This exploit allows an attacker to gain access to the Cerberus Helpdesk (Cerb5) system by grabbing the password hashes from the /storage/tmp/ directory. The attacker must have access to the /storage/tmp/ directory and at least one worker must be logged in for the exploit to work.
This exploit targets a vulnerability in the AFD.SYS driver on Windows 7 64-bit. The vulnerability is caused by a dangling pointer in AFD.SYS, which can be exploited by a local attacker to gain elevated privileges on the system.
ATutor LMS version 2.2.1 and earlier is vulnerable to a CSRF attack in the install_modules.php script, which allows an attacker to upload a malicious zip file containing a PHP script that can be used to execute arbitrary commands on the server. This exploit was tested on the latest Firefox 44.0.2 release build and requires the Access-Control-Allow-Origin header to be set in order to allow the target to pull zips.
This module will generate a .NET service executable on the target and utilise InstallUtil to run the payload, bypassing AppLocker protection.
Schneider Electric's corporate headquarters is located in Paris, France, and it maintains offices in more than 100 countries worldwide. The affected product, Automation Server, is a building automation system for small and medium-sized buildings. According to Schneider Electric, Automation Server is deployed in the Commercial Facilities sector. Schneider Electric estimates that this product is used worldwide.

There are two primary users:
a. root - password is not set by default - this is a problem, as we will see later in the vuln findings - by default, root cannot SSH in.
b. admin - default password is 'admin' - anyone can remotely SSH in to the device using the default admin/admin login.

The system / application allows a) weak creds to start with, and more importantly, b) vulnerable versions lack a mechanism to force the user to change the initial password on first use or later. This has been fixed in the latest version. After logging in to the device over SSH, the 'admin' user - the only active, administrative user at this point - is provided a restricted shell (msh), which offers a small set of application-specific functional options. The 'release' command is vulnerable to OS command injection.
Bulk Delete plugin for WordPress suffers from a privilege escalation vulnerability. Any registered user can exploit the lack of capability checks to perform all administrative tasks provided by the Bulk Delete plugin. Some of these actions, but not all, are: 'bd_delete_pages_by_status': deletes all pages by status, 'bd_delete_posts_by_post_type': deletes all posts by type, 'bd_delete_users_by_meta': deletes all users with a specific meta name / meta value pair. Nearly all actions registered by this plugin can be performed by any user, as long as they are passed via a query var named 'bd_action' and the user has a valid account. These actions would normally require administrative rights, so we can consider this a privilege escalation vulnerability.
A 0day vulnerability in the sncc0.sys kernel driver of Security Code products allows an attacker to perform local privilege escalation from Guest to Local System. Also, an attacker that has access to any Windows system may manually install sncc0.sys (which has a valid digital signature from Security Code) and exploit its vulnerability to bypass DSE and load unsigned kernel mode drivers on Windows x64 platforms.
Picture Trail Photo editor fails to properly parse .bmp header height and width values. Negative height and width values cause a program crash (memory corruption) and SEH corruption. Remote code execution may be possible.
A remote Denial of Service exists in Freeproxy Internet Suite 4.10.1751 when sending a GET request to the proxy with an overly long URL.
A remote overflow exists in Quick Tftp Server Pro 2.3 in TFTP mode when sending a TFTP Read Request. This allows a remote attacker to crash the application, causing a Denial of Service.