Metasploit Weekly Wrap-up 11/29/2024

New module content (4)


Acronis Cyber Protect/Backup machine info disclosure


Authors: Sandro Tolksdorf of usd AG and h00die-gr3y
Type: Auxiliary
Pull request: #19582 contributed by h00die-gr3y
Path: gather/acronis_cyber_protect_machine_info_disclosure
AttackerKB reference: CVE-2022-3405


Description: Adds an auxiliary module that exploits a sensitive information disclosure caused by an improper authentication vulnerability in Acronis Cyber Protect 15 before build 29486 and Acronis Cyber Backup 12.5 before build 16545.


Strapi CMS Unauthenticated Password Reset


Authors: WackyH4cker and h00die
Type: Auxiliary
Pull request: #19654 contributed by h00die
Path: scanner/http/strapi_3_password_reset
AttackerKB reference: CVE-2019-18818


Description: Adds a module that lets you leverage the mishandling of a password reset request for Strapi CMS version 3.0.0-beta.17.4, which results in the ability to change the password of the admin user.


ProjectSend r1295 - r1605 Unauthenticated Remote Code Execution


Authors: Florent Sicchio, Hugo Clout, and ostrichgolf
Type: Exploit
Pull request: #19531 contributed by ostrichgolf
Path: linux/http/projectsend_unauth_rce


Description: Adds a new exploit module targeting ProjectSend versions r1335 through r1605. The module exploits an improper authorization vulnerability, allowing unauthenticated RCE by manipulating the application's configuration settings.

