
Explore Vulnerabilities


Explore all Exploits:

Online Art gallery project 1.0 – Arbitrary File Upload (Unauthenticated)

Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Due to the absence of an authentication mechanism and inadequate file validation, attackers can upload malicious files, potentially leading to remote code execution and unauthorized access to the server.

Textpattern CMS v4.8.8 – Stored Cross-Site Scripting (XSS) (Authenticated)

The Textpattern CMS v4.8.8 is vulnerable to stored cross-site scripting (XSS) attacks. An authenticated user can inject malicious JavaScript code into the Excerpt field of the Articles section in the admin page. When this payload is executed, it will trigger an alert displaying the user's cookie information.

Xoops CMS 2.5.10 – Stored Cross-Site Scripting (XSS) (Authenticated)

This exploit allows an authenticated user to inject arbitrary HTML or JavaScript code into the Xoops CMS admin panel. By adding a malicious payload in the Category Name field of the Image Manager, an attacker can execute a stored XSS attack. The payload '<script>alert(1)</script>' is used as an example.

projectSend r1605 – Stored XSS

The projectSend application version r1605 is vulnerable to a stored XSS attack. An attacker can exploit this vulnerability by injecting malicious JavaScript code in the Custom Html/Css/Js section. This code will be executed whenever a user visits the affected page, potentially leading to unauthorized actions or data theft.

projectSend r1605 – CSV injection

CSV injection vulnerability in projectSend r1605 allows remote attackers to execute arbitrary commands via a crafted payload in a CSV file. An attacker can exploit this vulnerability by creating a malicious CSV file containing a payload that will be executed when opened by an administrator using the Export action-log functionality.

Anevia Flamingo XL 3.2.9 – Remote Root Jailbreak

Once the admin establishes a secure shell session, she gets dropped into a sandboxed environment using the login binary that allows a specific set of commands. One of those commands that can be exploited to escape the jailed shell is traceroute. A remote attacker can break out of the restricted environment and have full root access to the device.

Anevia Flamingo XL 3.6.20 – Authenticated Root Remote Code Execution

The affected device suffers from an authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands, granting her system access with root privileges.

Recent Exploits: