SynTail 1.5 Build 566 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests. The following PoC uses the CSRF vulnerability to create a new file bundle, and combines it with one of the stored XSS vulnerabilities. The following PoC uses the CSRF vulnerability to delete a file bundle, and combines it with one of the stored XSS vulnerabilities.
The affected file is /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php, which includes the file /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/helpers/demo.php. The exploit can be used like this: /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php?demo=../test, which would include the test.php file in the same directory, because we need to navigate back from the directory ./filters/../test.php. Now we can include all PHP files on the system.
SynaMan 3.4 Build 1436 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests. The following PoC uses the CSRF vulnerability together with one of the stored XSS vulnerabilities, to create a new shared folder in the application. The following PoC uses the CSRF vulnerability to create a new user with the details shown.
Syncrify 3.6 Build 833 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests. The following PoC uses the CSRF vulnerability to change the SMTP settings in the application, and combines it with two of the stored XSS vulnerabilities. The following PoC uses the CSRF vulnerability to change the administrator password.
Xeams 4.5 Build 5755 is vulnerable to CSRF attacks, which can also be combined with stored XSS attacks (authenticated administrators only). The JSESSIONID created when a user logs on to the system is persistent and does not change across requests. The following PoC uses the CSRF vulnerability to create a new SMTP domain in the application, and combines it with one of the stored XSS vulnerabilities. The following PoC uses the CSRF vulnerability to create a new user with the details shown.
The Vulnerability Laboratory Research Team discovered a directory traversal web vulnerability in the official Album Streamer v2.0 iOS mobile web-application. The security vulnerability allows a remote attacker to request system path variables without authorization to compromise the mobile application or Apple iOS device. The vulnerability is located in the `id` request to the `path` value of the photoDownload module. The vulnerability can be exploited by local or remote attackers without user interaction. The attacker can inject their own malicious script code into the vulnerable parameter value to compromise the mobile application or Apple iOS device.
Freshmail is an email marketing plugin for WordPress that allows the administrator to create mail campaigns and keep track of them. There is a SQL injection vulnerability available to collaborators (or higher privileged users) on websites with the Freshmail plugin installed. The SQL injection is located in the attribute "id" of the inserted shortcode [FM_form *id="N"*]. The shortcode attribute "id" is not sanitized before it is inserted into a SQL query. A collaborator can insert shortcodes when he/she is editing a new post or page and can preview the results (no administrator approval needed), launching this SQL injection.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of elFinder. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the 'cmd' parameter. By creating a file with a crafted name, an attacker can inject arbitrary code into the application. An attacker can leverage this vulnerability to execute code under the context of the web server.
A local file include web vulnerability has been discovered in the official AppzCreative - PDF Converter & Text Editor v2.1 iOS mobile web-application. The local file include web vulnerability allows remote attackers to include local file/path requests or system specific path commands without authorization to compromise the mobile web-application. The web vulnerability is located in the `filename` value of the `submit upload` module. Remote attackers are able to inject their own malicious file requests to compromise the mobile web-application.
The Vulnerability Laboratory Research Team discovered a local file include web vulnerability in the official vPhoto-Album v4.2 iOS mobile web-application. The local file include web vulnerability allows remote attackers to include local file/path requests or system specific path commands without authorization to compromise the mobile web-application. The vulnerability is located in the `name` value of the wifi interface module. Local attackers are able to manipulate the wifi web interface by using the vulnerable sync function. The sync does not encode or parse the context of the `name` value.