2025-08-29 Daily Vulns
NEW:
| CVE | vendor-product | description | metric | Referenceurl | title | GithubURL | |
|---|---|---|---|---|---|---|---|
| CVE-2024-13986 | Nagios - Nagios XI | Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user. | CVSS4.0: 8.7 - HIGH | 0 1 2 | Exploitation: pocAutomatable: yesTechnical Impact: total | Nagios XI Authenticated Arbitrary File Upload Path Traversal RCE | github |
| CVE-2018-25115 | D-Link - DIR-110D-Link - DIR-412D-Link - DIR-600D-Link - DIR-615D-Link - DIR-645D-Link - DIR-815 | Multiple D-Link DIR-series routers, including DIR-110, DIR-412, DIR-600, DIR-610, DIR-615, DIR-645, and DIR-815 firmware version 1.03, contain a vulnerability in the service.cgi endpoint that allows remote attackers to execute arbitrary system commands without authentication. The flaw stems from improper input handling in the EVENT=CHECKFW parameter, which is passed directly to the system shell without sanitization. A crafted HTTP POST request can inject commands that are executed with root privileges, resulting in full device compromise. These router models are no longer supported at the time of assignment and affected version ranges may vary. | CVSS4.0: 10 - CRITICAL | 0 1 2 3 4 | Exploitation: noneAutomatable: yesTechnical Impact: total | D-Link DIR-110/412/600/615/645/815 RCE via service.cgi | github |
This post is licensed under CC BY 4.0 by the author.