
Explore Vulnerabilities


Explore all Exploits:

DocumentWriter::replaceDocument() Vulnerability

DocumentWriter::replaceDocument() is vulnerable to improper access control. This vulnerability can be exploited by an attacker to gain access to the document object of the frame, and that access can then be used to modify the document object and execute malicious code. The vulnerability is triggered when DocumentWriter::replaceDocument() is called with a malicious source string. The malicious source string is passed on to DocumentParser::append(), which parses the source string and creates a new document object.

Display Name Stored Unauthenticated XSS in DNN v9.3.2

A malicious unauthenticated person can attempt to register a user with the XSS payload in the 'Display Name' parameter. The administrator of the website will see a notification that a new user needs to be approved. Once an administrator clicks on this notification, the JavaScript code is executed in the administrator's browser. This exploit adds the user and grants them administrator privileges. A native module, 'module creator', also allows remote code execution.

vBulletin 5.x 0day pre-auth RCE exploit

This exploit allows an attacker to execute arbitrary code on a vulnerable vBulletin 5.x installation. It works on all versions from 5.0.0 through 5.5.4. The exploit is triggered by sending a specially crafted POST request to the vulnerable server, containing a payload in the 'widgetConfig[code]' parameter. The payload is then executed on the server.

PHP SplFixedArray Type Confusion Remote Code Execution

This exploit targets a type confusion vulnerability in the PHP SplFixedArray class. It allows an attacker to execute arbitrary code on the target system by abusing the way the SplFixedArray class handles references. The exploit works by creating a SplFixedArray object and setting its first element to a reference to a Z object. The Z object contains a jsonSerialize() method, which is used to serialize the object. The jsonSerialize() method calls a leak1() method that leaks the address of the Z object. That address is then used to parse the ELF header of the PHP binary and leak the address of the .data segment, which in turn is used to leak the address of the command string. Finally, the command string is set to the address of the command, and jsonSerialize() is called again to execute the command.

Realtek Managed Switch Controller (RTL83xx) PoC (2019 bashis)

Boa/Hydra suffer from an exploitable stack overflow caused by a 'one byte read-write loop' without a boundary check. Reuse of code between vendors gives almost identical exploitation of the found vulnerabilities. Two strcpy()-vulnerable fixed buffers next to each other in the same function make it easy to jump in Big Endian.

thesystem Command Injection

Simple command injection after login bypass (login_required was not used). An attacker can send a malicious POST request to the vulnerable endpoint /run_command/ with a command parameter containing arbitrary system commands. The application will execute the command without any validation or sanitization.

theSystem Persistent XSS

A persistent XSS vulnerability was discovered in theSystem after login bypass. An attacker can send a malicious request with a malicious script in the operating system, system owner, system username, and system password form fields. This malicious script will be executed when a user visits the page.

phpIPAM Custom Field Filter SQL Injection

This exploit allows an attacker to execute arbitrary SQL commands on a vulnerable phpIPAM application. The vulnerability exists in the custom field filter feature, which allows an attacker to inject malicious SQL code through the 'table' parameter of the 'filter-result.php' page. This can be exploited to execute arbitrary SQL commands on the underlying database.
