The vulnerability allows unauthenticated remote attackers to execute arbitrary code on the target system via the subprocess_execute function in the Roxy WI application. By sending a specially crafted request to the options.py endpoint, an attacker can inject malicious commands that will be executed with the privileges of the application.
A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 allows an attacker to execute arbitrary web scripts or HTML by injecting persistent JavaScript code into the title and/or description while creating a task, expense, or project.
MobileTrans version 4.0.11 suffers from a weak service permission vulnerability that allows a normal Windows user to elevate to local admin. A service named 'ElevationService' is installed along with MobileTrans version 4.0.11 on the Windows operating system. Because 'ElevationService' runs with SYSTEM privileges, it allows a local user to elevate to local admin. Effectively, the local user is able to elevate to local admin upon successfully modifying the service or replacing the affected executable.
A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows an attacker to execute arbitrary web scripts or HTML. By injecting persistent JavaScript code into the first/second name field of the 'Add Contact' function while creating a contact, the payload is triggered once the page loads.
The ChurchCRM v4.5.4 software is vulnerable to a reflected cross-site scripting (XSS) attack. An authenticated attacker can upload a specially crafted image file containing an XSS payload and exploit the vulnerability by tricking a user into viewing the image, resulting in the execution of malicious script code within the user's browser.
The Bludit CMS v3.14.1 is vulnerable to stored cross-site scripting (XSS) attacks. An authenticated attacker can upload a specially crafted SVG file containing malicious JavaScript code. When this file is processed by the application, the JavaScript code is executed in the context of the user's browser, leading to stored XSS.
This exploit allows remote attackers to execute arbitrary code on a target system running GetSimple CMS version 3.3.16. The vulnerability is due to insufficient input validation in the software, which allows an attacker to inject malicious code and execute it remotely. This can lead to unauthorized access, data theft, and further compromise of the affected system.
The Quicklancer v1.0 script is vulnerable to SQL Injection. This can be exploited by an attacker to manipulate the SQL queries and gain unauthorized access to the database.
The Stackposts Social Marketing Tool v1.0 is vulnerable to SQL Injection. An attacker can exploit this vulnerability to execute arbitrary SQL commands on the database.
The Smart School v1.0 application is vulnerable to SQL injection. This vulnerability allows an attacker to execute arbitrary SQL queries, potentially compromising the integrity and confidentiality of the database. By exploiting the 'searchdata[0][searchfield]' parameter, an attacker can inject malicious SQL code and manipulate the database.