MyBB versions prior to 1.8.21 are vulnerable to an authenticated Remote Code Execution (RCE) vulnerability. An attacker can exploit this vulnerability by sending a specially crafted payload to an admin user. The payload will execute a malicious JavaScript file hosted on a VPS. The payload will trigger once an admin views the message.
CVE-2019-2107 is a vulnerability that allows for remote code execution on Android devices running versions 7-9. The vulnerability is present in the HEVC (a.k.a. H.265 and MPEG-H Part 2) decoder/codec, which runs under the mediacodec user. By crafting a video with tiles enabled (ps_pps->i1_tiles_enabled_flag), an attacker can exploit the vulnerability to gain remote code execution.
The application interface of Cisco Wireless Controller 3.6.10E allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
An attacker can inject malicious SQL code into the Referer HTTP header field of a GET request to the NoviSmart CMS, which can be used to gain unauthorized access to the system.
Axway SecureTransport versions 5.3 through 5.0 (and potentially others) are vulnerable to an unauthenticated blind XML injection (& XXE) vulnerability in the resetPassword functionality via the REST API. If executed properly, this vulnerability can lead to local file disclosure, DoS or URI invocation attacks (e.g. SSRF->RCE). It's worth noting that in version 5.4 the v1 API was deprecated but not removed entirely, meaning that you can still trigger this vulnerability on updated installations if they have the v1.0, v1.1, v1.2 or v1.3 in the /api/ directory.
Comtrend AR 5310 routers have a restricted shell; the list of commands a user can execute is [ ? help logout exit quit reboot ads lxdslctl xtm loglevel logdest virtualserver ddns dumpcfg dumpmdm meminfo psp dumpsysinfo dnsproxy syslog ifconfig ping sntp sysinfo tftp wlan wlctl vlanctl arp defaultgateway dhcpserver dns lan lanhosts passwd ppp restoredefault route nslookup traceroute save uptime exitOnIdle wan build version serialnumber modelname acccntr upnp urlfilter timeres tr69cfg logouttime ipneigh dhcp6sinfo nat mcpctl ]. Usual terminal constructs like the command separator ';', the control operator '&' (run in foreground), the redirection operator (pipe) '|', and the command substitution operator '`' are all filtered. Still, the $ operator is not filtered, so invoking a command with $( subcommand ) as argument would give an obvious shell.
This exploit allows an attacker to gain root privileges on a Linux system by exploiting a vulnerability in the cgroup subsystem. The exploit involves creating a cgroup, mounting it, and then writing a malicious script to the cgroup's release_agent file. The malicious script is then executed when the cgroup is released, allowing the attacker to gain root privileges.
Most JavaScript events are blacklisted, but not all. As a result, we found one event that was not blacklisted and successfully used it. Stored XSS n°1 was found in the project name, where an *onkeypress* event was triggered whenever the user touches any key; since the XSS payload is stored in the project name, it appears in several pages. Stored XSS n°2 was found in a calendar event, where an *onkeypress* event was triggered whenever the user touches any key; since the XSS payload is stored in the calendar event, it appears in several pages. Stored XSS n°3 was found in the CSV upload feature with displayed parsed results, where a malicious CSV is uploaded and the parsed content is inserted into an HTML table where the XSS will be triggered.
Web Ofisi Firma 13 is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this vulnerability to manipulate SQL queries by injecting arbitrary SQL code. The vulnerable parameter is 'oz[]' (GET). The payload used for this exploit is '0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z'.