The Zabbix API uses a function called DBcondition() (defined in include/db.inc.php) to format conditions for the WHERE clause of an SQL query. The function expects already-sanitized data and performs no escaping or validation of its own, so any caller that passes unsanitized user input into it produces an SQL injection. An attacker can use this to retrieve sensitive information from the database, such as usernames and passwords, and gain access to the system.
This exploit reads files from a vulnerable NIBE heat pump. It sends a GET request to the heat pump's web server with a crafted URL that contains the path of the file to read. The request must also carry valid credentials as HTTP Basic authentication, i.e. a base64-encoded username:password string in the Authorization header.
This exploit executes arbitrary commands on a vulnerable NIBE heat pump. The heat pump's web interface runs as root, so any injected command runs with root privileges. The flaw is that the web interface does not properly validate user input before using it in a command, allowing an attacker to inject operating-system commands through the web interface.
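The command injection pattern described above, as an added illustration that is not code from the NIBE firmware or from the original exploit. It assumes a hypothetical "run a tool against a user-supplied host" handler; `echo` stands in for the real tool so the example is harmless and runs offline. The vulnerable variant interpolates the input into a shell command string, the second variant drops the shell so metacharacters are passed literally, and the hardened variant also allowlists the input.

```python
import re
import subprocess


def run_unsafe(host: str) -> str:
    """Vulnerable: user input is interpolated into a shell command string."""
    cmd = f"echo pinging {host}"  # 'echo' is a harmless stand-in for the real tool
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(host: str) -> str:
    """Safer: no shell is involved, so ';', '|', '`' etc. are just bytes in one argument."""
    return subprocess.run(["echo", "pinging", host], capture_output=True, text=True).stdout


# Hypothetical allowlist for a hostname/IP field: letters, digits, dots and dashes only.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def run_hardened(host: str) -> str:
    """Hardened: reject anything outside the allowlist, then invoke without a shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return run_argv_only(host)


def demo() -> dict:
    """Run all three variants against a constructed injection payload."""
    payload = "10.0.0.1; echo INJECTED"
    results = {
        # shell=True splits on ';' and runs the attacker's second command
        "unsafe_lines": run_unsafe(payload).splitlines(),
        # without a shell the whole payload is a single literal argument
        "argv_lines": run_argv_only(payload).splitlines(),
    }
    try:
        run_hardened(payload)
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Removing the shell is the fix that matters; the allowlist is defence in depth for tools that interpret their own arguments. Separately, the impact of any residual injection is bounded by the privileges of the web process, which is why a web interface running as root turns an input-validation bug into full device compromise.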
An attacker can upload a malicious script by renaming it with an image extension (.jpg, .bmp or .gif) through the "list your section" form in the menu. Once uploaded, the script is reachable at http://server/propertyfinder/components/com_jesectionfinder/assets/images/[evil script.php.bmp.php].
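The double-extension bypass shown in the URL above, as an added illustration that is not code from the com_jesectionfinder component. It assumes a weak upload filter that accepts a filename if an allowed image extension appears anywhere in it (an assumption about the filter, not something the page states), and contrasts it with a check on the final extension only plus server-side renaming.

```python
import os
import secrets

ALLOWED_IMAGE_EXTS = {".jpg", ".bmp", ".gif"}


def weak_extension_check(filename: str) -> bool:
    """Assumed weak filter: passes if any allowed extension occurs anywhere in the name.
    'evil.php.bmp.php' contains '.bmp', so it is accepted."""
    name = filename.lower()
    return any(ext in name for ext in ALLOWED_IMAGE_EXTS)


def strict_extension_check(filename: str) -> bool:
    """Only the last extension counts, it must be allowlisted, and exactly one dot is
    permitted so that 'x.php.bmp' cannot be matched by a server that honours every
    extension in a multi-extension name (as Apache AddHandler configurations can)."""
    base = os.path.basename(filename).lower()
    _, ext = os.path.splitext(base)
    return ext in ALLOWED_IMAGE_EXTS and base.count(".") == 1


def stored_name(filename: str) -> str:
    """Discard the client-supplied name entirely; keep only the validated extension."""
    if not strict_extension_check(filename):
        raise ValueError(f"upload rejected: {filename!r}")
    _, ext = os.path.splitext(filename.lower())
    return secrets.token_hex(16) + ext


def demo() -> dict:
    payload = "evil script.php.bmp.php"
    return {
        "weak_accepts_payload": weak_extension_check(payload),
        "strict_accepts_payload": strict_extension_check(payload),
        "strict_accepts_image": strict_extension_check("photo.bmp"),
    }
```

Extension checks alone are still a weak control; the upload directory should additionally be served with script execution disabled so that even a misnamed file cannot run as PHP.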
This exploit targets a buffer overflow in the WebMoney Advisor application. The overflow is triggered when an overlong string is passed to the Redirect() function, which crashes the application and can potentially allow an attacker to execute arbitrary code on the vulnerable system. The vulnerability was discovered in 2020 and affects versions of WebMoney Advisor prior to 3.0.
An attacker exploits this vulnerability by sending a specially crafted HTTP request to the vulnerable application. The application includes the file named in the request without restricting the path, allowing the attacker to read arbitrary files on the server.
The ABC Joomla extension is vulnerable to SQL injection. An attacker can exploit it by sending a crafted HTTP request whose parameters carry malicious SQL to the vulnerable application. This can allow the attacker to extract sensitive information from the database and gain access to the admin account.
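The injection mechanism behind both the Zabbix DBcondition() entry and this Joomla entry, as an added illustration that is not code from Zabbix, Joomla or either exploit. It uses an in-memory SQLite table with constructed placeholder rows, a condition-formatting helper that, like the DBcondition() description above, trusts its caller to have escaped the value, and a parameterized query for comparison. The tautology payload returns every row and the UNION payload pulls the password column out through the username query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the 'passwd' values are placeholders, not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, passwd TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "hash_admin"), ("guest", "hash_guest"), ("alice", "hash_alice")],
    )
    return conn


def db_condition_unsafe(field: str, value: str) -> str:
    """Formats a WHERE condition and assumes 'value' was already escaped by the caller.
    When a caller forgets, the quote in 'value' closes the literal and the rest is SQL."""
    return f"{field}='{value}'"


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    sql = "SELECT username FROM users WHERE " + db_condition_unsafe("username", username)
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver never lets the value become part of the SQL text."""
    return [row[0] for row in conn.execute("SELECT username FROM users WHERE username = ?", (username,))]


def demo() -> dict:
    conn = make_db()
    tautology = "nobody' OR '1'='1"
    # UNION pulls a different column through the same result set
    union = "nobody' UNION SELECT passwd FROM users WHERE '1'='1"
    return {
        "tautology_unsafe": sorted(lookup_unsafe(conn, tautology)),
        "union_unsafe": sorted(lookup_unsafe(conn, union)),
        "tautology_safe": lookup_safe(conn, tautology),
        "union_safe": lookup_safe(conn, union),
        "rendered_sql": db_condition_unsafe("username", tautology),
    }
```

A helper that "expects sanitized data" is only as safe as its least careful caller; the fix is to make the safe form the only form, by binding parameters at the query boundary rather than escaping at each call site.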
A vulnerability in the SmartSite Joomla component allows an attacker to include local files on the server. It is triggered by sending a specially crafted HTTP request containing directory traversal sequences (e.g. '../../') in the 'controller' parameter, which can be exploited to read arbitrary files from the server.
A local file inclusion vulnerability exists in version 1.3 of the com_noticeboard component for Joomla. An attacker can exploit it by sending a specially crafted HTTP request containing directory traversal sequences to the vulnerable application, which allows them to include arbitrary local files, including ones that hold sensitive information.
A Local File Inclusion (LFI) vulnerability exists in version 1.0 of the com_ultimateportfolio component for Joomla. The cause is insufficient sanitization of user-supplied input to the 'controller' parameter of the 'index.php' script. An attacker can exploit it by sending a malicious HTTP request containing directory traversal sequences (e.g. '../') to the vulnerable script and thereby include arbitrary files from the web server. Successful exploitation discloses sensitive information, such as the web server's configuration files, which can lead to further attacks.
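The traversal mechanism shared by the 'controller' parameter entries above (SmartSite, com_noticeboard, com_ultimateportfolio), the generic file inclusion entry, and the NIBE file-read entry, as an added illustration that is not code from Joomla, from any of these components, or from the exploits. It builds a constructed site layout in a temporary directory (a component's controllers folder and a configuration.php above it with a placeholder secret), then contrasts the vulnerable pattern of concatenating the parameter into an include path with a resolver that allowlists the name and checks that the resolved path stays inside the controllers directory.

```python
import os
import re
import tempfile

COMPONENT_PATH = ("components", "com_example", "controllers")  # hypothetical component


def build_fixture() -> str:
    """Constructed layout, not a real Joomla install. Returns the site root."""
    base = tempfile.mkdtemp(prefix="site_")
    ctrl_dir = os.path.join(base, *COMPONENT_PATH)
    os.makedirs(ctrl_dir)
    with open(os.path.join(ctrl_dir, "default.php"), "w") as f:
        f.write("<?php // default controller ?>")
    with open(os.path.join(base, "configuration.php"), "w") as f:
        f.write("<?php $password = 'db-secret-placeholder'; ?>")  # placeholder secret
    return base


def controllers_dir(base: str) -> str:
    return os.path.join(base, *COMPONENT_PATH)


def load_controller_unsafe(base: str, controller: str) -> str:
    """Vulnerable pattern: the request value is concatenated into the path unchecked,
    mirroring include $dir . '/' . $_GET['controller'] . '.php'. The appended '.php'
    means '../../../configuration' resolves to the site's configuration.php."""
    path = os.path.join(controllers_dir(base), controller + ".php")
    with open(path) as f:
        return f.read()


CONTROLLER_RE = re.compile(r"[a-z0-9_]+")  # no dots, no slashes


def load_controller_safe(base: str, controller: str) -> str:
    """Hardened: allowlist the name, then verify the canonical path is still under root."""
    if not CONTROLLER_RE.fullmatch(controller):
        raise ValueError(f"controller name rejected: {controller!r}")
    root = os.path.realpath(controllers_dir(base))
    path = os.path.realpath(os.path.join(root, controller + ".php"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("resolved path escapes the controllers directory")
    with open(path) as f:
        return f.read()


def demo() -> dict:
    base = build_fixture()
    traversal = "../../../configuration"  # three levels up from controllers/ to the site root
    out = {
        "normal": load_controller_unsafe(base, "default"),
        "traversal_unsafe": load_controller_unsafe(base, traversal),
        "normal_safe": load_controller_safe(base, "default"),
    }
    try:
        load_controller_safe(base, traversal)
        out["safe_rejected"] = False
    except ValueError:
        out["safe_rejected"] = True
    return out
```

Two caveats a practitioner would add: the appended '.php' suffix limits such an include to PHP files unless the interpreter can be made to truncate the path (null-byte truncation worked in PHP before 5.3.4), and the realpath containment check is what protects against encodings and symlinks that a regex alone would miss. The same containment check applies to a raw file-read endpoint like the heat pump's, where no suffix is appended and any file readable by the web process is exposed.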