Explore Vulnerabilities

Explore all Exploits:

Servisnet Tessa – Add sysAdmin User (Unauthenticated) (Metasploit)

This module exploits an authentication bypass in Servisnet Tessa, triggered by adding a new sysadmin user. The app.js file, which acts as the backend of the application, is publicly available. Because it exposes a default value for the 'Authorization' HTTP header, it is possible to make unauthenticated requests to some areas of the application. Even MQTT (Message Queuing Telemetry Transport) protocol connection information can be obtained with this method. A new admin user can be added to the database using this header obtained from the source code.

Servisnet Tessa – Privilege Escalation (Metasploit)

This module exploits a privilege escalation in Servisnet Tessa, triggered by adding a new sysadmin user with any user's authorization. An API request to "/data-service/users/[userid]" made as any low-authority user returns other users' information in the response. The encrypted password information is included here, but privilege escalation is possible with the active sessionId value. The logic required for the Authorization header is as above. Therefore, after obtaining an authorized user ID value and an active sessionId value, base64-encoding the username and sessionId values yields a valid token, and a new admin user can be added.

WordPress Plugin IP2Location Country Blocker 2.26.7 – Stored Cross Site Scripting (XSS) (Authenticated)

IP2Location Country Blocker is a plugin that enables users to block unwanted traffic from accessing the WordPress frontend (blog pages) or backend (admin area) by country or proxy server. Due to incorrect sanitization of user-supplied data, an authenticated user is able to inject arbitrary JavaScript or HTML code into the 'Frontend Settings' interface available on the settings page of the plugin (Country Blocker) and achieve a Stored Cross-Site Scripting attack against administrators or other authenticated users. The plugin versions prior to 2.26.7 are affected by this vulnerability.

FLAME II MODEM USB – Unquoted Service Path

FLAME II MODEM USB is vulnerable to an Unquoted Service Path vulnerability. This vulnerability allows an attacker to gain elevated privileges on the system by exploiting the service path of the application. The service path of the application is not quoted, which allows an attacker to inject malicious code in the service path.

WBCE CMS 1.5.2 – Remote Code Execution (RCE) (Authenticated)

WBCE CMS version 1.5.2 is vulnerable to Remote Code Execution (RCE) when an authenticated user uploads a malicious file. This exploit uses a payload encoded in base64 which is uploaded to the server and then executed. The payload is a PHP shell which allows the attacker to execute arbitrary commands on the server.

WordPress Plugin Contact Form Check Tester 1.0.2 – Broken Access Control

The plugin settings are visible to all registered users in the dashboard. A registered user can leave a payload in the plugin settings. To exploit this vulnerability, a registered user can navigate to the dashboard, go to CF7 Check Tester -> Settings, add a form, add a field to the form, enter a payload such as "><script>alert(1)</script> in either Field selector or Field value, and save. Anyone who visits the settings page will execute the payload.

Recent Exploits: