The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site. This registration works even when registration has been disabled. This module exploits this vulnerability to add an administrator user to the Joomla database. Notice that this account could need registration confirmation (activation).
An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms. This can be exploited by malicious local attackers to gain SYSTEM privileges on Windows targets.
The new_whitelist.php page in Symantec Web Gateway Management Console allows some specially crafted entries to update the whitelist without proper validation. A lower-privileged but authorized management console user can bypass the whitelist validation using a 'sid' parameter with a value different from zero. This module exploits this vulnerability to inject and execute arbitrary OS commands with the privileges of the 'root' user on the appliance.
This module exploits a race condition vulnerability in the Linux Kernel via MAP_PRIVATE COW. The bug relies in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
SugarCRM is vulnerable due to a user input passed through a request parameter is not properly sanitized before being used in a call to the "unserialize()" function. This can be exploited to inject arbitrary PHP objects into the application scope, and could allow unauthenticated attackers to execute arbitrary PHP code via specially crafted serialized objects. Successful exploitation of this vulnerability requires the application running on PHP before version 5.6.25 or 7.0.10. The attack will not leave any trace. This exploit installs an OS Agent.
Directory traversal vulnerability in Action View in Ruby on Rails allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. Combining this with log injection, remote code execution can be achieved.
phpMyAdmin is prone to a regexp abuse via an eval modifier which can be found in old PHP versions. This vulnerability allows authenticated attackers to run arbitrary php code on the affected server. PHP versions 4.3.0-5.4.6 had a "feature" which allowed users to run a RegExp Pattern Modifier using PREG_REPLACE_EVAL and may lead to execute code. phpMyAdmin had an issue in their code that can be exploited from a table replace call. The general idea is to insert a crafted regexp eval record format, and then trigger it via a find and replace function with system commands For that purpose, the exploit will try to use any existing cookies of that host, or the username and password provided. Once logged in, if the user provided a database, it will be used. If not, we will search for existing databases. The attack will not leave any trace. This exploit installs an OS Agent.
Subscribe to Linux