Multiple persistent XSS vulnerable fields exist on the 'Modify User' form (nome, usuario, email, etc.). An attacker can leverage the existing CSRF vulnerability to update a victim's profile and store a malicious XSS payload, or a malicious user can inject their own payload when updating their profile, affecting other users and the security of the whole application. Multiple reflected XSS issues exist as well in the following PHP pages, all via the same vulnerable parameter 'dir' when issuing GET requests.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ShellShock.
vBulletin's memcache setting is vulnerable in certain versions (all before 4.2.2) to an RCE. The remote upload as implemented by the vB_Upload_* classes and vB_vURL (at least in vB 4.2.x; earlier releases are most probably also affected, and vB 5 might be affected as well) does not restrict the destination ports and hosts for remote uploads. This allows an attacker to abuse the function as a proxy to perform TCP port scans on other hosts. Much worse, it also allows connections to local loopback-only services or to services only exposed on an internal network. On a setup running e.g. Memcached in its default configuration (bound to localhost:11211, no authentication), the latter can be exploited to execute arbitrary code by forging a request to memcached that updates the `pluginlist` value.
This module will exploit the Werkzeug debug console to obtain a Python shell. This debugger 'must never be used on production machines', but it sometimes slips past testing.
This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when processing a specially crafted .VSC file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.
FTP Commander is vulnerable to a buffer overflow when a user enters a long string of characters into the 'Custom Command' input box. This can lead to an SEH overwrite, allowing an attacker to execute arbitrary code on the vulnerable system.
Nuts CMS is vulnerable to PHP code injection due to improper input validation. An attacker can exploit this vulnerability by sending a malicious HTTP request to the vulnerable server with a payload that will be executed on the server.
The Sagemcom modem does not authenticate users when requesting pages, only when posting forms. The password.html page loads the admin password in clear text and stores it in JavaScript, which is viewable without any credentials.
A remote code execution vulnerability exists in Microsoft Windows HTA (HTML Application) due to improper validation of user-supplied input. An attacker could exploit this vulnerability by convincing a user to open a specially crafted HTA file. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the current user.
MASM32 quick editor .QSE SEH-based buffer overflow (ASLR & SAFESEH bypass) is a vulnerability that allows an attacker to execute arbitrary code by overflowing a buffer and overwriting the SEH handler. The exploit uses a 95-byte 'Little Joke' shellcode that shuts down the system. It bypasses ASLR and SAFESEH by using an opcode (e2) that forms the instruction 8ce2 (MOV DX,FS), after which execution flow can continue.