
Explore Vulnerabilities


Explore all Exploits:

Jedox 2020.2.5 – Stored Cross-Site Scripting in Log-Module

A stored cross-site scripting vulnerability allows remote authenticated users to inject arbitrary web script or HTML into the logs page via the log module. To exploit the vulnerability, the attacker must append an XSS payload to a log message.

Jedox 2022.4.2 – Remote Code Execution via Directory Traversal

A directory traversal vulnerability in /be/erpc.php allows remote authenticated users to execute arbitrary code. To exploit the vulnerability, the attacker must have permission to upload files. The attacker first uploads a file using one of the existing file upload mechanisms (e.g. Import in Designer). When a file is uploaded, the web application returns its file system path in the JSON body of the HTTP response (look for `fspath`). The attacker can then use that file system path to achieve RCE via directory traversal by sending a POST request to /be/erpc.php whose body contains the command to be executed.

Jedox 2022.4.2 – Code Execution via RPC Interfaces

A Remote Code Execution (RCE) vulnerability in /be/rpc.php and /be/erpc.php allows remote authenticated users to load arbitrary PHP classes from the rtn directory and to execute their methods. To exploit this vulnerability, the attacker needs knowledge of the loadable classes, their methods and their arguments.

Cmaps v8.0 – SQL injection

The vulnerability found is an SQL injection in the `bookmap` parameter. When visiting the page http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test we get the normal JSON response. However, if a single quote is appended to the value of the `bookmap` parameter we get an error message, and if two single quotes are appended we get the normal response without an error. This indicates the possibility of SQL injection. To prove it, we append the following payload: '-(select*from(select+sleep(2)+from+dual)a)--+. The page then sleeps for two seconds, which confirms the SQL injection.

Wolf CMS 0.8.3.1 – Remote Code Execution (RCE)

Wolf CMS 0.8.3.1 is vulnerable to Remote Code Execution (RCE). An attacker can exploit this vulnerability by creating a malicious PHP file, entering shell code and saving the file. The attacker can then access the file at https://localhost/wolfcms/public/shell.php to execute the code.

Advanced Host Monitor > 12.56 – Unquoted Service Path

An unquoted service path vulnerability has been discovered in Advanced Host Monitor version > 12.56, affecting the executable "C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe". The vulnerability occurs because the service's path is misconfigured, allowing an attacker to have a malicious file run instead of the legitimate executable associated with the service. An attacker with local user privileges could exploit this vulnerability by placing a malicious file with the same name as the legitimate rma_active.exe service executable in a directory that is searched with higher priority than the legitimate directory. When the service starts, it will then run the malicious file instead of the legitimate executable, allowing the attacker to execute arbitrary code, gain unauthorized access to the compromised system, or stop the service from functioning.

KodExplorer v4.51.03 – Pwned-Admin File-Inclusion – Remote Code Execution (RCE)

By using this vulnerability remotely, the malicious pwned_admin can list and manipulate all files on the server. This is an absolutely DANGEROUS and STUPID decision from the application owner! In this scenario, the attacker prepares the machine for exploitation and sends a link for remote execution using cURL to his supporter, another attacker. Then he waits for his colleague to execute it, to mask his own action or even worse. What a nice hack this is! :)

GLPI 9.5.7 – Username Enumeration

This exploit allows an attacker to enumerate valid usernames on GLPI versions 9.1 through 9.5.7 by sending POST requests to the lostpassword.php page with a list of email addresses. If an address is valid, the response contains a message indicating that an email has been sent to it. This difference in responses can be used to enumerate valid usernames on the system.

PHPJabbers Simple CMS 5.0 – SQL Injection

A SQL injection vulnerability exists in PHPJabbers Simple CMS 5.0. An attacker can send a specially crafted HTTP request to the vulnerable application to exploit it. The payloads used in the exploit are boolean-based blind and error-based: the boolean-based blind payload replaces the original value of the 'column' parameter with a malicious value, and the error-based payload extracts data through the 'column' parameter using the EXTRACTVALUE function.
