This vulnerability in Xen permits an attacker with control over the kernel of a 64-bit x86 PV guest to write arbitrary entries into a live top-level pagetable. The root cause is that the arch.cr3 field in the vcpu struct does not hold a type-specific reference of its own; it borrows the reference held by either arch.guest_table_user or arch.guest_table. Whenever the field from which the reference is borrowed is updated, arch.cr3 (together with the physical CR3) must therefore be updated as well. The guest updates arch.guest_table_user and arch.guest_table through __HYPERVISOR_mmuext_op with the MMUEXT_NEW_USER_BASEPTR and MMUEXT_NEW_BASEPTR commands. The handlers for these commands assume that arch.cr3 always equals arch.guest_table when the hypercall runs, i.e. that the vCPU is in kernel mode. Using __HYPERVISOR_multicall, however, the guest can have __HYPERVISOR_mmuext_op executed while the vCPU is in user context, where arch.cr3 borrows its reference from arch.guest_table_user; replacing that table then drops the reference arch.cr3 depends on without updating arch.cr3 or the physical CR3, so the old page remains the live top-level pagetable while no longer being protected as one.
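The borrowed-reference invariant above, as an added illustration that is not Xen code: a reduced Python model in which pages carry a type count, a vCPU holds typed references through guest_table and guest_table_user, and cr3 only borrows one of them. The handler function, the `fixed` switch and the `scenario` driver are assumptions of the model; only the field and command names come from the text.

```python
"""Added example, not Xen code: a reduced model of the borrowed reference
held by arch.cr3. Handler and driver names are assumptions of the model."""

L4_TABLE = "l4_page_table"


class Page:
    def __init__(self, mfn):
        self.mfn = mfn
        self.type_name = L4_TABLE
        self.type_count = 0  # type-specific references holding it as an L4 table

    def get_type(self):
        self.type_count += 1

    def put_type(self):
        assert self.type_count > 0
        self.type_count -= 1
        if self.type_count == 0:
            self.type_name = None  # untyped: the guest may re-type it, e.g. as writable


class VCPU:
    def __init__(self, kernel_table, user_table, user_mode=False):
        self.guest_table = kernel_table
        self.guest_table_user = user_table
        kernel_table.get_type()
        user_table.get_type()
        self.user_mode = user_mode
        # Borrowed: cr3 holds no reference of its own, it mirrors one of the two fields.
        self.cr3 = user_table if user_mode else kernel_table


def mmuext_new_user_baseptr(v, new_table, fixed):
    """MMUEXT_NEW_USER_BASEPTR as the text describes it (fixed=False): the
    handler assumes cr3 borrows from guest_table and never touches it.
    With fixed=True, cr3 is re-pointed before the borrowed reference is dropped."""
    new_table.get_type()
    old = v.guest_table_user
    v.guest_table_user = new_table
    if fixed and v.cr3 is old:
        v.cr3 = new_table
    old.put_type()


def live_cr3_is_writable(v):
    """The dangerous state: the page CR3 still points at no longer holds an
    L4 type reference, so the guest could map it writable and edit entries."""
    return v.cr3.type_name != L4_TABLE


def scenario(user_context, fixed):
    """Run the handler from kernel context or, as via __HYPERVISOR_multicall,
    from user context, and report whether the live top-level table lost
    its protection."""
    v = VCPU(Page(mfn=1), Page(mfn=2), user_mode=user_context)
    mmuext_new_user_baseptr(v, Page(mfn=3), fixed=fixed)
    return live_cr3_is_writable(v)


if __name__ == "__main__":
    for user_context in (False, True):
        for fixed in (False, True):
            print(f"user_context={user_context} fixed={fixed}: "
                  f"writable live CR3 = {scenario(user_context, fixed)}")
```

Only the combination of user context and the unfixed handler leaves CR3 pointing at an untyped page; from kernel context the assumption the handler makes happens to hold, which is why the multicall path matters.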
SymDiag.exe is vulnerable to a stack-based buffer overflow that overwrites the SEH chain. The input fields of the 'Register a new card' dialog are not bounds-checked, so an overlong value corrupts the stack and leads to code execution. To reproduce, start the SmartDiag.exe tool, choose 'Register a new card' and enter the following payload in the ATR field (tested on Win7 x64 and Win8 x64 with SmartDiag v2.5; it is the sequence 52834000 repeated 100 times, followed by 528340): 52834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340
The following HTML/JavaScript code allows an attacker to delete an administrator user. It has to be visited by a logged-in administrator of the targeted ViMbAdmin application (a cross-site request forgery). The vulnerable code is located in the `addAction()` and `purgeAction()` methods of the `<vimbadmin directory>/application/controllers/DomainController.php` and `<vimbadmin directory>/application/controllers/AdminController.php` files, respectively.
During the security analysis, ThunderScan discovered an SQL injection vulnerability in the WebDorado Gallery WordPress plugin. The easiest way to reproduce it is to visit the provided URL while logged in as an administrator or as another user authorized to access the plugin settings page; any such user can obtain a valid bwg_nonce value by first visiting the settings page. Users that do not have full administrative privileges could abuse the database access the vulnerability provides to escalate their privileges, or to read and modify database contents they were not supposed to be able to access.
Jenkins is vulnerable to a Java deserialization vulnerability. Triggering it requires two requests. The flaw lies in the implementation of a bidirectional communication channel over HTTP that accepts commands. The first request starts a session for the channel and is used for “downloading” data from the server; the HTTP header “Session” identifies the channel, and the HTTP header “Side” specifies the direction (downloading or uploading). The second request is the sending component of the channel. The first request is blocked until the second request is sent. The two requests are matched to one channel by the “Session” HTTP header, which is just a UUID.
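The two-request channel setup described above, as an added example that is not Jenkins code: `channel_requests` builds the headers of the two halves (the `download`/`upload` values are the ones the Jenkins CLI sends in “Side”), and `find_full_duplex_channels` pairs request records by Session UUID so an operator can spot channels being opened against a server. The record format is constructed for this example and the `/cli` path is an assumption.

```python
"""Added example, not Jenkins code: the two requests that set up the
full-duplex channel, and a detector that pairs them by Session UUID in
constructed request records. The record format and '/cli' are assumptions."""

import uuid
from collections import defaultdict

SIDES = {"download", "upload"}  # direction values the Jenkins CLI sends in 'Side'


def channel_requests(path="/cli", session=None):
    """Headers of the two halves of one channel: the first request opens the
    session and receives data; the second, matched by the same UUID, sends."""
    session = session or str(uuid.uuid4())
    download = {"method": "POST", "path": path, "Session": session, "Side": "download"}
    upload = {"method": "POST", "path": path, "Session": session, "Side": "upload"}
    return download, upload


def find_full_duplex_channels(records):
    """Group records by Session; a session seen with both sides is a complete
    channel. Legitimate CLI clients produce the same pair, so treat a hit as
    a triage signal (who, from where, how often), not as a verdict."""
    seen = defaultdict(lambda: {"sides": set(), "sources": set()})
    for line in records:
        fields = line.split()
        if len(fields) < 4 or fields[2] != "POST":
            continue
        kv = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
        if "Session" not in kv or "Side" not in kv:
            continue
        try:
            sid = str(uuid.UUID(kv["Session"]))  # the identifier is just a UUID
        except ValueError:
            continue
        seen[sid]["sides"].add(kv["Side"])
        seen[sid]["sources"].add(fields[1])
    return {sid: info for sid, info in seen.items() if SIDES <= info["sides"]}


# Constructed records: "<time> <client> <method> <path> <header>=<value>...".
SAMPLE_RECORDS = [
    "2015-11-11T10:00:01Z 10.0.0.5 POST /cli Session=3f2504e0-4f89-11d3-9a0c-0305e82c3301 Side=download",
    "2015-11-11T10:00:01Z 10.0.0.5 POST /cli Session=3f2504e0-4f89-11d3-9a0c-0305e82c3301 Side=upload",
    "2015-11-11T10:00:02Z 10.0.0.9 POST /cli Session=1b4e28ba-2fa1-11d2-883f-0016d3cca427 Side=download",
    "2015-11-11T10:00:03Z 10.0.0.9 GET /login",
]

if __name__ == "__main__":
    for sid, info in find_full_duplex_channels(SAMPLE_RECORDS).items():
        print(sid, sorted(info["sides"]), sorted(info["sources"]))
```

The second session in the sample has only its download half and is not reported; a download request with no matching upload is exactly the blocked first request the text describes.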
By triggering the vulnerability, a dangling pointer to a JSString object can be obtained in a JavaScript callback. A generic technique to turn it into a reliable read/write primitive exists, although it requires a very large (~28 GiB) heap spray. This is feasible even on a MacBook with 8 GB of RAM thanks to the page compression mechanism in macOS.
WordPress 4.7 is vulnerable to an unauthenticated password reset vulnerability due to improper validation of the SERVER_NAME variable. An attacker can send a specially crafted HTTP request with a modified Host header to trigger the password reset function for the admin user account. Because WordPress derives the sender address from SERVER_NAME, which the web server may populate from the Host header, the attacker's domain ends up in the Return-Path, From, and Message-ID fields of the password reset email.
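The sender-address derivation behind this issue, as an added Python model that is not WordPress code: the vulnerable variant builds the From and Return-Path domain from SERVER_NAME the way wp_mail() does by default, while the hardened variant takes the domain from the configured site URL and refuses a Host header that does not match it. Function names and the site URL are assumptions; Message-ID is not modelled.

```python
"""Added example, not WordPress code: sender-address derivation from a
request-controlled name beside a hardened variant. Names are assumptions."""

from urllib.parse import urlsplit


def domain_from_host(host):
    """Mirror of the wp_mail() default: lowercase, drop the port, strip a
    leading 'www.'."""
    host = host.lower().split(":", 1)[0]
    return host[4:] if host.startswith("www.") else host


def reset_mail_headers_vulnerable(server_name):
    """The 4.7 behaviour: the identity in the reset mail comes from
    SERVER_NAME, which a server with no canonical name configured fills
    from whatever Host header the client sent."""
    domain = domain_from_host(server_name)
    return {"From": f"WordPress <wordpress@{domain}>",
            "Return-Path": f"wordpress@{domain}"}


def host_is_allowed(host_header, site_url):
    """Accept only the host of the configured site URL."""
    return domain_from_host(host_header) == domain_from_host(urlsplit(site_url).hostname)


def reset_mail_headers_hardened(host_header, site_url):
    """Hardened: refuse to build the mail for an unexpected Host, and take
    the sender domain from configuration rather than from the request."""
    if not host_is_allowed(host_header, site_url):
        raise ValueError(f"unexpected Host header: {host_header!r}")
    domain = domain_from_host(urlsplit(site_url).hostname)
    return {"From": f"WordPress <wordpress@{domain}>",
            "Return-Path": f"wordpress@{domain}"}


if __name__ == "__main__":
    print(reset_mail_headers_vulnerable("attacker.example"))
    print(reset_mail_headers_hardened("www.victim.example:443", "https://victim.example"))
```

With the vulnerable derivation a Host header of attacker.example puts wordpress@attacker.example into Return-Path, so a bounce or reply carries the reset link to the attacker; the hardened path never lets the request choose the domain.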
This PoC exploit allows an unauthenticated attacker to execute arbitrary code on a vulnerable WordPress 4.6 installation. The vulnerability is caused by a lack of sanitization of the filename parameter in the wp-admin/upload.php script. An attacker can exploit this vulnerability by uploading a malicious PHP file with a specially crafted filename. The malicious file will be uploaded to the server and can be executed by accessing it directly.
The version of Serviio installed on the remote Windows host is affected by an unauthenticated remote code execution vulnerability due to improper access control enforcement of the Configuration REST API and unsanitized input when FFMPEGWrapper calls cmd.exe to execute system commands. A remote attacker can exploit this with a specially crafted JSON request containing an escape sequence, gaining code execution with SYSTEM privileges.
The version of Serviio installed on the remote Windows/Linux host is affected by an unauthenticated password modification vulnerability due to improper access control enforcement of the Configuration REST API. A remote attacker can exploit this, via a specially crafted request, to change the login password for the mediabrowser protected page.