There are no file extension controls on Image Manager (5.2.4) or on Backup Restore. If an authorized user account is obtained, it is possible to run a malicious PHP file on the server.
This exploit is based on a checker script which checks for authentication bypass and remote code execution vulnerabilities in Saltstack versions < 3000.2, < 2019.2.4, 2017.*, 2018.*. It checks for CVE-2020-11651 and CVE-2020-11652.
webERP is a complete web-based accounting and business management system that requires only a web browser and a PDF reader to use. It has a wide range of features suitable for many businesses, particularly distributed businesses in wholesale, distribution, and manufacturing. This vulnerability allows an attacker to access the backup file of the webERP application without authentication, simply by requesting the URL http://localhost/webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz
An attacker can exploit a SQL injection vulnerability in the 'username' parameter of the Online Scheduling System 1.0 application. By sending a specially crafted request, an attacker can inject malicious SQL code into the application, which can be used to access, modify, or delete data from the back-end database.
Oracle Database 11g Release 2 contains an Unquoted Service Path vulnerability that allows an attacker to gain elevated privileges on the system. The vulnerability exists because the OracleDBConsoleorcl, OracleOraDb11g_home1TNSListener and OracleServiceORCL services do not have their paths quoted. An attacker can exploit this by injecting malicious code into the unquoted service path.
BoltWire 6.03 is vulnerable to Local File Inclusion (LFI). An authenticated user can send a specially crafted HTTP GET request to the vulnerable page, which allows the attacker to read arbitrary files from the server. This can be exploited to gain access to sensitive information such as the /etc/passwd file.
An attacker can bypass authentication of the Online Scheduling System 1.0 by sending a malicious POST request to the login.php page with a username and password of 0.
A Cross-Site Request Forgery (CSRF) vulnerability in Apache OFBiz 17.12.03 allows an attacker to take over an account by sending a malicious request to the server. The malicious request is sent via a form with hidden fields containing the user's information; the form is then submitted using a script. After that, the attacker can perform a password reset via the forgot-password feature.
An arbitrary file upload web vulnerability has been discovered in the official Air Sender v1.0.2 iOS mobile application. The vulnerability allows remote attackers to upload arbitrary files and thereby compromise, for example, the file system of the service. The arbitrary upload vulnerability is located in the web-server configuration when using the upload module. Remote attackers are able to bypass the local web-server configuration by uploading malicious webshells. Attackers are able to inject their own files with malicious `filen` values in the `upload` POST method request to compromise the mobile web application. The application does not check for multiple file extensions, which allows an attacker to upload, for example, an html.js.png file. After the upload, the attacker requests the original URL of the uploaded file and removes the unwanted extension to execute the code in the web application context.
A directory traversal web vulnerability has been discovered in the official Super Backup v2.0.5 iOS mobile web application. The vulnerability allows remote attackers to change the application path in performed requests to compromise the local application or the file system of a mobile device.