An authentication bypass vulnerability in Pre Car Lister allows an attacker to log in by entering anything' OR 'x'='x as both the username and the password. This gives the attacker access to the admin panel.
An authentication bypass vulnerability exists in E-topbiz Online Store 1. An attacker can exploit it to bypass authentication and gain access to the application by supplying a specially crafted username and password: the username is the real admin name followed by ' or ' 1=1, and the password is ZoRLu. For the demo, the username is admin ' or ' 1=1-- and the password is ZoRLu.
Feederator - RSS manager Component 1.0.5 contains multiple Remote File Inclusion vulnerabilities. The vulnerable files are add_tmsp.php, edit_tmsp.php, subscription.php and tmsp.php. An attacker can exploit these vulnerabilities by sending a malicious URL to the vulnerable application; the file referenced by that URL is included, and the malicious code it contains is executed on the vulnerable application.
Multiple Remote File Inclusion vulnerabilities exist in com_clickheat version 1.0.1. The vulnerable files are install.clickheat.php, _main.php, main.php, overview/main.php, Cache.php, Clickheat_Heatmap.php, and GlobalVariables.php. An attacker can exploit these vulnerabilities by sending a maliciously crafted HTTP request whose mosConfig_absolute_path parameter contains a URL pointing to a malicious file. This can allow the attacker to execute arbitrary code on the vulnerable system.
The vulnerability is due to insufficient sanitization of user-supplied input passed via the 'r' parameter to the 'listtest.php' script. It can be exploited to manipulate SQL queries by injecting arbitrary SQL code, and to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
U&M Software Event Lister v1.0 has an authentication bypass vulnerability. An attacker can bypass the authentication process by directly accessing any of the following paths: http://localhost/[path]/admin/start.php, http://localhost/[path]/admin/aktivitet.php, http://localhost/[path]/admin/prop_aktivitet.php, http://localhost/[path]/admin/kategorier.php, http://localhost/[path]/admin/konfig.php, http://localhost/[path]/admin/security.php, http://localhost/[path]/admin/manual.php. Live examples can be found at http://www.justlistit.uochm.com/demo/admin/start.php and http://www.justlistit.uochm.com/demo/admin/index.php.
U&M Software JustBookIt v1.0 has an authentication bypass vulnerability. An attacker can bypass the admin login by directly accessing one of the following paths: http://localhost/[path]/admin/user_manual.php, http://localhost/[path]/admin/user_config.php, http://localhost/[path]/admin/user_kundnamn.php, http://localhost/[path]/admin/user_kundlista.php, http://localhost/[path]/admin/user_aktiva_kunder.php, http://localhost/[path]/admin/database.php. Live examples of this exploit can be found at http://www.justbookit.uochm.com/demo/admin/index.php and http://www.justbookit.uochm.com/demo/admin/user_config.php.
U&M Software Signup v1.1 has an authentication bypass vulnerability. An attacker can bypass the authentication process by directly accessing one of the following paths: http://localhost/[path]/admin/adminstart.php, http://localhost/[path]/admin/admineventtype.php, http://localhost/[path]/admin/admineventdetails.php, http://localhost/[path]/admin/admineventlist.php, http://localhost/[path]/admin/adminuserslist.php, http://localhost/[path]/admin/adminleaderslist.php, http://localhost/[path]/admin/admindatabase.php. This vulnerability can be exploited remotely.
e-Vision <= 2.0.2 is vulnerable to multiple local file inclusion vulnerabilities. The exploit only works when magic_quotes_gpc is turned off. An attacker can exploit these vulnerabilities by sending a crafted HTTP request with malicious parameters to the vulnerable server, which can allow the attacker to read sensitive files from the server.
An attacker can exploit this vulnerability by sending a crafted SQL query to the application via the 'manufacturers_id' parameter of the 'index.php' page. The crafted query can be used to extract information from the database, such as usernames and passwords.