The add function defined in the Application/link/controller/link.class.php file does not filter the 'url' parameter, allowing malicious code to be executed.
The default installation of Sysaid exposes the AJP13 protocol used by the underlying Tomcat instance; this vulnerability was disclosed recently in several blog posts. An attacker would be able to exploit the vulnerability and read the web.xml of Sysaid. It was also found that an attacker would be able to upload files to the Sysaid application without authentication by directly accessing the link below: http://REDACTED:8080/UploadIcon.jsp?uploadChatFile=true&parent= The above screenshot shows that an attacker can execute commands on the system without any prior authentication.
This exploit is a .bsp file in which four bytes very close to the end of the file control the memory allocator. It works on all supported operating systems, including Linux, Windows, and macOS.
This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out-of-bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw), which is used for reading and writing absolute memory. The exploit then uses WebAssembly to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.
This module exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the RWX region of the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work.
This module exploits an issue in Chrome 73.0.3683.86 (64 bit). The exploit corrupts the length of a float array in order to modify the backing store of a typed array. The typed array can then be used to read and write arbitrary memory. The exploit then uses WebAssembly to allocate a region of RWX memory, which is then replaced with the payload. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.
This exploit targets a local privilege escalation vulnerability in Windows GDI. It is triggered by calling NtUserMessageCall to set fnid = 0x2A0 on a window, followed by allocating memory to be used for the corruption, setting the window extra data, creating a switch window (#32771), and finally triggering the vulnerability by calling PostMessage.
The 60CycleCMS application is vulnerable to SQL Injection and Cross-Site Scripting. In the file /common/lib.php, the function getCommentsLine() is vulnerable to SQL Injection. The news.php file is vulnerable to Cross-Site Scripting. An attacker can inject malicious payloads into the 'etsu' and 'ltsu' parameters of the index.php file.
An unauthenticated attacker can reach a Deserialization of Untrusted Data vulnerability that allows them to execute arbitrary code as SYSTEM/root. The attacker exploits this vulnerability by sending a maliciously crafted serialized object to the CewolfServlet servlet, which results in arbitrary code execution as SYSTEM/root.
A successful attempt would require the local user to be able to insert their code into the system root path undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.