A local buffer overflow vulnerability has been discovered in the official AVS Audio Converter. The vulnerability allows local attackers to overwrite registers (for example, EIP) and compromise the local software process. The issue can be exploited by local attackers with system privileges to compromise the affected local computer system. The vulnerability is classified as a classic buffer overflow issue.
A vulnerability in NopCommerce 4.2.0 allows an attacker to gain elevated privileges by exploiting a directory traversal vulnerability in the RoxyFileman file manager. An attacker can use this vulnerability to gain access to the web server's file system and execute arbitrary code. The vulnerability can be exploited by sending a specially crafted HTTP request to the vulnerable application.
This exploit allows an attacker to execute arbitrary code on the vulnerable Netgear R6400 router. The exploit is triggered by sending a specially crafted HTTP request to the router's web server. The request contains a command that is executed on the router. The output of the command is then returned to the attacker.
Attackers use vulnerable web pages to inject malicious code and have it stored on the web server for later use. The payload is automatically served to users who browse web pages and executed in their context. Thus, the victims do not need to click on a malicious link to run the payload. All they have to do is visit a vulnerable web page.
The problem is that sendmsg() can end up looking at the credentials of the calling task for various reasons. For example: sendmsg() with a non-null, non-abstract ->msg_name on an unconnected AF_UNIX datagram socket ends up performing filesystem access checks; sendmsg() with SCM_CREDENTIALS on an AF_UNIX socket ends up looking at process credentials; and sendmsg() with a non-null ->msg_name on an AF_NETLINK socket ends up performing capability checks against the calling process. When the request has been handed off to a kernel worker task, all such checks are performed against the credentials of the worker, which are the default kernel creds, with UID 0 and full capabilities. To force io_uring to hand off a request to a kernel worker thread, an attacker can abuse the fact that the opcode field of the SQE is read multiple times, with accesses to the struct msghdr in between: the attacker can first submit an SQE of type IORING_OP_RECVMSG whose struct msghdr is in a userfaultfd region, and then, when the userfaultfd triggers, switch the type to IORING_OP_SENDMSG.
A vulnerability in the D-Link DIR-615 Wi-Fi router allows an attacker to gain root privileges by changing the privilege id from 1 to 2 using Burp Suite. This can be done by logging in to the router gateway with normal user credentials, creating an account with a chosen name, and changing its privileges from user to root.
Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal, which can lead to file writes in arbitrary locations depending on the IIS worker process privileges. This PoC demonstrates a crafted Windows shortcut file being uploaded and written to the Startup folder. Execution of this file is triggered on the next login.
A directory traversal vulnerability exists in NVMS-1000, which allows an attacker to access sensitive files outside of the web root directory. By sending a specially crafted HTTP request, an attacker can traverse the directory structure and read such files. This can lead to information disclosure, such as the contents of the Windows win.ini file.
A directory traversal vulnerability exists in Bullwark Momentum Series Web Server JAWS/1.0. An attacker can send a specially crafted HTTP request containing '../' sequences to read arbitrary files from the server.
The XML content type entity deserializer is not configured to deny the resolution of external entities. Requests with content type 'application/xml', which trigger the deserialization of entities, can be used to mount XXE attacks.