This module uses an arbitrary file upload vulnerability, an authentication bypass (which depends on the target version) and a information disclosure vulnerability in order to upload and execute a WAR file in the Tomcat webapps folder. Since the Apache Tomcat server is running with root (SYSTEM in Windows targets) user, the deployed agent will run with the same privileges.
The pdkinstall development plugin is incorrectly enabled in release builds of Atlassian Crowd and Crowd Data Center. An attacker can leverage this vulnerability to install a malicious plugin and execute code in the system.
An unauthenticated attacker can send a malicious SOAP request to the interface WLS AsyncResponseService to execute code on the vulnerable host. The attacker must have network access to the Oracle Weblogic Server T3 interface.
This module exploits a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. The ContactAdministrators action doesn't require authentication but it's not enabled by default. The SendBulkMail does require authentication and the "JIRA Administrators" access level.
The TarArchive class blindly extracts tar archives without checking for directory traversals. An attacker can leverage this vulnerability to execute code in the system.
The Widget Connector macro in Atlassian Confluence Server allows remote attackers to achieve path traversal and remote code execution via server-side template injection.
In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in a memset call gets a negative value. As it is an unsigned value, memset ends up writing up to 0xffffffff zero's (0xffffffffffffffff in 64 bit platforms), making dnsmasq crash.
Heap buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.
CMS Made Simple is vulnerable to an authenticated php command injection, allowing attackers to execute arbitrary php code in the system.
WordPress is prone to an abuse in the Lost Password recovery action. This vulnerability allows remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via an injection crafted in HTTP_HOST request property. The attack will not leave any trace. This exploit installs an OS Agent.