Explore Vulnerabilities

Explore all Exploits:

Tomabo M3U SEH Based Stack Buffer Overflow

This module exploits a stack overflow in Tomabo MP4 Player <= 3.11.6. When the application is used to open a specially crafted m3u file, a buffer is overwritten, allowing for the execution of arbitrary code.

Joomla com_bt_media – SQL Injection

Joomla com_bt_media is vulnerable to SQL injection. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious SQL statements to the vulnerable parameter 'categories[0]'. This can allow the attacker to gain access to sensitive information from the database.

sNews CMS v1.7.1 Persistent Remote Command Execution, Cross Site Request Forgeries (CSRF) and Persistent XSS

sNews CMS v1.7.1 has a feature that allows PHP functions to be inserted for articles by authenticated users under 'Edit Article'. However, there are no CSRF tokens or checks to prevent unauthorized HTTP requests from being made on behalf of that user. Furthermore, these commands are stored in the MySQL database in the 'articles' table, so they execute each time that sNews webpage is visited. Additionally, an attacker can hijack sNews CMS accounts, delete arbitrary files in the webroot, and inject persistent XSS.

WordPress Ultimate-Product-Catalog <=3.8.1 Privilege escalation

In recent security research, a privilege escalation web vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin <=v3.8.1. The vulnerability allows remote attackers to take over control of the Ultimate Product Catalogue Plugin administration page if the plugin is the premium version and the remote attacker has a specific account (contributor|editor|author). The privilege escalation web vulnerability is located in the `<upc-plugin-path>/Functions/Update_Admin-Databases.php` file. Remote attackers are able to send crafted data in a POST request with the vulnerable 'acces_role' parameter.

phpATM <= 1.32 Multiple CSRF Vulnerabilities & Full Path Disclosure Vulnerability

phpATM lets the administrator modify the footer or the header through a specific form located in configure.php. The configure.php page and all of the forms in it are affected by a CSRF bug, so an attacker can modify the footer.html file and inject malicious code into every page of phpATM.

phpATM <= 1.32 Remote Command Execution (Shell Upload) on Windows Servers

phpATM is the acronym for PHP Advanced Transfer Manager and is a free, open source, PHP-based upload and download manager. Unlike most others of its kind, it stores the data in flat text files and therefore does not require a database like MySQL installed on the web server. The bugged code is in the upload function. Generally, phpATM lets you register and then upload some files (no admin privileges required). The hacking prevention is set up by a regular expression to avoid .php file uploads. So if we can upload a file with a space at the end, like this: "shell.php ", and the file system is running under Microsoft Windows, we can bypass the eregi check and upload a PHP script file (like a shell). The basic requirement is that the server is a Windows-based server. You can upload the shell using a local proxy, like Burp Suite, or use the exploit below.

Gravity Forms [WP] – Arbitrary File Upload

Gravity Forms is a WordPress plugin that allows users to create contact forms, subscription forms, and other types of forms. A vulnerability in the plugin allows an attacker to upload arbitrary files, such as a web shell, to the server. This vulnerability affects Gravity Forms versions 1.8.19 and below.

Gemalto Sentinel License Manager 18.0.1 Directory Traversal Vulnerability

Input passed via the 'alpremove' and 'check_in_file' parameters is not properly verified in '/_int_/action.html' and '/_int_/checkin_file.html' before being used to delete and create files. This can be exploited to arbitrarily delete sensitive information on a system and/or write files via directory traversal attacks.

Solarwinds Virtualization Manager

Depth Security discovered a vulnerability in the Solarwinds Virtualization Manager appliance. This attack requires a user to have an operating system shell on the vulnerable appliance. The vulnerability exists due to a misconfiguration of sudo that allows any local user to use sudo to execute commands as the superuser. A local attacker can obtain root privileges to the operating system regardless of privilege level.

Recent Exploits: