This module exploits the broken access control vulnerability in the Seagate Central External NAS storage device. The product suffers from several critical vulnerabilities, such as broken access control, which makes it possible to change the device state and register a new admin user capable of SSH access.
This code is written in Python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna.
The Zenphoto 1.6 application is vulnerable to multiple stored Cross-Site Scripting (XSS) attacks. These vulnerabilities allow an attacker to inject malicious scripts into various parts of the application, which can lead to unauthorized access or information disclosure.
The WBCE CMS version 1.6.1 is vulnerable to multiple stored cross-site scripting (XSS) attacks. An attacker can upload a malicious SVG file containing a script that will be executed when viewed by an authenticated user with administrative privileges. This can lead to the execution of arbitrary code or the theft of sensitive information.
Wondershare NativePush Build 1.0.0.7, which is part of Filmora 12 (Build 12.2.1.2088), is vulnerable to unquoted service paths. This vulnerability allows a local user to escalate their privileges to local admin by replacing the affected executable.
Service Provider Management System v1.0 allows SQL injection via the ID parameter in /php-spms/?page=services/view&id=2. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit the latest vulnerabilities in the underlying database.
The vulnerability allows unauthenticated remote attackers to execute arbitrary code on the target system via the subprocess_execute function in the Roxy WI application. By sending a specially crafted request to the options.py endpoint, an attacker can inject malicious commands that will be executed with the privileges of the application.
A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 allows an attacker to execute arbitrary web scripts or HTML by injecting persistent JavaScript code inside the title and/or description while creating a task/expense/project.
MobileTrans version 4.0.11 suffers from a weak service permission vulnerability that allows a normal Windows user to elevate to local admin. The 'ElevationService' service is installed when MobileTrans version 4.0.11 is installed on the Windows operating system. Because 'ElevationService' runs with system privileges, a local user is able to elevate to local admin by modifying the service or replacing the affected executable.
A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows an attacker to execute arbitrary web scripts or HTML. Persistent JavaScript code injected into the first/second name field of the 'Add Contact' function while creating a contact is triggered once the page loads.