In GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation, because property names are unsafely evaluated as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly applied to simple feature types as well, which makes this vulnerability apply to all GeoServer instances. To exploit this vulnerability, this module sends a malicious XPath expression that, after being processed by the commons-jxpath library, allows us to deploy an agent.
Deserialization of the System.Runtime.Remoting.ObjRef .NET class type in Veeam Backup and Replication allows unauthenticated remote attackers to execute system commands in the context of the NT AUTHORITY\SYSTEM user.
A directory traversal vulnerability in the WhatsUp.ExportUtilities.Export.GetFileWithoutZip method of Progress WhatsUp Gold allows unauthenticated remote attackers to write arbitrary files to the system, leading to execution of system commands in the context of the IIS APPPOOL\NmConsole user.
This module chains together three vulnerabilities to deploy a Core Impact agent with root privileges. The first vulnerability, CVE-2023-46805, is used to obtain the exact version of Ivanti Connect Secure installed on the system. Next, the module exploits a second vulnerability, CVE-2024-21893, which allows the attacker to access certain restricted resources without authentication by leveraging a flaw in the SAML component. Finally, the module uses a third vulnerability, CVE-2024-21887, which enables remote code execution with elevated privileges in the management component, facilitating the injection and execution of the Core Impact agent with root privileges. This update also fixes a duplicated CVE in the module output.
A server-side request forgery (SSRF) vulnerability has been identified in the SAML component of Ivanti Connect Secure (versions 9.x and 22.x), Ivanti Policy Secure (versions 9.x and 22.x), and Ivanti Neurons for ZTA. This vulnerability, designated CVE-2024-21893, allows an attacker to access restricted resources without authentication.
An XML External Entity Reference and a heap buffer overflow in the iconv() function of the GNU C Library allow unauthenticated remote attackers to execute system commands in Magento eCommerce Web Sites. This update adds module documentation and fixes some errors.
An XML External Entity Reference and a heap buffer overflow in the iconv() function of the GNU C Library allow unauthenticated remote attackers to execute system commands in Magento eCommerce Web Sites.
An SQL Injection vulnerability in the Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
A combination of a server-side request forgery vulnerability and an arbitrary file write vulnerability allows unauthenticated attackers to execute commands with SYSTEM privileges in Microsoft Exchange Server.
This update adds several parameters for module flexibility and more log verbosity on errors, and fixes a bug when using autodiscover to retrieve the email SID.
CVE-2024-21887
An authenticated user can exploit a command injection vulnerability in the web components of Ivanti Connect Secure and Policy Secure (9.x and 22.x) to execute arbitrary commands.
CVE-2023-46805 is an authentication bypass vulnerability in the web component of Ivanti Connect Secure. This vulnerability allows an attacker to bypass control checks and access restricted resources. It affects all supported versions of Ivanti ICS and Policy Secure 9.x and 22.x.