After a successful login, the application returns a base64 value and uses it to authenticate again. This allows an attacker to modify the response and become a user. For versions 0.9.8.836 to 0.9.8.837, the response format is <username>||/<username>/theme/original, and for versions 0.9.8.838 to 0.9.8.846, the response format is username||/<username>/theme/original.
This module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending DoS packets.
CVE-2019-2107 is a vulnerability that allows for remote code execution (RCE) on Android devices. The vulnerability is caused by a flaw in the HEVC (a.k.a. H.265 and MPEG-H Part 2) decoder/codec, which runs under the mediacodec user. An attacker can exploit this vulnerability by crafting a malicious video with tiles enabled (ps_pps->i1_tiles_enabled_flag) and sending it to the target device. This will cause the decoder to crash, allowing the attacker to execute arbitrary code on the device.
An unauthenticated user can find the version number and device type by visiting this link directly. The Host header can be changed to a different domain to redirect the request to a fake website, which can be used for phishing attacks and also for domain fronting.
NETGEAR WiFi Router R6080 is vulnerable to Security Questions Answers Disclosure. An attacker can exploit this vulnerability by sending a POST request to http://192.168.1.1/401_recovery.htm with the serial number of the router. This will allow the attacker to bypass the security questions and gain access to the admin password. Additionally, the attacker can also execute authenticated telnet commands by sending a GET request to http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug.
It is possible to use the NTLM reflection attack to escape a browser sandbox in the case where the sandboxed process is allowed to create TCP sockets. This attack was described in https://bugs.chromium.org/p/project-zero/issues/detail?id=222. MS16-075 was supposed to fix it by blocking attempts to reflect NTLM authentication operating in the same machine mode. However, it is still possible to reflect NTLM authentication that works in the regular remote mode. In the actual exploit, a compromised sandboxed process acts as both a web server and an SMB client, and asks the browser to visit http://localhost:[fake_webserver_port]. The browser receives an NTLM authentication request and considers the `localhost` domain to be safe to automatically log on with the current user's credentials. The sandboxed process forwards the corresponding packets to the local SMB server. Additionally, an insufficient path check in EFSRPC can be used to bypass security checks and gain file system access.
This module exploits a command injection vulnerability in Xymon versions before 4.3.25 which allows authenticated users to execute arbitrary operating system commands as the web server user. When adding a new user to the system via the web interface with `useradm.sh`, the user's username and password are passed to `htpasswd` in a call to `system()` without validation.
This code exploits both CVE-2019-12989 and CVE-2019-12991. It uses an SQL injection to bypass authentication and then a command injection to spawn a reverse shell. The code requires a Netcat listener.
The 'Display Name' field in General Options of the Configure module in Jenkins was found to accept arbitrary values which, when loaded in the Dependency Graph View module, get executed, making it vulnerable to a Stored/Persistent XSS.
Sahi Pro is vulnerable to Unauthenticated Remote Command Execution. It is possible to execute commands on the server using the function '_execute()'. This exploit creates a new sahi script that runs 'netcat' on the server and opens a shell session.