RDPGuard 9.9.9 allows privilege escalation by executing arbitrary code via a crafted .bat file in the Tools > Custom Actions / Notifications menu, leading to a reverse shell as NT AUTHORITY\SYSTEM.
YesWiki before 4.5.2 allows unauthenticated path traversal via the 'squelette' parameter. An attacker can exploit this to read arbitrary files on the server, such as /etc/passwd.
Apache ActiveMQ version 6.1.6 is prone to a denial-of-service (DoS) vulnerability. An attacker can exploit this vulnerability by sending specially crafted requests to the server, causing it to become unresponsive or crash.
A CSRF vulnerability exists in GeoVision GV-ASManager web application version 6.1.1.0 or earlier, enabling attackers to create Admin accounts via a crafted GET request. This exploit is often combined with CVE-2024-56903 for a successful CSRF attack.
The 'http://localhost/gestioip/res/ip_mod_dns_key_form.cgi' feature in GestioIP 3.5.7 is susceptible to stored XSS. An authenticated attacker can inject malicious code into the 'tsig_key' form field; once saved to the database, it executes when any user accesses the 'DNS Key' page.
Cacti version 1.2.26 is vulnerable to authenticated remote code execution. An attacker can exploit this vulnerability to execute arbitrary code on the target system. This vulnerability is identified as CVE-2024-25641.
The exploit involves uploading a ZIP file containing a malicious SVG file to achieve cross-site scripting (XSS) on Kentico Xperience versions before 13.0.178. The malicious SVG file triggers an alert box when executed.
DocsGPT versions 0.8.1 through 0.12.0 allow remote attackers to execute arbitrary code via a crafted HTTP request. An attacker can exploit this vulnerability by sending a malicious payload in the 'data' parameter, leading to the execution of arbitrary commands on the target system. This vulnerability has been assigned CVE-2025-0868.
In SilverStripe 5.3.8, the oEmbed JSON linked through the 'insert media' feature includes an unsanitized HTML attribute, allowing an attacker to execute a script payload on both the CMS and the website's front-end.
The exploit leverages a privilege escalation vulnerability in VirtualBox version 7.0.16. By exploiting this vulnerability, an attacker could elevate their privileges on the target system. The vulnerability is identified as CVE-2024-21111.