The vulnerability allows for pre-authenticated Remote Code Execution (RCE) on Compuware iStrobe Web version 20.13. By exploiting this vulnerability, an attacker can upload a webshell through a web upload form, utilizing path traversal and arbitrary file upload (.jsp files). The specific vulnerable parameter is 'fileName' which can be manipulated to upload a webshell.
The TELSAT marKoni FM transmitters are vulnerable to unauthenticated remote code execution with root privileges. By manipulating the Email settings' WAN IP info service, which uses the 'wget' module, an attacker can exploit a command injection flaw. This allows unauthorized access with administrative privileges through the 'url' parameter in the HTTP GET request to ekafcgi.fcgi.
WBCE CMS version 1.6.1 is vulnerable to remote command execution. By uploading a malicious file and triggering its execution through the language installation feature, an attacker can execute arbitrary commands on the server. This can lead to unauthorized access, data theft, and other malicious activities. This vulnerability has been assigned CVE-2023-XXXXX.
The vulnerability allows unauthenticated attackers to upload arbitrary files leading to remote code execution. An attacker can exploit this vulnerability by uploading a malicious file containing PHP code. This vulnerability has a CVE assigned: CVE-2024-XXXXX.
The Open Source Medicine Ordering System v1.0 is vulnerable to SQL Injection. By exploiting this vulnerability, an attacker can extract sensitive data from the database, such as admin users' information.
OpenCart Core 4.0.2.3 is vulnerable to SQL Injection through the 'search' parameter in the URL /index.php?route=product/search&search=. Exploiting this vulnerability can lead to a potential compromise of the application, unauthorized access or modification of data, and exploitation of hidden database vulnerabilities.
PopojiCMS version 2.0.1 is vulnerable to remote command execution. By injecting a malicious payload into the Meta Social section under settings, an attacker can execute arbitrary commands on the server. This can lead to unauthorized access and potential data breaches. The exploit allows an attacker to execute system commands, as demonstrated by the payload '<?php echo system('id'); ?>'.
The BMC Log Scanner web application in Nokia's BMC is vulnerable to command injection attacks, which can be exploited for unauthenticated remote code execution. This vulnerability is critical as the service runs with root privileges. By injecting a malicious command in the Search Pattern field, an attacker can execute arbitrary commands on the target system as root.
The 'rename', 'remail', 'rphone', and 'rcity' parameters in the 'updateprofile.php' file of Code-Projects Blood Bank V1.0 are vulnerable to Stored Cross-Site Scripting (XSS) due to lack of proper input validation. An attacker can inject malicious scripts into these parameters, and when stored on the server, these scripts may get executed when viewed by other users.
Wallos, a subscription management system, is vulnerable to a file upload RCE exploit. By manipulating the file upload functionality, an authenticated attacker can upload a malicious .php file containing a web shell. This allows them to execute arbitrary commands on the target system.
Services By CQR