A SQL injection vulnerability exists in Openemr-4.1.0 due to improper sanitization of user-supplied input in the 'add_edit_issue.php' script. An attacker can exploit this vulnerability to execute arbitrary SQL commands in the application's database, potentially allowing them to access or modify sensitive data. The vulnerability is located in the '$irow' variable of the 'add_edit_issue.php' script. An attacker can send a specially crafted HTTP request containing malicious SQL statements to the vulnerable script and execute arbitrary SQL commands in the application's database.
Yet Another CMS 1.0 is prone to multiple SQL Injection and XSS vulnerabilities. The vulnerability is due to the application's failure to properly sanitize user-supplied input before using it in an SQL query. An attacker can exploit this vulnerability by submitting malicious SQL statements in the 'pattern' parameter of the 'search.php' script. This can allow the attacker to view, add, modify or delete records in the back-end database.
The nnframework plugin by NoNumber! contains multiple vulnerabilities. This plugin is shipped with all NoNumber extensions. Local File Inclusion can be done by passing the file parameter with the LFI payload. Open Proxy/Open cURL/Shell Upload can be done by passing the url parameter with the remote host and the url_options[CURLOPT_POSTDATA] parameter with the post data. It is also possible to gain remote access by setting up a remote page that sets the cookie, forcing the victim site to write a cookie file, POSTing a single variable containing shellcode to the victim site and executing the shellcode.
This module exploits a file creation vulnerability in the Webkit rendering engine. It is possible to redirect the output of an XSLT transformation to an arbitrary file. The content of the created file must be ASCII or UTF-8. The destination path can be relative or absolute. This module has been tested on Safari and Maxthon. Code execution can be achieved by first uploading the payload to the remote machine in VBS format, and then uploading a MOF file, which enables the Windows Management Instrumentation service to execute the VBS.
Bug found by Flyh4t & alpha.liu. SIR GNUBoard (http://sir.co.kr) is a widely used bulletin board system of Korea. It is freely available for all platforms that support PHP and MySQL. But we find a SQL injection that affects SIR GNUBoard version 4.33.02. The code can be downloaded here: http://sir.co.kr/main/gnuboard4/. The vulnerable code is in /bbs/tb.php, where $_SERVER[PATH_INFO] is not affected by the magic_quotes_gpc setting of PHP, allowing arbitrary SQL code to be injected through $_SERVER[PATH_INFO]. The $write_table can be injected through $bo_table, leading to SQL injection, with no need for single quotes. The Proof of Concept is bbs/tb.php/[sql]/[sql].
Dominant Creature BBG/RPG browser game is vulnerable to Cross-Site Scripting (XSS) attacks. An attacker can exploit this vulnerability by sending a malicious script in the message box of the Duel opponents page. The malicious script will be executed when the victim views the message. This can be used to steal the victim's cookies and gain access to their account.
A vulnerability has been discovered in the WordPress plugin BackWPup 2.1.4 which can be exploited to execute local or remote code on the web server. There is a lack of data validation on the BackWPUpJobTemp POST parameter of job/wp_export_generate.php allowing an attacker to specify FTP resources as input. This resource is downloaded and deserialised by the wp_export_generate.php script and variables from this deserialisation are later passed to require_once.
This module exploits a vulnerability found in Apple Safari on the OSX platform. A policy issue in the handling of file:// URLs may allow arbitrary remote code execution under the context of the user. In order to trigger arbitrary remote code execution, the best way seems to be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or a file format that OSX might automount), and then executing it in /Volumes/[share]. If there's some kind of bug that leaks the victim machine's current username, then it's also possible to execute the payload in /Users/[username]/Downloads/, or else bruteforce your way to getting that information. Please note that non-Java payloads (*.sh extension) might get launched by Xcode instead of being executed; in that case please try the Java ones instead.
This module exploits a stack-based buffer overflow vulnerability in version 7.5.1 86 of Real Networks Netzip Classic. In order for the command to be executed, an attacker must convince someone to load a specially crafted zip file with NetZip Classic. By doing so, an attacker can execute arbitrary code as the victim user.
Ruubikcms v 1.1.0 is vulnerable to a Local File Inclusion vulnerability due to a lack of proper sanitization of user-supplied input. An attacker can exploit this vulnerability by sending a crafted HTTP request with a malicious file path in the 'f' parameter of the '/extra/image.php' script. This will allow the attacker to read any file on the server.