Explore Vulnerabilities

HTMLKeygenElement::shadowSelect() Type Confusion Vulnerability

The HTMLKeygenElement::shadowSelect() function in Chromium allows accessing (and modifying) userAgentShadowRoot from JavaScript. It blindly casts the first child of the userAgentShadowRoot to HTMLSelectElement without checking the Node type, which can lead to a type confusion vulnerability.

Chrome bug: Out-of-bounds write in HTMLKeygenElement::shadowSelect()

This vulnerability allows an attacker to write memory out of bounds in the HTMLKeygenElement::shadowSelect() function. This is done by using the caretRangeFromPoint() function to access the userAgentShadowRoot and then prepending a string to it. The HTMLKeygenElement::shadowSelect() function then blindly casts the first child of the userAgentShadowRoot to HTMLSelectElement without checking the Node type, resulting in an out-of-bounds write.

Use-after-free in HTMLFormElement::reset()

The bug is in the HTMLFormElement::reset() function, specifically in this part: while the m_associatedElements vector is being iterated, its contents can change (an HTMLFormControlElement being added to or removed from it). Normally HTMLFormControlElement::reset() doesn't change the DOM, but there is one exception to this: the 'output' element. In WebKit, resetting the output element is equivalent to setting its textContent, which causes all of its child elements (if any) to be removed from the DOM tree. Using this trick we can remove elements from m_associatedElements while it is being iterated. However, this by itself is not sufficient to exploit this issue, as m_associatedElements.remove(index) (called from HTMLFormElement::removeFormElement()) won't actually reallocate the vector's buffer; it will only decrease the vector's m_size, and the vector's elements after m_size will still point to the (former) form members.

RKP Hypervisor Vulnerability

Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by 'shielding' certain data structures within the hypervisor. However, RKP provides two commands which produce a value using the 64-bit hypervisor key, namely: cfp_ropp_new_key (RKP command 0x91) and cfp_ropp_new_key_reenc (RKP command 0x92). Both of these commands convert the given virtual address from the kernel VAS to a physical address, but fail to verify the resulting address either via 'physmap', or by checking that the given address does not reside in the physical address range of RKP itself. This means an attacker can issue these RKP calls in order to corrupt RKP memory or write to regions which are S2-protected by EL2.

LogoStore – SQL Injection

An SQL Injection vulnerability in LogoStore allows attackers to read arbitrary data from the database.

Vulnerable URL: http://locahost/LogoStore/search.php
Method: POST
Parameter: query
Type: UNION query
Simple Payload: query=test' UNION ALL SELECT CONCAT(CONCAT('qqkkq','VnPVWVaYxljWqGpLLbEIyPIHBjjjjASQTnaqfKaV'),'qvvpq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- oCrh&search=Search

Joomla Component JTAG Calendar 6.2.4 – SQL Injection

The Joomla Component JTAG Calendar 6.2.4 is vulnerable to SQL Injection. The search parameter is injectable when the 'format=raw&noframe=1&searchOnly=1' parameters are used. An attacker can use this vulnerability to gain access to the database and execute malicious code.

Netman 204 Backdoor and weak password recovery function

Netman 204 cards have a backdoor account eurek:eurek, which can be logged into by simply browsing to the URL http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek or https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek. Due to flaws in parameter validation, the URL can be shortened to http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek or https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek. If an admin has changed the passwords, they can be reset by generating a reset key from the MAC address if you are on the same subnet. To generate the key, take the MD5 hash of 204:[MAC ADDRESS] and use characters 2-10, then browse to the URL http://[ip]/cgi-bin/recover2.cgi?password=354a65581 or https://[ip]/cgi-bin/recover2.cgi?password=354a65581. The passwords have now been reset.

Trustwave SpiderLabs Security Advisory TWSL2017-003: Multiple Vulnerabilities in NETGEAR Routers

NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices are susceptible to authentication bypass via simple crafted requests to the web management server.