This vulnerability could permit executing code during startup or reboot with the escalated privileges.
The application contains a widget functionality within Global View Dashboard which can be used by a malicious admin to propagate stored cross site scripting attack. The “URL” widget iframe does not have any inbuilt restrictions for the content executing within. The malicious webpages within iframes can be used for hosting forms for Phishing, malware propagation, forced redirections etc.
CMS Made Simple 2.2.15 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload using the malicious SVG file. The user can get cookies from every authenticated user who visits the website.
An authenticated user can crash the application by setting a higher value to the 'range' (default 30) parameter and sending simultaneous requests (10 simultaneous requests was enough to DoS the server in my testing).
Forma LMS 2.3 is vulnerable to stored cross-site scripting. An attacker can inject malicious JavaScript code in the 'First & Last Name' field of the user profile. When the user visits the profile page, the malicious code will be executed in the user's browser.
This vulnerability can results attacker to inject the XSS payload in admin panel Custom Field section. And Inject JavaScript Malicious code & Steal User’s cookie. Attack vector: Steps for reproduce: 1. Go to admin panel’s add custom fields page 2. Fill the Title name as <script>alert("HELLO XSS")</script> payload in title. 3. Now Click on Save we can see our payload gets executed. 4. All Users Can Show our Payload As a xss.
A vulnerability in Chromium 83 allows attackers to bypass the Content Security Policy (CSP) and execute malicious code. The vulnerability is due to the way the browser handles the Content Security Policy (CSP) when processing certain requests. An attacker can exploit this vulnerability by sending a specially crafted request to the target system. This will allow the attacker to bypass the CSP and execute malicious code.
Testa Helps You To make Online Exams. An attacker can inject malicious payloads in the search field of the Testa Online Test Management System 3.4.7 to exploit the SQL Injection vulnerability.
A stored XSS vulnerability exists in MiniCMS 1.10. An attacker can inject malicious JavaScript code into the 'content box' of the page-edit page in /MiniCMS/mc-admin/page-edit.php. The malicious code is then executed when the page is viewed. An attacker can use Burp Suite to edit the payload and URL-encode the '+' character. When the page is viewed, a window will pop up with the domain.
The vulnerability exists due to insufficient sanitization of user-supplied input in the 'id' parameter of the 'admins.php' script. A remote attacker can execute arbitrary SQL commands in the application's database, cause denial of service, bypass certain security restrictions, access, modify or delete data, or exploit latent vulnerabilities in the underlying database. The attacker can also gain access to the application's administrative panel.
Services By CQR