The `pmpcc` cookie is vulnerable to path traversal, enabling read access to arbitrary files on the server. The testing payload `..././..././..././..././..././..././..././..././..././..././etc/passwd` was submitted in the `pmpcc` cookie, and the requested file was returned in the application's response. An attacker can easily read the server's JavaScript and other source files this way, and use that knowledge to carry out far more damaging actions.
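The `..././` form of the payload above is aimed at a sanitizer that deletes `../` in a single pass: each `..././` collapses back into `../` after the strip. The following added example (not code from the advisory or the affected product; the base directory `/srv/app/data` is a hypothetical value) shows that failure mode next to a containment check on the canonicalised path, which is what a file-serving handler should rely on instead of stripping.

```python
import os

# Constructed sample: the traversal payload quoted in the advisory above.
PAYLOAD = "..././" * 10 + "etc/passwd"


def naive_strip(path: str) -> str:
    """A common but broken filter: delete every '../' once, in a single pass."""
    return path.replace("../", "")


def resolve_under_base(base_dir: str, user_path: str):
    """Canonicalise base_dir/user_path and return it only if it stays inside base_dir.

    Returns None when the resolved path escapes. Nothing is stripped: the check
    is made on the final normalised path, so '..././' has no filter to bypass.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo(base_dir: str = "/srv/app/data") -> dict:
    """Run both pipelines against PAYLOAD and a benign name (base_dir is hypothetical)."""
    filtered = naive_strip(PAYLOAD)  # the strip itself produces '../' * 10 + 'etc/passwd'
    return {
        "after_naive_strip": filtered,
        # Vulnerable pipeline: strip, then join. normpath clamps at '/', so this is /etc/passwd.
        "naive_then_join": os.path.normpath(os.path.join(base_dir, filtered)),
        # Hardened check rejects the stripped path because it leaves base_dir.
        "safe_check_payload": resolve_under_base(base_dir, filtered),
        # The raw payload, without any stripping, is just a path of '...' directories
        # inside base_dir: the sanitizer is what turned it into a traversal.
        "safe_check_raw": resolve_under_base(base_dir, PAYLOAD),
        "safe_check_benign": resolve_under_base(base_dir, "reports/q1.csv"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check uses `realpath`, so a symlink inside the base directory that points outside it is also rejected.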
The Active eCommerce CMS 6.5.0 application has a vulnerability in the profile picture upload feature that allows for stored cross-site scripting (XSS) attacks. Specifically, the vulnerability lies in the handling of "svg" image files, which can contain malicious code. An attacker can exploit this vulnerability by uploading a specially crafted "svg" image file as a profile picture, which will then be executed by the application when the user views the profile. This can allow the attacker to steal sensitive information, such as login credentials, or to perform other malicious actions on the user's behalf. This vulnerability highlights the importance of proper input validation and image file handling in web application development.
ERPGo is a software as a service (SaaS) platform that is vulnerable to CSV injection. This type of attack occurs when an attacker is able to manipulate data that is imported into or exported from a CSV file in order to execute malicious code or gain unauthorized access to sensitive information. The vulnerability can be exploited by injecting specially crafted data into a CSV file that is then imported into the ERPGo system. This can potentially allow the attacker to gain access to sensitive information, such as login credentials or financial data, or to execute malicious code on the system.
AmazCart - Laravel Ecommerce System CMS 3.4 is vulnerable to reflected cross-site scripting because of insufficient sanitization of user-supplied data. Anyone can submit a reflected XSS payload without logging in by searching for a product in the search bar. The application reflects the payload in the frontend search bar, and it fires every time the search history is viewed.
Cross-site scripting (XSS) in the web SQL monitor login page in Redgate SQL Monitor 12.1.31.893 allows remote attackers to inject arbitrary web script or HTML via the returnUrl parameter.
Running this exploit on a vulnerable system allows a local attacker to gain a root shell on the machine. The exploit checks whether the current user has privileges to run sudoedit or sudo -e on a file as root. If so, it opens the sudoers file so the attacker can add a line granting privileges on all files and obtain a root shell.
An authenticated SQL injection vulnerability exists in Art Gallery Management System Project v1.0. An attacker can inject malicious SQL queries into the 'editid' parameter of the 'edit-art-type-detail.php' page, which can be used to extract data from the database. An attacker can use the 'sqlmap' command to fetch all the data from the database.
An RCE can be obtained through MyBB's Admin CP by changing Configuration -> Profile Options -> Avatar Upload Path to /inc, which bypasses the blacklist of upload directories. After that, the 'admin avatar upload' page can be chained with an LFI in the 'Edit Language Variables' page. Together, these chained bugs lead to authenticated RCE.
This exploit illustrates yet another way to abuse the infamous dtprintinfo binary distributed with the Common Desktop Environment (CDE), a veritable treasure trove for bug hunters since the 1990s. It's not the most reliable exploit I've ever written, but I'm quite proud of the new vulnerabilities I've unearthed in dtprintinfo with the latest Solaris patches (CPU January 2021) applied. The exploit chain is structured as follows: Inject a fake printer via the printer injection bug I found in lpstat, exploit the stack-based buffer overflow I found in libXm ParseColors(), and enjoy root privileges!
The value of manual insertion point 1 is copied into the HTML document as plain text between tags. The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in the manual insertion point 1. This input was echoed unmodified in the application's response.