A SQL injection vulnerability exists in Joomla! Component Spider FAQ Lite v1.3.1. An attacker can send a specially crafted HTTP request to the vulnerable application in order to execute arbitrary SQL commands in the back-end database. This can potentially result in the manipulation or disclosure of application data.
A SQL injection vulnerability exists in Joomla! Component Spider Facebook v1.6.1. An attacker can send a malicious SQL query to the vulnerable application which can be used to access or modify the contents of the database. The vulnerability is located in the 'name' parameter of the 'index.php?option=com_spiderfacebook&task=loginwith' page when processing to login with a user account.
A SQL injection vulnerability exists in Joomla! Component Spider Catalog Lite v1.8.10. An attacker can send malicious SQL queries to the application by manipulating the 'product_id' and 'select_categories' parameters in the URL. This can allow an attacker to access or modify the application's data.
A SQL injection vulnerability exists in Joomla! Component Spider Calendar Lite v3.2.16. An attacker can exploit this vulnerability to inject malicious SQL queries into the application, allowing them to bypass authentication and gain access to unauthorized data. The vulnerability is due to insufficient input validation in the application when handling user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL queries to the vulnerable application.
The WebVPN http server exposes a way of accessing files from CIFS with a url hook of the form: https://portal/+webvpn+/CIFS_R/share_server/share_name/file. When someone logged into the portal navigates to such an address, the http_cifs_process_path function parses the request URI and creates 2 C strings in a http_cifs_context struct. These strings are copied in various places, but is done incorrectly. For example, in ewaURLHookCifs, there is the following pseudocode: filename_copy_buf = calloc(1LL, 336LL); net_handle[10] = filename_copy_buf; if ( filename_copy_buf ) { src_len = _wrap_strlen(filename_from_request); if ( filename_from_request[src_len - 1] == ('|') ) { // wrong length (src length) strncpy((char *)filename_copy_buf, filename_from_request, src_len - 1); } In this case, a fixed size buf (|filename_copy_buf|) is allocated. Later, strncpy is called to copy to it, but the length passed is the length of the src string, which can be larger than 366 bytes. This leads to heap overflow.
Joomla! Component JSP Store Locator v2.2 is vulnerable to SQL Injection. An attacker can exploit this vulnerability by sending malicious SQL queries to the vulnerable application. This can be done by sending malicious SQL queries to the vulnerable application via the 'id' parameter in the 'task' parameter of the 'index.php' page. For example, http://localhost/[PATH]/index.php?option=com_jsplocation&task=directionview&id=[SQL]
A remote heap corruption vulnerability exists in GOM Player 2.3.10.5266. An attacker can exploit this vulnerability by sending a malicious .fpx file to the victim, which when opened with CTRL+U, can lead to a heap corruption. This can be exploited to execute arbitrary code on the victim's system.
Document D2 contains vulnerable BeanShell (bsh) and Apache Commons libraries and accepts serialised data from untrusted sources, which leads to remote code execution. Proof of concept code is provided which creates a superuser account in the underlying Documentum repository.
An attacker can specify an arbitrary length for the copy, as well as specify an arbitrary 32-bit offset to copy from, leading to an out-of-bounds read/write. This is possible due to the lack of proper checks on the |len| value and the |size| field from the header.
The implementation of EMR_SETDIBITSTODEVICE (residing in the MRSETDIBITSTODEVICE::bPlay function) still doesn't enforce condition #3, which is that cbBitsSrc is within expected bounds, and especially that it is larger or equal the expected number of bitmap bytes. As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.
Services By CQR