
Explore Vulnerabilities

Explore all Exploits:

Multiple critical vulnerabilities in Cisco UCS Director, Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data

Due to several coding errors, it is possible for an unauthenticated remote attacker with no privileges to bypass authentication and abuse a password change function to inject arbitrary commands and execute code as root. In addition, there is a default unprivileged user with a known password that can log in via SSH and execute commands on the virtual appliance provided by Cisco.

GoURL Unrestricted Upload Vulnerability POC

GoURL Unrestricted Upload Vulnerability POC is a vulnerability in the GoURL Bitcoin WordPress Plugin. The vulnerable function is located at https://github.com/cryptoapi/Bitcoin-Wordpress-Plugin/blob/8aa17068d7ba31a05f66e0ab2bbb55efb0f60017/gourl.php#L5637. The vulnerability is caused by the use of a substring that keeps only the first 95 characters of the file name, which allows an attacker to upload a file whose name ends in a .php extension. To exploit this vulnerability, an attacker must create a file with a name of 95 characters or less, followed by a .php extension, and upload it to the target WordPress website. The uploaded file can then be accessed via a link such as http://127.0.0.1/wp/wp-content/uploads/gourl/images/i123456789a123456789b123456789c123456789d123456789e123456789f123456789g123456789h123456789i1.php.

Outlook Password Recovery v2.10 Denial of Service Exploit

Outlook Password Recovery v2.10 is vulnerable to a Denial of Service attack. An attacker can create a malicious file containing 6000 bytes of data and paste it into the 'User Name and Registration Code' field, which will cause the application to crash.

Tableau XXE

Tableau XXE is an XML External Entity (XXE) vulnerability in Tableau products. It allows an attacker to send malicious XML documents to a vulnerable Tableau server, which can then be used to read files from the server, or even execute arbitrary code. The vulnerability was reported to the vendor in July 2019, and a fix was released in August 2019.

Exim 4.87 – 4.91 Local Privilege Escalation

This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). Improper validation of the recipient address in the deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).

Windows: SET_REPARSE_POINT_EX Mount Point Security Feature Bypass

The NTFS driver supports a new FS control code to set a mount point which the existing sandbox mitigation does not cover, allowing a sandboxed application to set an arbitrary mount point symbolic link. After multiple previous attempts, the kernel mitigation against adding arbitrary NTFS mount points seems pretty robust. However, due to the way it was implemented inside the IO manager in the kernel, it is fragile to changes inside the filesystem drivers, as the mitigation is only applied when the FSCTL_SET_REPARSE_POINT control code is used. In this case, at some point (based on headers, probably RS1) a new FSCTL was added to NTFS, FSCTL_SET_REPARSE_POINT_EX, to allow overwriting an existing reparse point without having to first delete it. This FSCTL has a different control code from the old one, therefore issuing it does not trigger the mitigation and an arbitrary mount point can be set from any sandboxed application.

openITCOCKPIT 3.6.1-2 – CSRF 2 RCE

openITCOCKPIT is vulnerable to a CSRF-to-RCE chain. An attacker can exploit this vulnerability to gain remote code execution on the vulnerable system. The attacker can craft a malicious CSRF form using the credentials 'hacked@oicp.app - letmein1337' and host it on a malicious website. When the user visits the malicious website, the CSRF form is submitted and the attacker gains remote code execution on the vulnerable system.
