bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/java/webapps/46251.txt
Offensive Security b68cbec24d DB: 2019-01-29 
26 changes to exploits/shellcodes

Sricam gSOAP 2.8 - Denial of Service
Smart VPN 1.1.3.0 - Denial of Service (PoC)
MySQL User-Defined (Linux) x32 / x86_64 - sys_exec Function Local Privilege Escalation
Easy Video to iPod Converter 1.6.20 - Buffer Overflow (SEH)
R 3.4.4 XP SP3 - Buffer Overflow (Non SEH)
BEWARD Intercom 2.3.1 - Credentials Disclosure
Faleemi Desktop Software 1.8 - Local Buffer Overflow (SEH)(DEP Bypass)

CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)
Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting
WordPress Plugin Ad Manager WD 1.0.11 - Arbitrary File Download
AirTies Air5341 Modem 1.0.0.12 - Cross-Site Request Forgery
LogonBox Limited / Hypersocket Nervepoint Access Manager - Unauthenticated Insecure Direct Object Reference
CMSsite 1.0 - 'cat_id' SQL Injection
CMSsite 1.0 - 'search' SQL Injection
Cisco RV300 / RV320 - Information Disclosure
Cisco Firepower Management Center 6.2.2.2 / 6.2.3 - Cross-Site Scripting
Newsbull Haber Script 1.0.0 - 'search' SQL Injection
Care2x 2.7 (HIS) Hospital Information System - Multiple SQL Injection
Teameyo Project Management System 1.0 - SQL Injection
Mess Management System 1.0 - SQL Injection
MyBB IP History Logs Plugin 1.0.2 - Cross-Site Scripting
ResourceSpace 8.6 - 'collection_edit.php' SQL Injection

Linux/x86 - exit(0) Shellcode (5 bytes)
Linux/x86 - Read /etc/passwd Shellcode (58 Bytes) (2)
Linux/ARM - Reverse TCP (/bin/sh) - 192.168.1.124:4321 Shellcode (64 bytes)
Linux/ARM -  Bind TCP (/bin/sh)-0.0.0.0:4321 Null Free Shellcode (84 bytes)
2019-01-29 05:01:52 +00:00

45 lines
No EOL
1.7 KiB
Text
Raw Blame History

# Exploit Title: Rundeck Community Edition before 3.0.13 Multiple Stored
XSS
# Vendor Homepage: https://www.rundeck.com/open-source
# Software Link: https://docs.rundeck.com/downloads.html
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# Platform: Java
# CVE: CVE-2019-6804
1. Description:
Cross-Site Scripting issues affecting multiple fields in the workflow
module under job edit form by injecting javascript code in the Arguments,
Invocation String, and File Extension field, the input from these fields
are rendered in the Execution Preview which is the sink of this
vulnerability.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6804
2. Proof of Concept:
Vulnerable Endpoints / Systems
http://{Rundeck_hostname}/project/{Jobname}/job/edit/{Job_ID}
Steps to Reproduce:
Login to Rundeck Server with valid credentials.
1. Navigate to any project in the instance.
2. Navigate to the jobs module
3. Select a job
4. From the right hand side drop down menu, select edit this job
5. Navigate to Workflow module
6. Scroll down to arguments field
7. Enter the following payload: <img/src="x"onerror=alert(19)
8. The same payload can be entered in the Advanced mode in the same module
in two other fields "Invokation String" and "File Extension"
9. Observe the payload getting executed in the "Execution Preview"
3. Solution:
The issue is now patched by the vendor in version 3.0.13
https://docs.rundeck.com/docs/history/version-3.0.13.html
https://github.com/rundeck/rundeck/issues/4406
--
Best Regards,
Ishaq Mohammed
https://about.me/security-prince
Reference in a new issue View git blame Copy permalink