A vulnerability exists in the friendsinwar Make or break V1.3 software, which allows an attacker to bypass authentication by using the ' or ' 1=1 credentials. This allows the attacker to gain access to the admin panel.
iDev Rentals v1.0 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied data before using it in the application. An attacker can exploit this vulnerability to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
This module exploits an arbitrary file upload vulnerability on the Client Analyzer component as included in Oracle Database 11g, which allows remote attackers to upload and execute arbitrary code. This module has been tested successfully on Oracle Database 11g 11.2.0.1.0 on Windows 2003 SP2, where execution through the Windows Management Instrumentation service has been used.
The vulnerability exists due to insufficient filtration of user-supplied data in multiple parameters of the 'search.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the application database. Also, an attacker can inject arbitrary web script or HTML code into a vulnerable application page. Successful exploitation of the vulnerability may allow an attacker to bypass certain security restrictions, steal cookie-based authentication credentials, modify data, and perform other actions with the privileges of a legitimate user.
MYREphp Vacation Rental Software is vulnerable to multiple SQL injection vulnerabilities. An attacker can exploit these vulnerabilities to gain access to sensitive information, execute arbitrary code, and perform other malicious activities. The first vulnerability is a SQL injection vulnerability in the /vacation/1_mobile/search.php file. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable file. The second vulnerability is a Cross Site Scripting (XSS) vulnerability in the /vacation/1_mobile/alert_members.php file. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable file. The third vulnerability is a Blind SQL Injection vulnerability in the /vacation/1_mobile/search.php and /vacation/widgate/request_more_information.php files. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable files.
The vulnerability is present in the Myrephp Business Directory software. It allows an attacker to inject malicious SQL queries into the application by manipulating the 'cat' parameter of the 'links.php' page. It also allows an attacker to inject malicious JavaScript code into the application by manipulating the 'look' parameter of the 'search.php' page.
A SQL Injection vulnerability exists in the friendsinwar FAQ Manager software. An attacker can bypass the authentication process by using the username 'admin' and the password ' or ' 1=1. Additionally, a Cross Site Scripting vulnerability exists in the login form, allowing an attacker to insert malicious JavaScript code.
Narcissus is an online image builder for the angstrom distribution. A Remote Command Execution vulnerability exists in the backend.php file of Narcissus, which is triggered when an attacker sends a malicious POST request to the backend.php file with the action parameter set to configure_image, the machine parameter set to any_machine and the release parameter set to any_release. This will cause the configure_image() function to be executed, which in turn will execute the passthru() function with the malicious command as an argument.
dotProject is a PHP web-based project management framework that includes modules for companies, projects, tasks (with Gantt charts), forums, files, calendar, contacts, tickets/helpdesk, multi-language support, user/module permissions and themes. A Remote File Inclusion vulnerability exists in dotProject version 2.1.6, which allows an attacker to include a remote file via the dPconfig[root_dir] parameter in the gantt.php file. This vulnerability can be exploited if allow_url_include and register_globals are enabled.
The vulnerability is caused due to an overflow error in GroupWise Internet Agent (gwia.exe) when the LDAP service process an overly long BIND Request. Successful exploiataion of this vulnerability can allow a remote attacker to execute arbitrary code on the vulnerable system.
Services By CQR