This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.
Apache Unomi allows conditions to use OGNL and MVEL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.
In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible
This module uses an unauthenticated file upload vulnerability via uploadova plugin in VMware vCenter Server to upload and extract a TAR file. This TAR file contains a path traversal that allows writing files at arbitraries locations. In the vulnerable 6.5.X and 6.7.X (build 13010631 and lower) versions of VMware vCenter Server, a JSP file is deployed to gain arbitrary code execution. In the vulnerable 6.7.X (build 13643870 and greater) and 7.X versions, a file with public keys are uploaded to the vsphere-ui user home directory and then used to deploy an agent via SSH. Notice that in 6.7.X versions SSH access is disabled by default.
SolarWinds Orion is prone to a remote vulnerability that allows unauthenticated attackers to execute system commands. Using the lack of permissions that the Collector Service set on its private queues, it is possible to remotely send messages that will be deserialized allowing to execute commands as SYSTEM.
This module exploits a file disclosure vulnerability in Pulse Connect Secure SSL VPN which allows an unauthenticated attacker to download system files through specially crafted HTTP resource requests.
A remote code execution vulnerability exists in Windows when the DNS Server component fails to properly handle certain types of request.
This module first exploits a server side request forgery vulnerability present in Microsoft.Exchange.HttpProxy of Microsoft Exchange Server to bypass authentication. Then an arbitrary file write vulnerability present in WriteFileActivity of Microsoft.Exchange.Management.ControlPanel.DIService is used to deploy a .aspx file and execute commands. The deployed agent will run with the SYSTEM privileges.
This module exploits a path traversal vulnerability in the FortiOS SSL VPN web portal which allows an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.