Explore Vulnerabilities

Explore all Exploits:

Microsoft Office Excel Out-of-Bounds Read Remote Code Execution

This vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file (.xlsm). An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

Texas Instrument Emulator Buffer Overflow by Juan Sacco

This exploit is for educational purposes only. It uses a buffer overflow vulnerability to inject malicious shellcode into the Texas Instrument emulator. The exploit is composed of 84 bytes of junk, the malicious shellcode, 12 bytes of NOPs, and a 4-byte EIP.

Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit

This exploit allows an attacker to bypass authentication and upload arbitrary files to the Oracle Application Testing Suite. The attacker can then execute arbitrary code on the server. This exploit is based on two CVEs: CVE-2016-0492 and CVE-2016-0491.

Android: IMemory Native Interface is insecure for IPC use

The IMemory interface allows the passing of shared memory across the Binder IPC channel on Android. The interface supports a single remote call, GET_MEMORY, which requests a separate IMemoryHeap interface along with an offset value and size for the shared memory buffer. The IMemoryHeap interface in turn supports a HEAP_ID call, which marshals across a FileDescriptor, size, flags and an offset. These are passed to mmap to map the shared memory into the current process. The underlying vulnerability is that the sizes in IMemory and IMemoryHeap are not checked relative to one another, nor is the offset in IMemory checked against the size of IMemoryHeap. This allows a local process to craft fake IMemory and IMemoryHeap objects that lie about their values and cause either information disclosure or memory corruption.

Android: Information Disclosure in IOMX getConfig/getParameter

The GET_CONFIG and GET_PARAMETER calls on IOMX are vulnerable to an information disclosure of uninitialized heap memory. This could be used by an attacker to break ASLR in the media server process by reading out heap memory which contains useful address information. The vulnerability stems from the fact that Parcel::read(void* outData, size_t len) fails quickly if it doesn’t have sufficient data in the parcel to satisfy the request, leaving the outData buffer untouched. As long as the call to getParameter or getConfig succeeds, the entire, mostly uninitialized buffer will be returned.

Axis Network Cameras Multiple Cross-site scripting

Axis Network Cameras are prone to multiple (stored/reflected) cross-site scripting vulnerabilities. The attack vectors allow execution of arbitrary JavaScript code in the user's browser (session) with these steps: The attacker injects a JavaScript payload in the vulnerable page: http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script type="text/javascript>prompt("AXIS_PASSWORD:")</script> This creates an entry in the general log file (/var/log/messages). Then, when the user views the log via 'system options' -> 'support' -> 'Logs & Reports' (http://{axishost}/axis-cgi/admin/systemlog.cgi?id), a prompt for the password of the current user ('AXIS_PASSWORD') is displayed. However, because CSRF is also present, it is even possible to perform the attack without user interaction.

RockMongo v1.1.8 – PHP MongoDB Administrator Multiple Vulnerabilities

RockMongo, a MongoDB administration tool written in PHP5, is vulnerable to Cross-Site Request Forgery (CSRF), HTML Injection and Cross-Site Scripting (XSS) vulnerabilities. The XSS vulnerabilities include reflected and stored XSS. The reflected XSS can be exploited by sending a maliciously crafted URL to the victim, while the stored XSS can be exploited by sending a maliciously crafted POST request to the vulnerable application.

OpenCart json_decode function Remote PHP Code Execution

The OpenCart json_decode function is vulnerable to Remote Code Execution. An attacker can inject malicious code in the First Name field of the account/edit page or in the Custom Field value of the account/edit or account/register page. When an admin user visits the administration panel, the injected code will be executed.

Hikvision Digital Video Recorder Cross-Site Request Forgery

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Recent Exploits: