Explore all Exploits:

Cisco Data Center Network Manager Unauthenticated Remote Code Execution

DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload. An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps directory and achieve remote code execution as root. This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct directory for the WAR file upload. This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit (see References to understand why).

CraftCms Users information disclosure From uploaded File

When a user uploads an image in CraftCMS, the uploaded image's EXIF geolocation data is not stripped. As a result, anyone can obtain sensitive information about CraftCMS users, such as their geolocation and device information (device name, version, software and software version used, etc.).

Wolters Kluwer TeamMate+ – Cross-Site Request Forgery (CSRF) vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in Wolters Kluwer TeamMate+ version 3.1 (January 2019) (Internal Version: 21.0.0.0) and earlier. This vulnerability allows an attacker to perform malicious actions on behalf of the authenticated user. The vulnerability exists due to insufficient CSRF protection mechanisms. A remote attacker can trick an authenticated user into visiting a specially crafted web page and perform malicious actions on behalf of the user. The vulnerability is confirmed in TeamMate+ version 3.1 (January 2019) (Internal Version: 21.0.0.0). Other versions may also be affected.

Alkacon OpenCMS 10.5.x – Multiple LFI in Alkacon OpenCms Site Management

Alkacon OpenCMS 10.5.x is vulnerable to multiple Local File Inclusion (LFI) vulnerabilities. For the tests, the payloads used were “…%2f…%2fWEB-INF%2flogs%2fopencms.log” and “…%2f…%2fWEB-INF%2fweb.xml”. The vulnerable resources are “closelink” in the “loginmessage.jsp”, “xmlcontentrepair.jsp”, “group_new.jsp” and “index.jsp” pages.

Alkacon OpenCMS 10.5.x – Multiple XSS in Alkacon OpenCms Site Management

Multiple XSS vulnerabilities were discovered in Alkacon OpenCMS 10.5.x. In Site Management, a stored XSS was found in the 'Affected resource title.0' field. In Treeview, a reflected XSS was found in the 'Affected resource type' field. In Workspace tools, a stored XSS was found in the 'Affected resource message.0' field. In Index sources, a stored XSS was found in the 'Affected resource name.0' field. In Index sources, a stored XSS was found in the 'Affected resource name.0' field of the 'New field configuration' page.

Alkacon OpenCMS 10.5.x – Multiple XSS in Apollo Template

The vulnerability appears when the header X-Forwarded-For is used as shown in the next request:

GET /login/index.html?requestedResource=&name=Editor&password=editor&action=login HTTP/1.1
Host: example.com
X-Forwarded-For: .<img src=. onerror=alert('XSS')>.test.ninja

Reflected XSS in the search engine:

Affected resource -> 'q'

POC: https://example.com/apollo-demo/search/index.html?facet_category_exact_ignoremax&q=demo%20examplez4e62%22%3e%3cscript%3ealert(1)%3c%2fscript%3ewhhpg&facet_type_ignoremax&facet_search.subsite_exact_ignoremax&reloaded&facet_query_query_ignoremax&

IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 ‘dumpConfigFile’ Pre-Auth Remote Arbitrary File Read

This exploit allows an attacker to read arbitrary files on IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 devices without authentication. The attacker can send a specially crafted HTTP request to the vulnerable device in order to read any file on the system.

WordPress Plugin Event Tickets >= 4.10.7.1 – CSV Injection

It is possible to run a malicious command on a logged-in user's computer. Although an alert message is shown when the file is opened, users usually ignore such pop-ups because the file comes from a known source. To exploit the vulnerability, a malicious payload is added to the Full Name section of the RSVP ticket page. The payload is then exported in a .csv file, which, when opened, executes the malicious command on the user's system.
