A SQL injection vulnerability exists in Itech Real Estate Script v3.12, which allows an attacker to execute arbitrary SQL commands via the 'id' parameter in the agent_search_property.php script.
A SQL injection vulnerability exists in Itech Dating Script v3.26, which allows an attacker to execute arbitrary SQL commands via the 'send_gift.php' script. An attacker can send a specially crafted request to the vulnerable script to execute arbitrary SQL commands.
A SQL injection vulnerability exists in Itech Classifieds Script v7.27, which allows an attacker to execute arbitrary SQL commands via the 'pid' parameter in the message.php and showSubcat.php scripts.
HelpDeskZ <= v1.0.2 suffers from an SQL injection vulnerability that allows an attacker to retrieve administrator access data and download unauthorized attachments. After a ticket is submitted, the software allows its attachment to be downloaded through the following link: http://127.0.0.1/helpdeskz/?/?v=view_tickets&action=ticket&param[]=2(VALID_TICKET_ID_HERE)&param[]=attachment&param[]=1&param[]=1(ATTACHMENT_ID_HERE). By entering a valid id in param[], which is our submitted ticket id, and adding our query at the end of the request, we are able to download any uploaded attachment.
An SQL Injection vulnerability in Video Sharing Script 4.94 allows attackers to read arbitrary data from the database. The vulnerability can be exploited by sending a malicious payload to the vulnerable parameter in the URL.
The PHP Logo Designer Script has an arbitrary file upload vulnerability. It allows an attacker to upload a malicious file to the server, which can be used to execute arbitrary code on the server.
The PHP Product Designer Script has an arbitrary file upload vulnerability. It allows an attacker to upload a malicious file to the server, which can be used to execute arbitrary code on the server.
In Oracle's VirtualBox, it is possible to compromise a system behind a firewall by tampering with Extension-Pack updates, due to the lack of HTTPS and the presence of a privilege escalation bug in VirtualBox's downloader. A Man-In-The-Middle could send his own Extension-Pack (with malicious code included) to the target instead of the regular update, and it would be executed with user permissions. The malicious code could be an executable with setuid permissions in the Extension-Pack, which would be stored with root as owner and without the permissions of the binaries being checked.
An SQL Injection vulnerability in Itech Real Estate Script v3.12 allows attackers to read arbitrary data from the database. The vulnerable parameter is 'property_for' and the payloads used are boolean-based blind, AND/OR time-based blind and UNION query.
An SQL Injection vulnerability in News Portal Script v6.28 allows attackers to read arbitrary data from the database. The vulnerability can be exploited by sending a malicious payload to the 'inf' parameter of the 'information.php' page.