Ubuntu's aufs kernel patch includes a change which allows fput() to be called on the current value of vma->vm_file instead of the saved file pointer. This matters if the ->mmap() handler replaces ->vm_file before returning an error code. To demonstrate the issue, the PoC below mounts a shiftfs that is backed by a FUSE filesystem with the FUSE flag FOPEN_DIRECT_IO, which causes fuse_file_mmap() to bail out with -ENODEV if MAP_SHARED is set.
OpenNetAdmin v18.1.1 is vulnerable to Remote Code Execution. An attacker can send a malicious payload to the vulnerable server to execute arbitrary code. The payload is sent via a POST request to the vulnerable server.
WordPress websites are vulnerable to URL manipulation attacks, which can be used to leak secret content. This can be done by adding '?static=1' to a WordPress URL and manipulating the returned entries by using 'order' with 'asc' or 'desc', 'orderby', and 'm' with 'm=YYYY', 'm=YYYYMM' or 'm=YYYYMMDD' date format.
A vulnerability in the Health Monitor component of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system with root privileges. The vulnerability is due to improper validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system with root privileges.
XMedia Recode is vulnerable to a denial of service attack when a maliciously crafted .m3u file is opened. This causes the application to crash. An attacker can exploit this vulnerability by convincing a user to open a maliciously crafted .m3u file.
Centova Cast can be driven into a runaway state that produces 100% CPU load on all cores. A bash script exploits the vulnerability by sending a request to the API with a filename of /dev/zero, which causes Centova Cast to spin out of control and saturate every core.
A buffer overflow vulnerability exists in ipPulse 1.92 when maliciously crafted input is sent to the 'Enter Key' field. An attacker can exploit this vulnerability to cause a denial of service condition. It is triggered by running a Python script that creates a text file containing a 256-byte-long string of 'A' characters, copying the content of the text file to the clipboard, clicking on 'Enter Key' in ipPulse.exe, pasting the clipboard content into the 'Name:' field, and clicking 'OK'. This causes the application to crash.
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
A form with action http://xyz.com/cgi-bin/up.cgi, method post and enctype multipart/form-data is used to upload a file, with the sid value set to joe. The uploaded file can then be included using http://xyz.com/?op=page&tmpl=../../admin_settings. Because the .html extension is hard-coded on the server, the included file must have an .html extension, but it may reside anywhere on the server. The LFI can be chained with the Arbitrary File Upload vulnerability by uploading an HTML file, e.g. upload.html, and changing the sid to ../../../../../../tmp so that the file is written to the server's tmp directory. The Xfilesharing script also has built-in shortcodes, so RCE can be achieved by including them in the upload.html file.