An unescaped parameter was found in Simply Poll version 1.4.1. ( WP plugin ). An attacker can exploit this vulnerability to read from the database. The POST parameter 'pollid' is vulnerable. An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access the filesystem may be possible.
A vulnerability in PHPMailer < 5.2.18 allows attackers to inject parameters to the sendmail command which can be used to write the payload passed in the body of the message to a file. This can be used to execute arbitrary code on the server.
PHPMailer < 5.2.18 and PHPMailer < 5.2.20 are vulnerable to Remote Code Execution. The exploit was discovered and coded by Dawid Golunski. The exploit is based on the bypass of the first patch for CVE-2016-10033.
WordPress PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a " (backslash double quote) in a crafted Sender property in isMail transport.
A SQL Injection Vulnerability has been discovered in the Joomla Module called com_blog_calendar. The Vulnerability is located in the index.php?option=com_blog_calendar&modid=xxx Parameter. Attackers are able to execute own SQL commands by usage of a GET Method Request with manipulated modid Value. Attackers are able to read Database information by execution of own SQL commands.
The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded. This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.
OpenSSH can forward TCP sockets and UNIX domain sockets. If privilege separation is disabled, then on the server side, the forwarding is handled by a child of sshd that has root privileges. For TCP server sockets, sshd explicitly checks whether an attempt is made to bind to a low port (below IPPORT_RESERVED) and, if so, requires the client to authenticate as root. However, for UNIX domain sockets, no such security measures are implemented. This means that, using "ssh -L", an attacker who is permitted to log in as a normal user over SSH can effectively connect to non-abstract unix domain sockets with root privileges. On systems that run systemd, this can for example be exploited by asking systemd to add an LD_PRELOAD environment variable for all following daemon launches and then asking it to restart cron or so.
During a penetration test, RedTeam Pentesting discovered a Padding Oracle vulnerability in mod_session_crypto of the Apache web server. This vulnerability can be exploited to decrypt the session data and even encrypt attacker-specified data.
A specially crafted web-page can trigger an out-of-bounds write in Microsoft Internet Explorer 11. Code that handles pasting images from the clipboard uses an incorrect buffer length, which allows writing beyond the boundaries of a heap-based buffer. An attacker able to trigger this vulnerability can execute arbitrary code.
An attacker with a send-right to the service can spoof a MACH_NOTIFY_DEAD_NAME message and cause an arbitrary port name to be passed to mach_port_deallocate as deadname->not_port doesn't name a port right but is a mach_port_name_t which is just a controlled integer. An attacker could cause syslogd to free a privilged port name and get it reused to name a port for which the attacker holds a receive right.
Services By CQR