The Grandstream GXV3275 is an Android-based VoIP phone. Several vulnerabilities were found affecting this device. The device ships with a default root SSH key, which could be used as a backdoor. The SSH interface only provides access to a limited CLI, which can be exploited to break out to a shell. The web interface exposes an undocumented command execution API, and allows unprivileged users to escalate privileges by modifying a cookie on the client side.
The code in ./wp-ecommerce-shop-styling/includes/download.php doesn't sanitize user input to prevent sensitive system files from being downloaded. An attacker can use the curl command to download the file from the server.
Centreon 2.5.4 is susceptible to multiple vulnerabilities, including unauthenticated blind SQL injection and authenticated remote system command execution. An attacker can exploit CVE-2015-1560 to obtain a valid session_id, which is required to exploit CVE-2015-1561. By exploiting CVE-2015-1561, an attacker can inject commands into the 'ns_id' and 'end' parameters, which are passed to the popen function.
The SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera is vulnerable to an OS command injection vulnerability in the snwrite.cgi binary. The 'mac' parameter is not properly sanitized before being used in a call to system(). The snwrite.cgi binary also contains hard-coded credentials that can be used to authenticate to the device.
Symantec EP agent and services can be rendered useless even after globally locking down endpoint protection via a Symantec central management server and enabling globally managed password protection controls. Tested successfully on Windows 7 SP1; results may vary between operating systems.
I found a local file include with root level permissions on Cradlepoint routers. So far it looks like it works on MBR1400 and MBR1200 routers, though others could be affected. I say it is with root level because it can read /etc/passwd and there is no 'x' indicating the hash is stored in the /etc/shadow file. Therefore the root hash is included in this file. To access the root hash on Cradlepoint MBRs simply: curl http://192.168.1.1/../../../../../../../../../../../../etc/passwd
This module exploits a use-after-free in Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public in its July 2015 data leak, was described as a use-after-free while handling ByteArray objects. This module has been tested successfully on: Windows XP with Chrome 43 and Adobe Flash 18.0.0.194; Windows 7 SP1 (32-bit) with IE11 and Adobe Flash 18.0.0.194; Windows 7 SP1 (32-bit) with Firefox 38.0.5 and Adobe Flash 18.0.0.194; Windows 8.1 (32-bit) with Firefox and Adobe Flash 18.0.0.194; and Linux Mint "Rebecca" (32-bit) with Firefox 33.0 and Adobe Flash 11.2.202.468.
The SSDP protocol can discover Plug & Play devices, with UPnP (Universal Plug and Play). SSDP is an HTTP-like protocol that works with the NOTIFY and M-SEARCH methods. This exploit can be used to launch a denial of service attack against a vulnerable device.
The router suffers from an authenticated local file inclusion (LFI) vulnerability: input passed through the 'getpage' parameter to the 'webproc' script is not properly verified before being used to include files. This can be exploited to include files from local resources.
No CSRF token exists when making calls to various SQL operations, so an attacker can get a user to drop whole database tables if the user clicks a malicious link and the table name is known. There are three XSS vulnerabilities: the first is the use of 'PHP_SELF', the second is an unsanitized parameter for the SQL statement when calling the drop table method, and the third is an unsanitized 'table' parameter. If the 'PHP_SELF' variable can be controlled, an XSS payload can be injected into the 'PAGE' constant.