Jun 10, 2024
4.22.2-2024061001
We have updated the version of Metasploit Framework to include new modules and enhancements.
Fixed
- Pro: Fixed an error when importing results from Nexpose.
- Pro: Fixed an error being shown to the user when visiting multiple pages without logging out.
- Pro: Fixed a `User must exist` error message appearing when using the `pro_exploit` command in `msfpro`.
- PR 19209 - Updates multiple file format exploits to show the default settings to users when running `show options`.
- PR 19211 - Fixes an issue where the database management logic would incorrectly default a model's `updated_at` value to the `created_at` value.
- PR 19227 - Fixed an issue in `Moodle::Login.moodle_login` that reported a false negative when logging in with a user's credentials.
Modules
- PR 18646 - Add osx aarch64 exec payload.
- PR 18652 - Add osx aarch64 shell reverse tcp payload.
- PR 18776 - Add osx aarch64 bind tcp payload.
- PR 19103 - This adds an unauthenticated directory traversal and a SQLi exploit against the Jasmin ransomware web panel.
- PR 19150 - Unauthenticated Command Injection Module for Progress Flowmon CVE-2024-2389.
- PR 19151 - Privilege escalation module for Progress Flowmon unpatched feature.
- PR 19208 - This adds an exploit module that leverages a vulnerability in the WordPress Hash Form – Drag & Drop Form Builder plugin (CVE-2024-5084) to achieve remote code execution. Versions up to and including 1.1.0 are vulnerable. This allows unauthenticated attackers to upload arbitrary files, including PHP scripts, due to missing file type validation in the `file_upload_action` function.