An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do qc_siteID parameter. Attack vector: domain/SiteLookup.do?configID=0&SELECTSITE=qc_siteID"/><svg onload=alert('XSS')>&userConfigID=21111111&SELECTEDSITEID=1&SELECTEDSITENAME=
A stack overflow vulnerability exists in Cisco RV130W Wireless-N Multifunction VPN Router running firmware version 1.0.3.44 and prior. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP POST request to the router's web interface. This will allow the attacker to execute arbitrary code on the router.
NUUO NVRMini2 3.9.1 is vulnerable to a stack overflow vulnerability due to improper bounds checking of user-supplied input. An attacker can send a specially crafted packet to the vulnerable device to trigger a stack overflow, which can be used to execute arbitrary code.
A SQL injection vulnerability was discovered in WordPress Plugin Form Maker 1.13.3. An attacker can exploit this vulnerability to gain access to the database and execute arbitrary SQL commands. The vulnerability is due to the lack of input validation in the 'admin.php' script when handling the 'order_by' parameter. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable script. This can allow the attacker to gain access to the database and execute arbitrary SQL commands.
In AUO Solar Data Recorder web page, it's use HTTP Basic Access Authentication. Once user access the files which are under path http://<host>/protect/, the website will response the plaintext account and password in WWW-Authenticate attribute. Attackers is capable to login AUO Solar Data Recorder successfully.
The Dell Kace allows Admin users to access ajax_lookup_list.php. However, it can be accessed by a least privileged user with ‘User Console Only’ rights. Also, the user input supplied to 'selvalue' parameter is not sanitized that leads to a Blind SQL Injection vulnerability.
This exploit is a proof-of-concept code for CVE-2020-46945, a buffer overflow vulnerability in the hd.h library. The vulnerability occurs when a malicious user supplies a large amount of data to the library, which causes a buffer overflow and allows the malicious user to execute arbitrary code.
Services By CQR