The upload function does not check the file extension. After logging in, a user can upload a webshell and run it at <host>/datastore/webshell.php
This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt .mp4 file loaded by Flash, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the 'Iran's Oil and Nuclear Situation.doc' e-mail attack.
Input passed via the parameters 'entSortOrder' and 'entSort' in the 'ent_i.jsp' script is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The parameters 'startTime' and 'endTime' in 'ent_i.jsp' are vulnerable to an XSS issue where the attacker can execute arbitrary HTML and script code in a user's browser session in the context of an affected site. The parameter 'userID' in 'usr_ent.jsp' and 'usr_t.jsp' is vulnerable to HTTP Response Splitting, which can be exploited to insert arbitrary HTTP headers that are included in a response sent to the user.
It is possible to retrieve the users.cfg file, which contains HomeSeer usernames, access levels, and encrypted passwords, by using a directory traversal attack. It is also possible to add a new admin user by tricking a logged-in admin into visiting a malicious URL.
Iciniti Store is a web application providing e-commerce and payment solutions. The application suffers from a SQL injection vulnerability in logon_forgot_password.aspx. It fails to validate data supplied in the 'ctlEmail' variable before being used in an SQL query.
This module exploits a vulnerability found in Lotus CMS 3.0's Router() function. This is done by embedding PHP code in the 'page' parameter, which is passed to an eval call, allowing remote code execution. The module can either automatically pick up a 'page' parameter from the default page, or one can be specified manually in the URI option.
Drupal 7.12 (latest stable release) suffers from multiple vulnerabilities which could allow an attacker to gain administrative access to the CMS. The first vulnerability is a CSRF which could allow an attacker to change any Drupal settings. The second vulnerability is a CSRF which could allow an attacker to force administrator logout. The third vulnerability is a POST and GET method which could allow an attacker to gain administrative access to the CMS. The fourth vulnerability is an HTTP Referer issue which could allow an attacker to gain administrative access to the CMS. The exploit is a POST and GET method which could allow an attacker to gain administrative access to the CMS. The exploit is a CSRF which could allow an attacker to force administrator logout.
ForkCMS 3.2.5 (and lower) suffers from CSRF and XSS (reflected) vulnerabilities. An attacker can delete admins or users, delete web pages, and escalate privileges by sending a malicious link to the victim. The application is also prone to an XSS vulnerability that allows an attacker to inject malicious code into the application.
Lizard Cart is vulnerable to SQL injection in the search.php page. An attacker can exploit this vulnerability by sending a malicious SQL query to the search.php page. This can be done by appending a malicious SQL query to the metode parameter in the URL. This will allow the attacker to view the contents of the database.
The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework, the XML class may be used to deserialize objects or as part of a client/server API. By using external entities, it is possible to include arbitrary files from the file system. Any application written in Symfony2 that parses user-supplied XML is affected.