A directory traversal vulnerability in the WebResourceServiceImpl class of org.sonatype.nexus.internal.webresources allows unauthenticated remote attackers to download any file, including system files outside of Sonatype Nexus Repository Manager application scope. This module exploits the directory traversal to download the file specified in the "FILE PATH" parameter and to save it locally in the location specified in the "OUTPUT PATH" parameter.
This module uses a server side template injection vulnerability in CrushFTP to check if the target is vulnerable to CVE-2024-4040 . If the target is vulnerable, the module will download the specified file and log several server variables.
An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as
This module exploits an OS Command Injection to deploy an agent in Jetbrains TeamCity. The vulnerability is in the handleRequestInternal method of the BaseController class which allows bypass of authentication in HTTP requests with a path that return a 404 response and that contain an HTTP parameter named jsp. The path must end with the ".jsp" string and cannot contain the "admin/" string.
This module exploits an OS Command Injection to deploy an agent in Jetbrains TeamCity. The vulnerability is in the handleRequestInternal method of the BaseController class which allows bypass of authentication in HTTP requests with a path that return a 404 response and that contain an HTTP parameter named jsp. The path must end with the ".jsp" string and cannot contain the "admin/" string.
This vulnerability allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system by exploiting a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents. This could expose sensitive information and compromise the integrity of the system. This exploit does not install any agent.
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
Wordpress POST SMPT Plugin is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.
This module exploits a OGNL injection vulnerability present in the text-inline.vm file of Atlassian Confluence. The deployed agent will run with the confluence user privileges in linux and with NT AUTHORITY\\NETWORK SERVICE in windows.
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.