nvn1729/advisories
Advisories

This repo contains writeups/references for CVEs I've found. Severity ratings are my own.

| Software | Vulnerabilities | Details |
|---|---|---|
| Traccar (GPS Tracking Platform) | CVE-2024-31214 (CRITICAL): RCE via file upload (unauthenticated when self-registration is enabled, which is on by default). | GitHub Advisory: https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9 |
| ChatGPT Next Web (AI Assistant) | CVE-2023-49785 (CRITICAL): Unauthenticated full-read SSRF. | Writeup: https://www.horizon3.ai/attack-research/attack-blogs/nextchat-an-ai-chatbot-that-lets-you-talk-to-anyone-you-want-to/ |
| HuggingFace Gradio (AI/ML Demo Tool) | CVE-2023-51449 (HIGH): Unauthenticated LFI. | GitHub Advisory: https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2 |
| NextGen Mirth Connect (Healthcare Data Integration Platform) | CVE-2023-43208 (CRITICAL): Unauthenticated RCE in Mirth Connect < 4.4.1 via Java XStream deserialization; a patch bypass for a previously reported vulnerability. | Writeup: https://www.horizon3.ai/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/ |
| PaperCut (Printer Management) | CVE-2023-39143 (CRITICAL): Unauthenticated path traversal to file upload/RCE chain in PaperCut Windows versions < 22.1.3. | Writeup: https://www.horizon3.ai/writeup-for-cve-2023-39143-papercut-webdav-vulnerability/ |
| Apache Superset | CVE-2023-27524 (CRITICAL): Insecure default configuration of the Flask SECRET_KEY that allows unauthenticated attackers to take over the admin account, affecting Superset < 2.1.<br><br>CVE-2023-30776 (MEDIUM): Privileged users can see database credentials in cleartext, affecting Superset 1.3.0 to 2.0.1.<br><br>CVE-2023-39265 and CVE-2023-37941 (HIGH): Admin RCE chain through exposure of the internal Superset configuration database and pickle deserialization RCE, affecting Superset < 2.1.1. | Writeup: https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/<br><br>Writeup: https://www.horizon3.ai/apache-superset-part-ii-rce-credential-harvesting-and-more/<br><br>POC: https://github.com/horizon3ai/CVE-2023-27524 |
| ManageEngine ADAudit Plus | CVE-2022-28219 (CRITICAL): Unauthenticated XXE to file upload/deserialization RCE chain in ADAudit Plus < 7060. | Writeup: https://www.horizon3.ai/red-team-blog-cve-2022-28219/<br><br>POC: https://github.com/horizon3ai/CVE-2022-28219 |
| ResourceSpace (Digital Asset Management) | CVE-2021-41765 (CRITICAL): Unauthenticated SQLi to RCE chain in ResourceSpace 9.5/9.6.<br><br>CVE-2021-41950 (HIGH): Unauthenticated arbitrary file deletion in ResourceSpace <= 9.6.<br><br>CVE-2021-41951 (MEDIUM): Unauthenticated reflected XSS in ResourceSpace <= 9.6, user interaction required. | Writeup: https://www.horizon3.ai/multiple-vulnerabilities-in-resourcespace/ |
| Zabbix | CVE-2021-27927 (HIGH): Unauthenticated CSRF to RCE chain using an attacker-controlled LDAP server to update the server's authentication settings, user interaction required. | Writeup: https://www.horizon3.ai/cve-2021-27927-csrf-to-rce-chain-in-zabbix/ |
| LibreNMS (Network Monitoring) | CVE-2020-35700 (HIGH): Authenticated (low-privilege) second-order SQLi in LibreNMS < 21.1.0. | Writeup: https://www.horizon3.ai/cve-2020-35700-exploiting-a-second-order-sql-injection-in-librenms-21-1-0/ |
| Acquia Mautic (Marketing Automation) | CVE-2020-35124 and CVE-2020-35125 (CRITICAL): Unauthenticated persistent XSS to RCE chain in Mautic < 3.24, user interaction required. | Writeup: https://www.horizon3.ai/unauthenticated-xss-to-remote-code-execution-chain-in-mautic-3-2-4/ |
| OrangeHRM (Human Resource Management) | CVE-2020-29437 (HIGH): Authenticated (low-privilege) SQLi in OrangeHRM < 4.6.0.1. | Writeup: https://www.horizon3.ai/cve-2020-29437-authenticated-sql-injection-in-orangehrm-4-6-0-1/ |
| petl (Python ETL Library) | CVE-2020-29128 (HIGH): XXE in petl < 1.68. | Writeup: https://github.com/nvn1729/advisories/blob/master/cve-2020-29128.md |
| Eramba (Governance, Risk, and Compliance Platform) | CVE-2020-28031 (MEDIUM): Host header injection leading to authenticated full-read SSRF/LFI in versions of Eramba < c2.8.1. An authenticated, low-privilege user can alter the Host header to render and download arbitrary documents using the wkhtml2pdf PDF printer. | |
