Explore Vulnerabilities

Explore all Exploits:

HotKey Clipboard 2.1.0.6 – Privilege Escalation Unquoted Service Path

The Hotkey Clipboard Service 'HKClipSvc' installed as part of Control Center3.0 v3.97 (and earlier versions) by Clevo has an unquoted service path. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with SYSTEM privileges.

Metform Elementor Contact Form Builder v3.1.2 – Unauthenticated Stored Cross-Site Scripting (XSS)

An unauthenticated attacker can insert persistent malicious JavaScript code via the text-area field. Because the input is not properly sanitized, the XSS is executed each time the victim visits the affected post. An attacker can steal the admin's session or credentials, e.g., using a phishing attack (displaying a fake login page), and may install a JavaScript backdoor like the Browser Exploitation Framework (BeEF), etc.

Spitfire CMS 1.0.475 – PHP Object Injection

The application is prone to a PHP Object Injection vulnerability due to the unsafe use of the unserialize() function. An authenticated attacker could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input.

qubes-mirage-firewall v0.8.3 – Denial Of Service (DoS)

This exploit allows an attacker to send a specially crafted payload to the qubes-mirage-firewall, causing a denial of service (DoS) condition. By sending a large amount of data (in this case, 'a' characters), the firewall becomes overwhelmed and stops responding.

Uniview NVR301-04S2-P4 – Reflected Cross-Site Scripting (XSS)

The Uniview NVR301-04S2-P4 device is vulnerable to reflected cross-site scripting (XSS) attacks. An attacker can exploit this vulnerability by injecting malicious code into a crafted URL, which will be executed when accessed by a victim user.

Book Store Management System 1.0.0 – Stored Cross-Site Scripting (XSS)

This exploit allows an attacker to inject malicious code into the Book Store Management System 1.0.0, specifically in the 'Name' input field of the 'Add New System User' page. When the payload '<script>alert("XSS")</script>' is inserted, an alert box with the message 'XSS' is displayed each time the page is visited.

Recent Exploits: