A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
A reflected cross-site scripting (XSS) vulnerability exists in Network Video Recorder NVR304-16EP, which allows an unauthenticated attacker to inject arbitrary web script or HTML via the 'LAPI/V1.0/System/Security/Login/' parameter.
The weakness stems from the way the login script verifies the provided credentials. An attacker can use this weakness to enumerate valid users on the affected application via the 'txtUsrName' POST parameter.
Victor Hanna (Trustwave SpiderLabs) discovered a username enumeration vulnerability in ServiceNow Orlando. An attacker can use this vulnerability to enumerate valid usernames by sending a POST request to the /api/now/v2/table/sys_user endpoint with a valid JSESSION, X-UserToken and CSRF Token. This can be used to further attack the system.
A SQL injection vulnerability exists in the Simple Student Quarterly Result/Grade System 1.0, due to improper sanitization of user-supplied input in the 'username' parameter of the 'Actions.php' script. An attacker can exploit this vulnerability to bypass authentication and gain access to the application.
A blind SQL injection vulnerability exists in Multi-Vendor Online Groceries Management System 1.0, due to improper sanitization of user-supplied input to the 'id' parameter in the 'view_product.php' script. An attacker can leverage this vulnerability to execute arbitrary SQL commands on the underlying database, potentially resulting in the disclosure of sensitive information.
A CSRF vulnerability was discovered in version 4.2.1 of Subrion CMS, which allows authorized users to be added to the system. An attacker can craft a malicious request to add an admin user to the system.
After authenticating, open the update user settings page; the 'id' parameter that appears there accepts the payload and the attack works.
This plugin creates a Jetpack from any post type. The slider import search feature and the tab parameter in the plugin settings are vulnerable to reflected cross-site scripting.
This plugin creates a Contact Form Builder from any post type. The slider import search feature and the tab parameter in the plugin settings are vulnerable to reflected cross-site scripting.