Ladder version v0.0.21 is vulnerable to Server-side Request Forgery (SSRF) due to inadequate restrictions on destination addresses. This allows an attacker to send GET requests to addresses that are usually inaccessible externally. Attackers can exploit this to reach private address ranges, locally hosted services, and cloud instance metadata APIs.
The vulnerability in Real Estate Management System v1.0 allows an attacker to upload malicious files and execute command injection payloads on the web server.
Akaunting version 3.1.3 and below are vulnerable to Remote Code Execution (RCE) allowing an attacker to execute arbitrary commands on the target system. By injecting malicious commands through a crafted request to the 'companies' endpoint, an attacker can exploit this vulnerability. CVE-2024-22836 has been assigned to this issue.
An attacker can bypass authentication on Electrolink FM/DAB/TV Transmitter devices due to a lack of proper authentication mechanisms. This vulnerability affects various models and versions of Electrolink transmitters, allowing unauthorized access to the devices.
The exploit allows remote attackers to execute arbitrary code on the target system without authentication. By leveraging a vulnerability in Wordpress Augmented-Reality plugin, an attacker can upload and execute malicious PHP code.
In 2022, a proof of concept was released to bypass the Backdoor:JS/Relvelshe.A detection in Windows Defender. Although the initial method was mitigated, a new approach involves adding a simple JavaScript try-catch error statement and evaluating the hex string to execute the bypass successfully.
The Wordpress Canto plugin before 3.0.5 is vulnerable to Remote File Inclusion (RFI) through the 'wp_abspath' parameter, allowing unauthenticated attackers to execute arbitrary remote code on the server if allow_url_include is enabled. The issue arises from the improper handling of the 'wp_abspath' variable in the 'download.php' code.
CVE-2023-46453 is a remote authentication bypass vulnerability in GLiNet routers with firmware versions 4.x and above. The vulnerability allows an attacker to bypass authentication and access the router's web interface by exploiting a lack of proper authentication checks in the /usr/sbin/gl-ngx-session file.
A Cross Site Scripting (XSS) vulnerability in Petrol Pump Management Software v1.0 allows attackers to execute malicious code by inserting a specially crafted payload into the 'Address' parameter in the add_invoices.php component.
An SQL injection vulnerability was found in WP Fastest Cache plugin version 1.2.2. This vulnerability allows an unauthorized attacker to execute SQL queries on the system.
Services By CQR
