A cross-site scripting vulnerability has been discovered in the official CriticalGears Authorize.net Payment Terminal v2.4.1, Stripe Payment Terminal v2.2.1 and PayPal PRO Payment Terminal v3.1 web applications. The vulnerability is located in the `name` and `email` values of the `payment` module and allows remote attackers to inject their own malicious script code into the application side of the vulnerable module. The injection request method is POST and the attack vector is located on the application side of the service.
A vulnerability in 10-Strike Network Inventory Explorer Pro 9.31 allows an attacker to gain elevated privileges due to an unquoted service path. An attacker can use the Windows Management Instrumentation Command-line (WMIC) to query the service and find the unquoted service path. The service can then be exploited to gain elevated privileges.
TMD Vendor System 3.x is vulnerable to Blind SQL Injection. An attacker can exploit this vulnerability to gain access to the database and extract sensitive information. The vulnerability is patched in the new version of the software.
A persistent cross-site scripting vulnerability has been discovered in the Ultimate POS v4.4 web application. The vulnerability is located in the `name` value of the `products` module and allows remote attackers to inject their own malicious script code into the application side of the vulnerable module. The injection request method is POST and the attack vector is located on the application side of the service.
A non-persistent POST injection vulnerability has been discovered in the official Vanguard v2.1 CMS web application. The vulnerability allows remote attackers to inject malicious script code in POST method requests to compromise the web application or the context of a connected web-application user.
The persistent vulnerability is located in the `title` value of the `product` module and allows remote attackers to inject their own malicious script code into the application side of the vulnerable module. The injection request method is POST and the attack vector is located on the application side.
Multiple classic SQL injection vulnerabilities have been discovered in the Mult-e-Cart Ultimate v2.4 (v2021) web application. The vulnerabilities allow remote attackers to inject or exfiltrate/execute malicious SQL commands on the application DBMS. The SQL injection vulnerability is located in the `id` value of the `/admin/category.php` file. Remote attackers are able to inject their own SQL commands to manipulate the DBMS of the vulnerable application.
A non-persistent cross-site scripting vulnerability has been discovered in SonicWall SonicOS 6.5.4. The vulnerability is located in the `Common Name` value of the `SSL VPN` service module and allows remote attackers to inject their own malicious script code into the application side of the vulnerable service module.
This vulnerability allows an attacker to extract a variety of information (such as a user’s password hash) from vulnerable OpenAM servers via LDAP injection, using a character-by-character brute force attack.
A low-privileged user can perform stored XSS attacks. Go to the 'Popup Anything - Settings' tab and select 'Simple Link' as 'Link Type'. Select 'Link Text' and use this payload: `test" onclick="alert(1)`. Save the popup and reload the page. Now click on 'Link Text' and the JavaScript code will execute. The same attack works with the 'Button Text' and 'Popup width' fields.