Joomla Payage 2.05 is vulnerable to SQL Injection. The vulnerability exists in the 'aid' parameter of the 'make_payment' task. An attacker can inject malicious SQL queries in the 'aid' parameter and execute them in the backend database. This can be exploited to gain access to sensitive information from the database.
DiskSorter v9.7.14 (32-Bit) is vulnerable to a local buffer overflow when a user copies the text of poc.txt into the 'Inputs -> Add Input Directory' dialog. This can be exploited to execute arbitrary code by overwriting the return address with a pointer to the shellcode.
The login form is vulnerable to blind SQL injection by an unauthenticated user. The 'valueAsString' parameter inside the JSON payload contained in the 'ucLogin_txtLoginId_ClientStat' POST parameter is not properly validated. An unauthenticated remote attacker may modify the POST request and insert a SQL query, which will then be executed by the backend server. eTRAKiT 3.2.1.17 was tested, but other versions may also be vulnerable.
This vulnerability is a Use-After-Free vulnerability in Element::setAttributeNodeNS. It occurs when setAttributeNodeNS is called again in setAttributeInternal, resulting in two Attr objects with the same owner element and the same name after the first setAttributeNodeNS call. One of the Attr objects will hold the raw pointer of the owner element even if the owner element is freed.
Document::prepareForDestruction is called on the assumption that the document will not be used again with its frame. However, if the frame is cached during Document::prepareForDestruction, the document's frame will be stored in a CachedFrame object that will reattach the frame at some point, and thereafter the document's frame will never be detached because of |m_hasPreparedForDestruction|. The PoC code creates a new window and an iframe in it. The iframe is then navigated to about:blank and a click event is triggered on an anchor element. This triggers the onunload event of the iframe, which is used to set the location of the window to a javascript URI. This causes the window to execute the javascript code, which sets the location of the window to a malicious website. This exploit can be used to bypass the same-origin policy and execute arbitrary code on the victim's machine.
This vulnerability allows an attacker to execute arbitrary code in the context of the browser by exploiting the FrameLoader::open() function. The FrameLoader::open() function calls the clear() function, which in turn calls the prepareForDestruction() function, which fires unload events. An attacker can use this vulnerability to execute arbitrary code in the context of the browser by creating an iframe and setting the onbeforeunload event handler. The attacker can then navigate the iframe to a malicious URL and use the XMLHttpRequest object to trigger the onabort event handler. The onabort event handler then calls the showModalDialog() function, which can be used to execute arbitrary code in the context of the browser.
When a document loads 'about:blank' or 'about:srcdoc', it tries to inherit the security origin from its parent frame, or its opener frame if the parent frame doesn't exist. However, when the subframe is cached, only the parent frame is detached but not the opener frame. This allows the subframe to inherit the opener frame's security origin.
When a super expression is used in an arrow function, the following code, which generates bytecode, is called. The |emitPutToScope| is directly called without resolving the scope. This means the scope |m_arrowFunctionContextLexicalEnvironmentRegister| must have a place for |derivedConstructorPrivateName|. And that place is secured in the following method.
JSObject::ensureLength is vulnerable to an out-of-bounds write. The function is called whether ensureLengthSlow failed or not, which results in an OOB access. The PoC code creates an array of length 0x200000 and then tries to increase its length to 0x1000000. This causes an OOB write, which can be used to leak memory.
An authenticated user can read arbitrary files on Riverbed SteelHead VCX. This exploit was discovered by Gregory DRAPERI in 2017. The vulnerable version is SteelHead VCX (VCX255U) (x86_64) 9.6.0a. The exploit uses a Session object to authenticate the user and then uses a GET request to read the arbitrary file.