W-Agora v.4.2.1 is vulnerable to XSS and File Inclusion. An attacker can exploit both issues by sending a malicious URL to the victim: the URL carries a script that executes when the victim visits it, and it also carries a file inclusion parameter that can be used to include a malicious file from a remote server. This can be used to execute arbitrary code on the victim's system.
The Ninja Blog v4.8 is vulnerable to XSS and RFI attacks. An attacker can inject malicious JavaScript code into the vulnerable parameter of the index.php page, which will then be executed in the victim's browser. An attacker can also inject a malicious URL into the same vulnerable parameter of index.php, which will likewise be executed in the victim's browser.
An unauthenticated attacker can exploit a blind SQL injection vulnerability in the Joomla component com_j-projects. By manipulating the 'project' parameter of 'index.php', an attacker can inject SQL queries and obtain the admin login credentials.
Gbook MX v4.1.0 is vulnerable to remote file inclusion. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable server in which a parameter contains a URL pointing to a malicious file hosted on a remote server. If the vulnerable server is configured to allow remote file inclusion, that file will be executed on the vulnerable server.
A vulnerability exists in the Joomla component com_cartikads which allows an attacker to upload a malicious file to the server. The vulnerable file is uploadimage.php, reachable at http://server/[kaMtiEz]/components/com_cartikads/uploadimage.php. The attacker can upload a file named shell.php.jpg, and the shell will then be available at http://server/[kaMtiEz]/images/stories/shell.php.jpg and http://server/[kaMtiEz]/images/banners/shell.php.jpg.
Pay Per Minute Video Chat Script V 2.1 is vulnerable to multiple XSS attacks. An attacker can inject malicious JavaScript code into the vulnerable parameters of the application. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Using the SED feature multiple times can DoS a remote client (100% CPU) and prevent normal use of Skype, especially voice conversations; after the DoS the program must be restarted. Local buffer overflows (BoFs) occur when trying to send SMS messages or call phone numbers that are not well formatted. A BoF also occurs when the string used in the previous attack is 89601 characters long. It is possible to inject HTML code into the Qt GUI of Skype. The HTML is not interpreted by the browser, but it is possible to inject JavaScript code that will be executed by the Qt engine.
This obviously flawed code can be found in /scripts_ralcr/filesystem/writeToFile.php. An attack can easily be performed by manipulating its parameters (path and raw_data). Other PHP files in scripts_ralcr are probably coded without any regard for security. In Oziogallery the vulnerable files are located in /components/com_oziogallery2/imagin/scripts_ralcr/.
Elite Gaming Ladders v3.0 suffers from a remote SQL injection vulnerability in the 'account' parameter of stats.php.
A SQL injection vulnerability exists in Smart Vision Script News (newsdetail) which allows an attacker to execute arbitrary SQL commands on the vulnerable system. An attacker can exploit this vulnerability by sending a specially crafted URL to the vulnerable application; the URL contains SQL commands that are then executed on the vulnerable system.