Suggest Exploit

Explore Vulnerabilities


Explore all Exploits:

FreePBX 16 – Authenticated Remote Code Execution (RCE)

The FreePBX versions 14, 15, and 16 are vulnerable to an Authenticated Remote Code Execution (RCE) exploit. By exploiting this vulnerability, an attacker can execute arbitrary code on the target system. This exploit allows an attacker to execute commands on the target system, potentially leading to a full compromise.

Craft CMS Logs Plugin 3.0.3 – Path Traversal (Authenticated)

Craft CMS Logs Plugin version 3.0.3 allows an authenticated attacker to perform path traversal by exploiting a lack of proper validation in the log file reading functionality. This can lead to the unauthorized access of arbitrary files on the underlying file system with the permissions of the web service user. This has been assigned CVE-2022-23409.

ElkArte Forum 1.1.9 – Remote Code Execution (RCE) (Authenticated)

An authenticated remote code execution vulnerability exists in ElkArte Forum version 1.1.9. By uploading a malicious PHP file via the theme installation feature, an attacker can execute arbitrary commands on the server, leading to a compromise of the system.

Apache OFBiz 18.12.12 – Directory Traversal

Apache OFBiz version 18.12.12 and below is vulnerable to directory traversal. An attacker can exploit this vulnerability by sending a crafted XML request to the '/webtools/control/xmlrpc' endpoint, allowing them to access files outside of the web root directory, such as sensitive system files like '/etc/passwd' or executing commands on the server.

PyroCMS v3.0.1 Stored Cross-Site Scripting

An attacker can exploit the vulnerability in PyroCMS v3.0.1 by injecting a malicious payload into the 'Redirect From' field, triggering a stored cross-site scripting (XSS) attack. This could lead to unauthorized access, data theft, and other malicious activities. No CVE has been assigned yet.

Chyrp 2.5.2 – Stored Cross-Site Scripting (XSS)

Chyrp 2.5.2 is vulnerable to stored cross-site scripting (XSS) due to improper sanitization of user-supplied data. An attacker can inject malicious scripts into the 'Title' field, leading to the execution of arbitrary code in the context of the user's browser. This vulnerability has been assigned CVE-ID: N/A.

Cluster Manager Exploitation

The script aims to exploit a vulnerability in a cluster manager by searching for a specific 'Alias' parameter in the href attribute of HTML links. If the parameter is found, the script proceeds with the exploitation process. It utilizes BeautifulSoup for parsing HTML content and requests library for making HTTP requests. The vulnerability can potentially lead to information disclosure.

Recent Exploits: