
Explore Vulnerabilities

Explore all Exploits:

MSIE 11 Readystatechange Interrupt Reentrancy Vulnerability

When a Document Fragment containing an applet element is added to the DOM, all elements receive a notification that they are removed from the CMarkup. Next, they are added to the DOM and receive notification of being added to another CMarkup. When the applet is added, a CObject Element is created and added to the CMarkup. This causes a readystatechange event to fire, which interrupts the current code. During this readystatechange event, the DOM may be modified, which causes further notifications to fire. However, elements in the Document Fragment that come after the applet element have already received a notification that they have been removed from one CMarkup, but not that they have been added to the new one. Thus, these elements may receive another notification of removal, followed by two notifications of being added to a CMarkup.

Dolphin <= 7.3.2 Auth bypass / RCE exploit

This exploit is used to bypass authentication and execute remote code on Dolphin <= 7.3.2. It uses a form-data request to upload a malicious zip file containing a PHP script which can be used to execute arbitrary code. The exploit was developed by Ahmed Sultan (0x4148) and the authentication bypass trick was credited to Saadat Ullah.

vBulletin <= 4.2.3 SQL Injection (CVE-2016-6195)

vBulletin versions 3.6.0 through 4.2.3 are vulnerable to SQL injection in the vBulletin core forumrunner addon. The vulnerability allows an attacker to execute arbitrary SQL queries and potentially access sensitive information from the database.

4images <= 1.7.13 Sql Injection Exploit

4images is a powerful web-based image gallery management system. It is vulnerable to an SQL injection flaw that can be escalated to add a new administrator account. The vulnerable code is present in the file admin/validateimages.php, line 406. The input parameter orderby is not sanitized before being passed to the SQL query, which leads to the SQL injection flaw. The proof of concept is a GET request to the URL /lab/4images1.7.13/4images/admin/validateimages.php?action=validateimages&orderby=extractvalue(1,concat(0x7e,version()))&direction=ASC&limitnumber=10.

WININET.dll Buffer Overflow Vulnerability

A specially crafted HTTP response can cause the CHttpHeaderParser::ParseStatusLine method in WININET to read data beyond the end of a buffer. The size of the read can be controlled through the HTTP response. An attacker that is able to get any application that uses WININET to make a request to a server under his/her control may be able to disclose information stored after this memory block.

LSASS SMB NTLM Exchange Remote Memory Corruption

A vulnerability in the Windows Local Security Authority Subsystem Service (LSASS) was found on Windows OS versions ranging from Windows XP through Windows 10. This vulnerability allows an attacker to remotely crash the LSASS.EXE process of an affected workstation with no user interaction. Successful remote exploitation of this issue will result in a reboot of the target machine. Local privilege escalation should also be considered likely. The vulnerability affects both the LSASS client and server and can be triggered remotely via SMBv1 and SMBv2 during the NTLM message 3 (Authenticate) message. Incoming NTLM messages over SMB use ASN.1 DER encoding, and the first ASN.1 length field can be set to an unsigned int by using 0x84.

VBScript Engine Memory Disclosure Vulnerability

A specially crafted script can cause the VBScript engine to read data beyond a memory block for use as a regular expression. An attacker that is able to run such a script in any application that embeds the VBScript engine may be able to disclose information stored after this memory block.
