This Metasploit module exploits an authenticated path traversal vulnerability found in LimeSurvey versions between 4.0 and 4.1.11 with CVE-2020-11455 or less than or equal to 3.15.9 with CVE-2019-9960, inclusive. In CVE-2020-11455 the getZipFile function within the filemanager functionality allows for arbitrary file download. The file retrieved may be deleted after viewing, which was confirmed in testing. In CVE-2019-9960 the szip function within the downloadZip functionality allows for arbitrary file download. Verified against 4.1.11-200316, 3.15.0-181008, 3.9.0-180604, 3.6.0-180328, 3.0.0-171222, and 2.70.0-170921.
9f74526757273c5edcea64339d62718ea0a109843590d25d98a39b5da99e5413This Metasploit module exploits CVE-2020-5791, an OS command injection vulnerability on Nagios XI versions 5.6.0 through 5.7.3 in admin/mibs.php that enables an authenticated user with admin privileges to achieve remote code execution as either the apache user or the www-data user.
5f3ec659fe836f33c81a4956f9541aeece789fd3ec657e3f2f83dc70252319dcNagios XI version 5.7.5 suffers from multiple persistent cross site scripting vulnerabilities.
4febae028f2ec9906d31ce98cffc3f41e96ecccd5a3b2d4ca6eb3d9517b0d893Pandora FMS version 7.0 NG 750 suffers from a remote authenticated SQL injection vulnerability.
94815c26559505298a1cb1fc0a69e0cedbaea0f40be9da21f98b28c6648ad498Pandora FMS version 7.0 NG 749 suffers from a remote SQL injection vulnerability.
253dfa7a3e2d99996a09dec0b093012c662b738d84a7d09ccec7a3e7f7c02a96Nagios XI version 5.7.3 mibs.php remote command injection exploit.
6855f4caf30f9e7751d6594a73e43b55ca31b7b9ddebeacdfa7108721c29da09Nagios XI version 5.7.3 suffers from multiple remote SQL injection vulnerabilities.
82b5072b097cfc9ee8e14516de519e5f967e2c631a1db0b0f42f75a586287ae2Nagios XI version 5.7.3 suffers from a persistent cross site scripting vulnerability.
4fb54bf9b67120af093e8294b8bf12473e68f30bcea96459ee8225a52a579b83LimeSurvey version 4.3.10 suffers from a persistent cross site scripting vulnerability.
cad7a2d628bc94ce40dffb4a6b2b190126d7c4340fcc10dd46b615020e134487osTicket version 1.14.1 has been found to be susceptible to multiple additional persistent cross site scripting vulnerabilities.
ece38dfe0b78b4d12c78d458561067a0b97f2949cd82f199e0d6a0061f46a19dLimeSurvey version 4.1.11 suffers from a persistent cross site scripting vulnerability.
30d939865abf87145843d253320e96f1e28e072f156c8b7e3c9cd97c71aed39aLimeSurvey version 4.1.11 suffers from a Survey Groups persistent cross site scripting vulnerability.
df3e45472fe0c92c7d67f5d5dc0037bf3764a1c3defb70f0ed668401e0954839pfSense version 2.4.4-P3 suffers from a User Manager persistent cross site scripting vulnerability.
57226099c9505a4e67a7f8bfe20c56ced5e7cde849785f5bc51e18f02ff9ce95LimeSurvey version 4.1.11 suffers from a File Manager path traversal vulnerability.
bf5a0e91bdbc5c3f5a359190e6096a3b9eeab16103c3bf4d7cd42dc1a31b6492rConfig version 3.9.4 suffers from a search.crud.php remote command injection vulnerability.
46da4988737c90304318720180a381f97a3554b50c1410cead0b35bc43ad5e5dThis Metasploit module exploits a vulnerability that exists due to a lack of input validation when creating a user. Messages for a given user are stored in a directory partially defined by the username. By creating a user with a directory traversal payload as the username, commands can be written to a given directory. To use this module with the cron exploitation method, run the exploit using the given payload, host, and port. After running the exploit, the payload will be executed within 60 seconds. Due to differences in how cron may run in certain Linux operating systems such as Ubuntu, it may be preferable to set the target to Bash Completion as the cron method may not work. If the target is set to Bash completion, start a listener using the given payload, host, and port before running the exploit. After running the exploit, the payload will be executed when a user logs into the system. For this exploitation method, bash completion must be enabled to gain code execution. This exploitation method will leave an Apache James mail object artifact in the /etc/bash_completion.d directory and the malicious user account.
38aec6cad30d28bc144df66f4ad6d698b59a52c8a529a3cc66391e571ee852c6
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed