A vulnerability in AirControl <= 1.4.2 allows an attacker to execute arbitrary code on the target system. This is achieved by sending a crafted HTTP request to the vulnerable server that contains a malicious payload in the form of a Java expression. The server evaluates this expression, giving the attacker arbitrary code execution on the target system.
VMware vCloud Director suffers from an expression injection vulnerability that allows remote attackers to gain remote code execution (RCE) by submitting a malicious value as the SMTP host name.
OpenCart versions prior to 3.0.3.2 are vulnerable to stored cross-site scripting (XSS). An authenticated attacker can exploit this vulnerability by uploading a malicious image file containing an XSS payload to the Image Manager section. The payload is executed each time someone visits the Image Manager section.
An attacker can bypass the login page and access the dashboard page by sending a POST request with user=admin&email='='or'&password='='or'&btn_login=:undefined to the vulnerable file login.php.
An authenticated low-privileged user can exploit a command injection vulnerability to get code execution as www-data and then escalate privileges to root due to weak sudo rules.
WordPress plugin BBPress version 2.5 is vulnerable to unauthenticated privilege escalation. An attacker can exploit this vulnerability by sending a crafted POST request to the login page of the WordPress website. The request contains the username, password, email address, and the bbp-forums-role parameter set to bbp_keymaster. This creates a new user with the keymaster role, allowing the attacker to gain full access to the WordPress website.
This exploit allows an attacker to execute arbitrary commands on vulnerable QNAP QTS and Photo Station 6.0.3 devices. The vulnerability exists due to improper validation of user-supplied input in the web application. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. Successful exploitation of this vulnerability can result in unauthorized access to the application.
EyouCMS V1.4.6 is vulnerable to persistent cross-site scripting. An attacker can send a malicious POST request to the vulnerable application with a crafted payload in the 'addonFieldExt[content]' parameter. This results in a persistent XSS vulnerability that can be used to steal users' cookies and other sensitive information.
A vulnerability exists in Online-Exam-System 2015, where an attacker can inject malicious SQL code into the 'fid' parameter of the 'dash.php' page, allowing them to access sensitive information from the database.
A SQL injection vulnerability exists in NOKIA VitalSuite SPM 2020 that allows an attacker to inject malicious SQL queries via the 'UserName' parameter. An example time-based payload is 'UserName=test'; waitfor delay '00:00:10' --'