Exploit Engine
The FortiDAST Scripting Engine (FSE) is a proprietary exploit engine that allows you to detect specific CVE vulnerabilities using built-in signatures covering ZeroShell, WordPress, Joomla, SAP, Java Primefaces, ApacheStruts, Phpunit, Thinkphp, Sharepoint, MSExchange, Apache HTTP Server, Nginx, Allegro, SMB, VMware, GitLab, Zoho, Spring-framework, Atlassian, GLPI, CentOS, Cacti, Microsoft, OpenSSL, Apache Log4J, dotCMS, IIS, and Redis. For more information on exploit engine configuration, see Configuring Exploit Engine.
The following table lists the vulnerabilities supported by FSE. For more information on the vulnerabilities listed in this table, see CVE Details.
CVE | Description
---|---
SAP |
CVE-2015-8840 | The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java.
CVE-2016-3973 | The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5.
CVE-2016-3975 | Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5.
CVE-2018-2366 | SAP Business Process Automation (BPA) By Redwood, 9.0, 9.1.
CVE-2020-6287 | SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40, 7.50.
CVE-2022-22536 | A memory pipes (MPI) de-synchronization vulnerability.
WordPress |
CVE-2018-7422 | A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress.
CVE-2019-9978 | The social-warfare plugin before 3.5.3 for WordPress.
CVE-2014-9119 | Directory traversal vulnerability in download.php in the DB Backup plugin 4.5 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
CVE-2015-1579 | Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.
CVE-2015-6522 | SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the size parameter to get_album_item.php.
CVE-2020-10257 | The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint.
CVE-2020-10564 | A directory traversal in the File Upload plugin before 4.13.0 for WordPress can lead to remote code execution by uploading a crafted txt file into the lib directory, because of a wfu_include_lib call.
CVE-2023-28121 | An authentication bypass vulnerability affecting the WooCommerce Payments plugin versions 4.8.0 through 5.6.1. Successful exploitation of the vulnerability could allow an unauthorized attacker to gain admin privileges on WordPress websites that have the vulnerable version of the plugin installed and enabled.
MS-Exchange |
CVE-2021-26855 | A Server-Side Request Forgery (SSRF) vulnerability.
CVE-2021-33766 | An Information Disclosure vulnerability (ProxyToken).
CVE-2021-34473 | A Remote Code Execution vulnerability (ProxyShell).
CVE-2021-42321 | A high-severity Remote Code Execution vulnerability that occurs due to improper validation of cmdlet arguments.
CVE-2022-41082 | MS Exchange ProxyNotShell Remote Code Execution vulnerability.
Sharepoint |
CVE-2019-0604 | A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package.
CVE-2020-1147 | A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input.
CVE-2020-16952 | A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'.
CVE-2021-31181 | The EditingPageParser.VerifyControlOnSafeList method fails to properly validate user-supplied data. This can be leveraged by an attacker to leak sensitive information in rendered-preview content.
CVE-2020-0646 | A remote code execution vulnerability exists in the Microsoft .NET Framework (versions 3.5 and 4.x); SharePoint servers using vulnerable .NET Frameworks are affected.
CVE-2021-31950 | A Server Spoofing (SSRF) vulnerability.
Joomla! |
CVE-2015-8562 | Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header.
CVE-2023-23752 | An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Apache |
CVE-2006-3747 | Off-by-one error in the LDAP scheme handling in the Rewrite module in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2. When RewriteEngine is enabled, it allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled by certain rewrite rules.
CVE-2017-5638 | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands.
CVE-2021-41773 | A path traversal vulnerability in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
CVE-2021-42013 | It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
CVE-2021-44228 | Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser. The affected products are Apache Struts (2.5.8), Elastic Search (5.0.0-5.6.10, 6.0.0-6.3.2), Apache Solr (7.4.0-7.7.3, 8.0.0-8.11.0), Apache JSPwiki (2.11.0), Apache Druid (0.22), and Apache OFBIZ (18.12.03).
CVE-2021-45046 | The fix to address CVE-2021-44228 (Log4Shell) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments.
Zeroshell |
CVE-2009-0545 (Zeroshell2.0rc2) | cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
CVE-2019-12725 (zeroshell3.9.0) | Zeroshell 3.9.0 is prone to a remote command execution vulnerability. An unauthenticated attacker can exploit this issue by injecting OS commands into the vulnerable parameters.
CVE-2020-29390 (zeroshell3.9.3) | Zeroshell 3.9.3 allows an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character.
PHPUnit |
CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder.
ThinkPHP |
CVE-2018-20062 | NoneCms V1.3: thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code.
SMB |
CVE-2020-0796 | A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
Java PrimeFaces |
CVE-2017-1000486 | A Remote Code Execution vulnerability.
Nginx |
CVE-2009-2629 | Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.
CVE-2014-0133 | Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.
OpenSSL |
CVE-2014-0160 | The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, that is, the Heartbleed bug.
Allegro |
CVE-2014-9222 | Allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the Misfortune Cookie vulnerability.
IIS |
CVE-2017-7269 | Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in IIS 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request.
dotCMS |
CVE-2022-35740 | An XSS filter mechanism bypass was found in dotCMS version 22.05 and below using Matrix Parameters. The XSS filter is an input sanitizer designed by the vendor to minimize CORS attacks, XSS and CSRF vulnerabilities in the administrator portal; by abusing this, an attacker can cause critical compromise.
CVE-2022-37033 | A Server-Side Request Forgery bypass was found in dotCMS version 22.05 and below due to incomplete validation of private addresses. By using a redirection technique, an attacker can request internal server resources.
CVE-2022-37034 | A Denial-of-Service was found in dotCMS version 22.05 and below. The issue is located in TempFileAPI when it tries to access and download the contents of a remote URL. Directing it to access a heavy file using multiple requests at once results in memory exhaustion or DoS.
CVE-2022-37431 | Multiple endpoints were found to be vulnerable to XSS in the dotCMS admin portal. This occurs when the configuration has XSS_PROTECTION_ENABLED=false.
Redis |
CVE-2022-0543 | Redis (Debian version lower than 5:5.0.14-1+deb10u2 (buster) and Debian version lower than 5:6.0.16-1+deb11u2 (bullseye)), a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
VMware |
CVE-2021-21974 | VMware ESXi servers are vulnerable to the OpenSLP heap-overflow vulnerability and are being exploited through OpenSLP (port 427) to deliver a new ransomware, "ESXiArgs". The ransomware encrypts files on affected ESXi servers and demands a ransom for file decryption. This vulnerability can also result in remote code execution, allowing the attacker to gain full control of the target.
CVE-2021-22005 | The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
Cacti |
CVE-2022-46169 | In affected versions of Cacti v1.2.22, a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti. Gaining access to an organization's Cacti instance could give attackers the opportunity to learn about the types of devices on the network and their local IP addresses.
Atlassian |
CVE-2022-26134 | A critical 0-day vulnerability in Atlassian Confluence Data Center and Server is actively being exploited in the wild. The vulnerability is an Object Graph Navigation Language (OGNL) injection that allows an unauthenticated user to execute arbitrary code.
CentOS |
CVE-2022-44877 | A command injection vulnerability that allows remote attackers to easily exploit CWP (Control Web Panel) with a crafted HTTP request, which can result in Remote Code Execution. This vulnerability can be leveraged to perform ransomware attacks or exfiltration of data.
Zoho |
CVE-2021-40539 | APT actors are actively exploiting Zoho ManageEngine ServiceDesk Plus, an IT help desk software with asset management. The exploit is rated critical due to its capability for unauthenticated remote code execution (RCE).
GitLab |
CVE-2021-22205 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser, which resulted in remote command execution.
Spring-framework |
CVE-2022-22963 | In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL expression as a routing-expression that may result in remote code execution and access to local resources.
CVE-2022-22965 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVE-2022-22980 | A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.
GLPI-Project |
CVE-2022-35914 | /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
Microsoft |
CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability.
CVE-2023-32057 | An out-of-bounds write vulnerability in the Message Queuing service of Microsoft Windows. The vulnerability could potentially lead to unauthenticated remote code execution in the Message Queuing service due to the lack of bounds checks when reading user-controlled section sizes.
Realtek |
CVE-2021-35394 | An arbitrary command injection vulnerability in the Realtek Jungle SDK. Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on vulnerable devices, leading to system compromise. Realtek Jungle SDK-based IoT devices are available from multiple vendors.
Tplink |
CVE-2023-1389 | TP-Link Archer AX-21 Command Injection Attack. TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 contain a command injection vulnerability in the web management interface, specifically in the Country field. There is no sanitization of this field, so an attacker can exploit it for malicious activities and gain a foothold. The vulnerability has been seen exploited in the wild to deploy the Mirai botnet.
RocketMQ |
CVE-2023-33246 | A command injection vulnerability that affects Apache RocketMQ versions 5.1 and lower. Successful exploitation of the vulnerability allows a remote attacker to execute commands as the system user under which RocketMQ is running by using the update configuration function.
PaperCut |
CVE-2023-27350 | PaperCut MF/NG Improper Access Control Vulnerability. An unauthenticated attacker can perform Remote Code Execution (RCE) on a vulnerable PaperCut Application Server. According to the vendor, the specific flaw exists within the SetupCompleted class and could be achieved remotely without authentication. This vulnerability has been seen exploited in the wild.
Ivanti |
CVE-2023-35078 | Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core) contains an authentication bypass vulnerability (CVE-2023-35078) that allows unauthenticated access to specific API paths. An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes, including installing software and modifying security profiles on registered devices.