header-logo
Suggest Exploit
explore-vulnerabilities

Explore Vulnerabilities

Version
Year

Explore all Exploits:

Petrol Pump Management Software v1.0 – Remote Code Execution (RCE)

Petrol Pump Management Software v1.0 is vulnerable to Remote Code Execution (RCE) due to a file upload flaw. An attacker can upload a malicious payload to the logo Photos parameter in the web_crud.php component, allowing them to execute arbitrary code on the server. By exploiting this vulnerability, an attacker can potentially take full control of the application.

Microsoft Windows Defender TrojanWin32Powessere.G Mitigation Bypass Part 3

Windows Defender fails to detect and prevent execution of TrojanWin32Powessere.G when leveraging rundll32.exe, leading to an 'Access is denied' error. The bypass was first disclosed in 2022 by passing an extra path traversal with mshtml, which was later mitigated. Subsequently, on Feb 7, 2024, using multiple commas as part of the path allowed bypassing the mitigation until it was fixed. Another trivial bypass was discovered soon after.

Workout Journal App 1.0 – Stored XSS

The Workout Journal App version 1.0 is vulnerable to stored XSS. By registering with malicious XSS payloads in the First and Last name fields during registration, an attacker can execute arbitrary scripts. This vulnerability arises due to lack of data validation, allowing the browser to execute injected code.

KiTTY 0.76.1.13 – ‘Start Duplicated Session Username’ Buffer Overflow

The exploit allows an attacker to execute arbitrary code by exploiting a buffer overflow vulnerability in KiTTY version 0.76.1.13. By sending a specially crafted payload, an attacker can trigger the overflow and potentially gain remote access to the affected system. This vulnerability has been assigned CVE-2024-25004.

Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE)

The Viessmann Vitogate 300 with versions up to 2.1.3.0 is vulnerable to remote code execution. By sending a crafted request to the target device, an attacker can execute arbitrary commands on the system. This vulnerability has been assigned CVE-2023-5702 & CVE-2023-5222.

FoF Pretty Mail 1.1.2 – Server Side Template Injection (SSTI)

FoF Pretty Mail 1.1.2 extension for Flarum is vulnerable to Server-Side Template Injection (SSTI) because it does not properly handle template variables. An attacker with administrative privileges can insert malicious code into the email template, which could result in executing arbitrary code on the server.

Arbitrary File Download via Path Traversal in Simple Backup Plugin < 2.7.10

The Simple Backup Plugin version 2.7.10 allows an attacker to download arbitrary files from the server through a path traversal vulnerability. By manipulating the 'download_backup_file' parameter in the 'tools.php' page, an attacker can traverse directories and access sensitive files on the server.

Recent Exploits: