## MobileIron MDM Hessian-Based Java Deserialization RCE

Our very own wvu-r7 has added exploits/linux/http/mobileiron_mdm_hessian_rce, which exploits an ACL bypass in MobileIron MDM products to execute a Java deserialization attack using a Groovy gadget against a Hessian-based endpoint. MDM helps organizations manage and control all employees' devices, which requires it to be publicly reachable to synchronize devices, making it an appealing target. This exploit has been included on the U.S. National Security Agency's list of vulnerabilities known to be exploited by Chinese state-sponsored threat actors. More information about this exploit can be found here.

## PEAR Archive_Tar < 1.4.11 Arbitrary File Write

exploits/multi/fileformat/archive_tar_arb_file_write has been added by gwillcox-r7, which adds support for CVE-2020-28949. CVE-2020-28949 is a vulnerability which affects the Archive_Tar plugin of the PEAR PHP development framework and is caused by Archive_Tar's lack of validation of file stream wrappers contained within filenames, which allows the writing of an arbitrary file containing user-controlled content to an arbitrary location on disk.

## Micro Focus UCMDB Java Deserialization Unauthenticated Remote Code Execution

Community contributor Pedro Ribeiro has added exploits/multi/http/microfocus_ucmdb_unauth_deser, which exploits two vulnerabilities, CVE-2020-11853 and CVE-2020-11854, that when chained allow an attacker to achieve unauthenticated remote code execution in Micro Focus UCMDB. CVE-2020-11854 is the use of a hardcoded password for the "diagnostics" user, which allows attackers to log into UCMDB.
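The Archive_Tar issue above comes down to trusting the name stored in a tar entry. The block below is an added example, not Archive_Tar's code or part of the Metasploit module: a small entry-name audit in Python that reads an archive with the standard `tarfile` module and flags the name shapes an extractor must never hand to the filesystem layer, namely stream-wrapper schemes (`scheme://`), absolute paths, drive letters and `..` traversal. The helper names (`entry_name_problem`, `audit_tar`, `build_sample_tar`) and the sample archive it builds are constructed for this illustration; the hostile entry names are placeholders, not anything taken from the exploit.

```python
import io
import re
import tarfile

# Hypothetical validator (added example, not Archive_Tar's own code).
# Anything that looks like a URL scheme at the start of a name is a stream
# wrapper candidate; a plain tar entry name never legitimately carries one.
WRAPPER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def entry_name_problem(name: str):
    """Return a short reason if `name` is unsafe to extract, else None."""
    if name == "":
        return "empty name"
    if "\x00" in name:
        return "embedded NUL"
    if WRAPPER_RE.match(name):
        return "stream wrapper scheme in name"
    if name.startswith("/") or name.startswith("\\"):
        return "absolute path"
    if DRIVE_RE.match(name):
        return "drive letter"
    # Normalise separators, then look for a parent-directory component.
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    if ".." in parts:
        return "parent-directory traversal"
    return None


def audit_tar(data: bytes):
    """Return {entry_name: reason} for every unsafe entry in a tar blob.

    Only the headers are inspected; nothing is extracted.
    """
    problems = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            reason = entry_name_problem(member.name)
            if reason is not None:
                problems[member.name] = reason
    return problems


def build_sample_tar() -> bytes:
    """Constructed archive: one benign entry and three hostile names."""
    names = [
        "docs/readme.txt",                 # fine
        "file:///tmp/placeholder.txt",     # constructed wrapper-style name
        "../../etc/placeholder",           # constructed traversal
        "/abs/path.txt",                   # constructed absolute path
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"sample content\n"
            info = tarfile.TarInfo(name)   # addfile() keeps the name verbatim
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample_tar()).items():
        print(f"REJECT {name!r}: {reason}")
```

The check runs before any write happens, which is the property the vulnerable versions lacked: the decision about where a file lands is made from the sanitised name, not from whatever the archive author placed in the header.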