Explore Vulnerabilities

Explore all Exploits:

Microsoft Windows Media Center XXE File Disclosure

Windows Media Center 'ehshell.exe' is vulnerable to an XML External Entity (XXE) attack that allows remote access to ANY files on a victim's computer if the victim opens an XXE-laden '.mcl' file from a remote share or USB drive, or via a malicious 'windowsmediacenterweb' web link.

Microsoft Excel Starter XXE Remote File Disclosure

Old versions of Microsoft Excel Starter, specifically when handling '.xls' and '.xlthtml' files, are vulnerable to an XML External Entity attack. This can allow remote attackers to access and disclose ANY files from a victim's computer if the victim opens a corrupt '.xls' Excel file. XXE can also be abused to make connections to the victim's system/LAN and bypass firewalls, IPS, etc. (XXE/SSRF). When opening the file, the victim gets a warning message about it being in a 'different format and from trusted source'. If the user chooses to open the file, they get the error message 'File cannot be opened because: System does not support the specified encoding.' The targeted files are then accessed and transferred to a remote server. If Excec.exe is running on the victim's system, the malicious file will execute and a reverse shell can be obtained.

Microsoft Authorization Manager XXE File Exfiltration

The parser processes XML External Entity nodes, allowing external connections to be made to remote malicious DTD documents, which can potentially allow files on the user's system to be exfiltrated to a remote server.

BlackStratus LOGStorm Remote Root Exploit

BlackStratus LOGStorm has multiple vulnerabilities that allow a remote unauthenticated user, among other things, to assume complete control over the virtual appliance with root privileges. This is possible because multiple network servers listen for connections by default and accept authorization with undocumented credentials supported by the appliance's OS, web interface and SQL server.

Xfinity Gateway: Remote Code Execution

The page located at /network_diagnostic_tools.php has a "test connectivity" feature, which is carried out through a POST request to /actionHandler/ajax_network_diagnostic_tools.php. The destination_address parameter is vulnerable to command injection. If you open Wireshark with the filter ip.dst==attackerip and icmp, you will see the router issue 3 ICMP echo requests, proving successful command injection. This can be leveraged to completely compromise the device. The vulnerability is particularly dangerous because the application has no CSRF protection, as demonstrated.

Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Joomla extension v1.0.6

The Huge-IT Portfolio Gallery extension can be exploited by unauthenticated users to perform SQL injection against the functions in ajax_url.php. The vulnerability is present in lines 11-59 of ajax_url.php, where user-supplied input is not properly sanitized before being used in a SQL query. An attacker can exploit it by sending a specially crafted HTTP POST request to the vulnerable script, leading to the execution of arbitrary SQL commands.

WP Vault 0.8.6.6 – WordPress Plugin – Local File Inclusion

$_GET["wpv-image"] is not escaped before being passed to an include, allowing an attacker to include a file from the local system or from a remote system. An attacker can use this vulnerability to include a malicious file and execute arbitrary code on the vulnerable system.