A Cross-Site Request Forgery (CSRF) vulnerability exists in FlexNet Publisher 11.12.1 which allows an attacker to add a local admin user. An attacker can send a malicious HTTP request to the vulnerable server to add a local admin user. This can be exploited by an attacker to gain access to the vulnerable server.
OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately escape dangerous characters from user-controlled input. An attacker can exploit this to execute arbitrary shell commands on the target.
rConfig 3.9.3 is vulnerable to authenticated remote code execution. An attacker can exploit this vulnerability by sending a malicious payload to the target server via the 'sqlQuery' parameter in the 'ajaxServerSettings.php' file. This will allow the attacker to execute arbitrary code on the target server.
Microsoft Windows Media Center, the very popular app still used by many people (it can play a variety of file types and was originally designed for playback and recording of TV shows from a TV's cable/antenna), is affected by an issue that allows malicious people to bypass the current security standards of the app, including modern browser security standards, which could ultimately lead to arbitrary code execution. The issue can be exploited through a specially crafted 'wma' or 'wmv' file containing a script instruction called 'URL'. By combining these 2 issues attackers may be able to reference a local HTML file in the context of the MS IE core, which is hosted by a Media Center 'plugin' (ehexthost32). Local files are usually parsed in the privileged Local Machine security zone, and Windows Media Center's extensibility host (ehexthost32) does not enable the security feature 'Local Machine Zone Lockdown' (FEATURE_LOCALMACHINE_LOCKDOWN), so it is possible to run arbitrary code on the target system. Therefore attackers might be able to compromise the target system if they can exploit a Universal Cross Site Scripting (uXSS) issue, or plant a file in a predictable location, like the user's 'Downloads' folder.
The application suffers from an unauthenticated stored XSS through a POST request. The issue is triggered when input passed via several parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
It is possible to get a reverse shell with an SNMP trap and gain a pivot inside a distributed architecture. Steps: Objective 1: Create an SNMP trap or use linkDown OID with special command in action 3. Objective 2: Create passive service and use App-Monitoring-Centreon-Service-Dummy. Objective 3: Assign service trap relation. Objective 4: Get centreon id reverse shell.
Satellian 1.12 is vulnerable to remote code execution. An attacker can send a malicious request to the server to execute arbitrary commands on the system. The attacker can use the 'libagent.cgi' endpoint to send a POST request with a malicious payload to execute arbitrary commands on the system.
Microsoft 'themepack' files are classic '.theme' files compressed for sharing over the internet. Theme files allow users to customize visual aspects of their device, such as icons for known features like the 'My computer' and 'trash bin' folders, and the default screensaver (which, in the past, allowed attackers to run '.scr' files located on shares upon applying a Theme; refer to CVE-2013-0810). The ThemePack file type uses the Microsoft 'CAB' format. The parser contains a vulnerability that allows attackers to create arbitrary files in arbitrary locations on the user's system by using the classic 'parent directory' technique, which could lead to the creation of executable files in the startup folder. This executable will be run on next logon.
XMLBlueprint XML Editor versions 16.191112 and earlier are affected by an XML External Entity (XXE) injection vulnerability triggered through a malicious XML file. This allows a malicious user to read arbitrary files.
The Cups Easy (Purchase & Inventory) 1.0 web application is vulnerable to Cross Site Request Forgery that would allow an attacker to change the Admin password and gain unrestricted access to the site or delete any user. Proof of Concept Code for Password Change and user delete is provided in the text.