There is a heap overflow in Array.map in Chakra. In Js::JavascriptArray::MapHelper, if the array that is being mapped is a Proxy, ArraySpeciesCreate is used to create the array that the mapped values are copied into. They are then written to the array using DirectSetItemAt, even though there is no guarantee the array is a Var array. If it is actually an int array, it will be shorter than this function expects, causing a heap overflow.
We have encountered Windows kernel crashes in the memmove() function called by nt!CmpCheckValueList while loading corrupted registry hive files. The root cause of the bug seems to be that the nt!CmpCheckValueList function miscalculates the number of items to be shifted to the left in an array with 4-byte entries, resulting in the following call: `RtlMoveMemory(&array[x], &array[x + 1], 4 * (--y - x));` Here, the eventual value of y is negative, resulting in a large number being passed to memmove().
We have encountered Windows kernel crashes in the win32k!sbit_Embolden and win32k!ttfdCloseFontContext functions while processing corrupted TTF font files. The exception code that was not handled was 0xc0000005 and the address that the exception occurred at was 0x8e70bba3. The instruction at 0x8e70bba3 referenced memory at 0x00000000. The memory could not be read.
The vulnerable request to `valider_xml` (see: *SPIP 3.1.2 Template Compiler/Composer PHP Code Execution - CVE-2016-7998*) is vulnerable to Cross-Site Request Forgery, allowing the execution of the CVE-2016-7998 attack by tricking an administrator into opening the malicious link.
The `valider_xml` file can be used to enumerate files on the system: by bypassing the SPIP 3.1.2 protection using PHP wrappers, an attacker can access files on the system.
The SPIP template composer/compiler does not correctly handle SPIP 'INCLUDE/INCLURE' Tags, allowing PHP code execution by an authenticated user. This vulnerability can be exploited using the CSRF or the XSS vulnerability also found in this advisory.
A SQL injection vulnerability exists in Event Calendar PHP 1.5. An attacker can send a specially crafted HTTP request to the vulnerable application in order to execute arbitrary SQL commands in the back-end database. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in the 'cal_id' parameter of the vulnerable URL. An attacker can exploit this vulnerability to access or modify the data in the back-end database.
An attacker can exploit a SQL injection vulnerability in Classifieds Rental Script by sending malicious payloads to the vulnerable parameter 'catid' in the 'viewproducts.php' script. The payloads can be sent using tools such as Sqlmap. The payloads can be of type boolean-based blind, error-based, or UNION query. For example, a boolean-based blind payload can be `catid=-1285' OR 8060=8060#`, an error-based payload can be `catid=-9700' OR 1 GROUP BY CONCAT(0x717a627071,(SELECT (CASE WHEN (7055=7055) THEN 1 ELSE 0 END)),0x716a767871,FLOOR(RAND(0)*2)) HAVING MIN(0)#`, and a UNION query payload can be `catid=-4664' UNION ALL SELECT CONCAT(0x717a627071,0x444c6a6547574179515a64414752636446697064764a5a64745042625072666b5954674a58484577,0x716a767871)#`.
Oracle BI Publisher (formerly XML Publisher) is vulnerable to XML External Entity Injection without authentication. This vulnerability can be exploited by sending a specially crafted SOAP request to the vulnerable server. The vulnerable SOAP actions are 'replyToXML' and 'replyToXMLWithContext'. Previous versions of Oracle BI Publisher may also be vulnerable.
A remote attacker can execute code on the MiCasa VeraLite if someone on the same LAN as the VeraLite visits a crafted webpage. This is achieved by acquiring the client's internal IP address using webrtc, POSTing :49451/z3n.html to every address on the subnet, attempting to load :49451/z3n.html in an iframe, and executing a reverse shell to 192.168.217:1270.