Exploit Engine
The FortiDAST Scripting Engine (FSE) is a proprietary exploit engine that allows you to detect specific CVE vulnerabilities using built-in signatures covering ZeroShell, WordPress, Joomla, SAP, Java Primefaces, ApacheStruts, Phpunit, Thinkphp, Sharepoint, MSExchange, Apache HTTP Server, Nginx, Allegro, SMB, VMware, GitLab, Zoho, Spring-framework, Atlassian, GLPI, CentOS, Cacti, Microsoft, OpenSSL, Apache Log4J, dotCMS, IIS, DVR, Telerik, SolarView, NetScaler, ColdFusion, JetBrains, Palo Alto, C-DATA, Check Point, ConnectWise, D-Link, PHP, Rejetto, ServiceNow, SolarWinds, GeoServer, CrushFTP, Apache Kafka, Apache OFBiz, and Redis. For more information on exploit engine configuration, see Configuring Exploit Engine.
The following table lists the vulnerabilities supported by FSE. For more information on the vulnerabilities listed in this table, see CVE Details.
CVE | Description
---|---
SAP |
CVE-2015-8840 | The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java.
CVE-2016-3973 | The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5.
CVE-2016-3975 | Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5.
CVE-2018-2366 | SAP Business Process Automation (BPA) By Redwood, 9.0, 9.1.
CVE-2020-6287 | SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40, 7.50.
CVE-2022-22536 | A memory pipes (MPI) de-synchronization vulnerability.
WordPress |
CVE-2018-7422 | A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress.
CVE-2019-9978 | The social-warfare plugin before 3.5.3 for WordPress.
CVE-2014-9119 | Directory traversal vulnerability in download.php in the DB Backup plugin 4.5 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
CVE-2015-1579 | Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.
CVE-2015-6522 | SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the size parameter to get_album_item.php.
CVE-2020-10257 | The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint.
CVE-2020-10564 | A directory traversal in the File Upload plugin before 4.13.0 for WordPress can lead to remote code execution by uploading a crafted txt file into the lib directory, because of a wfu_include_lib call.
CVE-2023-28121 | An authentication bypass vulnerability affecting the WooCommerce Payments plugin versions 4.8.0 through 5.6.1. Successful exploitation could allow an unauthorized attacker to gain admin privileges on WordPress websites running a vulnerable version of the plugin.
CVE-2023-6961 | The WP Meta SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 4.5.12 due to insufficient input sanitization and output escaping.
CVE-2024-2194 | A cross-site scripting vulnerability in WP Statistics for WordPress. The vulnerability is due to improper validation of user input. A remote, unauthenticated attacker could exploit it by sending a crafted request to the target server; successful exploitation could result in arbitrary script execution.
MS-Exchange |
CVE-2021-26855 | A Server-Side Request Forgery (SSRF) vulnerability.
CVE-2021-33766 | An Information Disclosure vulnerability (ProxyToken).
CVE-2021-34473 | A Remote Code Execution vulnerability (ProxyShell).
CVE-2021-42321 | A high severity Remote Code Execution vulnerability that occurs due to improper validation of cmdlet arguments.
CVE-2022-41082 | MS Exchange ProxyNotShell Remote Code Execution vulnerability.
Sharepoint |
CVE-2019-0604 | A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package.
CVE-2020-1147 | A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input.
CVE-2020-16952 | A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'.
CVE-2021-31181 | The EditingPageParser.VerifyControlOnSafeList method fails to properly validate user-supplied data. This can be leveraged by an attacker to leak sensitive information in rendered-preview content.
CVE-2020-0646 | A remote code execution vulnerability exists in the Microsoft .NET Framework (versions 3.5 and 4.x); SharePoint servers running vulnerable .NET Framework versions are affected.
CVE-2021-31950 | A Server Spoofing (SSRF) vulnerability.
Joomla! |
CVE-2015-8562 | Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header.
CVE-2023-23752 | An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
Apache |
CVE-2006-3747 | Off-by-one error in the LDAP scheme handling in the Rewrite module in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.
CVE-2017-5638 | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands.
CVE-2021-41773 | A path traversal vulnerability in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
CVE-2021-42013 | It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
CVE-2021-44228 | Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser. Affected products include Apache Struts (2.5.8), Elasticsearch (5.0.0-5.6.10, 6.0.0-6.3.2), Apache Solr (7.4.0-7.7.3, 8.0.0-8.11.0), Apache JSPWiki (2.11.0), Apache Druid (0.22), and Apache OFBiz (18.12.03).
CVE-2021-45046 | The fix to address CVE-2021-44228 (Log4Shell) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments.
Zeroshell |
CVE-2009-0545 (Zeroshell2.0rc2) | cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
CVE-2019-12725 (zeroshell3.9.0) | Zeroshell 3.9.0 is prone to a remote command execution vulnerability. An unauthenticated attacker can exploit this issue by injecting OS commands into the vulnerable parameters.
CVE-2020-29390 (zeroshell3.9.3) | Zeroshell 3.9.3 allows an unauthenticated attacker to execute a system command by using shell metacharacters and the %0a character.
PHPUnit |
CVE-2017-9841 | Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder.
ThinkPHP |
CVE-2018-20062 | NoneCms V1.3: thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code.
SMB |
CVE-2020-0796 | A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
Java PrimeFaces |
CVE-2017-1000486 | A Remote Code Execution vulnerability.
Nginx |
CVE-2009-2629 | Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.
CVE-2014-0133 | Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.
OpenSSL |
CVE-2014-0160 | The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, that is, the Heartbleed bug.
Allegro |
CVE-2014-9222 | Allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the Misfortune Cookie vulnerability.
IIS |
CVE-2017-7269 | Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in IIS 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request.
dotCMS |
CVE-2022-35740 | An XSS filter bypass was found in dotCMS version 22.05 and below using Matrix Parameters. The XSS filter is an input sanitizer designed by the vendor to minimize CORS, XSS and CSRF vulnerabilities in the administrator portal; by abusing this, an attacker can cause a critical compromise.
CVE-2022-37033 | A Server-Side Request Forgery bypass was found in dotCMS version 22.05 and below due to incomplete validation of private addresses. By using a redirection technique, an attacker can request internal server resources.
CVE-2022-37034 | A Denial-of-Service was found in dotCMS version 22.05 and below. The issue is located in TempFileAPI when it tries to access and download the contents of a remote URL. Directing it to access a heavy file using multiple requests at once results in memory exhaustion or DoS.
CVE-2022-37431 | Multiple endpoints were found to be vulnerable to XSS in the dotCMS admin portal. This occurs when the configuration has XSS_PROTECTION_ENABLED=false.
Redis |
CVE-2022-0543 | Redis (Debian version lower than 5:5.0.14-1+deb10u2 (buster) and Debian version lower than 5:6.0.16-1+deb11u2 (bullseye)), a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
VMware |
CVE-2021-21974 | VMware ESXi servers are vulnerable to an OpenSLP heap-overflow vulnerability and are being exploited through OpenSLP on port 427 to deliver the "ESXiArgs" ransomware. The ransomware encrypts files on affected ESXi servers and demands a ransom for file decryption. This vulnerability can also result in remote code execution, allowing the attacker to gain full control of the target.
CVE-2021-22005 | The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
CVE-2023-20887 | Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.
Cacti |
CVE-2022-46169 | In affected versions of Cacti v1.2.22, a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti. Gaining access to an organization's Cacti instance could give attackers the opportunity to learn about the types of devices on the network and their local IP addresses.
Atlassian |
CVE-2022-26134 | A critical zero-day vulnerability in Atlassian Confluence Data Center and Server that is actively being exploited in the wild. The vulnerability is an Object Graph Navigation Language (OGNL) injection that allows an unauthenticated user to execute arbitrary code.
CentOS |
CVE-2022-44877 | A command injection vulnerability that allows remote attackers to easily exploit CWP (Control Web Panel) with a crafted HTTP request, which can result in Remote Code Execution. This vulnerability can be leveraged to perform ransomware attacks or data exfiltration.
Zoho |
CVE-2021-40539 | APT actors are actively exploiting Zoho ManageEngine ServiceDesk Plus, an IT help desk product with asset management. The vulnerability is rated critical because it allows unauthenticated remote code execution (RCE).
GitLab |
CVE-2021-22205 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser, which resulted in remote command execution.
Spring-framework |
CVE-2022-22963 | In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
CVE-2022-22965 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVE-2022-22980 | A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.
GLPI-Project |
CVE-2022-35914 | /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
Microsoft |
CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability.
CVE-2023-32057 | An out-of-bounds write vulnerability in the Message Queuing service of Microsoft Windows. It could lead to unauthenticated remote code execution in the Message Queuing service because of missing bounds checks when reading user-controlled section sizes.
Realtek |
CVE-2021-35394 | An arbitrary command injection vulnerability in the Realtek Jungle SDK. Successful exploitation allows a remote attacker to execute arbitrary code on vulnerable devices, leading to system compromise. IoT devices based on the Realtek Jungle SDK are available from multiple vendors.
TP-Link |
CVE-2023-1389 | TP-Link Archer AX21 command injection. TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 contain a command injection vulnerability in the web management interface, specifically in the Country field. There is no sanitization of this field, so an attacker can exploit it and gain a foothold. The vulnerability has been seen exploited in the wild to deploy the Mirai botnet.
RocketMQ |
CVE-2023-33246 | A command injection vulnerability that affects Apache RocketMQ versions 5.1 and lower. Successful exploitation allows a remote attacker to execute commands as the system user under which RocketMQ is running by using the update configuration function.
PaperCut |
CVE-2023-27350 | PaperCut MF/NG improper access control vulnerability. An unauthenticated attacker can achieve Remote Code Execution (RCE) on a vulnerable PaperCut Application Server. According to the vendor, the flaw exists within the SetupCompleted class and can be reached remotely without authentication. It has been seen exploited in the wild.
Ivanti |
CVE-2023-35078 | Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core) contains an authentication bypass vulnerability (CVE-2023-35078) that allows unauthenticated access to specific API paths. An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes, including installing software and modifying security profiles on registered devices.
CVE-2024-21893 | A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure.
CVE-2024-22024 | An XML external entity injection (XXE) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateway.
DVR |
CVE-2018-9995 | Authentication bypass vulnerability in various TBK DVR4104 and DVR4216 devices, allowing attackers to gain administrative access without proper credentials.
ColdFusion |
CVE-2023-26360 | Critical improper access control vulnerability in Adobe ColdFusion, enabling potential remote code execution by unauthenticated attackers.
CVE-2024-20767 | ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures, gain unauthorized access to sensitive files, and perform arbitrary file system writes.
CVE-2023-29298 | Adobe ColdFusion is affected by an Improper Access Control vulnerability that could result in a security feature bypass.
CVE-2023-38205 |
NetScaler |
CVE-2023-4966 | Citrix NetScaler ADC and Gateway vulnerability allowing sensitive information disclosure, potentially including user session tokens.
Telerik |
CVE-2017-11317 | Vulnerability in the Telerik UI for ASP.NET AJAX component that allows attackers to upload arbitrary files or execute code due to weak encryption in the RadAsyncUpload feature.
SolarView |
CVE-2022-29303 | A command injection vulnerability in SolarView Compact ver. 6.00 (conf_mail.php) allows attackers to execute arbitrary code on the affected system.
CVE-2022-40881 | SolarView Compact 6.00 was discovered to contain a command injection vulnerability via network_test.php.
JetBrains |
CVE-2023-42793 | Critical authentication bypass in JetBrains TeamCity on-premises servers, potentially allowing unauthenticated remote code execution.
CVE-2024-27198 | In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing admin actions to be performed was possible.
Palo Alto |
CVE-2024-3400 | A command injection as a result of an arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
C-DATA |
CVE-2022-4257 | A vulnerability was found in the C-DATA Web Management System affecting some unknown processing of the file cgi-bin/jumpto.php of the component GET Parameter Handler. Manipulation of the argument hostname leads to argument injection.
Check Point |
CVE-2024-24919 | A vulnerability potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with Remote Access VPN or Mobile Access Software Blades.
ConnectWise |
CVE-2024-1709 | ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
D-Link |
CVE-2024-3273 | A vulnerability classified as critical was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. Manipulation of the argument system leads to command injection.
CVE-2021-40655 | This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.
CVE-2014-100005 | Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators.
PHP |
CVE-2024-4577 | An argument injection vulnerability in PHP, specifically Windows-based PHP used in CGI mode, that can be exploited to achieve remote code execution (RCE).
Rejetto |
CVE-2024-23692 | Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to template injection.
ServiceNow |
CVE-2024-5217 | Incomplete input validation in GlideExpression Script. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform.
CVE-2024-4879 | Jelly Template Injection vulnerability in UI macros that could enable an unauthenticated user to remotely execute code within the context of the Now Platform.
SolarWinds |
CVE-2024-28995 | A directory traversal vulnerability in SolarWinds Serv-U that is being actively exploited in the wild. The vulnerability is due to improper validation of user-supplied input.
CrushFTP |
CVE-2024-4040 | A zero-day vulnerability in the CrushFTP enterprise file-transfer software. It allows unauthenticated remote attackers to read files outside the VFS sandbox, gain administrative access, and perform remote code execution on the server.
GeoServer |
CVE-2024-36401 | The vulnerability is due to a lack of input validation when handling requests. A remote, unauthenticated attacker can exploit it by sending maliciously crafted requests to the vulnerable server. Successful exploitation could result in arbitrary code execution in the security context of the application.
CVE-2022-24816 | Code injection in the jt-jiffle extension of GeoServer.
Apache Kafka |
CVE-2023-52251 | KAFKA UI arbitrary code injection. The vulnerability is due to insufficient sanitizing of user-supplied input in the application. A remote attacker may be able to exploit this to execute arbitrary code within the context of the application.
CVE-2024-32030 | KAFKA UI Remote Code Execution.
Apache OFBiz |
CVE-2024-36104 | A Path Traversal vulnerability in Apache OFBiz that exposes endpoints to unauthenticated users, who could leverage it to achieve remote code execution via specially crafted requests.
CVE-2024-38856 | An Incorrect Authorization vulnerability, meaning that an unauthenticated user can access restricted functionality.