PrusaSlicer up to and including version 2.6.1 is vulnerable to arbitrary code execution when exporting g-code from a malicious 3mf project. By manipulating the 'Metadata/Slic3r_PE.config' file within the project, an attacker can insert a post-processing script that executes arbitrary code upon g-code export. This exploit has been demonstrated on both Windows and Linux platforms.
An attacker can exploit a stored Cross-Site Scripting vulnerability in Backdrop CMS 1.23.0 by inserting malicious scripts into the body of a post. By crafting a specific payload and saving the post, the attacker can execute arbitrary scripts in the context of other users' browsers.
SQL injection vulnerability in Purei CMS 1.0 allows attackers to manipulate backend SQL statements by injecting malicious code through user inputs, potentially compromising the integrity of the database or exposing sensitive information.
LaborOfficeFree software installs a MySQL instance running as SYSTEM, where the MySQL root password is calculated based on constants. The program uses a reverse algorithm to calculate the root password each time it needs to connect to MySQL as root. This vulnerability affects version 19.10, but potentially also impacts versions prior to 19.10.
E-INSUARANCE v1.0 is vulnerable to stored cross-site scripting (XSS) attacks. An attacker can inject malicious code into the Firstname and Lastname parameters in the profile component, allowing them to execute arbitrary scripts.
CE Phoenix v1.0.8.20 allows authenticated remote attackers to execute arbitrary code via the define_language.php lngdir parameter.
An attacker can exploit a SQL injection vulnerability in Elementor Website Builder version less than 3.12.2 by sending a malicious payload through the 'Replace URL' feature. By executing a specific SQL command, the attacker can make the server hang for 2 seconds, indicating a successful injection.
Daily Expense Manager 1.0 is vulnerable to SQL injection through the 'term' parameter in the readxp.php file. An attacker can inject malicious SQL queries via the 'term' parameter, leading to unauthorized access to the database.
A broken access control vulnerability was found in NodeBB v3.6.7, allowing unauthorized users to access restricted information meant for administrators only. By manipulating certain attributes in the JSON response after intercepting the group request, users with minimal privileges can access tabs limited to administrators. This issue was acknowledged and fixed by the developers upon discovery.
The Insurance Management System PHP and MySQL 1.0 allows for multiple stored cross-site scripting (XSS) vulnerabilities. An attacker can inject malicious payloads, such as <img src=x onerror=prompt("xss")>, into various input fields like Subject, Description, fname, lname, city, and street. When an admin views specific pages like Support Tickets or Users, the XSS payloads are executed.
Services By CQR