
Dolibarr ERP-CRM 12.0.3 – Remote Code Execution (Authenticated)

The open source ERP-CRM Dolibarr 12.0.3 is vulnerable to an authenticated Remote Code Execution attack. An attacker who has access to the admin dashboard can manipulate the backup function by inserting a payload into the zipfilename_template parameter on the page /admin/tools/dolibarr_export.php and then clicking the "Generate Backup" button, which triggers command injection on the target system.

Seotoaster 3.2.0 – Stored XSS on Edit page properties

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application, which then executes the malicious code. The web page or web application becomes a vehicle that delivers the malicious script to the user's browser. Vehicles commonly used for Cross-site Scripting attacks are forums, message boards, and web pages that allow comments.

PrestaShop ProductComments 4.2.0 – ‘id_products’ Time Based Blind SQL Injection

This vulnerability allows an attacker to inject malicious SQL code into the 'id_products' parameter of the 'CommentGrade' controller of the PrestaShop ProductComments module. This can be exploited to perform a time-based blind SQL injection attack, allowing an attacker to extract data from the database.

Magic Home Pro 1.5.1 – Authentication Bypass

Magic Home Pro 1.5.1 is vulnerable to authentication bypass. An attacker can send specially crafted requests to the application to bypass authentication and gain access to the application. This vulnerability affects version 1.5.1 of the application.

Raysync 3.3.3.8 – RCE

Raysync 3.3.3.8 is vulnerable to Remote Code Execution. An attacker can exploit this vulnerability by running RaysyncServer.sh to build a web application in a local environment and setting the admin password to 123456, which is written to the manage.db file. The attacker can then use curl to overwrite the remote manage.db file on the server. After logging in to the admin portal with admin/123456, the attacker can create a normal file with all permissions in scope and modify RaySyncServer.sh to add an arbitrary command. Finally, the attacker can trigger the RCE by clicking the 'reset' button.

Grav CMS 1.6.30 Admin Plugin 1.9.18 – ‘Page Title’ Persistent Cross-Site Scripting

Grav CMS 1.6.30 Admin Plugin 1.9.18 contains a persistent cross-site scripting (XSS) vulnerability. An attacker can exploit it by crafting a malicious payload and injecting it into the 'Page Title' field when creating a new page. When the page is saved, the payload is stored in the database and is executed whenever the page is viewed.

Solaris SunSSH 11.0 x86 – libpam Remote Root

A trivial-to-reach stack-based buffer overflow is present in libpam on Solaris. The vulnerable code exists in parse_user_name() in pam_framework.c, which allocates a fixed-size buffer of 512 bytes on the stack and parses usernames into the buffer via modules (authtok_get) without bounds checks. This issue can be reached remotely, pre-authentication, via SunSSH when "keyboard-interactive" is enabled to use PAM-based authentication.

Online Marriage Registration System (OMRS) 1.0 – Remote Code Execution (Authenticated)

A vulnerability in the Online Marriage Registration System (OMRS) 1.0 allows an authenticated user to execute arbitrary code on the server. An attacker can exploit this vulnerability by sending a maliciously crafted request to the server with a specially crafted payload. The payload will be executed on the server, allowing the attacker to gain access to the system.

libbabl 0.1.62 – Broken Double Free Detection (PoC)

Babl has an interesting way of managing buffers allocated and freed using babl_malloc() and babl_free(). This is the structure of its allocations (taken from babl-memory.c):

    typedef struct
    {
      char   *signature;
      size_t  size;
      int   (*destructor)(void *ptr);
    } BablAllocInfo;

signature is used to track whether a chunk was allocated by babl, and if so, whether it is currently allocated or freed. This is done by pointing it either to the global string "babl-memory" or to "So long and thanks for all the fish." (babl-memory.c:44). Using this signature, babl can detect bad behaviors like double free (babl-memory.c:173):

    void babl_free (void *ptr, ...)
    {
      ...
      if (freed == BAI (ptr)->signature)
        fprintf (stderr, "\nbabl:double free detected\n");

Or so the developers think. As it turns out, because babl internally uses libc's malloc() and free(), which store their own metadata inside freed chunks, most systems overwrite babl's signature field upon freeing, breaking the double free detection. The simple PoC below demonstrates this.

Task Management System 1.0 – ‘page’ Local File Inclusion

Task Management System 1.0 is vulnerable to Local File Inclusion (LFI) due to insufficient sanitization of user-supplied input. An attacker can exploit this vulnerability by supplying a maliciously crafted URL to the application. By manipulating the 'page' parameter, an attacker can include a file from the local system. This can be used to read sensitive files from the server, such as the php.ini file. This vulnerability affects version 1 of the application and was tested on Windows 10 x86_64.
