This Metasploit module exploits a vulnerability found in Cisco Firepower Management Console. The management system contains a configuration flaw that allows the www user to execute the useradd binary, which can be abused to create backdoor accounts. Authentication is required to exploit this vulnerability.

During a summary code review of Ansible, Computest found and exploited several issues that allow a compromised host to execute commands on the Ansible controller and thus gain access to the other hosts controlled by that controller. Versions 2.1.4 and 2.2.1 are affected.

This documented vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction visiting a Web page or open a specially crafted SWF file, an attacker is able to create an “out of bound” memory corruption. A file with an “ActionRecord” structure that contains an invalid value in “ActionGetURL2” could lead to remote code execution in the context of the current user. Proof of concept code included.

Movie Portal Script version 7.35 suffers from a remote SQL injection vulnerability.

Travel Portal Script version 9.33 suffers from a remote SQL injection vulnerability.

The SIMATIC CP 343-1 Advanced product allows configuration of the IKEv1 cipher suite configuration, which specifies the IKE and Encapsulating Security Payload (ESP) supported algorithms, with one cipher for each setting. It is evaluated that the configuration is not consistent with the supported ciphers that are eventually applied on the IPSec responder of the SIMATIC CP 343-1 Advanced. In fact, regardless of the selected choice for the ESP cipher, it is always possible for the IPSec client to propose, and successfully use, DES, 3DES, AES128 and AES256. This invalidates the potential desire to enforce a stronger cipher, as the client can always decide to use weaker. Siemens SIMATIC CP 343-1 Advanced tested with fw V3.0.44 is affected.

Cobi Tools version 1.0.8 suffers from a malicious script insertion vulnerability that affects the client side application.

Boxoft Wav version 1.1.0.0 suffers from a buffer overflow vulnerability.

Huawei Flybox B660 suffers from a cross site request forgery vulnerability.