Increase Coverage of Trending CVEs

[princechaddha]

In this issue, we aim to expand the coverage of Trending CVEs in the nuclei-templates repository. These include CVEs that are currently being actively exploited or have been exploited in the past gaining significant attention in the security community.

By contributing to this effort, you will play a vital role in enhancing the overall effectiveness of vulnerability scanning and strengthening the security posture of the entire community.

We highly appreciate your involvement and eagerly look forward to your valuable contributions! To contribute, please refer to our Contribution Guide and explore the Nuclei Templates Documentation for further guidance.

If you require any assistance with writing templates or have questions about contributing, feel free to join our Discord server. Our community members will be more than happy to help you.

Trending CVEs

• CVE ID: CVE-2022-41082

  Details

  Description:

  Microsoft Exchange Server Remote Code Execution Vulnerability.

  PoC:

  http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html

  Reference:

  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41082

• CVE ID: CVE-2022-41040

  Details

  Description:

  Microsoft Exchange Server Elevation of Privilege Vulnerability.

  PoC:

  http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html

  Reference:

  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41040

• CVE ID: CVE-2021-42697

  Details

  Description:

  Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.

  PoC:

  http://packetstormsecurity.com/files/167018/Akka-HTTP-10.1.14-Denial-Of-Service.html

  Reference:

  https://akka.io/blog/

• CVE ID: CVE-2021-41182

  Details

  Description:

  jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.

  PoC:

  GHSA-9gj3-hwp5-pmwc

  Reference:

  https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/

• CVE ID: CVE-2021-34523

  Details

  Description:

  Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33768, CVE-2021-34470.

  PoC:

  http://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html

  Reference:

  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34523

• CVE ID: CVE-2021-31207

  Details

  Description:

  Microsoft Exchange Server Security Feature Bypass Vulnerability

  PoC:

  http://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html

  Reference:

  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31207

• CVE ID: CVE-2021-27065

  Details

  Description:

  Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27078.

  PoC:

  http://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html

  Reference:

  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065

• CVE ID: CVE-2021-23337

  Details

  Description:

  Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

  PoC:

  https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932

  Reference:

  https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf

• CVE ID: CVE-2021-26722

  Details

  Description:

  LinkedIn Oncall through 1.4.0 allows reflected XSS via /query because of mishandling of the "No results found for" message in the search bar.

  PoC:

  [CVE-2021-26722] Reflected Cross-Site Scripting in search bar. linkedin/oncall#341

  Reference:

  null

• CVE ID: CVE-2021-21239

  Details

  Description:

  PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. PySAML2 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly to only use only x509 certificates for the verification process of the SAML document signature. This is fixed in PySAML2 6.5.0.

  PoC:

  https://www.aleksey.com/pipermail/xmlsec/2013/009717.html

  Reference:

  IdentityPython/pysaml2@46578df

• CVE ID: CVE-2020-8264

  Details

  Description:

  In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

  PoC:

  https://hackerone.com/reports/904059

  Reference:

  https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ

• CVE ID: CVE-2020-35946

  Details

  Description:

  An issue was discovered in the All in One SEO Pack plugin before 3.6.2 for WordPress. The SEO Description and Title fields are vulnerable to unsanitized input from a Contributor, leading to stored XSS.

  PoC:

  https://wpscan.com/vulnerability/10320

  Reference:

  null

• CVE ID: CVE-2020-11993

  Details

  Description:

  Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

  PoC:

  http://packetstormsecurity.com/files/160393/Apache-2-HTTP2-Module-Concurrent-Pool-Usage.html

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html

• CVE ID: CVE-2020-11984

  Details

  Description:

  Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

  PoC:

  http://packetstormsecurity.com/files/159009/Apache2-mod_proxy_uwsgi-Incorrect-Request-Handling.html

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html

• CVE ID: CVE-2020-8203

  Details

  Description:

  Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

  PoC:

  https://hackerone.com/reports/712065

  Reference:

  https://github.com/lodash/lodash/issues/4874

• CVE ID: CVE-2020-11022

  Details

  Description:

  In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

  PoC:

  http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html

• CVE ID: CVE-2020-11023

  Details

  Description:

  In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

  PoC:

  http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html

• CVE ID: CVE-2020-10568

  Details

  Description:

  The sitepress-multilingual-cms (WPML) plugin before 4.3.7-b.2 for WordPress has CSRF due to a loose comparison. This leads to remote code execution in includes/class-wp-installer.php via a series of requests that leverage unintended comparisons of integers to strings.

  PoC:

  https://medium.com/@arall/sitepress-multilingual-cms-wplugin-wpml-4-3-7-b-2-9c9486c13577

  Reference:

  null

• CVE ID: CVE-2013-3587

  Details

  Description:

  The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.

  PoC:

  http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407

  Reference:

  http://breachattack.com/

• CVE ID: CVE-2020-0688

  Details

  Description:

  A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

  PoC:

  http://packetstormsecurity.com/files/156592/Microsoft-Exchange-2019-15.2.221.12-Remote-Code-Execution.html

  Reference:

  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

• CVE ID: CVE-2019-20372

  Details

  Description:

  NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

  PoC:

  https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00013.html

• CVE ID: CVE-2019-18935

  Details

  Description:

  Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)

  PoC:

  https://github.com/bao7uo/RAU_crypto

  Reference:

  http://packetstormsecurity.com/files/155720/Telerik-UI-Remote-Code-Execution.html

• CVE ID: CVE-2019-10216

  Details

  Description:

  In ghostscript before version 9.50, the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.

  PoC:

  http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b85ddd19

  Reference:

  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10216

• CVE ID: CVE-2019-10768

  Details

  Description:

  In AngularJS before 1.7.9 the function merge() could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.

  PoC:

  https://snyk.io/vuln/SNYK-JS-ANGULAR-534884

  Reference:

  https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E

• CVE ID: CVE-2019-11043

  Details

  Description:

  In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

  PoC:

  https://bugs.php.net/bug.php?id=78599

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html

• CVE ID: CVE-2017-18635

  Details

  Description:

  An XSS vulnerability was discovered in noVNC before 0.6.2 in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.

  PoC:

  https://www.shielder.it/blog/exploiting-an-old-novnc-xss-cve-2017-18635-in-openstack/

  Reference:

  https://access.redhat.com/errata/RHSA-2020:0754

• CVE ID: CVE-2019-12922

  Details

  Description:

  A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page.

  PoC:

  http://packetstormsecurity.com/files/154483/phpMyAdmin-4.9.0.1-Cross-Site-Request-Forgery.html

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00078.html

• CVE ID: CVE-2019-16222

  Details

  Description:

  WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

  PoC:

  https://wpvulndb.com/vulnerabilities/9867

  Reference:

  https://core.trac.wordpress.org/changeset/45997

• CVE ID: CVE-2019-14811

  Details

  Description:

  A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

  PoC:

  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html

• CVE ID: CVE-2019-10081

  Details

  Description:

  HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.

  PoC:

  https://httpd.apache.org/security/vulnerabilities_24.html

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html

• CVE ID: CVE-2019-12572

  Details

  Description:

  A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client 1.0.2 (build 02363) for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges. On startup, the PIA Windows service (pia-service.exe) loads the OpenSSL library from %PROGRAMFILES%\Private Internet Access\libeay32.dll. This library attempts to load the C:\etc\ssl\openssl.cnf configuration file which does not exist. By default on Windows systems, authenticated users can create directories under C:. A low privileged user can create a C:\etc\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine library resulting in arbitrary code execution as SYSTEM when the service starts.

  PoC:

  https://blog.mirch.io/2019/06/10/cve-2019-12572-pia-windows-privilege-escalation-malicious-openssl-engine/

  Reference:

  null

• CVE ID: CVE-2019-11508

  Details

  Description:

  In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an authenticated attacker (via the admin web interface) can exploit Directory Traversal to execute arbitrary code on the appliance.

  PoC:

  https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/

  Reference:

  http://www.securityfocus.com/bid/108073

• CVE ID: CVE-2019-11542

  Details

  Description:

  In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, an authenticated attacker (via the admin web interface) can send a specially crafted message resulting in a stack buffer overflow.

  PoC:

  https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/

  Reference:

  http://www.securityfocus.com/bid/108073

• CVE ID: CVE-2019-11540

  Details

  Description:

  In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4 and 8.3RX before 8.3R7.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2 and 5.4RX before 5.4R7.1, an unauthenticated, remote attacker can conduct a session hijacking attack.

  PoC:

  https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/

  Reference:

  http://www.securityfocus.com/bid/108073

• CVE ID: CVE-2019-11539

  Details

  Description:

  In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure version 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1, the admin web interface allows an authenticated attacker to inject and execute commands.

  PoC:

  https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/

  Reference:

  http://packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html

• CVE ID: CVE-2019-11538

  Details

  Description:

  In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1, an NFS problem could allow an authenticated attacker to access the contents of arbitrary files on the affected device.

  PoC:

  https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/

  Reference:

  http://www.securityfocus.com/bid/108073

• CVE ID: CVE-2019-0211

  Details

  Description:

  In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

  PoC:

  http://packetstormsecurity.com/files/152441/CARPE-DIEM-Apache-2.4.x-Local-Privilege-Escalation.html

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html

• CVE ID: CVE-2019-0215

  Details

  Description:

  In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

  PoC:

  https://lists.apache.org/thread.html/2d6bd429a0ba9af1580da896575cfca6e42bb05e7536562d4b095fcf@%3Ccvs.httpd.apache.org%3E

  Reference:

  http://www.openwall.com/lists/oss-security/2019/04/02/4

• CVE ID: CVE-2019-9193

  Details

  Description:

  ** DISPUTED ** In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.

  PoC:

  https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

  Reference:

  http://packetstormsecurity.com/files/152757/PostgreSQL-COPY-FROM-PROGRAM-Command-Execution.html

• CVE ID: CVE-2019-5420

  Details

  Description:

  A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.

  PoC:

  http://packetstormsecurity.com/files/152704/Ruby-On-Rails-DoubleTap-Development-Mode-secret_key_base-Remote-Code-Execution.html

  Reference:

  https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw

• CVE ID: CVE-2019-9787

  Details

  Description:

  WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

  PoC:

  https://blog.ripstech.com/2019/wordpress-csrf-to-rce/

  Reference:

  http://www.securityfocus.com/bid/107411

• CVE ID: CVE-2019-9641

  Details

  Description:

  An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.

  PoC:

  https://bugs.php.net/bug.php?id=77509

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html

• CVE ID: CVE-2019-9023

  Details

  Description:

  An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.

  PoC:

  https://bugs.php.net/bug.php?id=77370

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html

• CVE ID: CVE-2019-9021

  Details

  Description:

  An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c.

  PoC:

  https://bugs.php.net/bug.php?id=77247

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html

• CVE ID: CVE-2019-9020

  Details

  Description:

  An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.

  PoC:

  https://bugs.php.net/bug.php?id=77242

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html

• CVE ID: CVE-2019-8331

  Details

  Description:

  In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

  PoC:

  https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E

  Reference:

  http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html

• CVE ID: CVE-2018-19858

  Details

  Description:

  PrinceXML, versions 10 and below, is vulnerable to XXE due to the lack of protection against external entities. If an attacker passes HTML referencing an XML file (e.g., in an IFRAME element), PrinceXML will fetch the XML and parse it, thus giving an attacker file-read access and full-fledged SSRF.

  PoC:

  https://hacking.us.com/blog/XSS-to-XXE-in-Prince/

  Reference:

  https://www.lynxsecurity.io/

• CVE ID: CVE-2019-1003000

  Details

  Description:

  A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM.

  PoC:

  http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.html

  Reference:

  http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming

• CVE ID: CVE-2016-10735

  Details

  Description:

  In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

  PoC:

  XSS in data-target attribute twbs/bootstrap#20184

  Reference:

  https://access.redhat.com/errata/RHBA-2019:1076

• CVE ID: CVE-2018-19370

  Details

  Description:

  A Race condition vulnerability in unzip_file in admin/import/class-import-settings.php in the Yoast SEO (wordpress-seo) plugin before 9.2.0 for WordPress allows an SEO Manager to perform command execution on the Operating System via a ZIP import.

  PoC:

  Yoast/wordpress-seo@3bfa70a

  Reference:

  https://wordpress.org/plugins/wordpress-seo/#developers

• CVE ID: CVE-2018-16509

  Details

  Description:

  An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction.

  PoC:

  http://seclists.org/oss-sec/2018/q3/142

  Reference:

  http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5516c614dc33662a2afdc377159f70218e67bde5

• CVE ID: CVE-2018-15473

  Details

  Description:

  OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

  PoC:

  https://www.exploit-db.com/exploits/45210/

  Reference:

  http://www.openwall.com/lists/oss-security/2018/08/15/5

• CVE ID: CVE-2018-14042

  Details

  Description:

  In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

  PoC:

  XSS possible in data-container property of tooltip twbs/bootstrap#26628

  Reference:

  http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html

• CVE ID: CVE-2018-14041

  Details

  Description:

  In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

  PoC:

  XSS possible in data-target property of scrollspy twbs/bootstrap#26627

  Reference:

  http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html

• CVE ID: CVE-2018-14040

  Details

  Description:

  In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

  PoC:

  XSS possible in collapse data-parent attribute twbs/bootstrap#26625

  Reference:

  http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html

• CVE ID: CVE-2018-12895

  Details

  Description:

  WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

  PoC:

  http://packetstormsecurity.com/files/164633/WordPress-4.9.6-Arbitrary-File-Deletion.html

  Reference:

  http://www.securityfocus.com/bid/104569

• CVE ID: CVE-2018-6389

  Details

  Description:

  In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.

  PoC:

  https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html

  Reference:

  http://www.securityfocus.com/bid/103060

• CVE ID: CVE-2018-5950

  Details

  Description:

  Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL.

  PoC:

  http://packetstormsecurity.com/files/159761/Mailman-2.1.23-Cross-Site-Scripting.html

  Reference:

  http://www.securityfocus.com/bid/104594

• CVE ID: CVE-2012-6708

  Details

  Description:

  jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

  PoC:

  https://bugs.jquery.com/ticket/11290

  Reference:

  http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html

• CVE ID: CVE-2017-16842

  Details

  Description:

  Cross-site scripting (XSS) vulnerability in admin/google_search_console/class-gsc-table.php in the Yoast SEO plugin before 5.8.0 for WordPress allows remote attackers to inject arbitrary web script or HTML.

  PoC:

  https://packetstormsecurity.com/files/145080/WordPress-Yoast-SEO-Cross-Site-Scripting.html

  Reference:

  https://plugins.trac.wordpress.org/changeset/1766831/wordpress-seo/trunk/admin/google_search_console/class-gsc-table.php

• CVE ID: CVE-2017-15277

  Details

  Description:

  ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette.

  PoC:

  https://github.com/neex/gifoeb

  Reference:

  ImageMagick/ImageMagick@9fd10cf

• CVE ID: CVE-2017-7679

  Details

  Description:

  In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.

  PoC:

  https://github.com/gottburgm/Exploits/tree/master/CVE-2017-7679

  Reference:

  http://www.debian.org/security/2017/dsa-3896

• CVE ID: CVE-2017-5868

  Details

  Description:

  CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to session_start/.

  PoC:

  http://www.openwall.com/lists/oss-security/2017/05/23/13

  Reference:

  http://www.securitytracker.com/id/1038547

• CVE ID: CVE-2017-8295

  Details

  Description:

  WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

  PoC:

  https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html

  Reference:

  http://www.debian.org/security/2017/dsa-3870

• CVE ID: CVE-2017-3066

  Details

  Description:

  Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.

  PoC:

  https://www.exploit-db.com/exploits/43993/

  Reference:

  http://www.securityfocus.com/bid/98003

• CVE ID: CVE-2016-7103

  Details

  Description:

  Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

  PoC:

  XSS Vulnerability on closeText option of Dialog jQuery UI jquery/api.jqueryui.com#281

  Reference:

  http://rhn.redhat.com/errata/RHSA-2016-2932.html

• CVE ID: CVE-2016-10045

  Details

  Description:

  The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

  PoC:

  http://packetstormsecurity.com/files/140286/PHPMailer-Remote-Code-Execution.html

  Reference:

  http://openwall.com/lists/oss-security/2016/12/28/1

• CVE ID: CVE-2016-1247

  Details

  Description:

  The nginx package before 1.6.2-5+deb8u3 on Debian jessie, the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before 1.10.1-0ubuntu1.1 on Ubuntu 16.10, and the nginx ebuild before 1.10.2-r3 on Gentoo allow local users with access to the web server user account to gain root privileges via a symlink attack on the error log.

  PoC:

  http://packetstormsecurity.com/files/139750/Nginx-Debian-Based-Distros-Root-Privilege-Escalation.html

  Reference:

  http://seclists.org/fulldisclosure/2016/Nov/78

• CVE ID: CVE-2012-6692

  Details

  Description:

  Cross-site scripting (XSS) vulnerability in js/wp-seo-metabox.js in the WordPress SEO by Yoast plugin before 2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the post_title parameter to wp-admin/post-new.php, which is not properly handled in the snippet preview functionality.

  PoC:

  http://packetstormsecurity.com/files/132294/WordPress-Yoast-2.1.1-Cross-Site-Scripting.html

  Reference:

  http://www.securityfocus.com/bid/75196

• CVE ID: CVE-2015-1635

  Details

  Description:

  HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."

  PoC:

  http://packetstormsecurity.com/files/131463/Microsoft-Windows-HTTP.sys-Proof-Of-Concept.html

  Reference:

  http://www.securityfocus.com/bid/74013

• CVE ID: CVE-2015-2791

  Details

  Description:

  The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php.

  PoC:

  http://klikki.fi/adv/wpml.html

  Reference:

  http://www.securityfocus.com/archive/1/534862/100/0/threaded

• CVE ID: CVE-2014-9427

  Details

  Description:

  sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.

  PoC:

  https://bugs.php.net/bug.php?id=68618

  Reference:

  http://advisories.mageia.org/MGASA-2015-0040.html

• CVE ID: CVE-2010-5312

  Details

  Description:

  Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

  PoC:

  http://bugs.jqueryui.com/ticket/6016

  Reference:

  http://rhn.redhat.com/errata/RHSA-2015-0442.html

• CVE ID: CVE-2014-7829

  Details

  Description:

  Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818.

  PoC:

  https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ

  Reference:

  http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html

• CVE ID: CVE-2014-0224

  Details

  Description:

  OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

  PoC:

  https://www.imperialviolet.org/2014/06/05/earlyccs.html

  Reference:

  http://aix.software.ibm.com/aix/efixes/security/openssl_advisory9.asc

• CVE ID: CVE-2014-0160

  Details

  Description:

  The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

  PoC:

  http://www.exploit-db.com/exploits/32745

  Reference:

  http://advisories.mageia.org/MGASA-2014-0165.html

• CVE ID: CVE-2013-6837

  Details

  Description:

  Cross-site scripting (XSS) vulnerability in the setTimeout function in js/jquery.prettyPhoto.js in prettyPhoto 3.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted PATH_INTO to the default URI.

  PoC:

  http://cxsecurity.com/issue/WLB-2013110149

  Reference:

  http://themeforest.net/forums/thread/security-vulnerability-affecting-prettyphoto-jquery-script/181180

• CVE ID: CVE-2013-2249

  Details

  Description:

  mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.

  PoC:

  http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/session/mod_session_dbd.c?r1=1409170&r2=1488158&diff_format=h

  Reference:

  http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10698

• CVE ID: CVE-2013-1896

  Details

  Description:

  mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI.

  PoC:

  http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?r1=1482522&r2=1485668&diff_format=h

  Reference:

  http://lists.opensuse.org/opensuse-updates/2013-08/msg00026.html

• CVE ID: CVE-2011-4969

  Details

  Description:

  Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

  PoC:

  jquery/jquery@db9e023

  Reference:

  http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/

• CVE ID: CVE-2012-4000

  Details

  Description:

  Cross-site scripting (XSS) vulnerability in the print_textinputs_var function in editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php in FCKeditor 2.6.7 and earlier allows remote attackers to inject arbitrary web script or HTML via textinputs array parameters.

  PoC:

  http://disse.cting.org/blog/2012/06/22/fckeditor-reflected-xss-vulnerability/

  Reference:

  http://www.debian.org/security/2012/dsa-2522

• CVE ID: CVE-2012-2904

  Details

  Description:

  player.swf in LongTail JW Player 5.9 allows remote attackers to conduct cross-site scripting (XSS) attacks to inject arbitrary web script or HTML via multiple "javascript:" sequences in the debug parameter.

  PoC:

  http://developer.longtailvideo.com/trac/ticket/1585

  Reference:

  https://exchange.xforce.ibmcloud.com/vulnerabilities/75672

• CVE ID: CVE-2011-5000

  Details

  Description:

  The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant.

  PoC:

  http://seclists.org/fulldisclosure/2011/Aug/2

  Reference:

  http://rhn.redhat.com/errata/RHSA-2012-0884.html

• CVE ID: CVE-2012-0031

  Details

  Description:

  scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function.

  PoC:

  http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/

  Reference:

  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041

• CVE ID: CVE-2011-2461

  Details

  Description:

  Cross-site scripting (XSS) vulnerability in the Adobe Flex SDK 3.x and 4.x before 4.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.

  PoC:

  http://packetstormsecurity.com/files/131376/Magento-eCommerce-Vulnerable-Adobe-Flex-SDK.html

  Reference:

  http://blog.mindedsecurity.com/2015/03/the-old-is-new-again-cve-2011-2461-is.html

• CVE ID: CVE-2011-4317

  Details

  Description:

  The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign) character and a : (colon) character in invalid positions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368.

  PoC:

  http://thread.gmane.org/gmane.comp.apache.devel/46440

  Reference:

  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041

• CVE ID: CVE-2011-3368

  Details

  Description:

  The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

  PoC:

  http://web.archiveorange.com/archive/v/ZyS0hzECD5zzb2NkvQlt

  Reference:

  http://kb.juniper.net/JSA10585

• CVE ID: CVE-2011-3348

  Details

  Description:

  The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.

  PoC:

  http://community.jboss.org/message/625307

  Reference:

  http://httpd.apache.org/security/vulnerabilities_22.html#2.2.21

• CVE ID: CVE-2011-3192

  Details

  Description:

  The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.

  PoC:

  http://seclists.org/fulldisclosure/2011/Aug/175

  Reference:

  http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0285.html

• CVE ID: CVE-2010-4755

  Details

  Description:

  The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.

  PoC:

  http://cxib.net/stuff/glob-0day.c

  Reference:

  http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c#rev1.13.12.1

• CVE ID: CVE-2010-4478

  Details

  Description:

  OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252.

  PoC:

  http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf

  Reference:

  http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673

• CVE ID: CVE-2003-1582

  Details

  Description:

  Microsoft Internet Information Services (IIS) 6.0, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue.

  PoC:

  http://www.securityfocus.com/archive/1/313867

  Reference:

  null

• CVE ID: CVE-2008-5100

  Details

  Description:

  The strong name (SN) implementation in Microsoft .NET Framework 2.0.50727 relies on the digital signature Public Key Token embedded in the pathname of a DLL file instead of the digital signature of this file itself, which makes it easier for attackers to bypass Global Assembly Cache (GAC) and Code Access Security (CAS) protection mechanisms, aka MSRC ticket MSRC8566gs.

  PoC:

  http://www.applicationsecurity.co.il/LinkClick.aspx?fileticket=ycIS1bewMBI%3d&tabid=161&mid=555

  Reference:

  http://securityreason.com/securityalert/4605

[geeknik]

Will supplemental background data, like the trending locations and causes, be provided so we can adopt it as groundwork for continued exploration into the flaw(s)?

[princechaddha]

@geeknik We've compiled this information from various sources, including cvetrends and Twitter. However, due to recent modifications in the Twitter API, this is no longer feasible.

[geeknik]

I have something written which could be used for CVE enrichment but as-is only shows the most X recent CVE. I could probably modify it to sort by trending instead, using various sources. If you’re open to it.