
Explore Vulnerabilities


Explore all Exploits:

SQL Injection in Chamilo LMS: CVE-2013-6787

The vulnerability exists due to insufficient validation of the 'password0' HTTP POST parameter passed to the '/main/auth/profile.php' script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.

Microsoft Tagged Image File Format (TIFF) Integer Overflow

This module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a drawing in Microsoft Office, and how it gets calculated from user-controlled inputs and stored in the EAX register. The 32-bit register runs out of storage space to represent the large value, which wraps to 0, but it still gets pushed as the dwBytes argument (size) for a HeapAlloc call. The HeapAlloc function allocates a chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy call, where the source buffer is the EXIF data (an extended image format supported by TIFF) and is also user-controlled. A function pointer is then overwritten with a pointer to the shellcode.

Notepad++ – Notepad# plugin local exploit

With the Notepad# plugin (1.5) and Explorer plugin (1.8.2) installed in Notepad++ 6.3.2, open the HTML file in the attachment and press Enter in the last </script> tag; Npp will crash and calc.exe will open. Without the Explorer plugin this can still be exploited; the Explorer plugin just makes it easier. The NotepadSharp plugin has several stack buffer overflow bugs. In its PluginDefinition.cpp file there are several char buffers of length 9999, all defined on the stack. If a strcpy/memcpy copies more than 9999 chars into one of these buffers, it leads to a stack overflow.

Photo Transfer Wifi 1.4.4 iOS – Multiple Web Vulnerabilities

The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in Photo Transfer WiFi v1.4.4 for Apple iOS. The vulnerability allows remote attackers to inject their own malicious script code into the application side of the vulnerable service module. The vulnerability is located in the `name` value of the `upload` POST method request. The request method used to inject is POST and the attack vector is located on the application side.

TVT TD-2308SS-B DVR directory traversal

A directory traversal vulnerability exists in the TVT TD-2308SS-B DVR. An attacker can exploit this vulnerability to gain access to sensitive information such as configuration files. This vulnerability affects firmware versions 3.1.43.B, 3.1.43.P, 3.1.6.P-1.0.2.1-03, 3.1.75.B-1.0.2.1-00, 3.1.7.B-1.0.2.1-00, 3.1.81.B-1.0.2.1-00, 3.1.83.B-1.0.2.1-00, 3.1.83.P-1.0.4.2-03, 3.1.87.P-1.0.4.2-17, 3.1.91.P-1.0.2.1-03, 3.1.92.P-1.0.2.1-00, 3.1.93.B-1.0.2.1-17, 3.2.0.B-1.0.2.1-17, 3.2.0.P-1.0.2.1-03, 3.2.0.P-1.0.2.1-17, 3.2.0.P-1.0.6.0.32-00, 3.2.0.P-3520A-00, 3.2.0.P-3520A-03, 3.2.0.P-3531-00, 3.2.0.P-3531-11, 3.2.0.P-FH-00, 3.2.9.P-3520A-06 and possibly others.

WordPress Orange Themes CSRF File Upload Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Orange Themes WordPress themes. An attacker can exploit this vulnerability to upload arbitrary files to the web server, which can lead to remote code execution. The vulnerability exists due to insufficient validation of the uploaded file type: a forged request to the upload-handler.php file allows the attacker to upload arbitrary files to the web server.

DPR2320R2 [Scientific-Atlanta, Inc. (A Cisco Company)] Multiple CSRF Vulnerabilities

An attacker can exploit multiple CSRF vulnerabilities in the DPR2320R2 Scientific-Atlanta, Inc. (A Cisco Company) router. The attacker can change the modem authentication password, reboot the modem, and change the wireless settings. The wireless settings can be changed to WPA-PSK authentication with WPA encryption set to TKIP.

Audacious Player 3.4.2/3.4.1 (Windows) (.mp3) – Crash POC

A maliciously crafted .mp3 file can cause a crash in Audacious Player 3.4.2/3.4.1 on Windows. The proof of concept creates a .mp3 file containing a large amount of junk data; when opened in Audacious Player 3.4.2/3.4.1, it causes the program to crash.
