Binwalk 2.1.2b through 2.3.2 is vulnerable to a remote command execution vulnerability. An attacker can craft a malicious .png file and send it to the victim, which when opened with Binwalk, will execute arbitrary code on the victim's machine. The exploit is written in Python and uses the netcat utility to open a reverse shell on the victim's machine.
This vulnerability allows an attacker to gain access to sensitive information stored on a vulnerable system. It affects Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB. An attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable system. Successful exploitation of this vulnerability can result in the disclosure of sensitive information.
This exploit allows an authenticated user to execute arbitrary system commands on a vulnerable PostgreSQL 9.6.1 instance. The exploit uses a PostgreSQL feature called PL/pgSQL to execute the commands. The exploit requires the user to provide the IP address, port, username and password of the PostgreSQL instance. The user can then provide a system command to be executed on the vulnerable instance.
Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?' Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
An attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable server. This can allow the attacker to upload malicious files to the server, which can be used to gain access to the server.
D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request.
The application permits to send a message to the admin from the section 'contacts'. Including a XSS payload in title or message, maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it.
The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it.
The value of manual insertion `point 1` is copied into the HTML document as plain text between tags. The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in the manual insertion point 1. This input was echoed unmodified in the application's response.
Kardex Mlog MCC 5.7.12 is vulnerable to Remote Code Execution. An attacker can exploit this vulnerability by uploading a malicious payload to the target system and executing it. The payload contains a reverse shell which can be used to gain access to the target system. The attacker needs to run a netcat listener beforehand to receive the reverse shell.
Services By CQR