Explore Vulnerabilities

Explore all Exploits:

Itech News Portal Script v6.28 – ‘sc’ Parameter SQL Injection

A vulnerability exists in Itech News Portal Script v6.28 that allows an attacker to inject arbitrary SQL commands via the 'sc' parameter of the subcategory.php file, manipulating the SQL queries the script builds from that parameter.

Property Listing Script – Time-Based Blind Injection

Advanced PHP Real-Estate Script is vulnerable to a time-based blind injection attack. The vulnerable URL is http://locahost/property-list/property_view.php?propid=443[payload], where the parameter 'propid' is vulnerable to the attack. The payload used is propid=443' AND SLEEP(5) AND 'FBop'='FBop.

WP Content Injection

This exploit allows an attacker to inject malicious content into a WordPress site by exploiting a vulnerability in the WordPress REST API. The vulnerability affects WordPress versions 4.7 to 4.7.1, and is patched in version 4.7.2. The exploit requires the attacker to know the post ID of the post they wish to inject content into, and then use a Ruby script to send a POST request to the WordPress REST API with the malicious content. The malicious content is then injected into the post.

WordPress 4.7.0/4.7.1 Unauthenticated Content Injection PoC

This exploit allows an unauthenticated user to inject malicious content into a WordPress website. The vulnerability is present in WordPress versions 4.7.0 and 4.7.1, and can be exploited by sending a specially crafted request to the WordPress REST API. This can be used to inject malicious content into the website, such as JavaScript code, which can be used to steal user data or perform other malicious activities.

GHOSTSCRIPT FILENAME COMMAND EXECUTION

The Ghostscript ps2epsi translator, used to process ".ps" files, executes arbitrary commands from specially crafted filenames that contain OS commands as part of the processed PostScript file's name. This behaviour seems to occur only with the ps2epsi translator; other tested Ghostscript translator calls, such as 'ps2pdf', fail.

Classic Heap and Stack Overflows in QNAP VioStor NVR, QNAP NAS, Fujitsu Celvin NAS

QNAP VioStor NVR, QNAP NAS, and Fujitsu Celvin NAS are vulnerable to classic heap and stack overflows. The tags 'u' (user) and 'p' (password) suffer from heap overflow, which allows an attacker to overwrite the heap wilderness top chunk size. The tag 'pp' (sysApp) suffers from stack overflow, which allows an attacker to overwrite libc_argv[0].

Samsung KNOX RKP Security Hypervisor Vulnerability

Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by 'shielding' certain data structures within the hypervisor. However, RKP provides commands which can be used in order to re-map regions in the stage 2 translation table. Most of these commands correctly perform a validation on the given address range using 'physmap'. However, the 'rkp_set_init_page_ro' command (command code 0x51) can be used to mark a region as read-only in stage 2, and performs no such validation.

RKP Security Policy Bypass on Samsung Phones

This vulnerability allows an attacker to bypass the security policy implemented by RKP (Real-time Kernel Protection) on Samsung phones. RKP is a security hypervisor running in EL2 which is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by shielding certain data structures within the hypervisor. The security policy is meant to ensure that only the authentic kernel code pages are executable from EL1. This vulnerability allows an attacker to bypass this policy by exploiting the initial stage 2 translation table which is embedded in the VMM code.

Type Confusion Vulnerability in WebKit with Accessibility Enabled

There is a type confusion vulnerability that affects WebKit with accessibility enabled (WebCore::AXObjectCache::gAccessibilityEnabled). The PoC provided crashes WebKitGTK+ 2.14.2 and Safari on Mac when the Web Inspector / Error Console are enabled. The vulnerability is caused by a bad cast in RenderBox.h in the function RenderBox::firstChildBox(), which expects the first child to be of type RenderBox, but in the PoC it is actually of type RenderText.