A SQL injection vulnerability exists in XOOPS CMS v.2.5.9. An attacker can send a maliciously crafted request to the gerar_pdf.php script in the patch/modules/patch/ directory, which can be accessed by using the 'inurl:gerar_pdf.php inurl:modules' dork. This can allow an attacker to execute arbitrary SQL commands on the underlying database.
The Soca web access control system suffers from multiple SQL Injection vulnerabilities. Input passed via multiple POST parameters is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism. It allows the attacker to remotely disclose password hashes and login with MD5 hash with highest privileges resulting in unlocking doors and bypass the physical access control in place.
Insecure direct object references occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources and functionalities in the system.
A denial of service vulnerability exists in DNSS Domain Name Search Software 2.1.8 when a maliciously crafted registration code is entered into the application. An attacker can leverage this vulnerability to crash the application, resulting in a denial of service condition.
A denial of service vulnerability exists in SpotMSN 2.4.6 when a maliciously crafted Name/Key is entered into the registration code dialog, resulting in a crash. An attacker can leverage this vulnerability to crash the application, denying service to legitimate users.
It has been found that the XML parser of the SAML authentication system of the Password Vault Web Access (PVWA) is vulnerable to XML External Entity (XXE) attacks via a crafted DTD. No user interaction or privileges are required as the vulnerability is triggered in pre-authentication.
A vulnerability in dotCMS 5.1.1 allows an attacker to inject malicious HTML and JavaScript code into the application. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability is due to insufficient validation of user-supplied input when uploading files. An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request with malicious HTML code in the filename parameter.
A denial of service vulnerability exists in PHPRunner 10.1 when a maliciously crafted input is supplied to the application. An attacker can leverage this vulnerability to crash the application.
ASPRunner.NET 10.1 is vulnerable to a denial of service attack when a maliciously crafted table name is used. An attacker can exploit this vulnerability by creating a file containing a long string of characters, copying the contents of the file to the clipboard, and then pasting the contents into the 'Table name' field when creating a new database. This will cause the application to crash.
SpotPaltalk 1.1.5 is vulnerable to a denial of service attack when a maliciously crafted Name/Key field is entered. When the 'OK' button is clicked, the application crashes.
Services By CQR