The Simple College Website 1.0 is vulnerable to local file inclusion through the 'page' parameter. By manipulating the parameter, an attacker can include arbitrary local files and potentially view sensitive information.
The NewsLister application is vulnerable to an authenticated persistent cross-site scripting (XSS) attack. By logging into the admin panel and entering a malicious payload in the title value, an attacker can execute arbitrary JavaScript code when viewing the news.
WonderCMS is vulnerable to SSRF Vulnerability. In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS. The theme/plugin installer not sanitize the destination of github/gitlab url, so attacker can pointing te destinaition to localhost. when the attacker can pointing the request to localhost, this lead to SSRF vulnerability. the most high impact lead to RCE with gopher scheme and FastCGI running in port 9000
The EPSON_PM_RPCV4_06 service in EPSON Status Monitor 3 has an unquoted service path vulnerability. This vulnerability could allow an attacker to execute arbitrary code with elevated privileges.
This parameter "id" is vulnerable to Error-Based blind SQL injection in this path "/alphaware/details.php?id=431860" that leads to retrieve all databases.
The ElkarBackup version 1.3.3 is vulnerable to stored cross-site scripting. An attacker can inject malicious JavaScript code into the 'Policy[name]' and 'Policy[Description]' parameters, which will be executed when the policy is saved. This can lead to the execution of arbitrary code in the context of the victim's browser.
House Rental v1.0 suffers from an unauthenticated SQL Injection vulnerability allowing remote attackers to execute arbitrary code on the hosting webserver via sending a malicious POST request.
PDF generator for Foxit Reader Remote Code Execution (CVE 2018-9958)
The SAP Lumira version 1.31 and below is vulnerable to stored cross-site scripting (XSS). An attacker can exploit this vulnerability by creating a new variable and injecting malicious scripts into it. When the variable is opened, the script will be executed, allowing the attacker to perform various actions, such as stealing cookies or executing arbitrary code.
Remote attackers can register applications to the Chroma Server. If the attacker has write access to the ProgramData folder where the Chroma Server stores its data, he can exploit a race condition and get the server to execute a binary of his choosing. The attacker will need to pre-create a folder with the same name as the application to be registered in Razer Chroma SDKApps<appname>, and create an exe file with the same application's name in that folder. The Apps folder is user writable and does not require admin privileges. The attacker can keep running the code below to get the Server to execute the file while writing the payload to the target directory with another process (eg samba or ftp) in order to exploit the race condition.
Services By CQR