There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php: an unauthenticated user can upload any file to the system, including a .php file. The upload.php script doesn't check that the user is authenticated, and a simple POST will allow arbitrary code to be uploaded to the server.
The se-html5-album-audio-player v1.1.0 plugin for WordPress has a remote file download vulnerability. The download_audio.php file does not correctly check the file path; it only attempts to check whether the path is in /wp-content/uploads, which is easily defeated with ../.
Login to the admin area requires a password but is easily bypassed using the classic SQL injection method because the application uses concatenated user input to construct SQL queries. Another persistent XSS vector is in the author field for comments.
Opsview is a monitoring system based on Nagios Core. Opsview is prone to several stored and reflected XSS vulnerabilities in the latest version. Stored XSS can be injected through a malicious check plugin or in the host profile. Reflected XSS can be injected in the Test service check page.
Multiple CSRFs exist in the Nakid CMS, allowing an attacker to change the admin password, add arbitrary users to the system, and alter system settings. Persistent XSS vulnerabilities exist in the username, password, email, fname, lname, from_name, include_path, primary_email, from_email, and title parameters. An authentication bypass LFI vulnerability exists in the content parameter.
GoldWave 6.1.2 is vulnerable to a local crash exploit. An attacker can create a file named 'poc.txt' and copy 'http://AAAAAAAA...' into it. When the user runs GoldWave 6.1.2 and opens the URL, the application will crash.
ClickHeat is vulnerable to a CSRF attack because it does not implement a CSRF token when updating the config file. If an authenticated admin is tricked into opening this malicious URL, the form will be submitted which changes the administrator password to the one the attacker has specified.
Beginning in OSSEC 2.7 (d88cf1c9), a feature called 'report_changes' was added to syscheck, the daemon that monitors file changes on a system. This feature is only available on *NIX systems. Its purpose is to help determine what about a file has changed. The logic to accomplish this is as follows, which can be found in src/syscheck/seechanges.c: Above, on line 258, the system() call is used to shell out to the system's 'diff' command. The raw filename is passed in as an argument, which presents an attacker with the possibility to run arbitrary code. Because the syscheck daemon runs as the root user so that it can inspect any file on the system for changes, any code run using this vulnerability will also be run as the root user. An example attack might be creating a file called 'foo-$(touch bar)', which should create another file 'bar'. Again, this vulnerability exists only on *NIX systems and is contingent on the following criteria: 1. A vulnerable version is in use. 2. The OSSEC agent is configured to use syscheck to monitor the file system for changes. 3. The list of directories monitored by syscheck includes those writable by underprivileged users. 4. The 'report_changes' option is enabled for any of those directories. The fix for this is to create temporary trusted file names that symlink back to the original files before calling system() and running the system's 'diff' command.
The forms in the admin area of the plugin are vulnerable to CSRF, via which the contact forms generated are susceptible to XSS via unsanitized POST parameters. For example, the admin function of updating an existing form can be done via CSRF. Hence, by submitting a crafted HTML string in the parameters via CSRF, an XSS attack gets launched which affects all the visitors of the page(s) containing the contact form.
AnimaGallery 2.6 is vulnerable to a local file include vulnerability due to a lack of taint checking in the 'theme' and 'lang' cookie parameters. An attacker can exploit this vulnerability by sending a maliciously crafted cookie to the server, which can lead to the disclosure of sensitive information.