SQL injection attacks can allow unauthorized access to sensitive data and modification of data, and can crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation.
The attacker can send the victim a link containing a malicious URL in an email or instant message, which can perform a wide variety of actions, such as stealing the victim's session token or login credentials.
The `pickup_id` parameter in the Bus Reservation System version 1.1 is vulnerable to SQL injection attacks. An attacker can exploit this vulnerability to steal information from the database. The payload for exploiting the vulnerability is provided in the description.
This exploit targets the WP Statistics Plugin version 13.1.5 and prior. It allows an unauthenticated attacker to perform a time-based SQL injection attack by manipulating the 'current_page_id' parameter in the '/wp-json/wp-statistics/v2/hit' endpoint. The vulnerability can be exploited to cause a delay in the response time of the target server, indicating a successful injection.
The server appears to be vulnerable to client-side desync attacks. A POST request was sent to the path '/1692959852_473/index.php' with a second request sent as the body. The server ignored the Content-Length header and did not close the connection, leading to the smuggled request being interpreted as the next request.
By logging in to the web portal with the default guest credentials "guest:guest", the guest user can go to the maintenance tab under access and modify the users, which allows the guest user to modify all users as well as view the passwords of all users.
The FileMage Gateway version 1.10.9 has a local file inclusion vulnerability. An attacker can exploit this vulnerability to include arbitrary files from the server, potentially leading to remote code execution.
The Kingo ROOT 1.5.8 software has an unquoted service path vulnerability. This allows an attacker to gain elevated privileges by placing a malicious executable in a directory with a space in its name, which the service will attempt to execute.
The exploit allows an attacker to execute arbitrary code by sending a specially crafted 'PWD' command to the Freefloat FTP Server 1.0. It triggers a buffer overflow in the server, leading to remote code execution.
In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on the queryads endpoint.