Explore all Exploits:

Symphony cms 2.3 multiple vulnerabilities

Symphony CMS version 2.3 is affected by several vulnerabilities ranging in severity from low to high, which together can result in complete compromise by an unauthenticated attacker. Direct requests to library files disclose the full local file path when PHP is configured to display errors, because the library path is declared in a global-scope constant outside the library script. The retrieve-password URL http://host/path/symphony/login/retrieve-password/ displays a helpful error message when the entered email address does not exist in the database, allowing account enumeration. Symphony CMS allows a user to log in without entering a username and password via a remote-auth URL containing a token made up of the first 8 characters of a SHA1 hash of the user's username and hashed password. The email input field supplied in the retrieve-password form is vulnerable to reflected cross-site scripting. The "about" field in the user profile is vulnerable to stored cross-site scripting. The "sort" parameter supplied on the "authors" page is vulnerable to SQL injection.

Undergroundthalo Hacking Team – Security Advisory

The web application is vulnerable to multiple security vulnerabilities, including unauthenticated file upload. None of the forms in the directory [Sisfokol]/janissari/k/ require authentication to upload a file. By issuing a POST request with a webshell embedded in a JPEG image it is possible to upload [Sisfokol]/filebox/

Null Pointer Dereference in Samsung Kies

The vulnerability exists due to a null pointer dereference in the GetDataTable() method of the Samsung.DeviceService.DCA.DeviceDataParagonATGM.1 ActiveX control (DCAPARAGONGM.dll, GUID {7650BC47-036D-4D5B-95B4-9D622C8D00A4}, located by default in "C:\Program Files (x86)\Samsung\Kies\External\DeviceModules"). A remote attacker can pass a "tagDATATABLE_SUID" argument equal to 0 to the GetDataTable() method and raise an ACCESS_VIOLATION exception on a MOV EDX

Ezhometech EzServer 7.0 Remote Heap Corruption Vulnerability

EzServer is audio and video streaming software adopted by various companies worldwide. Version 7.0 is affected by a remote heap corruption vulnerability. Version 6.x is not affected by this issue, as it does not implement RTMP support. The vulnerability is caused by the application passing an uncontrolled size to memcpy(), taken directly from the AMF request in the RTMP packet. After completing the RTMP handshake, an attacker can send a malformed AMF request embedded in the RTMP session, with a high value for the 'size' field (2 bytes, such as 0xFFFF) and a shorter 'string' (such as 'connect'). This results in heap corruption and a crash of the application.

Joomla Component (com_icagenda) Multiple Vulnerabilities

The 'id' parameter in com_icagenda is prone to blind SQL injection. An attacker can retrieve and steal data by sending a series of true/false queries through SQL statements. The full path can be disclosed by passing the 'ItemID' and 'id' parameters as arrays ([]).

Profile Albums MyBB plugin SQL Injection 0day

The vulnerability exists within albums.php, where user input is not properly sanitized before being used in a SQL query. An attacker can exploit this vulnerability by sending a crafted HTTP request with a malicious SQL statement to the vulnerable script. This can be used to bypass authentication and to access, modify and delete data in the back-end database.

Windows Escalate Service Permissions Local Privilege Escalation

This module attempts to exploit existing administrative privileges to obtain a SYSTEM session. If directly creating a service fails, the module inspects existing services for insecure file or configuration permissions that can be hijacked. It then attempts to restart the replaced service to run the payload, which results in a new session when it succeeds. If the module is able to modify the service but does not have permission to start and stop the affected service, the attacker must wait for the system to restart before a session is created.

Hard-coded credentials and command-injection vulnerabilities on BigPond 3G21WB

A user can authenticate to the web server running on the device using the credentials 'Monitor:bigpond1'. These credentials are hard-coded and cannot be changed by a normal user. The 'ping.cgi' web page is subject to a command-injection vulnerability, as the server-side script does not properly validate user-supplied input. The following URL exploits this issue, executing the 'ls /' command: http://<device IP address>/ping.cgi?DIA_IPADDRESS=;%20cat%20/etc/passwd

QQPlayer 3.7.892 m2p quartz.dll heap pointer overwrite PoC

QQPlayer 3.7.892 is vulnerable to a heap pointer overwrite. An attacker can craft a malicious .m2p file and send it to the victim. When the victim opens the file, the heap pointer overwrite occurs, allowing the attacker to execute arbitrary code.