An attacker can exploit this vulnerability by navigating to the URL http://localhost/edtms/edtms/admin/?page=maintenance and adding a new department with a malicious payload in the 'Name' field. When the department is saved and the page is refreshed, the payload will be triggered.
FusionPBX is a full-featured multi-tenant GUI for FreeSWITCH. A vulnerability in FusionPBX version 4.5.29 and earlier allows an authenticated user to execute arbitrary code on the server. The vulnerability exists due to insufficient validation of user-supplied input in the 'fax_extension' parameter of the 'fax_send.php' script. An attacker can send a specially crafted HTTP request containing an arbitrary command, which will be executed on the server.
zlog is a reliable, high-performance, thread safe, flexible, pure C logging library. A buffer overflow vulnerability exists in zlog 1.2.15 when the zlog_init API is used to parse a file. This can lead to a stack-buffer-overflow READ or WRITE when the pointer's address which overflow read is end with 0x20. This can be exploited by compiling the zlogv1.2.15 code to a library and using the zlog_init API to parse a file.
A vulnerability exists in WordPress Plugin Backup and Restore 1.0.3 which allows an attacker to delete arbitrary files on the server. An attacker can send a specially crafted POST request to the vulnerable endpoint /wordpress/wp-admin/admin-ajax.php with the parameters action=barfw_backup_ajax_redirect&call_type=delete_backup&file_name=wp-config.php&folder_name=C%3a%5cxampp%5chtdocs%5cwordpress%5c%5c&id=5&nonce=ee90968cce to delete arbitrary files on the server. This vulnerability is due to improper input validation and can be exploited by an authenticated user with admin privileges.
Froxlor 0.10.28 and 0.10.29.x are affected by an SQL Injection from the authenticated customer panel. This allows an attacker to escalate privilege by creating a Froxlor administrator account and use it to get Remote Code Execution as root on the target machine.
Admin panel authentication can be bypassed due to a SQL injection in the login form. A POST request with username and password set to '=''or' can be used to bypass authentication.
The Kmaleon application from levelprogram is vulnerable to SQL injection via the 'tipocomb' parameter on the kmaleonW.php. The 'tipocomb' parameter is vulnerable to SQL injection. GET parameter 'tipocomb' is vulnerable. The back-end DBMS is MySQL.
A stored XSS vulnerability exists in the Simple Client Management System. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more.
An SQL Injection vulnerability exists in the Simple Client Management System. An attacker can leverage the vulnerable "password" parameter in the "Login.php" web page to authenticate as an admin user. The following payload inside password will allow you to login into the web server as admin: admin'or'1'%3D'1
A persistent input validation vulnerability has been discovered in the official ImportExportTools NG 10.0.4 for mozilla thunderbird. The vulnerability allows remote attackers to inject malicious script codes to the application-side of the vulnerable module. The vulnerability is located in the `import/export` module of the application. Remote attackers are able to inject own malicious script codes to the application-side of the vulnerable module. The request method to inject is POST and the attack vector is located on the application-side.
Services By CQR