This repo contains writeups/references for CVEs I've found. Severity ratings are my own.
Software | Vulnerabilities | Details |
---|---|---|
Traccar (GPS Tracking Platform) | CVE-2024-31214 (CRITICAL): RCE via file upload (unauth when self-registration is enabled, which is on by default). | GitHub Advisory: https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9 |
ChatGPT Next Web (AI Assistant) | CVE-2023-49785 (CRITICAL): Unauth Full-Read SSRF | Writeup: https://www.horizon3.ai/attack-research/attack-blogs/nextchat-an-ai-chatbot-that-lets-you-talk-to-anyone-you-want-to/ |
HuggingFace Gradio (AI/ML Demo Tool) | CVE-2023-51449 (HIGH): Unauth LFI | GitHub Advisory: https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2 |
NextGen Mirth Connect (Healthcare Data Integration Platform) | CVE-2023-43208 (CRITICAL): Unauth RCE in Mirth Connect < 4.4.1 via Java XStream deserialization, patch bypass for a previously reported vuln. | Writeup: https://www.horizon3.ai/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/ |
PaperCut (Printer Management) | CVE-2023-39143 (CRITICAL): Unauth path traversal to file upload/RCE chain in PaperCut Windows versions < 22.1.3 | Writeup: https://www.horizon3.ai/writeup-for-cve-2023-39143-papercut-webdav-vulnerability/ |
Apache Superset | CVE-2023-27524 (CRITICAL): Insecure Default Configuration of Flask SECRET_KEY that allows unauthenticated attackers to takeover the admin account, affecting Superset < 2.1 CVE-2023-30776 (MEDIUM): Privileged users can see database credentials in cleartext, affecting Superset 1.3.0 to 2.0.1 CVE-2023-39265 and CVE-2023-37941 (HIGH): Admin RCE chain through exposure of internal Superset configuration database and pickle deserialization RCE, affecting Superset < 2.1.1 |
Writeup: https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/ Writeup: https://www.horizon3.ai/apache-superset-part-ii-rce-credential-harvesting-and-more/ POC: https://github.com/horizon3ai/CVE-2023-27524 |
ManageEngine ADAudit Plus | CVE-2022-28219 (CRITICAL): Unauth XXE to file upload/deserialization RCE chain in ADAudit Plus < 7060 | Writeup: https://www.horizon3.ai/red-team-blog-cve-2022-28219/ POC: https://github.com/horizon3ai/CVE-2022-28219 |
ResourceSpace (Digital Asset Management) | CVE-2021-41765 (CRITICAL): Unauth SQLi to RCE chain in ResourceSpace 9.5/9.6 CVE-2021-41950 (HIGH): Unauth arbitrary file deletion in ResourceSpace <= 9.6 CVE-2021-41951 (MEDIUM): Unauth reflected XSS in ResourceSpace <= 9.6, user interaction required |
Writeup: https://www.horizon3.ai/multiple-vulnerabilities-in-resourcespace/ |
Zabbix | CVE-2021-27927 (HIGH): Unauth CSRF to RCE chain using an attacker controlled LDAP server to update the server's authentication settings, user interaction required | Writeup: https://www.horizon3.ai/cve-2021-27927-csrf-to-rce-chain-in-zabbix/ |
LibreNMS (Network Monitoring) | CVE-2020-35700 (HIGH): Authenticated (low-privilege) second-order SQLi in LibreNMS < 21.1.0 | Writeup: https://www.horizon3.ai/cve-2020-35700-exploiting-a-second-order-sql-injection-in-librenms-21-1-0/ |
Acquia Mautic (Marketing Automation) | CVE-2020-35124 and CVE-2020-35125 (CRITICAL): Unauth persistent XSS to RCE chain in Mautic < 3.24, user interaction required | Writeup: https://www.horizon3.ai/unauthenticated-xss-to-remote-code-execution-chain-in-mautic-3-2-4/ |
OrangeHRM (Human Resource Management) | CVE-2020-29437 (HIGH): Authenticated (low-privilege) SQLi in OrangeHRM < 4.6.0.1 | Writeup: https://www.horizon3.ai/cve-2020-29437-authenticated-sql-injection-in-orangehrm-4-6-0-1/ |
petl (Python ETL Library) | CVE-2020-29128 (HIGH): XXE in petl < 1.68 | Writeup: https://github.com/nvn1729/advisories/blob/master/cve-2020-29128.md |
Eramba (Governance, Risk, and Compliance Platform) | CVE-2020-28031 (MEDIUM): Host header injection leading to authenticated full read SSRF/LFI in versions of Eramba < c2.8.1. | An authenticated, low privilege user can alter the Host header to render and download arbitrary documents using the wkhtml2pdf PDF printer. |