This module exploits a PHP unserialize() vulnerability in Invision IP.Board <= 3.3.4 which can be abused to allow unauthenticated users to execute arbitrary code in the context of the webserver user. The dangerous unserialize() call is in the '/admin/sources/base/core.php' script, where it is invoked on user-controlled data taken from a cookie. The exploit abuses the __destruct() method of the dbMain class to write arbitrary PHP code to a file in the IP.Board web directory.
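The following PHP is an added illustration of the bug class the module relies on; it is not IP.Board or Metasploit code. A hypothetical class `LogWriter` stands in for a class such as dbMain whose destructor performs file I/O on the data it was deserialized with, and the cookie value, property names and temp-file path are assumptions. It shows the attacker-crafted serialized string, the destructor firing on the victim side, and the `allowed_classes` mitigation available since PHP 7.0.

```php
<?php
// Added example, not IP.Board code. LogWriter stands in for a class such as
// dbMain whose destructor does file I/O on data it was deserialized with.
class LogWriter
{
    public $path;
    public $contents;

    public function __destruct()
    {
        // Runs whenever the object is freed, including an object that
        // unserialize() built from attacker-supplied bytes.
        if ($this->path !== null) {
            file_put_contents($this->path, $this->contents);
        }
    }
}

// Vulnerable pattern: the raw cookie value goes straight into unserialize().
function loadSessionVulnerable(string $cookieValue)
{
    return unserialize($cookieValue);
}

// Hardened: allowed_classes => false (PHP 7.0+) turns every object in the
// payload into __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget
// fires. Better still is not to feed untrusted data to unserialize() at all
// (HMAC-sign the cookie, or use JSON).
function loadSessionHardened(string $cookieValue)
{
    return unserialize($cookieValue, ['allowed_classes' => false]);
}

// --- attacker side: craft the serialized string by hand -----------------
// (building it with serialize() on a live LogWriter would fire the destructor
// on the attacker's own machine when that object is freed)
$target  = sys_get_temp_dir() . '/ipb_demo.php';   // assumed writable path
$payload = "<?php echo 'gadget ran'; ?>";
$cookie  = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:%d:"%s";}',
    strlen($target), $target, strlen($payload), $payload
);

// --- victim side ---------------------------------------------------------
@unlink($target);
$obj = loadSessionVulnerable($cookie);
unset($obj);                                   // destructor fires here
printf("vulnerable: file written = %s\n", file_exists($target) ? 'yes' : 'no');

@unlink($target);
$obj = loadSessionHardened($cookie);
printf("hardened: object class is %s\n", get_class($obj));
unset($obj);                                   // nothing to run
printf("hardened: file written = %s\n", file_exists($target) ? 'yes' : 'no');
```

Run it with `php` from the command line; the vulnerable path leaves the payload file in the temp directory, the hardened path leaves nothing because the incomplete-class object carries no destructor.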
Multiple local buffer overflow vulnerabilities were detected in the official Zoner Photo Studio software v15 (b3). The bugs allow local attackers to escalate out of the affected software module with system process privileges. The vulnerabilities are located in two different functions of the main executable (zps.exe). The first local buffer overflow is located in the XML `Keyword Import (Schlüsselwort)` module: the XML importer does not check the length of the stored keyword values, which a local attacker with a system user account and little user interaction can exploit to cause a stack-based buffer overflow. Successful exploitation results in system process compromise. The second local buffer overflow is located in the `Image Import (Bilder)` module: the image importer does not check the length of the stored image values, and can be exploited in the same way by a local attacker with a system user account and little user interaction, again resulting in system process compromise.
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in Eventy CMS v1.8 Plus. A SQL injection vulnerability was detected in Eventy CMS v1.8 Plus, a web-based event calendar. The vulnerability allows a remote attacker or a local low-privileged user account to execute SQL commands on the affected application's DBMS. The SQL injection is located in the `eventy.php` file, in the vulnerable `event_id` parameter. Successful exploitation results in DBMS and application compromise; it requires no user interaction and no privileged user account. A persistent input validation vulnerability was also detected in Eventy CMS v1.8 Plus. It allows remote attackers to inject malicious script code into the application side of the vulnerable module. The persistent web vulnerability is located in the `event_name` value handled by `eventy.php`; remote attackers are able to inject their own script code into the `event_name` value. The attack vector is persistent and the request method used to inject is POST.
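The following PHP is an added example reconstructing the two patterns this advisory describes; it is not Eventy CMS code. An in-memory SQLite database through PDO stands in for the application's DBMS, and the `events` table, its columns and the sample rows are assumptions. It shows the `event_id` value altering the query, the `event_name` value being rendered unencoded, and the hardened form of each.

```php
<?php
// Added example, not Eventy CMS code. An in-memory SQLite database stands in
// for the application's DBMS; the events table and its columns are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events (event_id INTEGER PRIMARY KEY, event_name TEXT)');
$db->exec("INSERT INTO events (event_name) VALUES ('Board meeting'), ('Release party')");

// --- SQL injection via event_id ------------------------------------------
// Vulnerable: the GET parameter is spliced into the query text.
function fetchEventVulnerable(PDO $db, string $eventId): array
{
    $sql = "SELECT event_id, event_name FROM events WHERE event_id = $eventId";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not an integer, then bind it, so the
// value can never alter the shape of the statement.
function fetchEventHardened(PDO $db, string $eventId): array
{
    if (!ctype_digit($eventId)) {
        throw new InvalidArgumentException('event_id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT event_id, event_name FROM events WHERE event_id = :id');
    $stmt->bindValue(':id', (int) $eventId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- persistent XSS via event_name ---------------------------------------
// Storing the raw POST value is acceptable; the bug is rendering it raw.
function storeEvent(PDO $db, string $eventName): int
{
    $stmt = $db->prepare('INSERT INTO events (event_name) VALUES (:name)');
    $stmt->execute([':name' => $eventName]);
    return (int) $db->lastInsertId();
}

function renderVulnerable(string $eventName): string
{
    return "<td>$eventName</td>";
}

function renderHardened(string $eventName): string
{
    // Encode for the HTML body context at output time.
    return '<td>' . htmlspecialchars($eventName, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// --- constructed attacker inputs ------------------------------------------
$injectedId = '1 OR 1=1';                                 // ?event_id=
$xssName    = '<script>alert(document.cookie)</script>';  // POST event_name

// Only one event has id 1, yet the vulnerable lookup returns every row.
printf("vulnerable lookup rows: %d\n", count(fetchEventVulnerable($db, $injectedId)));
try {
    fetchEventHardened($db, $injectedId);
} catch (InvalidArgumentException $e) {
    echo "hardened lookup: rejected, ", $e->getMessage(), "\n";
}

$id  = storeEvent($db, $xssName);
$row = fetchEventHardened($db, (string) $id)[0];
echo "vulnerable render: ", renderVulnerable($row['event_name']), "\n";
echo "hardened render:   ", renderHardened($row['event_name']), "\n";
```

The script needs the `pdo_sqlite` extension. Note that the fix for the persistent issue is output encoding matched to the HTML context, not input filtering: the stored value is identical in both render paths, only the hardened one makes the browser treat it as text.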
Since version 2.0.18, the stack overflow vulnerability has not been corrected, which I assume would make it 0day. An exploit was recoded as memory addresses have changed. It was designed to bypass NX & ASLR, SSP not being implemented. The binary is not SUID.
An error when processing JPEG compressed TIFF images can be exploited to cause a heap-based buffer overflow via a specially crafted 'ImageWidth' value.
An error when processing RLE compressed images can be exploited to cause a heap-based buffer overflow via a specially crafted BMP image containing many 'End of Line' markers within a stream.
A context-dependent attacker can execute arbitrary code by exploiting a memory corruption vulnerability in the handling of VSD files.
This Jira plugin does not use the built-in Jira protections (WebSudo or CSRF tokens) to protect the page from CSRF. The page is meant to be used by admins to automate tasks: it accepts Java code, and in a Windows environment Jira runs as SYSTEM by default.
This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.
Among a couple of other unsanitized parameters used within an INSERT INTO statement on lines 424-460 of /upload/vbay.php, the "type" variable can be used for error-based SQL injection, making it possible to grab anything the attacker wants from the vBulletin database (and any other databases, if accessible). On line 418, the $vbulletin->input variable "type" is assigned the data type NO_HTML; this cleaning type strips HTML but does not stop SQL injection. At line 448 it is used within the INSERT INTO statement without any further sanitization. To exploit this, an attacker registers an account, goes to [site]/vbay.php?do=postauction and modifies the POST data, either with a tool such as Live HTTP Headers or by sending the request directly with curl/wget and grabbing the returned source. The attacker then sets the value of "type=" to something that causes an error, such as a single tick. If the returned source contains a vBulletin error message surrounded by comments, error-based extraction is possible; if not, blind injection is the way forward.
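The following PHP is an added example of the mismatch the advisory turns on, namely an HTML-oriented cleaning type guarding a value that ends up in SQL; it is not vBay or vBulletin code. `cleanNoHtml()` is a simplified stand-in for the NO_HTML cleaning type (an assumption: it is modelled as HTML-entity encoding that leaves the single quote alone), the `auctions` table is assumed, and the HTML-comment wrapping of the database error mirrors the probe signal the advisory describes rather than vBulletin's exact output format. It also shows the single-tick probe and the check for an error in the returned source.

```php
<?php
// Added example, not vBay/vBulletin code. cleanNoHtml() is a simplified
// stand-in for the NO_HTML input cleaning type: it neutralises HTML, not SQL,
// so the single quote survives. The auctions table is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auctions (id INTEGER PRIMARY KEY, userid INTEGER, type TEXT)');

function cleanNoHtml(string $value): string
{
    return htmlspecialchars($value, ENT_NOQUOTES, 'UTF-8');
}

// Vulnerable: the HTML-cleaned value is concatenated into INSERT INTO.
// Returns the page fragment an error would produce, or null on success.
function postAuctionVulnerable(PDO $db, int $userId, string $type): ?string
{
    $type = cleanNoHtml($type);
    $sql  = "INSERT INTO auctions (userid, type) VALUES ($userId, '$type')";
    try {
        $db->exec($sql);
        return null;
    } catch (PDOException $e) {
        // The signal the advisory's probe looks for: a database error echoed
        // back into the page source inside a comment (assumed format).
        return '<!-- Database error: ' . $e->getMessage() . ' -->';
    }
}

// Hardened: the value is bound, never interpolated, so a quote is just data.
function postAuctionHardened(PDO $db, int $userId, string $type): ?string
{
    $type = cleanNoHtml($type);
    $stmt = $db->prepare('INSERT INTO auctions (userid, type) VALUES (:uid, :type)');
    $stmt->execute([':uid' => $userId, ':type' => $type]);
    return null;
}

// Probe step from the advisory: does the page source carry a DB error in a comment?
function looksErrorBased(?string $body): bool
{
    return $body !== null && preg_match('/<!--.*?error.*?-->/is', $body) === 1;
}

function countAuctions(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM auctions')->fetchColumn();
}

// Constructed inputs: a benign type value and the single-tick probe.
$benign = 'buy_now';
$probe  = "'";

echo "vulnerable, benign input -> ", var_export(looksErrorBased(postAuctionVulnerable($db, 7, $benign)), true), "\n";
echo "vulnerable, single tick  -> ", var_export(looksErrorBased(postAuctionVulnerable($db, 7, $probe)), true), "\n";
echo "hardened, single tick    -> ", var_export(looksErrorBased(postAuctionHardened($db, 7, $probe)), true), "\n";
echo "rows stored: ", countAuctions($db), "\n";
```

With the vulnerable path the single tick breaks the statement and the error lands in the page source, which is exactly the condition under which the advisory says error-based extraction can proceed; with the hardened path the same byte is stored as a literal apostrophe and no error is produced. The script needs the `pdo_sqlite` extension.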