AVideo Platform 8.1 is vulnerable to Cross Site Request Forgery (CSRF) which allows an attacker to reset the password of an admin user. An attacker can send a malicious request to the vulnerable endpoint objects/playlistsFromUser.json.php?users_id=[ID] to get the recoverPass parameter of the admin user. The attacker can then use the recoverPass parameter to reset the password of the admin user using the endpoint recoverPass?user=admin&recoverpass=0ce70c7b006c78552fee993adeaafadf.
Verodin Director's REST API allows authenticated users to query the configuration details, which include credentials, of any of the 50+ possible integrated security tools (e.g. Splunk, ArcSight, Palo Alto, AWS CloudTrail). Fortunately for attackers, members of 3 out of the 4 user groups in the Director can query this info (Users, Power Users, System Admin).
The exploit abuses delegation privileges present in the WebTA "/servlet/com.threeis.webta.H491delegate" servlet. By specifying the "delegate" and "delegatorUserId" parameters, an attacker can use an admin user id to delegate role 5 (i.e. admin privileges) to any other known user id, including their own. With the new admin account, an attacker can abuse a stored XSS vulnerability present in the login page, the banner (displayed on every page) and the password reset page. An attacker can also pull system information and download a file containing the full name and SSN of every user in the database (typically thousands).
The source code of socat.c contains the _socat() function, which has an integer overflow vulnerability. The line 'if ((bytes2 = xiotransfer(sock2, sock1, &buff, socat_opts.bufsiz, true)) < 0) {' calls xiotransfer(), which calls xioread(), which in turn calls Read(). In addition, the 'Makefile' does not enable the Position Independent Executable (PIE) mitigation (CFLAGS does not contain the '-pie' flag), and Ubuntu 16.04 does not enable this mitigation by default. Consequently, the program is easier to exploit, which may even lead to Remote Code Execution (RCE).
This exploit is a proof-of-concept for a heap overflow vulnerability in F-Secure Internet Gatekeeper 5.40. The vulnerability is triggered by sending a specially crafted POST request with a large Content-Length header. This causes a heap overflow, which can be used to overwrite a fast bin chunk and gain code execution. The exploit was discovered by Kevin Joensen and detailed in a blog post by Doyensec.
Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key presses. While pwfeedback is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files. Due to a bug, when the pwfeedback option is enabled in the sudoers file, a user may be able to trigger a stack-based buffer overflow. This bug can be triggered even by users not listed in the sudoers file. Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled. The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password. If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account.
Schneider Electric U.Motion Builder version 1.3.4 is vulnerable to authenticated command injection. An attacker can send a malicious command to the application and execute it on the server. The exploit is written in Python and uses the HTTP protocol to send the malicious command to the application. The exploit is tested on a Delivered Virtual Appliance running on Windows 10 x64.
A vulnerability in Jira versions 2.1 to 8.3.4 allows an attacker to enumerate usernames by sending a specially crafted request to the Jira REST API. This vulnerability is due to insufficient input validation of the query parameter in the Jira REST API. An attacker can leverage this vulnerability to enumerate usernames and gain access to the Jira instance.
PHP's loose comparison operator '==' converts both operands to numbers when they look numeric, even if they are strings. An attacker can bypass authentication by providing a string which, after this conversion, is equal to the converted hashed value of the valid password.
An attacker can use XSS (in the color parameter of IceWarp WebMail 11.4.4.1 and earlier) to send a malicious script to an unsuspecting admin or user. The admin's or user's browser has no way to know that the script should not be trusted, and will execute it. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. An attacker can also use this vulnerability for social engineering, for example by injecting a fake form field.