DreamBox DM800 is a powerful receiver for digital TV and Radio programs based on Linux. This exploit allows an attacker to remotely disclose files from the DreamBox DM800 <= 1.5rc1 device. The exploit is done by sending a GET request to the device with the file path as a parameter.
Excel 2003 is a spreadsheet program, part of the Office 2003 suite still supported by Microsoft. The use-after-free is probably located in the code that handles the vbscript macros. How to replicate: open the proof-of-concept via web or manually; select No when prompted with 'An error occurred while loading 'Module1'. Do you want to continue loading the project?'; select OK when prompted with 'Unexpected error (32790)'; select Yes or No when prompted with 'Excel found unreadable content in ...'
An attacker can exploit this vulnerability by sending a crafted SQL query to the vulnerable application. This can be done by sending a specially crafted HTTP request to the vulnerable application. The vulnerable parameter is ‘poll_ident’ which is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation of this vulnerability can allow an attacker to gain access to sensitive information from the database.
This exploit shows a race condition to subvert recent changes preventing symlinks and checking path prefixes.
This exploit allows an attacker to mount a vfat filesystem anywhere they want. By mounting a file system image over /etc, the attacker is able to tinker with /etc/passwd and make the root password temporarily 'toor'.
An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable server. The request contains a maliciously crafted URL which contains the path of the local file which the attacker wants to download. The vulnerable server will then respond with the contents of the local file.
The Jara v1.6 application is vulnerable to SQL Injection, Authentication Bypass and Cross Site Scripting. The SQL Injection vulnerability exists in the category.php file, where user-supplied input is not properly sanitized before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The Authentication Bypass vulnerability exists in the auth_fns.php file, where user-supplied input is not properly sanitized before being used in an SQL query. This can be exploited to bypass authentication by entering ' or 1=1 # as the username. The Cross Site Scripting vulnerability exists in the search.php file, where user-supplied input is not properly sanitized before being used in an SQL query. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CaupoShop Pro (2.x/ <= 3.70) is vulnerable to a Local File Include vulnerability. This vulnerability allows an attacker to include a local file, usually through a script on the web server. An attacker can exploit this vulnerability by manipulating the 'template' parameter in a malicious URL request to the vulnerable CaupoShop Pro application. This can allow an attacker to view sensitive files on the web server, such as configuration files containing database usernames and passwords.
Calibre uses a suid mount helper, and like nearly all suid mount helpers that have come before it, it's badly broken. It allows an attacker to create a directory owned by root anywhere they want, remove any empty directory they want, create and remove anything_we_want/.some_stupid_marker, unmount and eject any device that they want (as root), as well as mount any vfat filesystem that they'd like. It also allows an attacker to pass params directly to mount, to some degree, and control argv[1] to some degree.