Excel's Query From File feature is vulnerable to error-based XML External Entity (XXE) attacks if the user chooses the "Import as Html page" option after receiving errors while importing a specially crafted XML file. This can result in remote data exfiltration; user interaction is required to exploit this vulnerability. Tested successfully on Windows 10 with .NET Framework version v4.0.30319.
Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the installation directory. Local attackers or malware running at low integrity can replace a .exe or .dll file to achieve privilege escalation.
The application suffers from multiple CSRF and XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Visual Studio 2008 IDE suffers from XML External Entity (XXE) injection. Attackers can leverage many file types, some of them MASM-related files such as .asm or .lst. Opening any one of the file types listed below can allow remote attackers to steal files from the victim's computer and send them to the remote attacker's server. Double-clicking any of the following extensions will trigger the XXE vulnerability. Note that upon installation of the IDE the following file types are associated with Visual Studio 2008, and ALL of them are vulnerable and will trigger the XXE exploit.
Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities, and to provide security alerts. A malicious user can create a file with a large number of characters and paste it into the 'Name' field of the 'Register -> Enter Registration Code' window, resulting in a denial of service.
This exploit allows an attacker to enumerate users of a WordPress website running version 5.3 or lower. The exploit uses the /wp-json/wp/v2/users/ endpoint to retrieve a list of users from the website.
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
update_dyld_shared_cache, the tool responsible for generating the shared cache, is able to write to /private/var/db/dyld/ because it has the com.apple.rootless.storage.dyld entitlement. However, it accepts two command-line arguments, '-root' and '-overlay', which make it difficult to enforce security properties. The rootless_check_trusted() function does not work as expected, allowing an attacker to bypass the entitlement.
TestLink 1.9.19 is vulnerable to persistent cross-site scripting. This vulnerability allows an attacker to inject malicious JavaScript code into the application. The vulnerable pages are archiveData.php, index.php, tcEdit.php, and login.php. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable page. The malicious JavaScript code will be executed in the victim's browser.
mediaserverd has various media parsing responsibilities; it's reachable from various sandboxes and is able to talk to interesting kernel drivers, so it is a valid target in an exploit chain. One of the services it vends is com.apple.audio.AudioFileServer, a fairly simple XPC service which will parse audio files on behalf of clients and send them the raw bytes. Files are opened via their ipod-library:// URL; for the purposes of this PoC you will need to ensure there is at least one audio file in the iTunes library. The files are actually parsed by the AudioFileReadPacketData method; here's the prototype from the docs: OSStatus AudioFileReadPacketData(AudioFileID inAudioFile, Boolean inUseCache, UInt32 *ioNumBytes, AudioStreamPacketDescription *outPacketDescriptions, SInt64 inStartingPacket, UInt32 *ioNumPackets, void *outBuffer). The docs tell us the meaning of the ioNumBytes and outBuffer arguments. ioNumBytes: on input, the size of the outBuffer parameter, in bytes; on output, the number of bytes actually read. outBuffer: memory that you allocate to hold the read packets; determine an appropriate size by multiplying the number of packets requested (in the ioNumPackets parameter) by the typical packet size for the audio data in the file (for uncompressed audio formats, a packet is equal to a frame). For the purposes of the bug this function has memcpy semantics: the value pointed to by ioNumBytes will be taken as the correct size of the output buffer; AudioFileReadPacketData is unable to verify that, so it's up to the caller. Looking at the code which calls this, the values are derived from three values passed in the 'read' XPC message: numbytes (uint64), numpackets (uint64), starti (uint64)