Xoops 2.5.7.2 has a CSRF vulnerability through which remote attackers can delete ALL users from the Xoops database.
The CGI script '/cgi-bin/dget.cgi' handles most user-side and server-side requests, but no check is performed on requests received from unauthorized users. This allows an attacker to view the administrative or WiFi password in clear text by visiting certain URLs.
DORG is vulnerable to SQL Injection and Cross-Site Scripting. An attacker can inject malicious SQL queries into the vulnerable parameter 'q' of the 'results.php' page, and can likewise inject malicious JavaScript code into the same 'q' parameter of 'results.php'.
Internet Download Manager 6.25 Build 14 is vulnerable to an SEH buffer overflow. An attacker can exploit this vulnerability by sending a specially crafted malicious payload to the 'Find file' textbox. This causes an SEH overwrite and allows the attacker to execute arbitrary code.
A directory traversal vulnerability exists in WordPress eBook Download 1.1, which allows an attacker to read arbitrary files on the server. It is caused by the lack of proper validation of the 'ebookdownloadurl' parameter in the 'filedownload.php' script. An attacker can exploit this vulnerability by sending a crafted HTTP request containing directory traversal sequences (e.g. '../') to the vulnerable script, which allows the attacker to read arbitrary files on the server.
An information disclosure of the content of the restricted WEB-INF and META-INF directories via the filter mechanism was reported. The servlet filter restriction mechanism is enforced by two code checks, which can be bypassed by using lower case and by adding a meaningless character to the path.
PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is vulnerable to Directory Traversal, allowing authenticated users to read and delete files outside of the PivotX directory.
An integer signedness error has been found in the amd64_set_ldt() function in the FreeBSD kernel code (defined in the /sys/amd64/amd64/sys_machdep.c file), which implements the i386_set_ldt system call on the amd64 version of the OS. This integer signedness issue ultimately leads to a heap overflow in the kernel, allowing local unprivileged attackers to crash the system.
An authenticated user may inject arbitrary xauth commands by sending an x11 channel request that includes a newline character in the x11 cookie. The newline acts as a command separator to the xauth binary. This attack requires the server to have 'X11Forwarding yes' enabled; disabling it mitigates this vector. By injecting xauth commands one gains limited* read/write access to arbitrary files, information leakage, or xauth-connect capabilities. These capabilities can be leveraged by an authenticated restricted user - e.g. one with the login shell configured as /bin/false or one with configured forced-commands - to bypass account restrictions.
This exploit generates a reverse shell to a nc listener. It is confirmed on version 2.1(1b), but other versions are likely vulnerable as well.