An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application. The malicious request contains an SQL query in the form of a parameter value that is passed to the vulnerable application. This can allow an attacker to gain access to sensitive information stored in the database, such as user credentials, or to modify the data stored in the database.
A SQL injection vulnerability exists in the Joomla component com_job (showMoreUser task), which allows an attacker to execute arbitrary SQL commands on the underlying database. The vulnerability is due to insufficient sanitization of user-supplied input in the 'id' parameter of the 'showMoreUser' task. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL commands to the vulnerable application. Successful exploitation of this vulnerability can allow an attacker to gain access to sensitive information stored in the database, modify or delete data, or even execute arbitrary system commands.
A regular user of the board can embed JavaScript code that could be executed within the context of the admin's browser. If the user edits their own profile by going to "http://[server]/viscacha/editprofile.php?action=profile", places "<script>alert(document.cookie)</script>" into the instant messenger fields, and then gives the following link to the admin: http://[server]/viscacha/profile.php?action=ims&type=msn&id=1, the user could potentially log the admin's cookie and reset their own session, thus gaining administrative access.
Audio Workstation is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
Issues with the H.225 RAS implementation in TANDBERG codecs have been confirmed when FIPS 140 mode is set to active. For the DoS to affect the Tandberg, H.323 Gatekeeper mode must be set to 'On' or 'Auto' as opposed to 'Off'. The Tandberg endpoint does not have to be registered with a gatekeeper. The DoS is simply sending a RAS URQ request more than 3280 times. The Tandberg endpoint will swiftly run out of memory to process the requests and subsequently reboot. The number of packet repetitions required to crash the device depends on how many other legitimate requests the endpoint is holding in its stack; if the tester wishes for clean results, she/he may wish to reboot the endpoint before running the PoC. However, in a live remote exploit it is difficult to fit in any payload after the crashing packet, as the person attempting this would have no control over what is already in the endpoint's network stack. Due to the nature of video conferencing, this DoS would be effective on a large number of endpoints that are on public IP addresses. It is quite possible that routed endpoints (traversal, NAT, port forwarding) would allow this packet through, as it is seemingly legitimate (most VC network admins set up deep packet inspection exclusions for the VC endpoints due to the nature of RTP, which in TCPDUMP looks like a UDP flood anyway).
MarieCMS v0.9 is vulnerable to Remote File Inclusion, Local File Inclusion, Persistent XSS and Shell Upload (Authenticated User). For Remote File Inclusion, an attacker can send a malicious URL to the vulnerable server in the page parameter. For Local File Inclusion, an attacker can send a malicious URL to the vulnerable server in the mod parameter. For Persistent XSS, an attacker can put a malicious script in the Name field on the page http://server/mariecms/?page=addgb&mod=gaestebuch. For Shell Upload (Authenticated User), an attacker can rename shell.php to shell.jpg.php and upload it into the galleryupload section. Then, the attacker can view images to get the image id for shell.jpg.php and access the shell.
A vulnerability exists in the IRAN N.E.T E-commerce Group script, which allows an attacker to inject malicious SQL commands into vulnerable parameters. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerable parameter is the 'id' parameter in the 'zcat.php' and 'cat.php' scripts.
The CoreHTTP web server contains a vulnerability in its request-parsing call (line 46: "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ ]", req, url);) that can lead to denial of service attacks against the CoreHTTP web server and potentially to the remote execution of arbitrary code with the privileges of the user running the server. A proof-of-concept exploit has been developed to demonstrate the vulnerability.
This module exploits a stack overflow in gAlan 0.2.1. By creating a specially crafted .galan file, an attacker may be able to execute arbitrary code.
This exploit targets a buffer overflow vulnerability in gAlan (.galan file parsing). It allows an attacker to execute arbitrary code by overflowing a buffer and overwriting the return address. The exploit uses a PexAlphaNum encoder to encode the shellcode and then writes it to a file called exploit.galan. The exploit then uses a CALL ESI from glib-1_3 to transfer execution to the shellcode.