The web application allows unauthenticated file upload, which can result in remote code execution. An attacker can upload a malicious file containing a reverse shell payload, which can then be triggered by requesting the file from the server.
CVE-2021-21972 is an unauthenticated file upload and overwrite vulnerability; exploitation can be done via SSH public key upload or a webshell. The webshell must be of type JSP, and its success depends heavily on the specific vCenter version. Manual verification can be done via https://<ip>/ui/vropspluginui/rest/services/checkmobregister. A white page means vulnerable and a 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet). On Linux, SSH key upload is always best when SSH access is possible and enabled. On Linux the upload is done as user vsphere-ui:users, and on Windows the upload is done as the system user. vCenter 6.5 <=7515524 does not contain the vulnerable endpoint, so webshell upload is not possible.
The desktop server software used by the mobile app has a PIN option which does not prevent command input. The connection response will be 'needpassword', which is only interpreted by the mobile app and prompts for PIN input. A Python script is provided to exploit the vulnerability.
This module exploits an unauthenticated arbitrary file upload via an insecure POST request. It has been tested on version 4.4.2.2 on Windows 10 Enterprise.
This module attempts to enumerate valid usernames and passwords against a Microsoft RDP Web Client by attempting authentication and performing a timing-based check against the provided username.
An issue was discovered in LightCMS v1.3.4. There is a stored self-XSS, allowing an attacker to execute HTML or JavaScript code through a vulnerable Title field sent to /admin/SensitiveWords.
Triconsole 3.75 is vulnerable to Reflected XSS. An attacker can inject malicious JavaScript code into the application by crafting a malicious URL and sending it to the victim. The malicious code will be executed in the victim's browser when the URL is accessed.
uploadID.php can be used to upload .php files to '/uploads/employees_ids/' without authentication. An attacker can make a POST request to upload a malicious .php file and then execute commands by accessing the uploaded file with a GET request.
A persistent cross-site scripting (XSS) vulnerability exists in Vehicle Parking Management System 1.0, which allows an attacker to inject malicious JavaScript code into the 'catename' parameter of the 'addcategory.php' page. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with a malicious payload to the vulnerable page. The malicious payload will be executed in the browser of the victim when they view the page.
This exploit is for ASUS Remote Link 1.1.2.13. It allows an attacker to execute arbitrary code on the target system by sending a specially crafted payload. The payload is generated by converting the ASCII characters of the payload name to their corresponding hexadecimal values. The payload is then sent to the target system via a socket connection on port 5665.