In 3CX Phone System 15.5.3554.1, the Management Console (which typically listens on port 5001) is prone to a directory traversal attack: the 'file' parameters of '/api/RecordingList/DownloadRecord?file=' and '/api/SupportInfo?file=' are not constrained to their intended directories. An attacker must be authenticated to exploit this issue; successful exploitation reads files outside those directories and so discloses sensitive information that can aid subsequent attacks.
Under the Webmin menu 'Others/File Manager' there is an option to download a file from a remote server ('Download from remote URL'). By setting up a malicious server, an attacker can wait for the file download request and answer it with an XSS payload that leads to remote code execution: Webmin echoes the 'File Download' request status back into the page, which is where the XSS triggers, and because the script runs in the administrator's authenticated Webmin session it can perform any action that session is allowed to. The Referer check can be bypassed by setting domain=webmin-victim-ip.
AlienVault USM v5.4.2 offers authenticated users the functionality to generate and afterwards export compliance reports via the script located at "/ossim/report/wizard_email.php". Besides offering an export as a local file download, the script also offers the possibility to send any report via email to a given address (either in PDF or XLSX format). An example request to send the pre-defined report "PCI_DSS_3_2__Vulnerability_Details" to the email address "email () example com" looks like the following: https://example.com/ossim/report/wizard_email.php?extra_data=1&name=UENJX0RTU18zXzJfX1Z1bG5lcmFiaWxpdHlfRGV0YWlscw==&format=email&pdf=true&email=email () example com The base64-encoded HTTP GET "name" parameter can be replaced with any other of the approx. 240 pre-defined reports that ship with AlienVault USM, since they all have hardcoded identifiers, such as Alarm_Report, Ticket_Report, Business_and_Compliancy_Report, etc. The vulnerability exists because the script does not properly validate the "name" parameter (nor restrict the destination address), which can be abused to send arbitrary reports to arbitrary email addresses. This can be exploited to send sensitive information to an attacker-supplied email address, e.g. by using the "Business_and_Compliancy_Report" report.
The WebControl component of Dream Multimedia Dreambox devices is vulnerable to reflected cross-site scripting, as demonstrated by the "Name des Bouquets" (bouquet name) field or the file parameter to the /file URI.
The vulnerability exists due to insufficient validation of user-supplied input in the 'file' parameter of the 'getsource.php' script. A remote attacker can send a specially crafted request to the script and read arbitrary files on the target system.
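The 3CX DownloadRecord/SupportInfo issue, the AlienVault wizard_email.php issue and the getsource.php issue above all come down to a file or report selector that the server uses as received. The following is an added example, not code from 3CX, AlienVault or the getsource.php script, of the two server-side checks such a handler needs: lexical containment of a 'file=' value inside its storage root, and decoding the base64 'name' value and accepting it only from a set the caller is entitled to. The recordings root, the helper names and the contents of the allowlist are assumptions; the base64 value fed to select_report is the one from the AlienVault request.

```python
"""Server-side containment for file and report selector parameters.

Added example; not code from 3CX, AlienVault or the getsource.php script.
The recordings root, the helper names and the report allowlist are assumptions.
"""
import base64
import binascii
import posixpath
from typing import FrozenSet, Optional
from urllib.parse import unquote

# Assumed storage root that a DownloadRecord-style handler would serve from.
RECORDINGS_ROOT = "/srv/recordings"

# Constructed subset of the pre-defined report identifiers the AlienVault
# description names; the real product ships roughly 240 of them.  In a real
# handler this would be the set the *calling user* is entitled to export.
REPORT_ALLOWLIST: FrozenSet[str] = frozenset({
    "Alarm_Report",
    "Ticket_Report",
    "Business_and_Compliancy_Report",
    "PCI_DSS_3_2__Vulnerability_Details",
})


def contain_path(root: str, requested: str) -> Optional[str]:
    """Return the absolute path to serve for a `file=` value, or None if it
    escapes `root`.  Normalisation is purely lexical so the result is
    deterministic; a production handler should additionally resolve symlinks
    (os.path.realpath) before comparing, so a link inside root cannot point out."""
    # Decode exactly once, matching what the web framework does for the
    # parameter; decoding twice would re-open %252e%252e style bypasses.
    decoded = unquote(requested)
    if "\x00" in decoded:      # NUL truncation tricks against C-backed file I/O
        return None
    if ":" in decoded:         # drive letters / NTFS stream syntax never belong in a name
        return None
    # 3CX runs on Windows, where '\' is also a separator; normalise it so
    # '..\..\' collapses exactly like '../../'.
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # An absolute `requested` replaces root inside join(); '..' walks out of it.
    # Both fail this prefix test.  The trailing '/' stops '/srv/recordings2'
    # from passing as a prefix match of '/srv/recordings'.
    if not candidate.startswith(root + "/"):
        return None
    return candidate


def select_report(encoded_name: str,
                  permitted: FrozenSet[str] = REPORT_ALLOWLIST) -> Optional[str]:
    """Decode the base64 `name` parameter and accept it only if the decoded
    identifier is one the caller is permitted to export."""
    try:
        name = base64.b64decode(encoded_name, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return name if name in permitted else None


if __name__ == "__main__":
    for probe in ("call-0001.wav", "../../etc/passwd",
                  "..%2F..%2F..%2Fetc%2Fpasswd", "..\\..\\windows\\win.ini"):
        print(f"{probe!r:34} -> {contain_path(RECORDINGS_ROOT, probe)}")
    # The base64 value from the AlienVault request above decodes to
    # PCI_DSS_3_2__Vulnerability_Details.
    print(select_report("UENJX0RTU18zXzJfX1Z1bG5lcmFiaWxpdHlfRGV0YWlscw=="))
```

The containment test compares the normalised candidate against root with a trailing separator rather than just calling startswith(root), and it refuses rather than "cleans" a bad value: stripping '../' sequences out of the input is the classic mistake, because '....//' survives one pass of stripping as '../'.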
Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the 'Title of your FAQ' field in the Configuration Module.
The XSS is present in the applicant registration area, where it is possible to inject script through the input that receives the user's name.
The vulnerability is in the ZIP code (CEP) search script. An attacker can exploit it by sending malicious payloads in the 'f' parameter of the 'buscacep.php' script; boolean-based blind, AND/OR time-based blind and UNION query payloads all work.
The vulnerability is in the login area of e-sic: an attacker can enter the panel without valid credentials by injecting SQL through the login and password parameters. The PoC is a POST request to http://vulnsite/esic/index/index.php with the body login=%27%3D%27%27or%27&password=%27%3D%27%27or%27&btsub=Entrar (each value URL-decodes to '=''or', which MySQL evaluates to true for every row of the user table once it is concatenated into the query).
The vulnerability is in the restricted-area search of e-sic (restrito/inc/lkpcep.php), which is reachable without authentication. The payload used is '1' AND (SELECT * FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT DISTINCT(HEX(IFNULL(CAST(schema_name AS CHAR),0x20))) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 13,1),11,1))>1,0,5)))))oslN)-- UACx and the command used is sqlmap -v 5 -u 'http://localhost/esiclivre/restrito/inc/lkpcep.php?q=1' --level 5 --random-agent --hex --dbs
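The three e-sic/buscacep.php descriptions above name the payload families (tautology login bypass, time-based blind with INFORMATION_SCHEMA enumeration, UNION query). The block below is an added example, not part of those descriptions or of sqlmap, of request-level triage for exactly those indicators: it decodes every query-string and form-body parameter once and labels the patterns a value contains. The request records are constructed; the two e-sic values are the payloads quoted above, while the buscacep.php UNION value is made up because the page gives none. Single-request matching is a heuristic: a time-based blind run is also visible as a burst of requests to one URL whose response times cluster around the SLEEP value.

```python
"""Request-level triage for the SQL injection indicators described above.

Added example, not part of the e-sic or buscacep.php descriptions or of sqlmap.
The request records are constructed; the buscacep.php UNION value is made up.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, quote, urlsplit

# (label, regex) pairs applied to each URL-decoded, lower-cased parameter value.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("time-based",   re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(")),
    ("union",        re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b")),  # also union/**/select
    ("schema-enum",  re.compile(r"\binformation_schema\b")),
    ("tautology",    re.compile(r"'\s*=\s*'")),            # the '='' shape of the login bypass
    ("boolean",      re.compile(r"'\s*(?:and|or)\b")),     # closing quote followed by AND/OR
    ("comment-tail", re.compile(r"--(?:\s|$)|/\*")),       # comment that discards the rest of the query
]

# POST body from the login bypass description, as sent on the wire.
LOGIN_BYPASS = "login=%27%3D%27%27or%27&password=%27%3D%27%27or%27&btsub=Entrar"

# Time-based blind payload from the lkpcep.php description.
BLIND_PAYLOAD = ("'1' AND (SELECT * FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT DISTINCT(HEX("
                 "IFNULL(CAST(schema_name AS CHAR),0x20))) FROM INFORMATION_SCHEMA.SCHEMATA "
                 "LIMIT 13,1),11,1))>1,0,5)))))oslN)-- UACx")

# Constructed request records: method, URL and raw form body.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"method": "POST", "url": "http://vulnsite/esic/index/index.php", "body": LOGIN_BYPASS},
    # sqlmap's first, unmodified request to the restricted-area lookup.
    {"method": "GET", "url": "http://localhost/esiclivre/restrito/inc/lkpcep.php?q=1", "body": ""},
    # the blind payload as sqlmap would URL-encode it into the q parameter.
    {"method": "GET",
     "url": "http://localhost/esiclivre/restrito/inc/lkpcep.php?q=" + quote(BLIND_PAYLOAD),
     "body": ""},
    # made-up UNION probe against the CEP search; the description names no payload.
    {"method": "GET",
     "url": "http://vulnsite/buscacep.php?f=" + quote("01001000' UNION SELECT 1,2,3-- "),
     "body": ""},
    # benign lookup for comparison.
    {"method": "GET", "url": "http://vulnsite/buscacep.php?f=01001000", "body": ""},
]


def extract_params(request: Dict[str, str]) -> List[Tuple[str, str]]:
    """(name, value) pairs from the query string plus the form body, decoded once."""
    pairs = parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True)
    if request.get("body"):
        pairs += parse_qsl(request["body"], keep_blank_values=True)
    return pairs


def scan_request(request: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each parameter name to the indicator labels its value triggers."""
    findings: Dict[str, List[str]] = {}
    for name, value in extract_params(request):
        hits = [label for label, rx in RULES if rx.search(value.lower())]
        if hits:
            findings[name] = hits
    return findings


def triage(requests: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Return (url, findings) only for the requests that triggered something."""
    out: List[Tuple[str, Dict[str, List[str]]]] = []
    for req in requests:
        findings = scan_request(req)
        if findings:
            out.append((req["url"], findings))
    return out


if __name__ == "__main__":
    for url, findings in triage(SAMPLE_REQUESTS):
        print(url.split("?")[0], findings)
```

Note that matching happens on the decoded value, never on the raw URL: the login bypass body contains no SQL keyword at all until %27%3D%27%27or%27 is decoded to '=''or', which is why pattern lists that run over raw access-log lines miss it.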