Multiple persistent input validation vulnerabilities are detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The first vulnerability is located in the `name` value of the `/scrutinizer/index.php` module. Remote attackers are able to inject their own malicious script code into the vulnerable `name` value of the `/scrutinizer/index.php` module. The request method to inject is POST and the attack vector is persistent on the application side. The second vulnerability is located in the `username` value of the `/scrutinizer/index.php` module. Remote attackers are able to inject their own malicious script code into the vulnerable `username` value of the `/scrutinizer/index.php` module. The request method to inject is POST and the attack vector is persistent on the application side.
Accessing the URL http://<IP>/nav.cgi?foldName=adm&localePreference=en allows an attacker to bypass the login procedure. System -> Time Settings -> NTP Server -> User Define allows an attacker to inject scripts into the ntp_name parameter without authentication. The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands.
The vulnerability is caused by missing input validation in the maxmtu parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to use Netcat to fully compromise the device. Injecting scripts into the parameter xxx reveals that this parameter is not properly validated against malicious input.
The vulnerability allows remote attackers to inject their own malicious script code into the vulnerable application via the POST method. The vulnerability is located in the `index.php` file and is reached with a POST request.
The vulnerability allows a remote attacker to inject/execute their own SQL commands on the affected application's DBMS. The vulnerability is located in the `search` module of the `scrutinizer` application. Remote attackers are able to inject their own SQL commands to compromise the application DBMS. The injection point is the `search` value of the `scrutinizer` application. The request method to inject is POST and the attack vector is located on the application side of the service. The security risk of the SQL injection vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 7.3. Exploitation of the SQL injection vulnerability requires no user interaction or privileged application user account. Successful exploitation of the vulnerability results in DBMS, application or service compromise.
This module exploits a use-after-free vulnerability in Microsoft Internet Explorer where a CParaElement node is released but a reference is still kept in CDoc. This memory is reused when a CDoc relayout is performed.
The telnet component of Polycom HDX video endpoint devices is vulnerable to an authorization bypass when multiple simultaneous connections are repeatedly made to the service, allowing remote network attackers to gain full access to a Polycom command prompt without authentication. Versions prior to 3.0.4 also contain OS command injection in the ping command which can be used to escape the telnet prompt and execute arbitrary commands as root.
The vulnerability is caused by improper verification of uploaded files in the '/library/openflashchart/php-ofc-library/ofc_upload_image.php' script through the 'name' parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions.
This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll ActiveX control. Several methods in the GWCalServer control use user-provided data as a pointer, which allows reading arbitrary memory and executing arbitrary code. This module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. JRE6 needs to be installed to achieve the ASLR bypass.
Volema found a remotely exploitable buffer overflow vulnerability in the libcurl POP3 and SMTP protocol handlers which leads to remote code execution (RCE). When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses the data provided by the server without doing the proper length checks, and that data is then appended to a local fixed-size buffer on the stack.