
Explore Vulnerabilities


Explore all Exploits:

RAD SecFlow-1v SF_0290_2.3.01.26 – Cross-Site Request Forgery (Reboot)

A vulnerability in the web-based management interface of RAD SecFlow-1v could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. This could be exploited in conjunction with CVE-2020-13260.

RAD SecFlow-1v SF_0290_2.3.01.26 – Persistent Cross-Site Scripting

A stored XSS vulnerability was found in multiple pages of the web-based management interface of RAD SecFlow-1v. An attacker could exploit this vulnerability by uploading a malicious file as the OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys. The contents of these files are displayed to users, which causes the stored malicious JavaScript to execute. This could be exploited in conjunction with CVE-2020-13259.

Tea LaTex 1.0 – Remote Code Execution (Unauthenticated)

Tea LaTex 1.0 is vulnerable to unauthenticated remote code execution. An attacker can send a malicious payload to the /api.php?action=tex2png endpoint to execute arbitrary code on the server. The payload is sent as a POST request with the content type set to text/plain and the charset set to UTF-8. The payload is then executed on the server, allowing the attacker to gain a remote shell.

VTENEXT 19 CE – Remote Code Execution

This exploit uses a combination of three vulnerabilities to achieve Remote Code Execution. The first is an XSS vulnerability in the 'From' field of the VTENEXT Messages module. The second is a file upload vulnerability: uploaded file extensions are checked against the $upload_badext list in the config file, and .pht extensions are allowed and executable by default. The third is a CSRF vulnerability, as there are no CSRF protections in place. The exploit.js file needs to be hosted somewhere, IP addresses need to be replaced, check_csrf() should be adjusted to the setup, and run_shell() is a 'nice to have'.

ZTE Router F602W – Captcha Bypass

While logging in to the affected device you are presented with a username, password and captcha field. Submitting the form sends an HTTP request to /checkValidateCode.gch to validate the captcha; if it is valid, the login request is then actually submitted. This can be easily bypassed because the verification is client-side: one can simply ignore the response and forcefully submit the form via JavaScript (by calling the subpageSubmit() method). However, firing the same request twice fails with the text 'Error' shown at the top of the page, which defeats the purpose. It turns out that on every login attempt the parameter Frm_Logintoken is incremented by one and must match the server-side value. This can be handled with some simple pattern matching, allowing any script to bypass the captcha and log in.

Tiandy IPC and NVR 9.12.7 – Credential Disclosure

This exploit allows an attacker to gain access to the credentials of a Tiandy IPC and NVR device running version 9.12.7, 11.7.4, 13.6.1, or 22.1.0. The exploit requires Python 3 and PyCrypto to be installed. It connects to the device and attempts to recover the credentials using a code or default credentials. If the code is not found, it will attempt to set a mail address and then recover the credentials.

Scopia XT Desktop 8.3.915.4 – Cross-Site Request Forgery (change admin password)

This exploit allows an attacker to change the admin password of the Scopia XT Desktop 8.3.915.4 software to a predefined value. The exploit is achieved by sending a malicious POST request to the directory_settings.jsp page with the newadminpassword parameter set to a predefined value. This will change the admin password to the predefined value.

Tailor Management System – ‘id’ SQL Injection

The Tailor Management System is vulnerable to SQL injection. An attacker can exploit this vulnerability by sending malicious SQL queries to the application by manipulating the 'id' parameter in the URL. For example, an attacker can send the following malicious requests to the application:

http://localhost/tailor/addmeasurement.php?id=-1'+union+select+concat(username,0x3a,password),2+from+users-- -

http://localhost/tailor/staffedit.php?id=-1'+union+select+1,2,3,concat(username,0x3a,password),5+from+users-- -

http://localhost/tailor/staffcatedit.php?id=-3'+union+select+concat(username,0x3a,password)+from+users-- -

Audio Playback Recorder 3.2.2 – Local Buffer Overflow (SEH)

Audio Playback Recorder 3.2.2 contains a local buffer overflow that is triggered when a long string is passed as an argument to the application. This can be exploited to execute arbitrary code by overwriting the SEH handler with a malicious payload.
