
Explore Vulnerabilities

Explore all Exploits:

SSH Private Key Exposure

Loadbalancer.org Enterprise VA 7.5.2 contains a default SSH private key which is used to authenticate the root user on the system. This key is stored in the .ssh directory and is accessible to anyone with root access. An attacker can use this key to gain access to the system and execute arbitrary code.

Array Networks vxAG and vAPV Appliances XSS Vulnerability

The vulnerability exists due to insufficient sanitization of user-supplied input in the web interface of the affected appliances. A remote attacker can execute arbitrary HTML and script code in a user's browser session in the context of an affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Exploit: SePortal 2.5 SQL Injection Vulnerability

An SQL injection vulnerability exists in SePortal 2.5, which allows an attacker to execute arbitrary SQL commands on the vulnerable system. The vulnerability is due to the application not properly sanitizing user-supplied input before using it in an SQL query. An attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable application. This can allow the attacker to gain access to sensitive information in the database, modify data, or execute arbitrary commands on the underlying operating system.

RCE Security Advisory

A stack-based buffer overflow vulnerability has been identified in the Free Download Manager. The application parses download requests, which are added to the download queue, but does not properly validate the length of the complete download queue object when it’s removed from the queue by the user. The following function from fdm.exe (source file: Downloads_Deleted.cpp) is triggered on deletion: void CDownloads_Deleted::UpdateDownload(int iItem). This function reads the filename of the download object using CDownloads_Tasks::GetFileName into szFile and adds the whole URL value as a description (in brackets) via an insecure strcat() sequence to szFile during the queue deletion process. Since the application follows HTTP 301 redirects, an attacker who controls the target HTTP server is able to send arbitrarily long filename values to exploit this flaw. If the complete name of the queued download exceeds the size of szFile (10000 bytes), strcat() writes outside the expected memory boundaries. This leads to a stack-based buffer overflow with an overwritten SEH chain or return points, resulting in remote code execution. Successful exploits can allow remote attackers to execute arbitrary code with the privileges of the user running Free Download Manager.

Open Support Blind SQL Injection v2.0 Vulnerability

This vulnerability affects /support/login.php, /support/responder.php and /support/verarticulo.php. An attacker can inject malicious SQL queries into the vulnerable parameters of the application. For example, in /support/login.php, an attacker can inject malicious SQL queries into the emailcorreoelectronico parameter. In /support/responder.php, an attacker can inject malicious SQL queries into the idarticulo and text_content parameters. In /support/verarticulo.php, an attacker can inject malicious SQL queries into the id parameter.

OpenSupports v2.x AuthBypass/CSRF Vulnerabilities

OpenSupports v2.x suffers from CSRF and authentication bypass vulnerabilities. Proof of concept includes a CSRF attack to add staff members and an authentication bypass attack using a username and password of '1'or'1'='1'. No contact from vendor.

Recent Exploits: