A remote arbitrary file deletion vulnerability has been discovered in the official WSO2 API Manager Carbon UI product. It allows a remote attacker with low privileges to perform authenticated application requests and delete arbitrary files on the system. The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` module, in the `extensionName` parameter that names the extension to be deleted. Because the value is not restricted to a plain extension name, an authenticated POST request whose `extensionName` contains a crafted path-traversal string lets a remote attacker delete arbitrary files, such as configuration files or database (.db) files.
An attacker can exploit this vulnerability by sending a specially crafted POST request to the vulnerable application. The request contains an 'action' parameter with the value 'cardview-actions', a 'prefix' parameter with the value '../' and an 'extpath' parameter with the value '../../../../Windows/win.ini'. This allows the attacker to read arbitrary files from the server.
TVT NVMS 1000 is vulnerable to directory traversal, which an attacker can exploit to read arbitrary files from the server. The vulnerability is caused by insufficient sanitization of user-supplied input to the 'filename' parameter of the 'get_file' function. An attacker can exploit it by sending a crafted HTTP request containing directory traversal sequences (e.g. '../') in the 'filename' parameter.
An attacker can leak the router's serial number via the web application API and use it to log in to the router.
The filelog parameter is vulnerable to path traversal, enabling read access to arbitrary files on the server. The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter, and the requested file was returned in the application's response. Note that disclosure of the shadow file may allow an attacker to recover users' passwords by cracking the stored hashes.
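The four path traversal findings above (the WSO2 extensionName deletion, the prefix/extpath win.ini read, the NVMS 1000 filename read and the filelog shadow read) share one root cause: a user-supplied value is joined onto a base directory without checking where the result actually lands. The following is an added example, not code from any of the affected products: a resolver that decides on the normalised path rather than by searching for '../', so percent-encoded, doubly encoded and backslash variants are caught the same way, plus a detection pass that applies the same check to query parameters in access-log lines. The base directories, parameter names and log lines are constructed for illustration.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit


class TraversalError(ValueError):
    """Raised when a user-supplied path would escape the permitted base directory."""


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e both end up as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_base(base_dir, user_path):
    """Return the absolute path for user_path, or raise if it lies outside base_dir.

    The decision is made on the normalised path, not by grepping for '../', so
    encoded, doubly encoded and backslash-separated variants are all rejected.
    """
    decoded = fully_decode(user_path).replace("\\", "/")  # win.ini-style targets accept backslashes
    if "\x00" in decoded or decoded.startswith("/"):
        raise TraversalError(f"absolute path or NUL byte rejected: {user_path!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"path escapes {base_dir}: {user_path!r}")
    return candidate


def is_traversal(base_dir, user_path):
    """True when the value would be rejected by resolve_under_base."""
    try:
        resolve_under_base(base_dir, user_path)
    except TraversalError:
        return True
    return False


# Detection side: scan access-log lines for traversal attempts in query parameters.
# Only the query string is visible in an access log; POST bodies (as in the WSO2 and
# win.ini cases above) need request-body logging or a WAF to inspect.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def flag_traversal_requests(log_lines, base_dir="/srv/app/www"):
    """Return (parameter name, request target) pairs whose values would escape base_dir."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in params.items():
            if any(is_traversal(base_dir, v) for v in values):
                hits.append((name, target))
                break
    return hits


# Constructed sample lines (not taken from the page), in Apache combined-log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /get_file?filename=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1422',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /get_file?filename=report.pdf HTTP/1.1" 200 88123',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /log?filelog=../../../../../../etc/shadow HTTP/1.1" 200 1207',
]

if __name__ == "__main__":
    for name, target in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal in {name}: {target}")
```

The same resolver applies to a delete operation as to a read: in the WSO2 case the fix is to resolve extensionName under the extensions directory and refuse anything that does not stay inside it, rather than to filter the string for '../'.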
The vulnerability exists due to insufficient sanitization of user-supplied input in the 'post_id' parameter of the 'helpful_ajax_pro' AJAX action of the 'helpful' plugin before it is used in a SQL query. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the application's database, allowing them to read, modify or delete data and potentially compromise the vulnerable system. The vulnerability is confirmed in version 2.4.11; other versions may also be affected.
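To make the 'post_id' flaw concrete, here is an added example in Python against an in-memory SQLite table. It is not the plugin's PHP code; the table layout and column names are constructed for illustration. The vulnerable function interpolates post_id into the query string, as the advisory describes, and the hardened form casts the value to an integer and binds it as a parameter. The two injection payloads show what the vulnerable form gives away: a boolean condition returns every row, and a UNION reads from a table the query never intended to touch.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the plugin's vote storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE helpful (post_id INTEGER, pro INTEGER, contra INTEGER)")
    conn.executemany("INSERT INTO helpful VALUES (?, ?, ?)", [(1, 10, 2), (2, 4, 4), (3, 0, 9)])
    conn.commit()
    return conn


def pro_votes_vulnerable(conn, post_id):
    """Mirrors the flaw described above: post_id is interpolated straight into the SQL."""
    sql = f"SELECT pro FROM helpful WHERE post_id = {post_id}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def pro_votes_safe(conn, post_id):
    """Hardened form: int() rejects anything that is not a whole number, and the value is bound."""
    pid = int(post_id)
    rows = conn.execute("SELECT pro FROM helpful WHERE post_id = ?", (pid,)).fetchall()
    return [row[0] for row in rows]


def demo():
    """Run both forms against a benign value and two injection payloads."""
    conn = make_db()
    results = {
        "normal": pro_votes_vulnerable(conn, "2"),
        # Boolean injection: the WHERE clause is always true, so every row comes back.
        "or_true": pro_votes_vulnerable(conn, "1 OR 1=1"),
        # UNION injection: read from a different table (here the schema catalogue).
        "union": pro_votes_vulnerable(conn, "0 UNION SELECT name FROM sqlite_master"),
    }
    try:
        pro_votes_safe(conn, "1 OR 1=1")
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    results["safe_normal"] = pro_votes_safe(conn, "2")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a WordPress plugin the equivalent of the hardened form is `absint()` on the parameter followed by `$wpdb->prepare()` with a `%d` placeholder; the principle is the same: the value is never part of the SQL text.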
A Cross-Site Request Forgery (CSRF) token bypass was reported against Django 3.0. The described attack uses the Session() class from the requests library to fetch the target URL, collect its cookies and CSRF token, and then submit a login request carrying that token. Note that this only replays a token issued to the attacker's own session: Django's CSRF protection requires the token in the form to match the csrftoken cookie of the client making the request, so obtaining a token for one's own session does not defeat the check for a victim's session, and a cross-site forged request still lacks the victim's token.
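The distinction matters enough to spell out in code. The following is an added illustration, not Django's implementation (Django additionally masks the token, which is omitted here): a simplified double-submit check in which the form token must match the requester's cookie. Reading one's own cookie and token with a requests session and sending them back passes the check, as the report observes, because that is the protocol working as designed. A forged cross-site request carries the victim's cookies (the browser attaches them) but only a token the attacker knows, and fails. The session values are generated locally and are constructed for illustration.

```python
import hmac
import secrets


def issue_session():
    """Constructed stand-in for a server issuing a session cookie and a CSRF cookie."""
    return {"sessionid": secrets.token_hex(16), "csrftoken": secrets.token_hex(16)}


def csrf_check(cookies, form_token):
    """Simplified double-submit check: the form field must equal the csrftoken cookie.

    compare_digest keeps the comparison constant-time; a plain '==' would leak
    how many leading bytes matched.
    """
    cookie_token = cookies.get("csrftoken")
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def same_session_login(session):
    """What the report above describes: a client replays the token it was itself issued."""
    return csrf_check(session, session["csrftoken"])


def cross_site_forgery(attacker_session, victim_session):
    """A genuine CSRF attempt: victim's cookies arrive with the request, but the attacker
    cannot read them cross-origin, so the form can only carry the attacker's own token."""
    return csrf_check(victim_session, attacker_session["csrftoken"])


if __name__ == "__main__":
    attacker, victim = issue_session(), issue_session()
    print("same-session replay accepted:", same_session_login(attacker))
    print("cross-site forgery accepted:", cross_site_forgery(attacker, victim))
```

A real bypass would have to make the second call return True without the attacker ever learning the victim's csrftoken cookie; fetching a page with requests.Session() does not do that.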
A local denial of service vulnerability exists in ZOC Terminal 7.25.5. An attacker can create a malicious .zrx file containing a long run of 'A' characters; opening it in ZOC Terminal crashes the application.
The vulnerability exists due to a boundary error when handling user-supplied data in the 'dhcp_release' command. Supplying an overly long argument triggers a buffer overflow, resulting in a denial of service.
A persistent cross-site scripting vulnerability exists in the 'User Manager' functionality of the pfSense administration panel. The stored payload is triggered by navigating to 'https://TARGET/system_usermanager_addprivs.php?userid=0', where userid is the id of the user account containing the payload.