XhP CMS 0.5.1 – Cross-Site Request Forgery to Persistent Cross-Site Scripting

XhP CMS 0.5.1 is vulnerable to Cross-Site Request Forgery to Persistent Cross-Site Scripting. An attacker can craft a malicious HTML page and send it to the victim. When the victim opens the page, the malicious code will be executed in the victim's browser. This can lead to persistent Cross-Site Scripting.

CNDSOFT 2.3 – Arbitrary File Upload with CSRF (shell.php)

CNDSOFT 2.3 is vulnerable to an arbitrary file upload with CSRF. An attacker can upload a malicious file such as a PHP shell to the vulnerable server. The malicious file can be uploaded by sending a POST request to the vulnerable URL with the malicious file as a parameter. The malicious file can then be accessed by an attacker to execute arbitrary commands on the vulnerable server.

Windows: DeviceApi CMApi PiCMOpenClassKey Arbitrary Registry Key Write EoP

The DeviceApi is a driver implemented inside the kernel which exposes a number of devices. One of those is CMApi, which presumably is short for Configuration Manager API, as it primarily exposes device configuration from the registry to the caller. The device exposes calls using IOCTLs; in theory, anything which "creates" or "deletes" an object is limited behind an access check which only administrators pass. However, certain calls feed into the function PnpCtxRegCreateTree, which will allow a user to open parts of the registry and, if they are not there, will create the keys. This is a problem because the keys are created in the user's context using ZwCreateKey but without forcing an access check (it does this intentionally, as otherwise the user couldn't create the key). All we need to do is find a CMApi IOCTL which will create the arbitrary keys for us.

DLL Planting Attack in Microsoft Office 2010

It is possible for an attacker to execute a DLL planting attack in Microsoft Office 2010 on Windows 7 x86 with a specially crafted OLE object. This attack also works on Office 2013 running on Windows 7 x64. When a user opens this document and single-clicks on the icon for foo.txt, ole32!OleLoad is invoked on our vulnerable CLSID. This results in a call to a class factory constructor that eventually tries to call mqrt!MQGetPrivateComputerInformation. Because mqrt is a delay-loaded DLL, the loader has inserted a stub to call _tailMerge_mqrt_dll on the first call of this function. This results in a kernelbase!LoadLibraryExA call vulnerable to DLL planting.

GoAutoDial CE 3.3 Multiple SQL injections, Command Injection

GoAutoDial CE 3.3 is vulnerable to multiple SQL injections and command injections due to a lack of sanitization of user input. An attacker can craft a malicious User-Agent header to inject SQL queries and execute arbitrary commands on the vulnerable system.

Avast Server Edition OOB Write Vulnerability

Avast Server Edition is vulnerable to an out-of-bounds write due to a lack of proper validation of user-supplied data, which can be exploited by an attacker to execute arbitrary code on the vulnerable system. The vulnerability exists in the EmulatePolyCode() function of the engine.so library, which is used to process packed executables. A proof-of-concept exploit is available.

Gökhan Balbal v2.0 => Cross-Site Request Forgery Exploit (Add Admin)

Gökhan Balbal v2.0 is vulnerable to Cross-Site Request Forgery (CSRF). An attacker can craft a malicious HTML page containing a form with hidden fields that, when submitted, adds an admin user to the application. The malicious page can be hosted on a website or sent via email to a user of the application. When the user visits the malicious page, the form is submitted automatically and the attacker gains admin access to the application.