Forced browsing or download via an embedded iframe in a chat window. No user interaction is required. When the iframe contains a web site URL, a new window of the default browser opens with that URL. If the URL points to a file, the file is downloaded automatically if it is a permitted file type (e.g., zip).
In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation allows remote attackers to perform a command injection attack against the PHP daemon with a crafted command, resulting in a denial of service or possibly unspecified other impact. In versions before 3.0, modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above, modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code. To exploit, start the Budabot listener, set valid configuration options, and wait for the chatbot to announce it's ready in-game. Send the chatbot a private message containing '!calc 5 x 5', and the Budabot listener will terminate.
A vulnerability in Apache Superset before 0.23 allows remote code execution. An attacker can exploit this vulnerability by sending a malicious pickle file to the server, which can be used to execute arbitrary code. This exploit was originally disclosed to the Apache Superset team in May 2018 and the fix had already been in place, but not backported.
PHP Server Monitor version 3.3.1, and possibly earlier versions, is affected by multiple Cross-Site Request Forgery vulnerabilities; an attacker could remove users, logs, and servers. The attacker can use Google URL Shortener (or a similar service) to shorten the malicious URL and send it to the victim, or use a form with hidden inputs to send it to the victim.
Mozilla Firefox is vulnerable to Denial of Service when it processes chunked data. When the Transfer-Encoding header is used, data is supposed to be sent in chunked form. When all the chunks have been transferred, a zero-length chunk is sent to indicate the end of the stream. However, if data is sent after the zero-length chunk, Firefox is unable to handle it and crashes.
Joomla! Component JE Photo Gallery 1.1 contains a SQL injection vulnerability. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. This can allow the attacker to gain access to the database and execute arbitrary SQL commands.
An information disclosure vulnerability exists in Palo Alto Networks Expedition Migration Tool 1.0.106 and prior versions. An unauthenticated attacker can send a specially crafted request to the vulnerable server to disclose sensitive information from the server.
In the Rockwell Automation Allen-Bradley PowerMonitor 1000 web page, a user can add a new user by accessing /Security/Security.shtm. When a user adds a new user, the new user's account name is included in the POST data. Attackers can inject malicious XSS code into the user-account parameter of the POST data. The user-account parameter is stored in the database, which causes a stored XSS vulnerability.
There is an out-of-bounds vulnerability in Microsoft VBScript. The vulnerability has been confirmed in Internet Explorer on Windows 7 with the latest patches applied. The issue is that the input array can be resized during the rtFilter call (by invoking a default getter on one of the input array members) and rtFilter fails to handle this case correctly. While rtFilter does implement some logic to determine if the input array has been resized, this logic fails to take into account elements of the input array that do not match the input string.
There is a use-after-free vulnerability (possibly two vulnerabilities triggerable by the same PoC) in Microsoft VBScript. The vulnerability has been confirmed in Internet Explorer on Windows 7 with the latest patches applied. The PoC involves creating a Scripting.Dictionary object, setting an item to a new class2 object, and then setting the item to a new value. This triggers a call to OLEAUT32!VariantClear, which can call attacker-controlled VBScript and free the memory holding the Variant. Additionally, VBADictionary::put_Item calls VariantCopy immediately after VariantClear, which can access the freed memory.