Petrol Pump Management Software v1.0 is vulnerable to Remote Code Execution (RCE) due to a file upload flaw. An attacker can upload a malicious payload to the logo Photos parameter in the web_crud.php component, allowing them to execute arbitrary code on the server. By exploiting this vulnerability, an attacker can potentially take full control of the application.
Windows Defender fails to detect and prevent execution of TrojanWin32Powessere.G when leveraging rundll32.exe, leading to an 'Access is denied' error. The bypass was first disclosed in 2022 by passing an extra path traversal with mshtml, which was later mitigated. Subsequently, on Feb 7, 2024, using multiple commas as part of the path allowed bypassing the mitigation until it was fixed. Another trivial bypass was discovered soon after.
The Workout Journal App version 1.0 is vulnerable to stored XSS. By registering with malicious XSS payloads in the First and Last name fields during registration, an attacker can execute arbitrary scripts. This vulnerability arises due to lack of data validation, allowing the browser to execute injected code.
The JetBrains TeamCity version 2023.05.3 is vulnerable to remote code execution (RCE) before version 2023.05.4. An attacker can exploit this vulnerability to create a TeamCity admin account. CVE-2023-42793 has been assigned to this vulnerability.
The exploit allows an attacker to execute arbitrary code by exploiting a buffer overflow vulnerability in KiTTY version 0.76.1.13. By sending a specially crafted payload, an attacker can trigger the overflow and potentially gain remote access to the affected system. This vulnerability has been assigned CVE-2024-25004.
The Viessmann Vitogate 300 with versions up to 2.1.3.0 is vulnerable to remote code execution. By sending a crafted request to the target device, an attacker can execute arbitrary commands on the system. This vulnerability has been assigned CVE-2023-5702 & CVE-2023-5222.
The vulnerability exists in the ofrs/admin/index.php script due to inadequate user input handling during the login process.
FoF Pretty Mail 1.1.2 extension for Flarum is vulnerable to Server-Side Template Injection (SSTI) because it does not properly handle template variables. An attacker with administrative privileges can insert malicious code into the email template, which could result in executing arbitrary code on the server.
Tourism Management System v2.0 is vulnerable to arbitrary file upload due to insufficient input sanitization. An attacker can exploit this vulnerability to upload malicious files to the server.
The Simple Backup Plugin version 2.7.10 allows an attacker to download arbitrary files from the server through a path traversal vulnerability. By manipulating the 'download_backup_file' parameter in the 'tools.php' page, an attacker can traverse directories and access sensitive files on the server.