The application suffers from a stored XSS through a POST request. The issue is triggered when input passed to the 'files_list' parameter is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
The application suffers from an unquoted search path issue impacting the service 'Selea CarPlateServer' for Windows deployed as part of Selea CPS software application. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
The server allows execution of an arbitrary win32/64 binary executable when the NO_LIST_EXE_PATH variable is set to a program of choice. The command is executed when the proper trigger criteria are met. It can be exploited via CSRF or by navigating to the /cps/ endpoint from the camera IP and bypassing authentication, gaining the ability to modify the running configuration, including changing the password of admin and other users.
Anchor CMS 0.12.7 is vulnerable to Cross-Site Request Forgery (CSRF) which allows an attacker to delete a user by sending a malicious link to the admin. The malicious link contains the user id of the user to be deleted. When the admin clicks on the link, the user with the specified id is deleted.
A persistent cross-site scripting vulnerability exists in the 'My Tools' and 'Business Process Intelligence' functionalities of Nagios XI. The vulnerable parameters are 'url' and 'groupID' respectively. An attacker can create a tool or BPI group with an XSS payload and click on the URL link or Group ID to trigger the payload.
Apartment Visitors Management System 1.0 is vulnerable to a time-based blind SQL injection in the 'email' parameter. An attacker can send a malicious payload to the 'email' parameter to execute arbitrary SQL commands on the underlying database. The payload used in the proof-of-concept is 'email=test@gmail.com' AND (SELECT 2600 FROM (SELECT(SLEEP(5)))jpeB) AND 'WVFv'='WVFv&contactno=1&submit=
The 'user' parameter is vulnerable to error-based and time-based SQL Injection.
A stored XSS vulnerability exists in Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715. An attacker can inject malicious JavaScript code into the Dashboard - Add New Text area, which will be executed when the page is loaded by a victim.
Church Rota version 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file. The application is written primarily with PHP so we use PHP in our PoC.
osTicket before 1.14.3 suffers from Server Side Request Forgery (SSRF). An HTML page is rendered on the backend server when the 'Print' ticket functionality is called. An attacker can create a new ticket, select the 'HTML Format' option, add an image tag with a malicious payload in the src attribute and print the ticket. This will result in a hit on the malicious website from the internal server on which osTicket is deployed.