Real Player embeds Microsoft Internet Explorer's rendering engine and exposes application-specific properties and methods to embedded web content through the 'external' object. The 'Import()' method handles its 'Copy to My Music' parameter unsafely: it downloads files of arbitrary type, although only audio, image and video types should ever be written to the user's disk, and it does not sanitize file paths, so arbitrary files can be planted in arbitrary locations. Although Real Player displays an error because it cannot render the downloaded file, the file stays on disk until the user closes the dialog box. In addition, when opening new windows Real Player looks for an obsolete IE library, shdoclc.dll; planting that file lets the attacker run code immediately instead of waiting for a reboot, which is what a file planted in the 'Startup' folder requires. The attacker must host the files to be copied in an SMB or WebDAV share, with a directory named 'appdata' in the share's root. The PoC drops 'shdoclc.dll' (containing simple code that runs 'cmd.exe' from 'DllMain()', for demonstration purposes) into the user's 'WindowsApps' folder and 'write.exe' into the 'Startup' folder, so it works on any Windows version from at least XP through 11. Tested on Real Player 16.00.282, 16.0.3.51, Cloud 17.0.9.17 and 20.0.7.309.
The Real Player G2 Control component contains a remote code execution vulnerability: it accepts 'javascript:' URIs as its 'URL' argument, which is unsafe because in some scenarios it allows script injection into arbitrary domains (universal cross-site scripting, uXSS), usable for example to steal cookies. By setting the 'URL' parameter to a 'javascript:' URI and the 'target' parameter to an 'iframe' element, script can be made to run in the context of the local error page that the same control displays after navigating to an invalid URI such as 'mhtml:http://%SERVER%/frame.htm'. When the IE rendering engine handles an 'mhtml:' URI it expects an MHTML file whose extension maps to the MIME type 'message/rfc822', as '.mht' does; '.htm' maps to 'text/html', so IE cancels loading the document and shows the local 'navigation cancelled' page. That page, 'res://ieframe.dll/navcancl.htm', belongs to the 'My Computer' security zone of IE / Windows, which by design permits reading arbitrary local files and executing arbitrary code. Rejecting 'javascript:' URIs in the control mitigates the issue. The PoC uses the 'SYSMON' ActiveX control to plant an HTA file in the user's Startup folder, where it runs at the next logon or boot; an HTA file can, for example, download or extract an embedded EXE and run it. The PoC assumes Real Player's current working directory is a subdirectory of the user's home directory, which is the case for a default installation.
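Rejecting 'javascript:' URIs is the mitigation named above, and an allowlist of schemes is the robust way to do it: a block-list that searches for the literal string misses the forms a browser normalises before it parses the scheme (leading control characters, embedded tabs, mixed case). The Python below is an added example, not code from Real Player or from the advisory; the http/https-only policy and the navigate() wrapper are assumptions for illustration.

```python
import re

# Assumed policy for this example: the control may only navigate to absolute
# http/https URLs. javascript:, vbscript:, data:, res: and mhtml: URIs are
# rejected simply because the allowlist does not contain them.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# C0 control characters and space: browsers strip these from both ends of a
# URL before parsing, so "\x00javascript:" is still "javascript:".
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def canonical_scheme(url: str) -> str:
    """Return the lowercase scheme a browser would parse from `url`, or ''
    when the URL is relative (no scheme at all).

    Mirrors the WHATWG URL parser's pre-processing: leading and trailing C0
    controls and spaces are removed, then every ASCII tab, LF and CR is
    deleted wherever it occurs. That is why 'java\\tscript:' and
    '  JavaScript:' both come out as 'javascript'.
    """
    s = url.strip(_C0_AND_SPACE)
    s = s.replace("\t", "").replace("\n", "").replace("\r", "")
    m = _SCHEME_RE.match(s)
    return m.group(1).lower() if m else ""


def is_safe_navigation_url(url: str) -> bool:
    """Allowlist check. A block-list that looks for the literal string
    'javascript:' would pass the tab-split and uppercase variants."""
    return canonical_scheme(url) in ALLOWED_SCHEMES


def navigate(url: str, target: str) -> str:
    """Hypothetical stand-in for the control's navigation entry point:
    refuses anything that fails the allowlist instead of loading it."""
    if not is_safe_navigation_url(url):
        scheme = canonical_scheme(url) or "none"
        raise ValueError(f"refusing to navigate to {url!r} (scheme {scheme!r})")
    return f"loading {url} into {target}"
```

Relative URLs are refused as well in this policy, since a scheme-less value would be resolved against whatever document the control currently shows, including the local error page the advisory abuses.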
Confluence Data Center 7.18.0 is vulnerable to remote code execution. The vulnerability is due to improper validation of user-supplied input; an attacker can exploit it by sending a specially crafted request to the application and execute arbitrary code in the context of the application.
A stored cross-site scripting (XSS) vulnerability exists in the WordPress plugin Motopress Hotel Booking Lite version 4.2.4. An attacker can inject JavaScript into the title and excerpt fields of the 'Add Accommodation Type' page; the payload is stored in the database and executed whenever the page is visited, allowing arbitrary HTML and script to run in a user's browser session in the context of the affected site.
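The fix for stored XSS of this kind is contextual output encoding at the point where the stored title and excerpt are rendered, not at the point where they are saved. The Python below is an added example, not plugin code: the markup template and the two payloads are constructed for illustration, and the audit helper parses the rendered HTML to show which renderer lets a new tag or an event-handler attribute appear.

```python
import html
from html.parser import HTMLParser

# Constructed payloads of the kind the advisory describes being stored in the
# title and excerpt fields (not taken from the original page).
TITLE_PAYLOAD = "Suite <img src=x onerror=alert(document.cookie)>"
EXCERPT_PAYLOAD = 'Sea view" onmouseover="alert(1)'

# Tags the (assumed) template itself emits; anything else came from user data.
EXPECTED_TAGS = frozenset({"article", "h2", "p"})


def render_accommodation_vulnerable(title: str, excerpt: str) -> str:
    """Interpolates stored fields straight into markup: stored XSS."""
    return (
        f'<article data-excerpt="{excerpt}">'
        f"<h2>{title}</h2><p>{excerpt}</p></article>"
    )


def render_accommodation_safe(title: str, excerpt: str) -> str:
    """Escapes per context. Text nodes need &lt; &gt; &amp;; a quoted
    attribute value additionally needs &quot; so the payload cannot close
    the quote and start an attribute of its own."""
    text_title = html.escape(title, quote=False)
    text_excerpt = html.escape(excerpt, quote=False)
    attr_excerpt = html.escape(excerpt, quote=True)
    return (
        f'<article data-excerpt="{attr_excerpt}">'
        f"<h2>{text_title}</h2><p>{text_excerpt}</p></article>"
    )


class _TagAudit(HTMLParser):
    """Records every start tag and every on* attribute the browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def audit(rendered: str):
    """Return (unexpected tags, event-handler attributes) found in `rendered`."""
    p = _TagAudit()
    p.feed(rendered)
    p.close()
    unexpected = sorted(set(p.tags) - EXPECTED_TAGS)
    return unexpected, p.handlers
```

The audit uses a real HTML tokenizer rather than substring matching because an escaped payload still contains the words 'onerror=' as text; what matters is whether the browser would treat them as an attribute.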
SolarView Compact 6.00 is vulnerable to directory traversal. The 'file' parameter of the 'downloader.php' script is not sufficiently sanitized, so an attacker can send a specially crafted HTTP request containing traversal sequences (e.g. '../') to the script and read arbitrary files from the server.
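A downloader that concatenates the 'file' parameter onto a base directory is exactly the pattern that lets '../' walk out of it. The Python below is an added example, not SolarView's code: it contrasts naive concatenation with canonicalisation followed by a prefix check; the download root and the file names are assumed. It operates on the already URL-decoded value the web server hands to the script, so if an application decodes the parameter again itself, the check must run after that second decode.

```python
import os

# Assumed base directory for downloadable files (the real location is not
# given in the advisory).
DOWNLOAD_ROOT = "/srv/solarview/downloads"


def vulnerable_download_path(root: str, requested: str) -> str:
    """What a naive downloader does: concatenate and open. '../' walks out."""
    return root.rstrip("/") + "/" + requested


def is_within_root(root: str, requested: str) -> bool:
    """True only if `requested`, joined under `root` and canonicalised
    ('..' collapsed, symlinks followed), still names something inside `root`."""
    if "\x00" in requested:        # a NUL would truncate the path in a C-level open()
        return False
    root_real = os.path.realpath(root)
    # os.path.join discards `root_real` when `requested` is absolute, so
    # "/etc/passwd" becomes exactly "/etc/passwd" and fails the check below.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if candidate == root_real:     # the directory itself is not a file to serve
        return False
    return os.path.commonpath([root_real, candidate]) == root_real


def resolve_download_path(root: str, requested: str) -> str:
    """Canonical path to open, or PermissionError if the request escapes."""
    if not is_within_root(root, requested):
        raise PermissionError(f"{requested!r} escapes {root!r}")
    return os.path.realpath(os.path.join(os.path.realpath(root), requested))
```

Comparing canonical paths (realpath on both sides) rather than stripping '../' substrings is what makes the check hold up against 'sub/../../' combinations and against symlinks inside the download directory.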
The automation controller suffers from an authenticated arbitrary command execution vulnerability. An authenticated attacker can abuse the start-up (init) script editor by supplying malicious Lua code in the 'script' POST parameter; the script is executed with root privileges, granting full control of the device.
Telesquare SDT-CW3B1 1.1.0 is vulnerable to OS command injection. An attacker sends a GET request to the vulnerable CGI script with the malicious command supplied as a parameter, and can then parse the XML response to obtain the command's output.
Microweber Drag and Drop Website Builder and E-commerce CMS v1.2.15 has an OAuth misconfiguration that leads to account takeover. Steps to exploit: 1. Create an account with the victim's email address at the register endpoint: https://target-website.com/register# 2. When the victim later logs in through one of the default OAuth providers (Google, GitHub, Microsoft, Twitter, LinkedIn, Telegram, Facebook, etc.) with that same email address, the OAuth login is attached to the account created in step 1, so the attacker can take over the victim's account with the login credentials chosen at registration.
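The takeover works because the OAuth callback locates the account by email alone, and the attacker's pre-registered account never proved ownership of that mailbox. The Python below is an added example, not Microweber's code: an in-memory account store with the email-matching logic described above beside a version that refuses to merge a provider identity into an account whose email is unverified. Provider names, subject identifiers and the provider's email-verified flag are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class AccountLinkingBlocked(Exception):
    """An OAuth identity would be attached to an account whose email
    ownership has never been proven."""


@dataclass
class Account:
    email: str
    password_hash: Optional[str] = None          # set by password registration
    email_verified: bool = False                 # proven via a verification link
    oauth_identities: Set[str] = field(default_factory=set)  # e.g. "google:sub-1"


class UserStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register_with_password(self, email: str, password_hash: str) -> Account:
        # Registration alone does not prove the caller owns the mailbox.
        acct = Account(email=email.lower(), password_hash=password_hash)
        self.accounts[acct.email] = acct
        return acct

    def oauth_login_vulnerable(self, provider: str, subject: str, email: str) -> Account:
        # Looks up by email only: an unverified, attacker-created account with
        # the victim's address is silently merged with the victim's identity,
        # and the attacker's password keeps working on it.
        acct = self.accounts.get(email.lower())
        if acct is None:
            acct = Account(email=email.lower(), email_verified=True)
            self.accounts[acct.email] = acct
        acct.oauth_identities.add(f"{provider}:{subject}")
        return acct

    def oauth_login_safe(self, provider: str, subject: str, email: str,
                         provider_verified_email: bool) -> Account:
        ident = f"{provider}:{subject}"
        # 1. An identity linked earlier wins, whatever email it carries now.
        for acct in self.accounts.values():
            if ident in acct.oauth_identities:
                return acct
        # 2. Do not trust an address the provider itself has not verified.
        if not provider_verified_email:
            raise AccountLinkingBlocked("provider did not verify the email")
        existing = self.accounts.get(email.lower())
        # 3. Merge only into an account whose email ownership is proven;
        #    otherwise the legitimate user must verify that account first.
        if existing is not None and not existing.email_verified:
            raise AccountLinkingBlocked("existing account has an unverified email")
        if existing is None:
            existing = Account(email=email.lower(), email_verified=True)
            self.accounts[existing.email] = existing
        existing.oauth_identities.add(ident)
        return existing


def takeover_succeeds(use_safe_path: bool) -> bool:
    """Replay the advisory's two steps against one login path: the attacker
    registers the victim's address, then the victim signs in via a provider."""
    store = UserStore()
    store.register_with_password("victim@example.com", "attacker-password-hash")
    try:
        if use_safe_path:
            acct = store.oauth_login_safe("google", "sub-1", "victim@example.com", True)
        else:
            acct = store.oauth_login_vulnerable("google", "sub-1", "victim@example.com")
    except AccountLinkingBlocked:
        return False
    return acct.password_hash == "attacker-password-hash"
```

Keying returning logins on the provider's stable subject identifier, and treating the email as a hint that is only honoured once both sides have verified it, is what closes the hole; blocking unverified registrations from logging in at all is a complementary measure.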
An OS command injection vulnerability exists in Zyxel USG FLEX 5.21. An attacker can send a specially crafted HTTP request to the vulnerable server to execute arbitrary OS commands. The vulnerability affects ZLD 5.00 through ZLD 5.21.
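The Telesquare and Zyxel entries above describe the same bug class: request data concatenated into a command string that a shell then parses. The Python below is an added example, not code from either vendor: a hypothetical ping diagnostic whose host parameter is assumed (neither advisory names the script or parameter). It shows what the shell would actually execute with an injected value, and the hardened form (allowlist-validated value, argv list, no shell). Note that an argv list alone does not stop option injection such as '-f', which is why the validator also rejects a leading hyphen.

```python
import ipaddress
import re
import shlex

# RFC 1123-style hostname: labels of 1-63 alphanumerics/hyphens, no label
# starting or ending with '-', at most 253 characters in total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command_line(host: str) -> str:
    """The string a naive CGI hands to /bin/sh -c (shown here, never executed)."""
    return f"ping -c 1 {host}"


def shell_would_run(cmdline: str) -> list:
    """Tokenise the way a POSIX shell does, so the injected second command
    becomes visible as its own words after the ';' separator."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def validate_host(host: str) -> str:
    """Allowlist: an IP literal or a DNS hostname, nothing else. A leading
    '-' is rejected too, so '-f' cannot be smuggled in as a ping option even
    though it contains no shell metacharacter."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"invalid host: {host!r}")


def is_valid_host(host: str) -> bool:
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def safe_command_argv(host: str) -> list:
    """argv for subprocess.run(argv) with the default shell=False: no shell
    parses it, and the validated host is exactly one argument."""
    return ["ping", "-c", "1", validate_host(host)]
```

Both halves matter: passing an argv list removes the shell, and the allowlist removes values that are dangerous to the program being run rather than to the shell.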
The Newsletter module for OpenCart (advertised as compatible with any OpenCart version) allows SQL injection via the 'zemez_newsletter_email' parameter of /index.php?route=extension/module/zemez_newsletter/addNewsletter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
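The Python below is an added example, not the module's code, using an in-memory SQLite table standing in for the newsletter table: a subscribe handler that interpolates the email into its INSERT, and a lookup that does the same in a SELECT, beside parameterised versions. The schema and both payloads are constructed for illustration; the injection shape is the generic one the advisory's parameter invites.

```python
import sqlite3

# Constructed payloads for the email parameter (not from the advisory).
# 1) closes the quoted value, supplies its own status and comments out the
#    rest of the statement; 2) turns a lookup into an always-true condition.
INJECT_STATUS = "mallory@example.com', 'unsubscribed')--"
INJECT_ALWAYS_TRUE = "nobody@example.com' OR '1'='1"


def new_db() -> sqlite3.Connection:
    """In-memory stand-in for the newsletter table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE newsletter (email TEXT PRIMARY KEY, status TEXT NOT NULL)")
    conn.execute("INSERT INTO newsletter VALUES ('alice@example.com', 'subscribed')")
    return conn


def add_subscriber_vulnerable(conn, email: str) -> None:
    # The parameter is pasted into the statement text, so quotes and comment
    # markers inside it are interpreted as SQL.
    conn.execute(f"INSERT INTO newsletter (email, status) VALUES ('{email}', 'subscribed')")


def add_subscriber_safe(conn, email: str) -> None:
    # Bound parameter: the value travels separately from the SQL text, so the
    # same payload is stored as a plain (if odd-looking) email string.
    conn.execute("INSERT INTO newsletter (email, status) VALUES (?, 'subscribed')", (email,))


def is_subscribed_vulnerable(conn, email: str) -> bool:
    row = conn.execute(
        f"SELECT 1 FROM newsletter WHERE email = '{email}' AND status = 'subscribed'"
    ).fetchone()
    return row is not None


def is_subscribed_safe(conn, email: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM newsletter WHERE email = ? AND status = 'subscribed'", (email,)
    ).fetchone()
    return row is not None


def status_of(conn, email: str):
    """Parameterised helper used to inspect what each handler actually stored."""
    row = conn.execute("SELECT status FROM newsletter WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None
```

The first payload lets the caller set a column the form never exposes; the second makes the lookup answer for a row that was never asked about. Bound parameters fix both without any escaping logic in the application.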