OpenCart 3.0.3.6 is vulnerable to stored cross-site scripting (XSS) in the 'Profile Image' parameter. An authenticated attacker can upload a malicious image containing XSS payloads to the profile page, which will be triggered when the profile page is accessed by an administrator.
The default username/password is admin/admin, and the vulnerability is in the ipAddr parameter of system_log.cgi. To exploit it, the attacker logs in to the dashboard, sets up a listener, downloads revshell.txt (containing the RCE payload) onto the router, and runs it to obtain a reverse shell. The download is triggered by sending a POST request with the CommandDiagnostic, traceModetrace, reportIpOnly0, pingPktSize56, pingTimeout30, pingCount4, ipAddr;id, maxTTLCnt30, queriesCnt3, reportIpOnlyCheckboxon, btnApplyDownload, and T1596644096617 parameters.
Apache OpenMeetings 5.0.0 is vulnerable to a denial of service attack when a malicious user sends a specially crafted request containing a payload of 'x.x.x.x;ls' to the 'hostname' parameter. This causes the application to crash and become unresponsive.
By default, the web interface of the TL-WA855RE wireless extender requires users to log in before they can access the admin interface. However, an attacker on the same network can bypass this and use the provided APIs to reset the device to its factory settings via the TDDP_RESET code. The attacker can then set a new admin password, resulting in a complete takeover of the device.
A persistent input validation web vulnerability has been discovered in the official VTiger v7.0 CRM web application. The vulnerability allows remote attackers to inject malicious script code into the application side of the vulnerable module. The persistent vulnerability is located in the `To` parameter of the `Email` module; remote attackers are able to inject their own malicious script code into this parameter. The attack vector is persistent and the request method used to inject is POST. The security risk of the persistent web vulnerability is estimated as medium, with a CVSS (Common Vulnerability Scoring System) score of 4.8. Exploitation requires no privileged web application user account and only low user interaction. Successful exploitation results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources, and persistent manipulation of the affected or connected module context.
This module exploits a buffer overflow in Free MP3 CD Ripper versions 2.6 and 2.8. By constructing a specially crafted WMA, WAV, M3U, AAC, or FLAC file and attempting to convert it to an MP3 file in the application, a buffer is overwritten, which allows shellcode to run.
This vulnerability allows an attacker to inject an XSS payload into the page description; each time a user visits the website, the XSS triggers and the attacker can steal the user's cookie, depending on the crafted payload.
A buffer overflow vulnerability exists in Internet Download Manager 6.38.12 when a specially crafted file is opened in the Scheduler Downloads Scheduler. An attacker can exploit this vulnerability to execute arbitrary code in the context of the current user.
A stored cross-site scripting (XSS) vulnerability in Nagios Log Server 2.1.7 can allow an attacker to perform malicious actions against users who open a maliciously crafted link or third-party web page.
This exploit allows an attacker to steal users' MD5 password hashes from M/Monit 3.7.4. Using the Python requests library, the attacker creates a Session() object and uses post() to send a POST request with the username and password to the '/z_security_check' endpoint. The attacker then uses get() to send a GET request to the '/api/1/admin/users/list' endpoint to obtain the list of users, and another GET request to the '/api/1/admin/users/get' endpoint to retrieve a user's MD5 hash. The stolen MD5 hash can then be used to gain access to that user's account.