The vulnerability exists due to insufficient filtering of user-supplied data passed via the 'cat_id' parameter to the '/directory.php' script. A remote attacker can execute arbitrary SQL commands in the application's database, cause a denial of service, access or modify sensitive data, exploit latent vulnerabilities in the underlying database, and compromise the system.
A vulnerability in Absolute Newsletter 6.1 allows an attacker to set an arbitrary cookie value. By setting the cookie value to 'lvl=1&userid=1&usr=admin&s=TYPE A SERIES OF RANDOM NUMBERS AND CHARACTERS HERE; path=/' and navigating to /menu.aspx, an attacker can gain administrative access to the application.
The vulnerability is caused by user input passed to the 'cid' parameter in the 'showcategory.php' script not being properly sanitised before it is used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation may allow an attacker to gain access to the affected application, disclose sensitive information from the database, modify data, and so on.
Absolute FAQ Manager is prone to an insecure cookie vulnerability. An attacker can exploit this issue to gain administrative access to the application. The attacker can exploit this issue by executing specially crafted JavaScript code.
A vulnerability in Absolute News Feed allows an attacker to gain administrative access by setting a cookie value. An attacker can set the cookie value to 'xlaAFSuser=p=admin' and then access the administrative panel at http://www.xigla.com/absolutenf/demo/menu.aspx.
A Cross-Site Scripting vulnerability was discovered in Absolute News Manager. An attacker can exploit this vulnerability to inject malicious JavaScript code into the application, which will be executed in the browser of a user when the malicious page is loaded.
A-Link WLAN54AP3 does not validate the origin of an HTTP request. If an attacker is able to make a user view malicious content, the WLAN54AP3 device can be controlled by submitting malicious HTTP requests. This is possible because the device does not require authentication for administrative requests. In addition, no input validation or output encoding is performed in the management interface, making it vulnerable to cross-site scripting.
This vulnerability allows remote attackers to write arbitrary files on vulnerable installations of U-Mail Webmail Server. Authentication is required to exploit this vulnerability. The specific flaw exists in the 'edit.php' file running on the U-Mail Webmail Server. A malicious HTTP POST request can write arbitrary files to the publicly accessible web directories.
The Local File Inclusion vulnerability can be exploited by renaming a shell to config.php and uploading it to the ./ directory. The Cross-Site Scripting vulnerability can be exploited by setting the action parameter to Upgrade%20to%201.7.4 and exploiting the vulnerable variables such as $localapp, $updatedir, $scriptpath_show, $domain_show, $thispage, $thisapp, and $currentversion.
An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable server. The request should contain a malicious SQL query in the 'art' parameter. This malicious query will be executed in the backend database, allowing the attacker to gain access to sensitive information such as usernames and passwords.