Event Calendar 3.7.4 is vulnerable to SQL Injection. An attacker can send a specially crafted HTTP request to the vulnerable application in order to execute arbitrary SQL commands in the back-end database. This can be exploited to manipulate or disclose arbitrary data in the back-end database.
Matrix MLM Script version 1.0 is vulnerable to SQL Injection. An attacker can inject malicious SQL queries via the 'id' parameter in the 'deleteadmin.php', 'deletepin.php', 'activateadmin.php' and 'read' section of the application. This can allow an attacker to gain access to sensitive information from the database.
An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request to the vulnerable application. This request contains malicious SQL statements that can be executed in the back-end database, allowing the attacker to access or modify the application's data.
SHIELD - Freelancer Content Management System 2.2 is prone to an SQL injection vulnerability and a cross-site request forgery vulnerability. An attacker can exploit these issues to execute arbitrary SQL commands in the context of the affected application, steal cookie-based authentication credentials, and launch other attacks. This can lead to a full compromise of the affected application.
An unauthenticated attacker can inject arbitrary SQL commands into the 'search' parameter of the 'searchs' script, which is reachable through the 'entries' parameter. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Matrix MLM Script 1.0 is vulnerable to Information Leakage. An attacker can send a GET request to the getdata.php page in the modules directory to view sensitive information such as userid, username, profileid, passport, currentstage, l_member, r_member, firstname, lastname, emailaddress, and parentid.
In PEAR Archive_Tar before 1.4.4, there are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc.). When extract() is called without a specific prefix path, we can trigger phar-induced unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path name. Object injection can be used to trigger the destructor/wakeup method in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar itself, we can trigger arbitrary file deletion because `@unlink($this->_temp_tarname)` will be called in the destructor method. If another class with a useful gadget is loaded, remote code execution may be possible.
An XML External Entity (XXE) Injection vulnerability was discovered in BlogEngine 3.3. An attacker can exploit this vulnerability by sending a maliciously crafted POST request to the metaweblog.axd endpoint with the BodyXML parameter. The attack pattern used is <?xml version="1.0"?><!DOCTYPE ns [<!ELEMENT ns ANY><!ENTITY lfi SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">]><ns>&lfi;</ns>
When a non-root user attempts to control systemd units in the system instance from an active session over DBus, the access is gated by a polkit policy that requires "auth_admin_keep" auth. This results in an auth prompt being shown to the user, asking the user to confirm the action by entering the password of an administrator account. After the action has been confirmed, the auth decision for "auth_admin_keep" is cached for up to five minutes. However, the start time check is bypassable because fork() is not atomic. An attacker can fork() a process, then quickly allocate a PID with the same start time as the original process.
The Data Sharing Service has a TOCTOU in PolicyChecker::CheckFilePermission resulting in an arbitrary file deletion. In many different places the DSSVC calls PolicyChecker::CheckFilePermission to ensure the calling user has permission to open a file with a certain set of access rights. This function has an unusual behavior: specifically, it passes OPEN_ALWAYS as the disposition to CreateFile even if the code expects the file to already exist. The OPEN_ALWAYS disposition will create a file if it doesn’t exist; to handle this, the code checks whether GetLastError() is 0, and if it is then it assumes the file is new and so will call DeleteFile on the path. This has a big problem: there’s a TOCTOU in that the path passed to CreateFile doesn’t need to refer to the same file that’s passed to DeleteFile. For example, when this method is called in DSSCreateSharedFileTokenEx it’s using the path supplied by the user almost directly. One way of exploiting this would be to specify a path with a mount point in it, then between the call to CreateFile and DeleteFile change the mount point to point somewhere else. However, there’s an easier way: as CreateFile is called under impersonation and DeleteFile is not, an attacker could just set up a per-user C: redir to a file they don’t have access to; then when the service calls CreateFile it will succeed, but when it calls DeleteFile it will fail.