The Windows 10 version 2004 is vulnerable to the HTTP Protocol Stack (HTTP.sys) due to a buffer overflow. This vulnerability allows an attacker to perform a denial of service (DoS) attack and restart the system. The vulnerability was first reported in CVE-2021-31166 and still exists in Windows 10 version 2004. The exploit for this vulnerability is a one-line command.
The Microsoft Outlook app allows an attacker to send an infected Word file with malicious content to everyone who is using the Outlook app, regardless of whether it is the web or local version. Microsoft has not yet released a patch for this 0-day vulnerability.
The Faculty Evaluation System v1.0 is vulnerable to SQL Injection. The vulnerability exists in the 'edit_evaluation' file and the 'view_faculty.php' file. The SQL Injection allows an attacker to manipulate the SQL queries and potentially extract or modify sensitive data.
The Piwigo version 13.7.0 is vulnerable to a stored cross-site scripting (XSS) attack. An authenticated user with the privilege to upload photos can inject malicious code into the 'Description' field of the photo editing screen. When the photo is viewed on the homepage, the XSS payload is executed.
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is data inside the targeted website like IDs, tokens, nonces, cookies, IP, User-Agent, and other sensitive information. The user would have to click on a specially crafted URL to be compromised by the attacker. In this example, the attacker uses STRIDE Threat Modeling to spoof the victim to click on his website and done. This will be hard to detect.
This exploit allows an attacker to perform SQL injection on the Lost and Found Information System v1.0. By injecting a malicious SQL query, the attacker can manipulate the database and potentially access unauthorized information.
The Gila CMS version 1.10.9 is vulnerable to remote code execution. An attacker with authenticated access can execute arbitrary code on the target system. This can lead to a complete compromise of the system.
The Beauty Salon Management System v1.0 developed by Campcodes is vulnerable to SQL Injection attacks. This allows an attacker to manipulate login authentication with SQL queries and bypass authentication. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system.
Allow Attacker to inject malicious code into website, give ability to steal sensitive information, manipulate data, and launch additional attacks.
The WBCE CMS 1.6.1 version is vulnerable to an open redirect and cross-site request forgery (CSRF) attack. By uploading a specially crafted HTML file and tricking a logged-in user to visit a malicious URL, an attacker can exploit this vulnerability to perform CSS keylogging.
Services By CQR