The exploit allows an unauthenticated attacker to execute arbitrary commands on the vulnerable ZoneMinder instances prior to versions 1.36.33 and 1.37.33. By manipulating a crafted request, the attacker can inject and execute commands on the system. This vulnerability is identified as CVE-2023-26035.
The Rapid7 Nexpose Security Console version 6.6.240 on Windows 10 x64 is vulnerable to an unquoted service path issue. By inserting malicious code into the system root path, an attacker could potentially execute the code with elevated privileges during application startup or reboot.
The ESET NOD32 Antivirus version 17.0.16.0 on Windows 10 has an unquoted service path vulnerability. An attacker could exploit this by placing a malicious executable in a directory included in the system's PATH environment variable, leading to arbitrary code execution. This vulnerability has been identified as CVE-2024-XXXXX.
Terratec dmx_6fire USB software installs a service with an unquoted service path that runs with SYSTEM privileges. This vulnerability could be exploited by a non-privileged local user to execute arbitrary code with elevated privileges on the system.
An SQL injection vulnerability exists in the *miniform* module of WBCE CMS version 1.6.0. The vulnerability allows unauthenticated attackers to access and potentially take over the entire database. The issue arises from the lack of authentication checks in the file /modules/miniform/ajax_delete_message.php, specifically in a DELETE query on line 40. The vulnerability can be exploited by using a tick sign (`) to manipulate the query. The vulnerable parameter is DB_RECORD_TABLE.
The vulnerability allows attackers to manipulate SQL queries in the application's database by injecting malicious SQL code through the client-side input fields. Successful exploitation can lead to unauthorized access, data manipulation, administrative actions on the database, file system content retrieval, and potentially executing commands on the operating system.
The Savsoft Quiz v6.0 Enterprise software is prone to a Persistent Cross-Site Scripting (XSS) vulnerability due to improper validation of user-supplied data in the 'quiz_name' parameter. An attacker can exploit this issue by injecting malicious scripts, potentially leading to the execution of arbitrary code in the context of the affected site. This vulnerability was tested on Kali Linux and Windows 10.
A vulnerability in djangorestframework-simplejwt version <= 5.3.1 allows for various security issues such as Business Object Level Authorization (BOLA), Business Function Level Authorization (BFLA), and Information Disclosure. This vulnerability permits users to access web application resources even after their account has been deactivated due to inadequate user validation checks.
The 'your_name' parameter in WEBIGniter v28.7.23 lacks proper input validation, leading to a vulnerability where an attacker can execute malicious JavaScript code by injecting it into the parameter. This can result in reflected cross-site scripting (XSS) attacks, potentially compromising user data and system integrity.
A vulnerability in Metabase version 0.46.6 allows remote attackers to execute arbitrary code before authentication. By sending a crafted request to the '/exploitable' endpoint, an attacker can trigger the execution of malicious code on the target server. This vulnerability has been assigned CVE-2023-38646.
Services By CQR