
Explore Vulnerabilities

ManageEngine Eventlog Analyzer Privilege Escalation

ManageEngine EventLog Analyzer fails to properly verify user privileges when changes are made via userManagementForm.do. An unprivileged user can modify any account by changing the USER_ID field to the number corresponding to another user. Testing found that the default admin and guest accounts have IDs 1 and 2.

iScripts EasyCreate 3.0 Remote Code Execution Exploit

iScripts EasyCreate suffers from an authenticated arbitrary PHP code execution vulnerability. The issue is caused by improper verification of files uploaded through the 'userImages' POST parameter of the '/ajax_image_upload.php' script. It can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with a '.php4' extension (bypassing the '.htaccess' block rule), which is stored in the '/uploads/siteimages/thumb/' directory.

iScripts EasyCreate 3.0 Multiple Vulnerabilities

The application allows users to perform certain actions via HTTP requests without validating that those requests are legitimate. This can be exploited to perform actions with administrative privileges if a logged-in user visits a malicious web site. Multiple cross-site scripting vulnerabilities were also discovered: input passed via several parameters is not properly sanitized before being returned to the user, allowing arbitrary HTML and script to be executed. The application is also vulnerable to SQL injection, because user-supplied input is not properly sanitized before being used in an SQL query; this can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

ProjectSend multiple vulnerabilities

ProjectSend (previously cFTP) suffers from multiple vulnerabilities: SQL injection, authentication bypass, arbitrary file access, and insecure direct object reference. The scripts manage-files.php, clients.php, and download.php are all affected. An attacker must be logged into the application as a non-privileged user in order to exploit these issues. Proof-of-concepts demonstrate how an attacker can inject a SLEEP command into the database engine, download the login credentials of registered users, and download the application configuration file.

WordPress simple add pages or posts CSRF Vulnerability

A CSRF vulnerability exists in the WordPress plugin 'Simple Add Pages or Posts' version 1.6, which allows an attacker to add pages or posts to a WordPress site. An attacker can craft a malicious HTML form and send it to a victim who is logged into the WordPress site; when the victim submits the form, pages or posts chosen by the attacker are added to the site. The HTML code and live POST request are provided in the text.

SAP HANA 1.00.095

A buffer overflow vulnerability exists in the SAP HANA interface. If an attacker has network access to the SQL interface or the SAP HANA Extended Application Services interface of an SAP HANA system, the vulnerability enables the attacker to inject code into working memory that is subsequently executed by the application. It can also be used to cause a general fault that terminates the product.

Integer Overflow in IOHDIXControllerUserClient::convertClientBuffer leading to undersized kalloc allocation passed to DMA code

Method 5 of the IOHDIXController user client is createDrive64. This takes a 0x100 byte structure input from which it reads a userspace pointer and a size, which it passes to IOHDIXController::convertClientBuffer. This wraps the memory pointed to by the userspace pointer in an IOMemoryDescriptor, then takes the user-provided size, casts it to a 32-bit type and adds one. It passes that value to IOMalloc. By passing a size of 0xffffffff we can cause an integer overflow and IOMalloc will be passed a size of 0. IOMalloc falls through to kalloc, which will quite happily make a 0-sized allocation for us and return a valid, writable kernel heap pointer. The original size we specified, cast to a 32-bit type but with one added to it, is then passed as the size of the target buffer in the call to IOMemoryDescriptor::readBytes, which attempts to read from the wrapped userspace memory into the undersized kernel heap buffer. It actually tries to use some fancy DMA stuff to do that copy, and this PoC will almost certainly fail and kernel panic somewhere inside that DMA code as there probably aren't valid page-table entries for the whole destination range. But some kalloc heap spraying should take care of that, allowing us to actually overwrite stuff :)

IOUserClient::connectClient

IOUserClient::connectClient is an obscure IOKit method which, according to the docs, is supposed to 'Inform a connection of a second connection.' In fact, IOKit provides no default implementation and only a handful of user clients actually implement it, and it's pretty much up to them to define what 'informing the connection of a second connection' actually means. One of the user clients which implements connectClient is IOAccelContext2, the parent of the IGAccelContext user client family (the Intel GPU accelerator user clients). IOUserClient::connectClient is exposed to userspace as IOConnectAddClient.

NKE Control Sockets Memory Corruption Vulnerability

A vulnerability exists in the NKE control sockets implementation in necp.c, where a maliciously crafted packet can cause memory corruption due to an undersized array allocation. By sending a packet with an id of NECP_PACKET_TYPE_POLICY_ADD, an attacker can overflow conditions_array_size to an arbitrary value, which is then used as the size of a memory allocation, leading to memory corruption.