$_POST['id'] is not escaped. sirv_get_row_by_id() is accessible to every registered user.
$_POST['id'] is not escaped. The URL is accessible to any user.
Two XXE vulnerabilities were discovered in CS-Cart <= 4.3.10. The first vulnerability is in the Twigmo addon, located in the app/addons/twigmo/Twigmo/Api/ApiData.php file, on line 131. The second vulnerability is in the Amazon payment callback, located in the app/payments/amazon/amazon_callback.php file, on line 16. An attacker can send a malicious XML request to the vulnerable host, which will cause a GET request to be sent to the attacker's server, indicating a successful attack.
This PoC exploit allows local attackers on Debian-based systems (Debian, Ubuntu as well as Gentoo etc.) to escalate their privileges from the nginx web server user (www-data) to root through unsafe error log handling. The exploit waits for the Nginx server to be restarted or to receive a USR1 signal. On Debian-based systems the USR1 signal is sent by the logrotate script (/etc/logrotate.d/nginx), which is called daily by cron.daily on default installations.
This module exploits a buffer overflow in the WinaXe 7.7 FTP client. This issue is triggered when a client connects to the server and is expecting the Server Ready response.
We have encountered a Windows kernel crash in the nt!RtlEqualSid function invoked through nt!SeAccessCheck by nt!CmpCheckSecurityCellAccess while loading corrupted registry hive files.
The VHDMP driver doesn’t safely delete files, leading to arbitrary file deletion which could result in EoP. The VHDMP driver is used to mount VHD and ISO files so that they can be accessed as a normal mounted volume. There are numerous places where the driver calls ZwDeleteFile without specifying OBJ_FORCE_ACCESS_CHECK. This can be abused to delete any arbitrary file or directory on the filesystem by abusing symbolic links to redirect the delete file name to an arbitrary location. Also, because of the behaviour of ZwDeleteFile, we don’t need to play games with the DosDevices directory or anything like that: the system call opens the target file without specifying the FILE_DIRECTORY_FILE or FILE_NON_DIRECTORY_FILE flags, which means it’s possible to use a mount point to redirect even to a file, due to the way reparsing works in the kernel.
The VHDMP driver doesn’t safely create files related to Resilient Change Tracking, leading to arbitrary file overwrites under user control, which in turn leads to EoP. When you enable RCT on an existing VHD it creates the files if they’re not already present. Unfortunately it does so using ZwCreateFile (in VhdmpiCreateFileWithSameSecurity) and doesn’t specify the OBJ_FORCE_ACCESS_CHECK flag. As the location is entirely controlled by the user, we can exploit this to get an arbitrary file create/overwrite, and the code, as its name suggests, copies across the DACL from the parent VHD, meaning we’ll always be able to access it.
A malicious interaction with the keyctl usermode interface allows an attacker to crash the kernel. Processing the attached certificate by the kernel leads to a kernel null pointer dereference. This vulnerability can be triggered locally by any unprivileged user.
On Linux kernel >= 4.4 with CONFIG_BPF_SYSCALL enabled and the kernel.unprivileged_bpf_disabled sysctl not set to 1, BPF can be abused to escalate privileges. Ubuntu 16.04 meets all of these conditions.