Increase Coverage of KEV Templates

[princechaddha]

In this issue, We have compiled a list of KEV CVEs that have publicly available POCs. We are inviting contributions from the community to expand the coverage of Known Exploited Vulnerabilities (KEV) CVEs and make them accessible to everyone.

Expanding the coverage of widely exploited KEV CVEs in the nuclei-templates repository will enhance the detection capabilities and provide more comprehensive security scanning for a broader range of vulnerabilities. This contribution will significantly benefit the entire community by improving the overall effectiveness of vulnerability scanning.

We highly appreciate your involvement and eagerly look forward to your valuable contributions! To contribute, please refer to our Contribution Guide and explore the Nuclei Templates Documentation for further guidance.

If you require any assistance with writing templates or have questions about contributing, feel free to join our Discord server. Our community members will be more than happy to help you.

KEV CVEs

• [ ] CVE ID: CVE-2022-41352

  Details

  **Description:** An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavisd automatically prefers it over cpio. **PoC:** http://packetstormsecurity.com/files/169458/Zimbra-Collaboration-Suite-TAR-Path-Traversal.html **Reference:** https://forums.zimbra.org/viewtopic.php?t=71153&p=306532

• [ ] CVE ID: CVE-2022-31460

  Details

  **Description:** Owl Labs Meeting Owl 5.2.0.15 allows attackers to activate Tethering Mode with hard-coded hoothoot credentials via a certain c 150 value. **PoC:** https://www.modzero.com/static/meetingowl/Meeting_Owl_Pro_Security_Disclosure_Report_RELEASE.pdf **Reference:** https://arstechnica.com/information-technology/2022/06/vulnerabilities-in-meeting-owl-videoconference-device-imperil-100k-users/

• [ ] CVE ID: CVE-2022-28958

  Details

  **Description:** ** DISPUTED ** D-Link DIR816L_FW206b01 was discovered to contain a remote code execution (RCE) vulnerability via the value parameter at shareport.php. NOTE: this has been disputed by a third party. **PoC:** https://github.com/shijin0925/IOT/blob/master/DIR816/3.md **Reference:** https://www.dlink.com/en/security-bulletin/

• [ ] CVE ID: CVE-2022-24706

  Details

  **Description:** In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations. **PoC:** http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-Execution.html **Reference:** http://www.openwall.com/lists/oss-security/2022/04/26/1

• [ ] CVE ID: CVE-2022-28810

  Details

  **Description:** Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field. **PoC:** http://packetstormsecurity.com/files/166816/ManageEngine-ADSelfService-Plus-Custom-Script-Execution.html **Reference:** https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html

• [ ] CVE ID: CVE-2022-26258

  Details

  **Description:** D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp. **PoC:** https://github.com/skyedai910/Vuln/tree/master/DIR-820L/command_execution_0 **Reference:** http://dlink.com

• [ ] CVE ID: CVE-2022-26143

  Details

  **Description:** The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack. **PoC:** https://arstechnica.com/information-technology/2022/03/ddosers-use-new-method-capable-of-amplifying-traffic-by-a-factor-of-4-billion/ **Reference:** https://blog.cloudflare.com/cve-2022-26143/

• [ ] CVE ID: CVE-2021-45382

  Details

  **Description:** A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file. Note: DIR-810L, DIR-820L, DIR-830L, DIR-826L, DIR-836L, all hardware revisions, have reached their End of Life ("EOL") /End of Service Life ("EOS") Life-Cycle and as such this issue will not be patched. **PoC:** https://github.com/doudoudedi/D-LINK_Command_Injection1/blob/main/D-LINK_Command_injection.md **Reference:** https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10264

• [ ] CVE ID: CVE-2022-24682

  Details

  **Description:** An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1), as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing arbitrary markup to be injected into the document. **PoC:** https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/ **Reference:** https://blog.zimbra.com/2022/02/hotfix-available-5-feb-for-zero-day-exploit-vulnerability-in-zimbra-8-8-15/

• [ ] CVE ID: CVE-2021-35395

  Details

  **Description:** Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point. Two versions of this management interface exists: one based on Go-Ahead named webs and another based on Boa named boa. Both of them are affected by these vulnerabilities. Specifically, these binaries are vulnerable to the following issues: - stack buffer overflow in formRebootCheck due to unsafe copy of submit-url parameter - stack buffer overflow in formWsc due to unsafe copy of submit-url parameter - stack buffer overflow in formWlanMultipleAP due to unsafe copy of submit-url parameter - stack buffer overflow in formWlSiteSurvey due to unsafe copy of ifname parameter - stack buffer overflow in formStaticDHCP due to unsafe copy of hostname parameter - stack buffer overflow in formWsc due to unsafe copy of 'peerPin' parameter - arbitrary command execution in formSysCmd via the sysCmd parameter - arbitrary command injection in formWsc via the 'peerPin' parameter Exploitability of identified issues will differ based on what the end vendor/manufacturer did with the Realtek SDK webserver. Some vendors use it as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tends to re-use those examples in their custom code, any binary based on Realtek SDK webserver will probably contains its own set of issues on top of the Realtek ones (if kept). Successful exploitation of these issues allows remote attackers to gain arbitrary code execution on the device. **PoC:** https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain **Reference:** https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en

• [ ] CVE ID: CVE-2021-35394

  Details

  **Description:** Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers. **PoC:** https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain **Reference:** https://www.realtek.com/en/cu-1-en/cu-1-taiwan-en

• [ ] CVE ID: CVE-2021-21551

  Details

  **Description:** Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required. **PoC:** http://packetstormsecurity.com/files/162604/Dell-DBUtil_2_3.sys-IOCTL-Memory-Read-Write.html **Reference:** https://www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability

• [ ] CVE ID: CVE-2021-22204

  Details

  **Description:** Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image **PoC:** http://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html **Reference:** http://packetstormsecurity.com/files/162558/ExifTool-DjVu-ANT-Perl-Injection.html

• [ ] CVE ID: CVE-2021-27878

  Details

  **Description:** An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The attacker could use one of these commands to execute an arbitrary command on the system using system privileges. **PoC:** http://packetstormsecurity.com/files/168506/Veritas-Backup-Exec-Agent-Remote-Code-Execution.html **Reference:** https://www.veritas.com/content/support/en_US/security/VTS21-001#issue3

• [ ] CVE ID: CVE-2021-27877

  Details

  **Description:** An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands. **PoC:** http://packetstormsecurity.com/files/168506/Veritas-Backup-Exec-Agent-Remote-Code-Execution.html **Reference:** https://www.veritas.com/content/support/en_US/security/VTS21-001#issue1

• [ ] CVE ID: CVE-2021-27876

  Details

  **Description:** An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. By using crafted input parameters in one of these commands, an attacker can access an arbitrary file on the system using System privileges. **PoC:** http://packetstormsecurity.com/files/168506/Veritas-Backup-Exec-Agent-Remote-Code-Execution.html **Reference:** https://www.veritas.com/content/support/en_US/security/VTS21-001#issue2

• [ ] CVE ID: CVE-2020-28949

  Details

  **Description:** Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. **PoC:** http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html **Reference:** https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html

• [ ] CVE ID: CVE-2020-8260

  Details

  **Description:** A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction. **PoC:** http://packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html **Reference:** https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601

• [ ] CVE ID: CVE-2020-14871

  Details

  **Description:** Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). **PoC:** http://packetstormsecurity.com/files/160510/Solaris-SunSSH-11.0-x86-libpam-Remote-Root.html **Reference:** http://packetstormsecurity.com/files/159961/SunSSH-Solaris-10-x86-Remote-Root.html

• [x] CVE ID: CVE-2020-17463

  Details

  **Description:** FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items. **PoC:** http://packetstormsecurity.com/files/158840/Fuel-CMS-1.4.7-SQL-Injection.html **Reference:** https://cwe.mitre.org/data/definitions/89.html

• [ ] CVE ID: CVE-2020-8218

  Details

  **Description:** A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface. **PoC:** https://www.gosecure.net/blog/2020/11/13/forget-your-perimeter-part-2-four-vulnerabilities-in-pulse-connect-secure/ **Reference:** https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516

• [ ] CVE ID: CVE-2020-10987

  Details

  **Description:** The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter. **PoC:** https://blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68 **Reference:** https://www.ise.io/research/

• [ ] CVE ID: CVE-2020-8195

  Details

  **Description:** Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 resulting in limited information disclosure to low privileged users. **PoC:** http://packetstormsecurity.com/files/160047/Citrix-ADC-NetScaler-Local-File-Inclusion.html **Reference:** https://support.citrix.com/article/CTX276688

• [ ] CVE ID: CVE-2020-9377

  Details

  **Description:** ** UNSUPPORTED WHEN ASSIGNED ** D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. **PoC:** https://gist.github.com/GouveaHeitor/131557f9de7d571f118f59805df852dc **Reference:** https://www.dlink.com.br/produto/dir-610/

• [ ] CVE ID: CVE-2020-11899

  Details

  **Description:** The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read. **PoC:** https://www.jsof-tech.com/ripple20/ **Reference:** http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-006.txt

• [ ] CVE ID: CVE-2020-8816

  Details

  **Description:** Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease. **PoC:** https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/ **Reference:** http://packetstormsecurity.com/files/157861/Pi-Hole-4.3.2-DHCP-MAC-OS-Command-Execution.html

• [ ] CVE ID: CVE-2020-5741

  Details

  **Description:** Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code. **PoC:** http://packetstormsecurity.com/files/158470/Plex-Unpickle-Dict-Windows-Remote-Code-Execution.html **Reference:** N/A

• [ ] CVE ID: CVE-2020-11652

  Details

  **Description:** An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. **PoC:** http://packetstormsecurity.com/files/157678/SaltStack-Salt-Master-Minion-Unauthenticated-Remote-Code-Execution.html **Reference:** http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html

• [ ] CVE ID: CVE-2020-11651

  Details

  **Description:** An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions. **PoC:** http://packetstormsecurity.com/files/157560/Saltstack-3000.1-Remote-Code-Execution.html **Reference:** http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html

• [ ] CVE ID: CVE-2020-3161

  Details

  **Description:** A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition. **PoC:** http://packetstormsecurity.com/files/157265/Cisco-IP-Phone-11.7-Denial-Of-Service.html **Reference:** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs

• [ ] CVE ID: CVE-2020-5722

  Details

  **Description:** The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions before 1.0.19.20 or inject HTML in password recovery emails in versions before 1.0.20.17. **PoC:** http://packetstormsecurity.com/files/156876/UCM6202-1.0.18.13-Remote-Command-Injection.html **Reference:** N/A

• [ ] CVE ID: CVE-2020-5849

  Details

  **Description:** Unraid 6.8.0 allows authentication bypass. **PoC:** http://packetstormsecurity.com/files/157275/Unraid-6.8.0-Authentication-Bypass-Arbitrary-Code-Execution.html **Reference:** https://forums.unraid.net/forum/7-announcements/

• [ ] CVE ID: CVE-2020-10181

  Details

  **Description:** goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_user<*1*>administrator<*1*>123456 request. **PoC:** http://packetstormsecurity.com/files/156746/Enhanced-Multimedia-Router-3.0.4.27-Cross-Site-Request-Forgery.html **Reference:** N/A

• [ ] CVE ID: CVE-2016-11021

  Details

  **Description:** setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remote attacker to execute code via an OS command in the SystemCommand parameter. **PoC:** https://www.exploit-db.com/exploits/39437 **Reference:** N/A

• [ ] CVE ID: CVE-2020-10221

  Details

  **Description:** lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter. **PoC:** http://packetstormsecurity.com/files/156687/rConfig-3.93-Authenticated-Remote-Code-Execution.html **Reference:** https://cwe.mitre.org/data/definitions/78.html

• [ ] CVE ID: CVE-2020-10189

  Details

  **Description:** Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. **PoC:** http://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html **Reference:** https://cwe.mitre.org/data/definitions/502.html

• [ ] CVE ID: CVE-2019-19356

  Details

  **Description:** Netis WF2419 is vulnerable to authenticated Remote Code Execution (RCE) as root through the router Web management page. The vulnerability has been found in firmware version V1.2.31805 and V2.2.36123. After one is connected to this page, it is possible to execute system commands as root through the tracert diagnostic tool because of lack of user input sanitizing. **PoC:** http://packetstormsecurity.com/files/156588/Netis-WF2419-2.2.36123-Remote-Code-Execution.html **Reference:** N/A

• [ ] CVE ID: CVE-2019-18988

  Details

  **Description:** TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protect information stored in the registry or configuration files of TeamViewer. With versions before v9.x , this allowed for attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to login to the system. **PoC:** https://whynotsecurity.com/blog/teamviewer/ **Reference:** https://community.teamviewer.com/t5/Announcements/Specification-on-CVE-2019-18988/td-p/82264

• [ ] CVE ID: CVE-2020-2555

  Details

  **Description:** Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). **PoC:** http://packetstormsecurity.com/files/157054/Oracle-Coherence-Fusion-Middleware-Remote-Code-Execution.html **Reference:** https://www.oracle.com/security-alerts/cpujan2020.html

• [ ] CVE ID: CVE-2019-4716

  Details

  **Description:** IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094. **PoC:** http://packetstormsecurity.com/files/156953/IBM-Cognos-TM1-IBM-Planning-Analytics-Server-Configuration-Overwrite-Code-Execution.html **Reference:** https://exchange.xforce.ibmcloud.com/vulnerabilities/172094

• [ ] CVE ID: CVE-2019-18935

  Details

  **Description:** Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.) **PoC:** https://github.com/bao7uo/RAU_crypto **Reference:** http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html

• [ ] CVE ID: CVE-2019-3010

  Details

  **Description:** Vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). **PoC:** http://packetstormsecurity.com/files/154960/Solaris-xscreensaver-Privilege-Escalation.html **Reference:** http://seclists.org/fulldisclosure/2019/Oct/39

• [ ] CVE ID: CVE-2019-16057

  Details

  **Description:** The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection. **PoC:** https://blog.cystack.net/d-link-dns-320-rce/ **Reference:** https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf

• [ ] CVE ID: CVE-2019-16256

  Details

  **Description:** Some Samsung devices include the SIMalliance Toolbox Browser (aka S@T Browser) on the UICC, which might allow remote attackers to retrieve location and IMEI information, or retrieve other data or execute certain commands, via SIM Toolkit (STK) instructions in an SMS message, aka Simjacker. **PoC:** https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile **Reference:** N/A

• [ ] CVE ID: CVE-2019-15949

  Details

  **Description:** Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root. **PoC:** http://packetstormsecurity.com/files/156676/Nagios-XI-Authenticated-Remote-Command-Execution.html **Reference:** N/A

• [ ] CVE ID: CVE-2019-15752

  Details

  **Description:** Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command. **PoC:** https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e **Reference:** http://packetstormsecurity.com/files/157404/Docker-Credential-Wincred.exe-Privilege-Escalation.html

• [ ] CVE ID: CVE-2019-12991

  Details

  **Description:** Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6). **PoC:** http://packetstormsecurity.com/files/153638/Citrix-SD-WAN-Appliance-10.2.2-Authentication-Bypass-Remote-Command-Execution.html **Reference:** http://www.securityfocus.com/bid/109133

• [ ] CVE ID: CVE-2019-12989

  Details

  **Description:** Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow SQL Injection. **PoC:** http://packetstormsecurity.com/files/153638/Citrix-SD-WAN-Appliance-10.2.2-Authentication-Bypass-Remote-Command-Execution.html **Reference:** http://www.securityfocus.com/bid/109133

• [ ] CVE ID: CVE-2018-18325

  Details

  **Description:** DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811. **PoC:** http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html **Reference:** https://github.com/dnnsoftware/Dnn.Platform/releases

• [ ] CVE ID: CVE-2018-15811

  Details

  **Description:** DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters. **PoC:** http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html **Reference:** https://github.com/dnnsoftware/Dnn.Platform/releases

• [ ] CVE ID: CVE-2018-7841

  Details

  **Description:** A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered. **PoC:** http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html **Reference:** https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02

• [ ] CVE ID: CVE-2018-14839

  Details

  **Description:** LG N1A1 NAS 3718.510 is affected by: Remote Command Execution. The impact is: execute arbitrary code (remote). The attack vector is: HTTP POST with parameters. **PoC:** https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247 **Reference:** N/A

• [ ] CVE ID: CVE-2019-11539

  Details

  **Description:** In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands. **PoC:** https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/ **Reference:** http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html

• [ ] CVE ID: CVE-2019-0211

  Details

  **Description:** In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected. **PoC:** http://packetstormsecurity.com/files/152441/CARPE-DIEM-Apache-2.4.x-Local-Privilege-Escalation.html **Reference:** http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html

• [ ] CVE ID: CVE-2018-18809

  Details

  **Description:** The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0. **PoC:** https://cybersecurityworks.com/zerodays/cve-2018-18809-tibco.html **Reference:** http://packetstormsecurity.com/files/154406/Tibco-JasperSoft-Path-Traversal.html

• [ ] CVE ID: CVE-2019-9082

  Details

  **Description:** ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command. **PoC:** http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html **Reference:** N/A

• [ ] CVE ID: CVE-2019-8394

  Details

  **Description:** Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. **PoC:** https://www.exploit-db.com/exploits/46413/ **Reference:** http://www.securityfocus.com/bid/107129

• [ ] CVE ID: CVE-2018-20753

  Details

  **Description:** Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild. **PoC:** https://blog.huntresslabs.com/deep-dive-kaseya-vsa-mining-payload-c0ac839a0e88 **Reference:** https://helpdesk.kaseya.com/hc/en-gb/articles/360000333152

• [ ] CVE ID: CVE-2017-18362

  Details

  **Description:** ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication. **PoC:** https://github.com/kbni/owlky **Reference:** http://archive.today/rdkeQ

• [ ] CVE ID: CVE-2018-20062

  Details

  **Description:** An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string. **PoC:** https://github.com/nangge/noneCms/issues/21 **Reference:** http://packetstormsecurity.com/files/157218/ThinkPHP-5.0.23-Remote-Code-Execution.html

• [ ] CVE ID: CVE-2018-14558

  Details

  **Description:** An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firmware through V15.03.05.19(6318)_CN(AC9), and AC10 devices with firmware through V15.03.06.23_CN(AC10). A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted goform/setUsbUnload request. This occurs because the "formsetUsbUnload" function executes a dosystemCmd function with untrusted input. **PoC:** https://github.com/zsjevilhex/iot/blob/master/route/tenda/tenda-01/Tenda.md **Reference:** N/A

• [ ] CVE ID: CVE-2018-14847

  Details

  **Description:** MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface. **PoC:** https://github.com/BasuCert/WinboxPoC **Reference:** N/A

• [ ] CVE ID: CVE-2018-8298

  Details

  **Description:** A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8291, CVE-2018-8296. **PoC:** https://www.exploit-db.com/exploits/45217/ **Reference:** http://www.securityfocus.com/bid/104639

• [ ] CVE ID: CVE-2018-11138

  Details

  **Description:** The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system. **PoC:** https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities **Reference:** N/A

• [ ] CVE ID: CVE-2018-10561

  Details

  **Description:** An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device. **PoC:** https://www.exploit-db.com/exploits/44576/ **Reference:** http://www.securityfocus.com/bid/107053

• [ ] CVE ID: CVE-2018-5430

  Details

  **Description:** The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. Affected releases include TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.2.4; 6.3.0; 6.3.2; 6.3.3;6.4.0; 6.4.2, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.2, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.2, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 6.4.2, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 6.4.2. **PoC:** https://rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/ **Reference:** https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430

• [ ] CVE ID: CVE-2018-6882

  Details

  **Description:** Cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite (ZCS) before 8.7 Patch 1 and 8.8.x before 8.8.7 might allow remote attackers to inject arbitrary web script or HTML via a Content-Location header in an email attachment. **PoC:** https://www.securify.nl/advisory/SFY20180101/cross-site-scripting-vulnerability-in-zimbra-collaboration-suite-due-to-the-way-it-handles-attachment-links.html **Reference:** http://seclists.org/fulldisclosure/2018/Mar/52

• [ ] CVE ID: CVE-2018-6530

  Details

  **Description:** OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter. **PoC:** https://github.com/TheBeeMan/Pwning-multiple-dlink-router-via-SOAP-proto **Reference:** ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-860L/REVA/DIR-860L_REVA_FIRMWARE_PATCH_NOTES_1.11B01_EN_WW.pdf

• [ ] CVE ID: CVE-2018-2380

  Details

  **Description:** SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs. **PoC:** https://github.com/erpscanteam/CVE-2018-2380 **Reference:** http://www.securityfocus.com/bid/103001

• [ ] CVE ID: CVE-2017-16651

  Details

  **Description:** Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests. **PoC:** http://packetstormsecurity.com/files/161226/Roundcube-Webmail-1.2-File-Disclosure.html **Reference:** http://www.securityfocus.com/bid/101793

• [ ] CVE ID: CVE-2015-1187

  Details

  **Description:** The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to execute arbitrary code via the ping_addr parameter to ping.ccp. **PoC:** http://packetstormsecurity.com/files/131465/D-Link-TRENDnet-NCC-Service-Command-Injection.html **Reference:** http://packetstormsecurity.com/files/130607/D-Link-DIR636L-Remote-Command-Injection.html

• [ ] CVE ID: CVE-2017-6316

  Details

  **Description:** Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID. **PoC:** https://www.exploit-db.com/exploits/42345/ **Reference:** http://www.securityfocus.com/bid/99943

• [ ] CVE ID: CVE-2017-6334

  Details

  **Description:** dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the host_name field of an HTTP POST request, a different vulnerability than CVE-2017-6077. **PoC:** https://www.exploit-db.com/exploits/41459/ **Reference:** http://www.securityfocus.com/bid/96463

• [ ] CVE ID: CVE-2017-6077

  Details

  **Description:** ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ping_IPAddr field of an HTTP POST request. **PoC:** https://www.exploit-db.com/exploits/41394/ **Reference:** http://www.securityfocus.com/bid/96408

• [ ] CVE ID: CVE-2016-6367

  Details

  **Description:** Cisco Adaptive Security Appliance (ASA) Software before 8.4(1) on ASA 5500, ASA 5500-X, PIX, and FWSM devices allows local users to gain privileges via invalid CLI commands, aka Bug ID CSCtu74257 or EPICBANANA. **PoC:** http://blogs.cisco.com/security/shadow-brokers **Reference:** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-cli

• [ ] CVE ID: CVE-2016-3643

  Details

  **Description:** SolarWinds Virtualization Manager 6.3.1 and earlier allow local users to gain privileges by leveraging a misconfiguration of sudo, as demonstrated by "sudo cat /etc/passwd." **PoC:** http://packetstormsecurity.com/files/137487/Solarwinds-Virtualization-Manager-6.3.1-Privilege-Escalation.html **Reference:** http://seclists.org/fulldisclosure/2016/Jun/26

• [ ] CVE ID: CVE-2016-3976

  Details

  **Description:** Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971. **PoC:** http://packetstormsecurity.com/files/137528/SAP-NetWeaver-AS-JAVA-7.5-Directory-Traversal.html **Reference:** https://erpscan.io/advisories/erpscan-16-012/

• [ ] CVE ID: CVE-2016-2388

  Details

  **Description:** The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846. **PoC:** http://packetstormsecurity.com/files/137128/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html **Reference:** https://erpscan.io/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/

• [ ] CVE ID: CVE-2016-2386

  Details

  **Description:** SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079. **PoC:** http://packetstormsecurity.com/files/137129/SAP-NetWeaver-AS-JAVA-7.5-SQL-Injection.html **Reference:** https://erpscan.io/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/

• [ ] CVE ID: CVE-2015-4852

  Details

  **Description:** The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product. **PoC:** http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ **Reference:** http://packetstormsecurity.com/files/152268/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html

• [ ] CVE ID: CVE-2015-2051

  Details

  **Description:** The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface. **PoC:** http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051 **Reference:** http://www.securityfocus.com/bid/72623

• [ ] CVE ID: CVE-2014-0160

  Details

  **Description:** The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. **PoC:** http://www.exploit-db.com/exploits/32745 **Reference:** http://advisories.mageia.org/MGASA-2014-0165.html

• [ ] CVE ID: CVE-2013-5223

  Details

  **Description:** Multiple cross-site scripting (XSS) vulnerabilities in D-Link DSL-2760U Gateway (Rev. E1) allow remote authenticated users to inject arbitrary web script or HTML via the (1) ntpServer1 parameter to sntpcfg.cgi, username parameter to (2) ddnsmngr.cmd or (3) todmngr.tod, (4) TodUrlAdd parameter to urlfilter.cmd, (5) appName parameter to scprttrg.cmd, (6) fltName in an add action or (7) rmLst parameter in a remove action to scoutflt.cmd, (8) groupName parameter to portmapcfg.cmd, (9) snmpRoCommunity parameter to snmpconfig.cgi, (10) fltName parameter to scinflt.cmd, (11) PolicyName in an add action or (12) rmLst parameter in a remove action to prmngr.cmd, (13) ippName parameter to ippcfg.cmd, (14) smbNetBiosName or (15) smbDirName parameter to samba.cgi, or (16) wlSsid parameter to wlcfg.wl. **PoC:** http://packetstormsecurity.com/files/123976 **Reference:** http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10002

• [ ] CVE ID: CVE-2012-0391

  Details

  **Description:** The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. **PoC:** http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html **Reference:** http://struts.apache.org/2.x/docs/s2-008.html

• [ ] CVE ID: CVE-2007-3010

  Details

  **Description:** masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server R7.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the user parameter during a ping action. **PoC:** http://marc.info/?l=full-disclosure&m=119002152126755&w=2 **Reference:** http://www.redteam-pentesting.de/advisories/rt-sa-2007-001.php

• [ ] CVE ID: CVE-2006-1547

  Details

  **Description:** ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils. **PoC:** http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html **Reference:** http://issues.apache.org/bugzilla/show_bug.cgi?id=38534

[king-alexander]

In the PoC for CVE-2022-26258, the payload is directed at a different endpoint than the one described, so I suggest it be removed from this list. There is an excellent writeup at https://vulncheck.com/blog/moobot-uses-fake-vulnerability with more details.

[king-alexander]

The template for CVE-2021-22205 already exists, authored by the GitLab Red Team.