RhinoSecurityLabs/CVEs

GitHub

github.com

Releases0

Stars897

Proof-of-Concept exploits for CVEs found by the team at Rhino Security Labs

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2024-23724 ↗	Feb 11, 2024Sunday, 11 February 2024, 01:15	9 CRITICAL	—
Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector."
CVE-2023-47324 ↗	Dec 13, 2023Wednesday, 13 December 2023, 14:15	5.4 MEDIUM	—
Silverpeas Core 6.3.1 is vulnerable to Cross Site Scripting (XSS) via the message/notification feature.
CVE-2023-47323 ↗	Dec 13, 2023Wednesday, 13 December 2023, 14:15	7.5 HIGH	—
The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID parameter. This allows an attacker to read all messages sent between other users; including those sent only to administrators.
CVE-2023-47327 ↗	Dec 13, 2023Wednesday, 13 December 2023, 14:15	4.3 MEDIUM	—
The "Create a Space" feature in Silverpeas Core 6.3.1 is reserved for use by administrators. This function suffers from broken access control, allowing any authenticated user to create a space by navigating to the correct URL.
CVE-2023-47326 ↗	Dec 13, 2023Wednesday, 13 December 2023, 14:15	8.8 HIGH	—
Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) via the Domain SQL Create function.
CVE-2023-47325 ↗	Dec 13, 2023Wednesday, 13 December 2023, 14:15	5.4 MEDIUM	—
Silverpeas Core 6.3.1 administrative "Bin" feature is affected by broken access control. A user with low privileges is able to navigate directly to the bin, revealing all deleted spaces. The user can then restore or permanently delete the spaces.
CVE-2023-47320 ↗	Dec 13, 2023Wednesday, 13 December 2023, 14:15	8.1 HIGH	—
Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access control. This makes the application unavailable to all users. This affects Silverpeas Core 6.3.1 and below.
CVE-2023-47321 ↗	Dec 13, 2023Wednesday, 13 December 2023, 14:15	4.9 MEDIUM	—
Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control via the "Porlet Deployer" which allows administrators to deploy .WAR portlets.
CVE-2023-47322 ↗	Dec 13, 2023Wednesday, 13 December 2023, 14:15	8.8 HIGH	—
The "userModify" feature of Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. If an administrator goes to a malicious URL while being authenticated to the Silverpeas application, the CSRF with execute making the attacker an administrator user in the application.
CVE-2022-25165 ↗	Apr 14, 2022Thursday, 14 April 2022, 16:15	7 HIGH	6.9 MEDIUM
An issue was discovered in Amazon AWS VPN Client 2.0.0. A TOCTOU race condition exists during the validation of VPN configuration files. This allows parameters outside of the AWS VPN Client allow list to be injected into the configuration file prior to the AWS VPN Client service (running as SYSTEM) processing the file. Dangerous arguments can be injected by a low-level user such as log, which allows an arbitrary destination to be specified for writing log files. This leads to an arbitrary file write as SYSTEM with partial control over the files content. This can be abused to cause an elevation of privilege or denial of service.
CVE-2022-25166 ↗	Apr 14, 2022Thursday, 14 April 2022, 16:15	5 MEDIUM	4.3 MEDIUM
An issue was discovered in Amazon AWS VPN Client 2.0.0. It is possible to include a UNC path in the OpenVPN configuration file when referencing file paths for parameters (such as auth-user-pass). When this file is imported and the client attempts to validate the file path, it performs an open operation on the path and leaks the user's Net-NTLMv2 hash to an external server. This could be exploited by having a user open a crafted malicious ovpn configuration file.
CVE-2019-16864 ↗	Feb 14, 2022Monday, 14 February 2022, 20:15	8.8 HIGH	8.5 HIGH
CompleteFTPService.exe in the server in EnterpriseDT CompleteFTP before 12.1.4 allows Remote Code Execution by leveraging a Windows user account that has SSH access. The exec command is always run as SYSTEM.
CVE-2019-9926 ↗	Oct 29, 2019Tuesday, 29 October 2019, 19:15	8.8 HIGH	6.8 MEDIUM
An issue was discovered in LabKey Server 19.1.0. It is possible to force a logged-in administrator to execute code through a /reports-viewScriptReport.view CSRF vulnerability.
CVE-2019-9758 ↗	Oct 29, 2019Tuesday, 29 October 2019, 19:15	5.4 MEDIUM	3.5 LOW
An issue was discovered in LabKey Server 19.1.0. The display name of a user is vulnerable to stored XSS that can execute on administrators from security/permissions.view, security/addUsers.view, or wiki/Administration/page.view in the admin panel, leading to privilege escalation.
CVE-2019-9757 ↗	Oct 29, 2019Tuesday, 29 October 2019, 19:15	7.5 HIGH	5 MEDIUM
An issue was discovered in LabKey Server 19.1.0. Sending an SVG containing an XXE payload to the endpoint visualization-exportImage.view or visualization-exportPDF.view allows local files to be read.
CVE-2018-5757 ↗	Apr 1, 2019Monday, 1 April 2019, 17:29	—	9 HIGH
An issue was discovered on AudioCodes 450HD IP Phone devices with firmware 3.0.0.535.106. The traceroute and ping functionality, which uses a parameter in a request to command.cgi from the Monitoring page in the web UI, unsafely puts user-alterable data directly into an OS command, leading to Remote Code Execution via shell metacharacters in the query string.
CVE-2018-20621 ↗	Mar 13, 2019Wednesday, 13 March 2019, 08:29	—	7.2 HIGH
An issue was discovered in Microvirt MEmu 6.0.6. The MemuService.exe service binary is vulnerable to local privilege escalation through binary planting due to insecure permissions set at install time. This allows code to be run as NT AUTHORITY/SYSTEM.