Explore all Exploits:

Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE SQL Injection Exploit

This exploit allows an attacker to gain access to the password hashes of Oracle 10g R1 users. The exploit uses the XDB.XDB_PITRIG_PKG.PITRIG_TRUNCATE function to execute a malicious SQL statement that inserts the user_id, username, and password of all users into a table called SH2KERR. The attacker can then access the table to view the password hashes.

WordPress Plugin fGallery 2.4.1

A vulnerability exists in the WordPress Plugin fGallery 2.4.1 that allows an attacker to inject malicious SQL queries into the application. The 'album' parameter of the 'fim_rss.php' script accepts arbitrary SQL code, which lets an attacker manipulate SQL queries and disclose the admin credentials of the application.

WordPress Plugin WP-Cal Remote SQL Injection Vulnerability

A Remote SQL Injection vulnerability exists in the WordPress Plugin WP-Cal. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This can allow the attacker to gain access to sensitive information such as usernames, passwords, and emails stored in the database.

bubbling library v1.32 multiple Local File Inclusion Vulnerabilities

bubbling library v1.32 contains multiple Local File Inclusion vulnerabilities. An attacker can exploit them by sending a maliciously crafted HTTP request to the vulnerable server, including a local file on the server through the vulnerable parameters page, tpl, uri, etc. This can lead to the disclosure of sensitive information such as system and application data, and may lead to further attacks.

SQL Injection Vulnerabilities in phpIP 4.3.2

There are numerous SQL injection vulnerabilities in phpIP 4.3.2, and probably previous versions. Most of the data obtained from the request variables ($_GET, $_POST, $_COOKIE, etc.) is not sanitized before it is passed to MySQL. This may result in unauthorized administrative access to phpIP and read access to the database, among other things. One such vulnerability allows an attacker to gain administrative access to the application without already having access to an existing user account. There is also the risk of information disclosure through another SQL injection vulnerability found in display.php.

SIMPLE FORUM v 3.2 MULTIPLE VULNERABILITIES

SIMPLE FORUM v3.2 is vulnerable to XSS and Remote File Disclosure. XSS can be exploited by sending a malicious payload in the 'open' and 'date_show' parameters of the forum.php page. Remote File Disclosure can be exploited by sending a malicious payload in the 'file' parameter of the thumbnail.php page.

Namo Web Editor NamoInstaller.dll install Method Exploit

A vulnerability exists in Namo Web Editor ActiveSquare 6 NamoInstaller.dll which allows remote attackers to execute arbitrary code. The vulnerability is due to a design error when handling the Install() method of the ActiveX control. By using the Install() method, a remote attacker can execute arbitrary code on the vulnerable system.

Flinx 1.3 & Below Remote SQL Injection Vulnerability

A vulnerability exists in Flinx 1.3 & below which allows an attacker to inject arbitrary SQL commands. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in the 'id' parameter in category.php. An attacker can use this vulnerability to gain access to the database and extract sensitive information such as usernames and passwords.

Recent Exploits: