
Explore Vulnerabilities


Explore all Exploits:

The attached swf triggers an out-of-bounds read in AVC deblocking.

A vulnerability in the AVC (H.264) deblocking filter of Adobe Flash Player allows an attacker to read out-of-bounds memory. It is triggered when Flash Player loads a specially crafted SWF file, and the out-of-bounds read can be used for information disclosure.

Apple iOS < 10.3.2 - Notifications API Denial of Service

The vulnerability exists in the Notifications API of Apple iOS versions before 10.3.2. An attacker can exploit it by scheduling a crafted local notification on the target device, which causes the device to crash and restart. The exploit code is written in Objective-C and consists of three parts. The first part sets the boolean value YES for the key "notificationIsActive" in NSUserDefaults. The second part sets the fireDate of the localNotification to 5 seconds from the current time. The third part sets the alertBody of the localNotification to text specified by the attacker. The localNotification is then scheduled; when it fires, the device crashes and restarts.

Sophos Secure Web Appliance Session Fixation Vulnerability

A remote attacker could host a malicious page on a website that makes a POST request to the victim's Sophos Web Appliance to set the Session ID using the STYLE parameter. The appliance does not validate that the Session ID presented by the user's browser was issued by the appliance itself rather than fixed by an attacker. The appliance also does not invalidate the pre-login Session ID it issued once the user logs in successfully; it continues to use the same pre-login Session ID instead of invalidating it and issuing a new one.
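The two defects described above (accepting a Session ID the server never issued, and keeping the pre-login ID after authentication) are what make the fixation work. The following is an added example, not Sophos code or the exploit itself: a minimal model of a session store with both defects, beside a hardened store that only honours IDs carrying its own HMAC tag and rotates the ID at login. The STYLE parameter, the "attacker-chosen-sid" value and the "admin" user are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class FixableSessionStore:
    """Model of the weak behaviour described in the advisory (constructed, not Sophos code):
    any client-supplied ID is accepted, and the pre-login ID survives login."""

    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}

    def begin(self, client_supplied_sid: Optional[str]) -> str:
        # Defect 1: an ID the browser presents is adopted without checking who issued it.
        sid = client_supplied_sid or secrets.token_hex(16)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid: str, user: str) -> str:
        # Defect 2: no rotation, so the planted pre-login ID becomes the authenticated one.
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        s = self.sessions.get(sid)
        return s["user"] if s else None


class HardenedSessionStore:
    """Server-issued IDs carry an HMAC tag, and login discards the pre-login ID."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.sessions: dict[str, dict] = {}

    def _tag(self, nonce: str) -> str:
        return hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()[:16]

    def _mint(self) -> str:
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._tag(nonce)}"

    def _issued_by_us(self, sid: str) -> bool:
        nonce, _, tag = sid.partition(".")
        return bool(tag) and hmac.compare_digest(tag, self._tag(nonce)) and sid in self.sessions

    def begin(self, client_supplied_sid: Optional[str]) -> str:
        if client_supplied_sid and self._issued_by_us(client_supplied_sid):
            return client_supplied_sid
        sid = self._mint()                     # anything else is ignored and replaced
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        self.sessions.pop(sid, None)           # invalidate the pre-login ID ...
        new_sid = self._mint()                 # ... and issue a fresh one for the authenticated session
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid: str) -> Optional[str]:
        s = self.sessions.get(sid)
        return s["user"] if s else None


def fixation_attack(store) -> Optional[str]:
    """Replay the scenario: the cross-site POST plants an ID in the victim's browser, the victim
    logs in, then the attacker presents the planted ID. Returns who the attacker is logged in as."""
    planted = "attacker-chosen-sid"            # constructed: the value the STYLE parameter set
    victim_sid = store.begin(planted)          # the victim's browser now presents the planted ID
    store.login(victim_sid, "admin")           # the victim authenticates
    return store.whoami(planted)               # the attacker reuses the ID they planted
```

Against the fixable store the attacker ends up logged in as "admin"; against the hardened store the planted ID is never adopted and, even if it had been, the login would have replaced it. Either fix alone would have stopped this particular attack chain, but both are needed: tag checking stops planted IDs, rotation limits any ID an attacker learned before login.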

Quest Privilege Manager pmmasterd Buffer Overflow

This module exploits a buffer overflow in Quest Privilege Manager, software used to integrate Active Directory with Linux and Unix systems. The vulnerability exists in the pmmasterd daemon and can only be triggered when the host has been configured as a policy server (Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow occurs when handling requests of type ACT_ALERT_EVENT, where the size of a memcpy can be controlled by the attacker. This module only works against versions < 6.0.0-27. Versions up to 6.0.0-50 are also vulnerable but are not supported by this module (a stack cookie bypass is required). NOTE: to use this module it is necessary to bind a privileged source port (below 1024), as the server refuses connections coming from unprivileged ports; in most situations this means root privileges are required.

Double-fetch in afd!AfdBind

In the code of the afd!AfdBind function of the up-to-date afd.sys module (handler of the AFD_BIND IOCTL accessible from ring-3) on Windows 7 32-bit, there is an assembly code construct that can lead to reading beyond the allocated pool-based buffer memory area, potentially allowing user-mode applications to disclose kernel-mode secrets.
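The bug class above is a double fetch: a size read from user memory is validated, then read again from the same user-controlled location and trusted. The following is an added example, not afd.sys code or the proof of concept: a Python model in which the "user buffer" is a bytearray, the "pool allocation" is sized from the first fetch, and a racer callback stands in for a second user-mode thread that rewrites the size inside the race window. The u32-length-plus-payload layout and the POOL_ADJACENT bytes are constructed for the example.

```python
import struct
from typing import Callable, Optional

# Constructed stand-in for whatever happens to sit in the pool right after the allocation.
POOL_ADJACENT = b"KERNEL-SECRET-BYTES"


class UserBuffer:
    """Models ring-3 memory that a kernel IOCTL handler reads through a user pointer.
    Constructed layout: u32 LE length followed by `length` payload bytes."""

    def __init__(self, payload: bytes) -> None:
        self.mem = bytearray(struct.pack("<I", len(payload)) + payload)

    def read_u32(self, off: int) -> int:
        return struct.unpack_from("<I", self.mem, off)[0]

    def write_u32(self, off: int, value: int) -> None:
        struct.pack_into("<I", self.mem, off, value)

    def read(self, off: int, n: int) -> bytes:
        return bytes(self.mem[off:off + n])


Racer = Optional[Callable[[UserBuffer], None]]


def handler_double_fetch(user: UserBuffer, racer: Racer = None) -> bytes:
    """Vulnerable pattern: the length field is fetched twice from user memory."""
    length = user.read_u32(0)                 # fetch 1: validated and used to size the pool buffer
    if length > 4096:
        raise ValueError("length too large")
    pool = user.read(4, length)               # the pool allocation holds exactly `length` bytes
    kernel_view = pool + POOL_ADJACENT        # what a read past the allocation would return
    if racer is not None:
        racer(user)                           # another user thread runs inside the race window
    n = user.read_u32(0)                      # fetch 2: trusted as though it were the validated value
    return kernel_view[:n]                    # n > len(pool) copies adjacent pool memory to the caller


def handler_single_fetch(user: UserBuffer, racer: Racer = None) -> bytes:
    """Fixed pattern: capture the user-controlled value once and use only the captured copy."""
    length = user.read_u32(0)
    if length > 4096:
        raise ValueError("length too large")
    pool = user.read(4, length)
    kernel_view = pool + POOL_ADJACENT
    if racer is not None:
        racer(user)                           # the race still happens but cannot influence the copy
    return kernel_view[:length]


def bump_length(user: UserBuffer) -> None:
    """The racing thread: rewrite the length after it has been validated."""
    user.write_u32(0, 4096)


def leaked(output: bytes, payload: bytes) -> bytes:
    """Bytes returned to the caller beyond the data it legitimately supplied."""
    return output[len(payload):]
```

With the racer active, the double-fetch handler hands back POOL_ADJACENT after the caller's own four bytes, which is the disclosure the advisory describes; the single-fetch handler returns only the caller's data. In real kernel code the equivalent fix is to copy the user structure (or at least its size field) into kernel-owned storage once and never dereference the user pointer for it again.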

Trend Micro Interscan Web Security Virtual Appliance (IWSVA) 6.5.x Multiple Vulnerabilities

An attacker with low privileges can download the current CA certificate and private key (either the default ones or those uploaded by administrators) and use them to forge certificates trusted by clients of the appliance and intercept their HTTPS traffic.

Uninitialized bytes in kernel-mode structure containing the default DACL of system processes’ tokens

We have observed (on Windows 7 32-bit) that, for unclear reasons, the kernel-mode structure containing the default DACL of system processes' tokens (lsass.exe, services.exe, ...) has 8 uninitialized bytes at the end: the size of the structure (ACL.AclSize) is larger than the ACL header plus the sum of the ACE lengths (ACE_HEADER.AceSize). It is possible to read the leftover pool data using a GetTokenInformation(TokenDefaultDacl) call. When the attached proof-of-concept code is run against a SYSTEM process (the pid of the process must be passed as the program argument) on a system with Special Pools enabled for ntoskrnl.exe, output similar to the following can be observed.
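The check behind this finding is mechanical: walk the ACEs from the ACL header and compare the bytes they cover with AclSize. The following is an added example, not the proof-of-concept from the report: a Python walker over the documented ACL and ACE_HEADER layouts, plus builders that produce a constructed two-ACE DACL with and without trailing bytes. The SIDs, the GENERIC_ALL mask and the LEFTOVER bytes are constructed for the example; the code does not fetch a real token.

```python
import struct

ACL_HEADER = struct.Struct("<BBHHH")   # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = struct.Struct("<BBH")     # AceType, AceFlags, AceSize
ACCESS_ALLOWED_ACE_TYPE = 0x00
GENERIC_ALL = 0x10000000


def build_sid(subauthorities: list[int], identifier_authority: int = 5, revision: int = 1) -> bytes:
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority, u32 LE sub-authorities."""
    return (struct.pack("<BB", revision, len(subauthorities))
            + identifier_authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauthorities))


def build_access_allowed_ace(mask: int, sid: bytes) -> bytes:
    body = struct.pack("<I", mask) + sid
    return ACE_HEADER.pack(ACCESS_ALLOWED_ACE_TYPE, 0, ACE_HEADER.size + len(body)) + body


def build_acl(aces: list[bytes], trailing: bytes = b"") -> bytes:
    """`trailing` models bytes that lie after the last ACE but still inside AclSize."""
    body = b"".join(aces) + trailing
    return ACL_HEADER.pack(2, 0, ACL_HEADER.size + len(body), len(aces), 0) + body


def acl_slack(acl: bytes) -> tuple[int, bytes]:
    """Walk the ACEs and return (AclSize minus the bytes they cover, the uncovered bytes)."""
    _rev, _sbz1, acl_size, ace_count, _sbz2 = ACL_HEADER.unpack_from(acl, 0)
    if acl_size < ACL_HEADER.size or acl_size > len(acl):
        raise ValueError("AclSize inconsistent with buffer")
    off = ACL_HEADER.size
    for _ in range(ace_count):
        _type, _flags, ace_size = ACE_HEADER.unpack_from(acl, off)
        if ace_size < ACE_HEADER.size or off + ace_size > acl_size:
            raise ValueError("ACE runs past AclSize")
        off += ace_size
    return acl_size - off, acl[off:acl_size]


# Constructed default-DACL-style ACL: SYSTEM and Administrators with GENERIC_ALL each.
SYSTEM_SID = build_sid([18])            # S-1-5-18
ADMINS_SID = build_sid([32, 544])       # S-1-5-32-544
ACES = [build_access_allowed_ace(GENERIC_ALL, SYSTEM_SID),
        build_access_allowed_ace(GENERIC_ALL, ADMINS_SID)]
LEFTOVER = bytes.fromhex("deadbeefcafef00d")   # constructed stand-in for uninitialised pool bytes
CLEAN_ACL = build_acl(ACES)                    # 8 + 20 + 24 = 52 bytes, AclSize fully covered
LEAKY_ACL = build_acl(ACES, trailing=LEFTOVER) # AclSize 60, eight bytes no ACE accounts for
```

On a live system the buffer to hand to acl_slack is the DefaultDacl member of the TOKEN_DEFAULT_DACL structure returned by GetTokenInformation(hToken, TokenDefaultDacl, ...); a non-zero slack is the condition the report describes, and with Special Pool enabled the returned bytes carry the allocator's fill pattern rather than zeros.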

PlaySMS 1.4 Code Execution using $filename and Unrestricted File Upload in sendfromfile.php

Any registered user can upload any file because of improper validation of the file in sendfromfile.php. sendfromfile.php accepts any file extension and only reads the content; the file is not stored on the server. So when a user uploads, for example, mybackdoor.php, the server accepts it but does not store it in any folder, and the shell is useless. But if the user changes the file name from "mybackdoor.php" to "<?php system('uname -a'); die();?>.php", the server checks the file, sets the parameter $filename="<?php system('uname -a'); die();?>.php" (as the code shows) and displays $filename on the page.

Larson VizEx Reader 9.7.5 – Local Buffer Overflow (SEH)

Larson VizEx Reader 9.7.5 contains a local SEH-based buffer overflow due to improper bounds checking of user-supplied data. An attacker can exploit it by crafting a malicious TIF file and convincing the user to open it with the vulnerable application, which causes a denial of service condition.
