Explore all Exploits:

Ruckus Wireless Zoneflex 2942 Wireless Access Point vulnerable to authentication bypass

Ruckus Wireless Zoneflex 2942 Wireless Access Point version 9.6.0.0.267 contains an authentication bypass vulnerability. A local unauthenticated attacker may attempt to log in with any credentials and, after receiving the authentication failure message, remove the /login.asp portion of the URI to bypass the login page. The attacker will not be able to browse to the other configuration pages of the device via the graphical user interface, but can manually edit the URI to gain access to the following pages: /configuration/wireless.asp, /configuration/local_network.asp, /configuration/internet.asp, /configuration/device.asp, /maintenance/upgrade.asp, /maintenance/reboot.asp.

Bypass authentication and gain unauthorized access to SMTP server

The vulnerability allows an attacker to bypass authentication in the SMTP server and send emails. The SMTP server authenticates against LDAP by default, and the service does not check whether the password is null when it is sent Base64-encoded. This creates an 'anonymous' connection that is nevertheless tied to a user account, without the password being entered. An attacker who knows only the username of one user on the server could log in to the SMTP server and send emails. Notably, the user 'admin' always exists on the server. Login to the SMTP server is done using Base64, so if the username and a null password are entered, the authentication is successful.

Kaseya Arbitrary File Upload Vulnerability

Kaseya 6.3 suffers from an arbitrary file upload vulnerability that can be leveraged to gain remote code execution on the Kaseya server. Code executed in this way runs with a local IUSR account’s privileges. The vulnerability lies within the /SystemTab/UploadImage.asp file. This file constructs a file object on disk using user input, without first checking whether the user is authenticated or whether the input is valid. The application preserves the file name and extension of the upload, and allows an attacker to traverse from the default destination directory. Directory traversal is not necessary to gain code execution, however, as the default path lies within the application’s web root.

Dahua DVR Authentication Bypass – CVE-2013-6117

Dahua web-enabled DVRs and rebranded versions do not enforce authentication on their administrative services. Various commands can be replayed to any DVR sans authentication. These include: get the firmware version; get the serial number; get the email settings (includes username, SMTP server, and cleartext creds); get the DDNS settings (includes the DDNS service, server, and cleartext creds); get the NAS settings (again, cleartext creds); get the users (username, group membership, and hashed passwords); get the user groups (group name, description, etc.); get the channels (camera channel names, e.g. 'bedroom', 'cocina'); clear the logs (handy); change a user's password (unauthorized access). A Metasploit scanner module was written as a proof of concept.

WordPress Make A Statement Themes CSRF File Upload Vulnerability

CSRF File Upload Vulnerability allows an attacker to upload malicious files to the vulnerable website. The attacker can craft a malicious form and send it to the victim. When the victim visits the malicious page, the malicious file will be uploaded to the vulnerable website. The attacker can then access the uploaded file by accessing the URL http://site-target/uploads/[years]/[month]/your_shell.php

WordPress Amplus Themes CSRF File Upload Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Amplus Themes for WordPress. An attacker can exploit this vulnerability to upload arbitrary PHP code and execute it in the context of the web server process. The vulnerability is due to insufficient validation of the uploaded file type. The upload is performed by sending a malicious POST request to the upload-handler.php script in the functions directory of the theme.

WordPress Dimension Themes CSRF File Upload Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the WordPress Dimension Themes. An attacker can exploit this vulnerability to upload arbitrary PHP code and execute it in the context of the web server process. The vulnerability is due to insufficient validation of the uploaded file type. An attacker can send a malicious POST request to the upload-handler.php script in the library/includes directory to upload a malicious PHP file. The uploaded file can then be accessed directly from the uploads directory.

WordPress Euclid V1 Themes CSRF File Upload Vulnerability

A CSRF file upload vulnerability exists in WordPress Euclid V1 Themes. An attacker can exploit this vulnerability to upload malicious files to the server. The vulnerable file is upload-handler.php, which is located in the functions folder. An attacker can craft a malicious form and send it to the victim. When the victim submits the form, the malicious file will be uploaded to the server. The uploaded file can be accessed via http://site-target/uploads/[years]/[month]/your_shell.php

Gmail iOS Application Attachment Cross Site Scripting

A persistent (stored) XSS vulnerability was detected in the official Google Gmail iOS mobile application. The vulnerability allows remote attackers to inject their own malicious script code into a vulnerable module on the application side (persistent) via the mail attachment feature. All iPad/iPhone users are directly affected by this vulnerability. During testing it was discovered that .html files can be attached to outgoing emails. Viewing these attachments directly from the application will cause the malicious code to be executed.
