Serendipity 2.5.0 allows remote attackers to execute arbitrary code via crafted input in the filename parameter of the mediaFileUpload action in serendipity_admin.php. This vulnerability was discovered by Ahmet Ümit BAYRAM on 26.04.2024.
MolyX BOARD 2.5.0 is vulnerable to local file inclusion. The 'lang' parameter of 'index.php' is used to build the path of a file to include without being validated, so an attacker can supply relative path traversal sequences ('../') and include files outside the intended language directory, such as '/etc/passwd'; any file the web server process can read is exposed this way.
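Both the Serendipity upload issue and the MolyX BOARD inclusion issue come down to trusting a user-controlled path component. The following is an added example (not code from either project or from the original advisories) of the two server-side checks a practitioner would expect: reducing an upload name to a safe basename with an extension allow-list, and confining a 'lang' value to a fixed directory. The directory roots, the language set and the extension lists are assumptions chosen for illustration.

```python
import os
import re
import unicodedata
from typing import Optional, Set

# Constructed roots standing in for an application's upload and language
# directories; they need not exist for the checks below to run.
UPLOAD_ROOT = "/var/www/app/uploads"
LANG_ROOT = "/var/www/app/lang"

# Server-side executable extensions that must never survive into the upload
# directory, checked against every dotted segment so "shell.php.jpg" fails too.
FORBIDDEN_EXT = {".php", ".phtml", ".php3", ".php5", ".phar", ".htaccess"}
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}

# Languages the application actually ships (assumed set).
AVAILABLE_LANGS = {"en", "de", "fr", "tr"}


def sanitize_upload_filename(name: str) -> Optional[str]:
    """Reduce a user-supplied upload filename to a safe basename, or None."""
    # Keep only the last path component, for both separator styles.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Remove NUL bytes before anything else: "shell.php\x00.jpg" passes a naive
    # extension check but is truncated to "shell.php" by C-based file APIs.
    name = name.replace("\x00", "")
    # Fold Unicode look-alikes so the character allow-list below is meaningful.
    name = unicodedata.normalize("NFKC", name)
    # Conservative character set; everything else becomes "_".
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).strip(". ")
    if not name:
        return None
    exts = ["." + p for p in name.lower().split(".")[1:]]
    if not exts or any(e in FORBIDDEN_EXT for e in exts):
        return None
    if exts[-1] not in ALLOWED_EXT:
        return None
    return name


def is_within(root: str, path: str) -> bool:
    """True if path, after symlink and '..' resolution, lies inside root."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return os.path.commonpath([root, path]) == root


def resolve_lang_file(lang: str,
                      allowed: Optional[Set[str]] = AVAILABLE_LANGS) -> Optional[str]:
    """Map the 'lang' request parameter to a file under LANG_ROOT, or None.

    The allow-list is the real fix; the containment check is kept as defence in
    depth (pass allowed=None to watch it reject traversal on its own)."""
    if "\x00" in lang:          # null-byte truncation trick in older PHP
        return None
    if allowed is not None and lang not in allowed:
        return None
    candidate = os.path.join(LANG_ROOT, lang + ".php")
    return os.path.realpath(candidate) if is_within(LANG_ROOT, candidate) else None
```

Note that the containment check alone still lets an attacker pick any file that happens to live under the language directory; the allow-list is what limits the parameter to the files the application means to load.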
AnyDesk installs as a Windows service whose executable path contains spaces but is not quoted, and the service runs with SYSTEM privileges. When Windows starts such a service it tries each space-delimited prefix of the path as the executable name, so an authenticated but non-privileged local user who can plant a binary at one of those locations could have it executed as SYSTEM. Exploitation requires write access to one of the directories along the path; the default ACLs on C:\ and C:\Program Files deny that to standard users, so the practical impact depends on the install location and on any ACL changes made to it.
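To make the search behaviour concrete, here is an added example (not AnyDesk's code and not taken from the original advisory) that models how Windows resolves an unquoted service path: it lists the executables that would be tried before the real one, the directories whose ACLs therefore need auditing, and the quoted form the ImagePath should be set to. The sample ImagePath is a constructed illustration of a service installed under "Program Files (x86)", not a registry dump.

```python
import ntpath
from typing import List, Optional, Tuple

# Constructed ImagePath: a service under a space-containing directory, unquoted.
EXAMPLE_IMAGE_PATH = r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service"


def split_unquoted_image_path(image_path: str) -> Optional[Tuple[str, str]]:
    """Split an unquoted ImagePath into (executable, arguments), taking the
    first space-delimited prefix that ends in .exe as the executable.
    Returns None for a quoted path, which is unambiguous and needs no fix."""
    path = image_path.strip()
    if path.startswith('"'):
        return None
    parts = path.split(" ")
    for i in range(1, len(parts) + 1):
        head = " ".join(parts[:i])
        if ntpath.splitext(head)[1].lower() == ".exe":
            return head, " ".join(parts[i:])
    return path, ""


def hijack_candidates(image_path: str) -> List[str]:
    """Executables the service control manager would try, in order, before it
    reaches the real binary. CreateProcess cuts the string at each space and
    appends .exe to a fragment that has no extension."""
    split = split_unquoted_image_path(image_path)
    if split is None:
        return []
    exe, _ = split
    parts = exe.split(" ")
    out = []
    for i in range(1, len(parts)):          # every proper prefix of the exe path
        head = " ".join(parts[:i])
        if not ntpath.splitext(head)[1]:
            head += ".exe"
        out.append(head)
    return out


def directories_to_audit(image_path: str) -> List[str]:
    """Parent directories in which a standard user must not be able to create
    files. If any of them is writable, the unquoted path is exploitable."""
    seen: List[str] = []
    for cand in hijack_candidates(image_path):
        d = ntpath.dirname(cand)
        if d not in seen:
            seen.append(d)
    return seen


def quoted_image_path(image_path: str) -> str:
    """Remediation: the same command line with the executable quoted."""
    split = split_unquoted_image_path(image_path)
    if split is None:
        return image_path
    exe, args = split
    return f'"{exe}"' + (f" {args}" if args else "")


if __name__ == "__main__":
    print(hijack_candidates(EXAMPLE_IMAGE_PATH))
    print(directories_to_audit(EXAMPLE_IMAGE_PATH))
    print(quoted_image_path(EXAMPLE_IMAGE_PATH))
```

On a real host the input comes from `sc qc <ServiceName>` or from the PathName column of `Get-CimInstance Win32_Service`; for the sample path the only directory to audit is the drive root, which is exactly why default ACLs make most unquoted-path findings low impact in practice.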
LuxCal Web Calendar versions 2.4.2 and 2.5.0 are vulnerable to SQL injection: user-supplied input from a specially crafted HTTP request is incorporated into a SQL query without parameterisation or proper escaping, so an attacker can change the structure of the query the application executes. This can allow an attacker to read sensitive information stored in the database.
A Cross-Site Request Forgery (CSRF, also written XSRF) vulnerability in Super Multimedia Library 2.5.0 allows an attacker to add an administrator account. The attacker hosts a page containing a hidden HTML form that targets the add-user action and submits it automatically; when a logged-in administrator visits that page, the browser sends the request with the administrator's session cookie, and because the application performs no check that the request originated from its own pages (no anti-CSRF token or Origin/Referer validation), the specified user is created.
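The following is an added example, not Super Multimedia Library's code, that simulates the exchange above in plain Python: an add-user handler that only looks at the session cookie, the hardened version with a synchronizer token and an Origin check, and the forged request a victim's browser would send. The application origin, the form field names and the action URL in the attacker page are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed origin of the application; used to validate Origin/Referer.
APP_ORIGIN = "https://library.example"


@dataclass
class Request:
    method: str
    form: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    user: str
    is_admin: bool
    # Per-session synchronizer token, rendered into the app's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed in-memory state: one logged-in administrator.
SESSIONS: Dict[str, Session] = {"sid-admin-1": Session("admin", True)}


def session_for(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get("sid", ""))


def add_user_vulnerable(req: Request, users: Dict[str, dict]) -> bool:
    """The pattern behind the advisory: the only gate is the session cookie,
    which the browser attaches to a cross-site form post automatically."""
    sess = session_for(req)
    if req.method != "POST" or sess is None or not sess.is_admin:
        return False
    users[req.form["username"]] = {"password": req.form["password"],
                                   "role": req.form.get("role", "user")}
    return True


def same_origin(req: Request) -> bool:
    """Origin (or, failing that, Referer) must name the application itself;
    comparing scheme+host exactly defeats 'library.example.attacker.example'."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def add_user_hardened(req: Request, users: Dict[str, dict]) -> bool:
    sess = session_for(req)
    if req.method != "POST" or sess is None or not sess.is_admin:
        return False
    # Synchronizer token: present in the form and equal (constant-time) to the
    # session's token. A page on another origin cannot read it.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess.csrf_token.encode()):
        return False
    # Defence in depth: reject requests that did not originate from our pages.
    if not same_origin(req):
        return False
    users[req.form["username"]] = {"password": req.form["password"],
                                   "role": req.form.get("role", "user")}
    return True


# Constructed attacker page (assumed action URL): a hidden, self-submitting form.
ATTACKER_PAGE = """<form id="f" method="POST" action="https://library.example/admin/add_user">
  <input type="hidden" name="username" value="backdoor">
  <input type="hidden" name="password" value="hunter2">
  <input type="hidden" name="role" value="admin">
</form><script>document.getElementById("f").submit()</script>"""

# What the victim's browser sends after loading that page: the attacker's form
# fields, the victim's cookie added by the browser, and the attacker's Origin.
FORGED = Request(
    method="POST",
    form={"username": "backdoor", "password": "hunter2", "role": "admin"},
    cookies={"sid": "sid-admin-1"},
    headers={"Origin": "https://attacker.example"},
)


def legitimate_request() -> Request:
    """The same action submitted from the application's own admin form."""
    sess = SESSIONS["sid-admin-1"]
    return Request("POST",
                   {"username": "carol", "password": "pw", "role": "user",
                    "csrf_token": sess.csrf_token},
                   cookies={"sid": "sid-admin-1"},
                   headers={"Origin": APP_ORIGIN})
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a further layer: the browser then omits the cookie from a cross-site top-level POST, so even the vulnerable handler would see an unauthenticated request.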
Tandis CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
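Both the LuxCal and the Tandis CMS entries describe the same root cause: request input pasted into SQL text. The following is an added example, not code from either product, using a constructed SQLite user table to show the vulnerable query beside its parameterised form and what two typical inputs do to each: an always-true predicate that returns every row, and a UNION that lifts a column the query was never meant to expose. Table layout, row values and payloads are all constructed for the example.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[int, str, int]


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for a CMS or calendar user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                 "password_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users (name, password_hash, is_admin) VALUES (?, ?, ?)",
        [("admin", "$2b$12$constructed-hash-admin", 1),
         ("alice", "$2b$12$constructed-hash-alice", 0),
         ("bob", "$2b$12$constructed-hash-bob", 0)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Row]:
    """The pattern the advisories describe: request input is pasted into the
    SQL text, so a quote in the input changes the statement's structure."""
    sql = "SELECT id, name, is_admin FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Parameterised query: the driver passes the value separately from the
    statement, so it is only ever compared as a string."""
    return conn.execute(
        "SELECT id, name, is_admin FROM users WHERE name = ?", (name,)).fetchall()


# Constructed payloads of the two kinds the advisories' impact implies.
BYPASS = "' OR '1'='1"
DUMP_HASH = ("x' UNION SELECT id, password_hash, is_admin "
             "FROM users WHERE name = 'admin' -- ")


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bypass :", find_user_vulnerable(db, BYPASS))
    print("vulnerable, union  :", find_user_vulnerable(db, DUMP_HASH))
    print("safe, bypass       :", find_user_safe(db, BYPASS))
    print("safe, union        :", find_user_safe(db, DUMP_HASH))
```

The UNION payload only works because the attacker can match the column count and types of the original SELECT, which is why error messages and column counts are among the first things probed in a real assessment; the parameterised version returns nothing for both payloads because no user is literally named that way.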