Explore Vulnerabilities

Explore all Exploits:

iFdate Social Dating Script v2.0 – SQL Injection

Multiple parameters in the iFdate Social Dating Script v2.0 are vulnerable to SQL injection, allowing an attacker to extract data from the database. The vulnerable parameters are gender, sexuality, marital, ethnic, country, picture, online, error_name, username, and videos. The data that can be extracted includes id, username, email, password, signup_date, signup_ip, banned, active, and is_admin.

Pasal – Departmental Store Management System v1.2 – SQL Injection

Pasal - Departmental Store Management System v1.2 is vulnerable to SQL Injection. An attacker can exploit this vulnerability to gain access to sensitive information such as usernames, passwords, emails, full names, and permissions from the tbl_users table. The vulnerable parameters are module.php?module=vendors&page=edit-vendors&id=[SQL], module.php?module=units&page=edit-units&id=[SQL], module.php?module=currency&page=edit-currency&id=[SQL], module.php?module=category&page=edit-category&id=[SQL], and module.php?module=purchase&y=[SQL]&m=[SQL].

ImagePath Resource Injection/Open script editor

The 'imagePath=' variable (which is prone to XSS in a wide range of products) can also be used for resource injection. If a URL is inserted into this variable, a GET request is made to that URL, so this is an interesting point from which to request malicious code from the attacker's machine, and of course the possibilities are vast (including hooking the browser).

WordPress Plugin Membership Simplified v1.58 – Arbitrary File Download

This exploit allows an attacker to download arbitrary files from a vulnerable WordPress Plugin Membership Simplified v1.58 installation. The attacker can specify the file to download by manipulating the download_file parameter in the download.php file.

Stored Cross Site Scripting (XSS) in Sitecore Experience Platform 8.1 Update-3

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. The Name and Description input fields aren't properly escaped. This could lead to an XSS attack that could possibly affect administrators, users, and editors.

IPS Community Suite – Steam Profile Integration 2.0.11 and below SQL injection

An unauthenticated attacker can inject arbitrary SQL commands into the 'id' parameter of the 'update' action of the 'steamProfile' module of the IPS Community Suite. This is due to the lack of proper sanitization of the 'id' parameter in the 'updateProfile()' function of the 'Update.php' file. This can allow an attacker to gain access to sensitive information from the database.

Recent Exploits: