CMU CERT/CC VINCE 2.0.6 web platform is prone to a stored cross-site scripting vulnerability. Attackers can inject arbitrary HTML/JS code through the 'content' POST parameter, which is not properly sanitized. This allows malicious code execution in the context of the affected user's browser session.
The exploit allows an attacker to perform Remote Code Execution on qBittorrent version 5.0.1 and below by intercepting the host machine using a Man-In-The-Middle (MITM) attack. By running the Proof of Concept (PoC) exploit, the attacker can inject any malicious executable instead of the legitimate Python installer.
The exploit involves injecting {{7*7}} in the search parameter of Loaded Commerce 6.6, resulting in a template injection vulnerability. Similarly, submitting {{constructor.constructor('alert(1)')()}} in the email field on the 'Forgot Password' page triggers client-side code execution.
An authenticated attacker can access critical information via the system logs page of ABB Cylon FLXeon controllers, including the OpenSSL password for stored certificates. This data exposure can lead to potential attacks like decrypting encrypted communications, impersonation, or gaining deeper system access.
The Pimcore Customer Data Framework version 4.2.0 is vulnerable to SQL injection. An attacker can exploit this by manipulating the input fields to inject SQL queries, potentially gaining unauthorized access to the database.
The Rejetto HTTP File Server version 2.3m is vulnerable to remote code execution, allowing attackers to execute arbitrary code on the server. This vulnerability has been assigned the CVE-2024-23692.
The Litespeed Cache version 6.5.0.1 allows unauthorized access to user accounts due to improper validation of user cookies. An attacker can exploit this vulnerability to impersonate legitimate users and gain unauthorized access to their accounts.
The ABB Cylon Aspect 3.07.02 product is prone to an authenticated arbitrary file disclosure vulnerability. This vulnerability exists in the 'downloadDb.php' script due to improper validation of user-supplied input in the 'file' GET parameter. Attackers can exploit this issue to read sensitive files by traversing directories.
The ABB BMS/BAS controller in ABB Cylon Aspect 3.07.01 operates with default and hard-coded credentials included in the installation package, making it vulnerable when exposed to the Internet.
The ABB Cylon Aspect BMS/BAS controller before 4.00.00 allows unauthenticated attackers to execute arbitrary shell commands via unsanitized input in the serial and ManufactureDate POST parameters. This vulnerability can be exploited during the manufacturing phase when factory test scripts are present.
Services By CQR