1337day-Exploits

qdPM version 9.1 suffers from a remote code execution vulnerability. View the full article

Umbraco CMS version 8.2.2 suffers from cross site request forgery vulnerabilities. View the full article

Pachev FTP Server version 1.0 suffers from a path traversal vulnerability. View the full article

BOOTP Turbo version 2.0 SEH denial of service proof of concept exploit. View the full article

D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP interface. The vulnerability exists in /gena.cgi (function genacgi_main() in /htdocs/cgibin), which is accessible without credentials. View the full article

This Metasploit module attempts to gain root privileges on Linux systems by abusing a NULL pointer dereference in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko). Successful exploitation requires the RDS kernel module to be loaded. If the RDS module is not blacklisted (default); then it will be loaded automatically. This exploit supports 64-bit Ubuntu Linux systems, including distributions based on Ubuntu, such as Linux Mint and Zorin OS. This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on various 4.4 and 4.8 kernels. View the full article

ZOHO ManageEngine ServiceDeskPlus versions 11.0 Build 11007 and below suffer from a cross site scripting vulnerability. View the full article

Employee Leaves Management System version 2.0 suffers from a cross site request forgery vulnerability. View the full article

Citrix XenMobile Server version 10.8 suffers from an XML external entity injection vulnerability. View the full article

An insufficient fix for CVE-2019-6205 means XNU vm_map_copy optimization which requires atomicity still is not atomic. View the full article

KeePass version 2.44 suffers from a denial of service vulnerability. View the full article

ECTouch ECShop version 2.7.3 suffers from a remote SQL injection vulnerability. View the full article

This application, known as the SolarWinds n-Central Dumpster Diver, utilizes the nCentral agent dot net libraries to simulate the agent registration and pull the agent/appliance configuration settings. This information can contain plain text active directory domain credentials. This was reported to SolarWinds PSIRT([email protected]) on 10/10/2019. In most cases the agent download URL is not secured allowing anyone without authorization and known customer id to download the agent software. Once you have a customer id you can self register and pull the config. Application will test availability of customer id via agent download URL. If successful it will then pull the config. We do not attempt to just pull the config because timing out on the operation takes to long. Removing the initial check, could produce more results as the agent download could be being blocked where as agent communication would not be. Harmony is only used to block the nCentral libraries from saving and creating a config directory that is not needed. View the full article

Park Ticketing Management System version 1.0 suffers from a persistent cross site scripting vulnerability. View the full article

This is a proof of concept for CVE-2018-8413 where the Microsoft Windows Theme API had a file parsing vulnerability. View the full article