Packet Storm – Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
OpenMediaVault rpc.php Authenticated PHP Code Injection - 25 November 2020, 4:40 pm
This Metasploit module exploits an authenticated PHP code injection vulnerability found in openmediavault versions before 4.1.36 and 5.x versions before 5.5.12 inclusive in the “sortfield” POST parameter of the rpc.php page, because “json_encode_safe()” is not used in config/databasebackend.inc. Successful exploitation grants attackers the ability to execute arbitrary commands on the underlying operating system as root.
Kong Gateway Admin API Remote Code Execution - 25 November 2020, 4:39 pm
This Metasploit module uses the Kong admin API to create a route and a serverless function plugin that is associated with the route. The plugin runs Lua code and is used to run a system command using os.execute(). After execution the route is deleted, which also deletes the plugin.
WordPress Simple File List Unauthenticated Remote Code Execution - 25 November 2020, 4:37 pm
This Metasploit module exploits WordPress Simple File List plugin versions prior to 4.2.3, which allows remote unauthenticated attackers to upload files within a controlled list of extensions. However, the rename function does not conform to the file extension restrictions, thus allowing arbitrary PHP code to be uploaded first as a png then renamed to php and executed.
SyncBreeze 10.0.28 Remote Buffer Overflow - 25 November 2020, 4:33 pm
SyncBreeze version 10.0.28 suffers from a remote buffer overflow vulnerability.
osCommerce 22.214.171.124 Cross Site Scripting - 25 November 2020, 4:32 pm
osCommerce version 126.96.36.199 suffers from a persistent cross site scripting vulnerability.
Wondershare Driver Install Service Help 10.7.1.321 Unquoted Service Path - 25 November 2020, 4:29 pm
Wondershare Driver Install Service Help version 10.7.1.321 suffers from an unquoted service path vulnerability.
ZTE MF253V 1.0.0B04 XSS / CSRF / Hardcoded Password - 24 November 2020, 3:36 pm
ZTE WLAN router MF253V version 1.0.0B04 suffers from cross site request forgery, hardcoded password, outdated component, and cross site scripting vulnerabilities.
ZeroShell 3.9.0 Remote Command Execution - 24 November 2020, 3:34 pm
This Metasploit module exploits an unauthenticated command injection vulnerability found in ZeroShell version 3.9.0 in the “/cgi-bin/kerbynet” url. As sudo is configured to execute /bin/tar without a password (NOPASSWD) it is possible to run root commands using the “checkpoint” tar options.
Seowon 130-SLC 1.0.11 Remote Code Execution - 24 November 2020, 3:31 pm
Seowon 130-SLC router version 1.0.11 suffers from a remote code execution vulnerability.
OpenCart 188.8.131.52 Cross Site Scripting - 24 November 2020, 3:03 pm
OpenCart version 184.108.40.206 suffers from multiple persistent cross site scripting vulnerabilities.
nopCommerce Store 4.30 Cross Site Scripting - 24 November 2020, 3:00 pm
nopCommerce Store version 4.30 suffers from a persistent cross site scripting vulnerability.
Apache OpenMeetings 5.0.0 Denial Of Service - 24 November 2020, 2:57 pm
Apache OpenMeetings version 5.0.0 suffers from a denial of service vulnerability.
LifeRay 7.2.1 GA2 Cross Site Scripting - 23 November 2020, 2:16 pm
LifeRay version 7.2.1 GA2 suffers from a persistent cross site scripting vulnerability.
TP-Link TL-WA855RE V5_200415 Device Reset Authentication Bypass - 23 November 2020, 2:14 pm
The TP-Link TL-WA855RE V5_200415 suffers from a flaw where an unauthenticated attacker can reset the device and then set a new administrator password.
Boxoft Audio Converter 2.3.0 Buffer Overflow - 23 November 2020, 2:12 pm
Boxoft Audio Converter version 2.3.0 suffers from a buffer overflow vulnerability.
Barco wePresent Insecure Firmware Image - 20 November 2020, 9:31 pm
Barco wePresent WiPG-1600W versions 220.127.116.11, 18.104.22.168, 22.214.171.124, and 126.96.36.199 have firmware that does not perform verification of digitally signed firmware updates and is susceptible to processing and installing modified/malicious images.
Barco wePresent Global Hardcoded Root SSH Password - 20 November 2020, 9:29 pm
Barco wePresent WiPG-1600W versions 188.8.131.52, 184.108.40.206, 220.127.116.11, and 18.104.22.168 have a hardcoded root password hash included in the firmware image.
Barco wePresent Undocumented SSH Interface - 20 November 2020, 9:27 pm
Barco wePresent WiPG-1600W version 22.214.171.124 has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. The web interface does not provide a visible capability to alter this configuration file variable. However, a malicious actor can include this variable in a POST such that the SSH daemon will be started when the device boots.
Barco wePresent Authentication Bypass - 20 November 2020, 9:25 pm
The Barco wePresent WiPG-1600W version 126.96.36.199 web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a “SEID” token that is appended to the end of URLs in GET requests. Thus the “SEID” would be exposed in web proxy logs and browser history. An attacker that is able to capture the “SEID” and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials.
Barco wePresent Admin Credential Exposure - 20 November 2020, 9:23 pm
An attacker armed with hardcoded API credentials from KL-001-2020-004 (CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp for Barco wePresent WiPG-1600W version 188.8.131.52.
Barco wePresent Hardcoded API Credentials - 20 November 2020, 9:20 pm
Barco wePresent device firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Versions affected include 184.108.40.206, 220.127.116.11, 18.104.22.168, and 22.214.171.124.
Vtiger CRM 7.0 Cross Site Scripting - 20 November 2020, 3:59 pm
Vtiger CRM version 7.0 suffers from a persistent cross site scripting vulnerability.
Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution - 20 November 2020, 3:46 pm
This Metasploit module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request, the second is a directory traversal, and the third is a race condition. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category.
IBM Tivoli Storage Manager 126.96.36.199 Buffer Overflow - 20 November 2020, 3:44 pm
IBM Tivoli Storage Manager version 188.8.131.52 suffers from a command line administrative interface buffer overflow vulnerability.
Boxoft Convert Master 1.3.0 Local Buffer Overflow - 20 November 2020, 3:43 pm
Boxoft Convert Master version 1.3.0 suffers from an SEH-based local buffer overflow vulnerability; this is an exploit for it.