 10
# Tested on: Windows 2008, Windows 2012, Windows 7, Windows 8, Windows 10
# CVE: CVE-2018-9842
# Description: There currently exists a general advisory for the CVE with a description of exploitation and how
# to reproduce, but without full exploit code. I have developed a working, reliable standalone Python exploit that
# can be successfully used by modifying only the target IP address. Attached to this email submission is the working exploit code.
#!/usr/bin/python
import socket
import os
impor
Exploit-DB
Advantech WebAccess SCADA 8.3.2 - Remote Code Execution
exploitdb·2018-11-05·CVSS 6.5
CVE-2018-15707 [MEDIUM] Advantech WebAccess SCADA 8.3.2 - Remote Code Execution
---
# Exploit Title: Advantech WebAccess SCADA 8.3.2 - Remote Code Execution
# Date: 2018-11-02
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: http://www.advantech.com
# Device: NRVMini2
# Software Link: http://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-1MDG1BH
# Version: 8.3.2
# Tested on: Windows Server 2008 R2
# CVE: CVE-2018-15705, CVE-2018-15707
# TRA: https://www.tenable.com/security/research/tra-2018-35
# Description:
#
# This code exploits two vulnerabilities to gain remote code execution
# with Administrator privileges:
#
# 1) CVE-2018-15707 to steal credentials (XSS). User-interaction required.
# 2) CVE-2018-15705 to write an ASP file to the server.
from http.server import HTTPServer, BaseHTTPRe
Exploit-DB
Microsoft Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)
exploitdb·2018-10-22·CVSS 7.0
CVE-2018-8120 [HIGH] Microsoft Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Windows SetImeInfoEx Win32k NULL Pointer Dereference',
'Description' => %q{
This module exploits elevation of privilege vulnerability that exists in Windows 7 and 2008 R2
when the Win32k component fails to properly handle objects in memory. An attacker who
successfully exploited this vulnerability could run arbitrary code in kernel mode. An
attacker could then install programs; view, change, or delete data; or create new
accounts with full user rights.
This module is tested against windows 7 x86, windows 7 x64 and windows server 2008 R2 standard
Exploit-DB
VideoInsight WebClient 5 - SQL Injection
exploitdb·2018-06-20·CVSS 7.3
CVE-2017-5151 [HIGH] VideoInsight WebClient 5 - SQL Injection
---
# Title: VideoInsight WebClient 5 - SQL Injection
# Date: 2018-05-06
# Author: vosec
# Vendor Homepage: https://www.security.us.panasonic.com/
# Software Link: https://www.security.us.panasonic.com/video-management-software/web-client/
# Version: 5
# Tested on: Windows Server 2008 R2
# CVE: N/A
# Description:
# This exploit is based on CVE-2017-5151 targeting versions prior.
# The txtUserName and possibly txtPassword field contain an unauthenticated SQL injection vulnerability
# that can be used for remote code execution.
# SQL Injection - PoC
# From the web login page submit the following string as the username with anything in the password field.
# The web server will hang for 5 seconds:
UyYr');WAITFOR DELAY '00:00:05'--
# Remote Code Ex
Exploit-DB
CyberArk < 10 - Memory Disclosure
exploitdb·2018-06-04·CVSS 5.3
CVE-2018-9842 [MEDIUM] CyberArk < 10 - Memory Disclosure
---
# Exploit Title: CyberArk < 10 - Memory Disclosure
# Date: 2018-06-04
# Exploit Author: Thomas Zuk
# Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
# Version: < 9.7 and < 10
# Tested on: Windows 2008, Windows 2012, Windows 7, Windows 8, Windows 10
# CVE: CVE-2018-9842
# Linux cmd line manual test: cat logon.bin | nc -vv IP 1858 | xxd
# paste the following bytes into a hexedited file named logon.bin:
Exploit-DB
PHPizabi 0.848b C1 HFP3 - Database Information Disclosure
exploitdb·2008-04-26
CVE-2008-2018 PHPizabi 0.848b C1 HFP3 - Database Information Disclosure
---
PHPizabi v0.848b C1 HFP3 database information exposure
* I would like to state that I am in no way responsible for how this information is used.
It is just that, information and is provided for informational purposes only.*
An exploit exists in PHPizabi that allows a user using a specially crafted post to disclose
user credentials as well as any other information within the database. Using the following
format in a post to a user's profile will disclose the corresponding field from that user's
entry in the database.
FORMAT:
{user.DATABASEFIELD}
The breakdown:
template.class.php function AssignUser lines 104-108
if (is_array($user)) {
foreach ($user as $code => $value) {
Vulnerable code ----------> $this->Buffer = str_re
Nuclei
BIBLIOsoft BIBLIOpac 2008 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2018-16139 [MEDIUM] BIBLIOsoft BIBLIOpac 2008 - Cross-Site Scripting
BIBLIOsoft BIBLIOpac 2008 contains a cross-site scripting vulnerability via the db or action parameter to bin/wxis.exe/bibliopac/, which allows a remote attacker to inject arbitrary web script or HTML.
Template:
id: CVE-2018-16139
info:
name: BIBLIOsoft BIBLIOpac 2008 - Cross-Site Scripting
author: atomiczsec
severity: medium
description: |
BIBLIOsoft BIBLIOpac 2008 contains a cross-site scripting vulnerability via the db or action parameter to bin/wxis.exe/bibliopac/, which allows a remote attacker to inject arbitrary web script or HTML.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement, or theft of sensitive info
Nuclei
PHPCMS 2008 - Remote Code Execution via Template Injection
nuclei·CVSS 9.8
CVE-2018-19127 [CRITICAL] PHPCMS 2008 - Remote Code Execution via Template Injection
PHPCMS 2008 suffers from an unauthenticated RCE via template injection in type.php, where attacker-supplied content is written into a PHP template cache file, which is then executable.
Template:
id: CVE-2018-19127
info:
name: PHPCMS 2008 - Remote Code Execution via Template Injection
author: tomaquet18
severity: critical
description: |
PHPCMS 2008 suffers from an unauthenticated RCE via template injection in type.php, where attacker-supplied content is written into a PHP template cache file, which is then executable.
impact: |
Successful exploitation allows an unauthenticated attacker to achieve remote code execution on the server, potentially taking full control.
remediation: |
The vendor is unresponsive and PHPCMS 2008 is no
Bleepingcomputer
CISA tags Windows, Cisco vulnerabilities as actively exploited
blogs_bleepingcomputer·2025-03-03·CVSS 7.8
CVE-2023-20025 [HIGH] CISA tags Windows, Cisco vulnerabilities as actively exploited
## CISA tags Windows, Cisco vulnerabilities as actively exploited
## Sergiu Gatlan
Cisco says in an advisory published in January 2023 and updated one year later that its Product Security Incident Response Team (PSIRT) is aware of CVE-2023-20025 publicly available proof-of-concept exploit code.
The second security bug (CVE-2018-8639) is a Win32k elevation of privilege flaw that local attackers logged into the target system can exploit to run arbitrary code in kernel mode. Successful exploitation also allows them to alter data or create rogue accounts with full user rights to take over vulnerable Windows devices.
According to a security advisory issued by Microsoft in December 2018, this vulnerability impacts client (Windows 7 or later) and server (Windows Server 2008 and up) platform
Qualys
A “Patch for the Meltdown Patch” released out of band Thursday night | Qualys
blogs_qualys·2018-03-30·CVSS 7.8
CVE-2018-1038 [HIGH] A “Patch for the Meltdown Patch” released out of band Thursday night | Qualys
The Meltdown/Spectre saga continues…
Late Thursday, Microsoft released a patch for Windows 7 and Server 2008 R2 operating systems to resolve CVE-2018-1038. Apparently, this vulnerability was actually introduced by the patches released in January to mitigate the effects of Meltdown. Microsoft did include a partial fix in the March updates on Patch Tuesday, but did not completely resolve the issue.
According to a blog post by Ulf Frisk, some of the modifications to memory handling opened up read/write access to User mode code, essentially allowing any application on the machine to read and write from memory.
Qualys has created QID 91440 in Vulnerability Management. This detection requires authenticated scanning or a Qualys Cloud Agent installed on the asset, and looks for the presence of