AiOPMSD Final 1.0.0 is vulnerable to SQL injection. The vulnerability exists in the 'q' parameter of the search.php and actor.php scripts. An attacker can send a malicious SQL query in the 'q' parameter of either script, and it will be executed by the back-end database server.
A SQL injection vulnerability exists in Simple POS and Inventory 1.0, due to insufficient sanitization of user-supplied input to the 'cat' parameter in the 'plist.php' script. An attacker can leverage this vulnerability to inject and execute arbitrary SQL commands in the application's back-end database, allowing for the manipulation or disclosure of arbitrary data.
ClipBucket 2.8 has a SQL injection vulnerability in the 'id' parameter of the ajax.php file. An attacker can send a specially crafted HTTP request with a malicious 'id' parameter to execute arbitrary SQL commands on the underlying database.
Stored XSS has been discovered in the upload section of ARDAWAN.COM User Management 1.1, as demonstrated by a .jpg filename to the /account URI.
Delta Sql 1.8.2 is vulnerable to arbitrary file upload. An attacker can upload a malicious file to the web server by sending a specially crafted HTTP request. This can be used to execute arbitrary code on the server.
A SQL injection vulnerability exists in Simple Chat System 1.0, which allows an attacker to execute arbitrary SQL commands via the 'id' parameter in a 'chatroom.php' script. An attacker can send a malicious HTTP request to the vulnerable script and execute arbitrary SQL commands in the back-end database, allowing them to access or modify sensitive data.
ProjeQtOr PMT 7.2.5 and lower versions allow uploading arbitrary 'shtml' files, which leads to remote command execution on the remote server. An attacker can create a file with HTML code and save it as .shtml, log in to the ProjeQtOr portal as a privileged user, click the (Image) button on the Content panel, choose the Upload section and browse to the .shtml file, then click 'Send it to Server'. The file is sent to the server, and the attacker can find it by using the formula Y+m+d+H+i+s+_+UserID+_+filename = uploaded file name. The uploaded images are stored under the '/files/images/' folder, and the attacker can verify the exploit by using http://domain/files/image/20181023010230_1_RCE.shtml?ls
BORGChat 1.0.0 build 438 is vulnerable to a denial of service attack. An attacker can send a specially crafted 'DOOM' packet to the target system, causing it to crash. This can be done by using a Python script to send multiple 'DOOM' packets to the target system.
An issue was discovered on D-Link routers: DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware. The administrative password is stored in plaintext in the /tmp/XXX/0 file. An attacker who has a directory traversal (or LFI) vulnerability available can easily get full router access. PoC using the directory traversal vulnerability disclosed above (CVE-2018-10822): `$ curl http://routerip/uir//tmp/XXX/0`. This command returns a binary config file which contains the admin username and password as well as many other router configuration settings. By using the directory traversal vulnerability, it is possible to read the file without authentication.
An issue was discovered on D-Link routers: DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware. An authenticated attacker may execute arbitrary code by injecting a shell command into the Sip parameter of the chkisg.htm page. This allows for full control over the device internals.