CAMALEON CMS version 2.4 is vulnerable to stored cross-site scripting. An attacker can send a malicious POST request with a specially crafted filename containing an XSS payload. This payload will be stored in the application and will be triggered when the file is accessed.
Script to read and write PLC tags via a Webvisit HMI page (even in case of a password protection). Steps: Get Project Name: http://<ip>/, Get list of tags: http://<ip>/<projectname>.tcr, Get current values of tags: http://<ip>/cgi-bin/ILRReadValues.exe, Set new tag values: http://<ip>/cgi-bin/writeVal.exe?<tag>+<value> (urlencode!)
LUYA CMS version 1.0.12 is vulnerable to stored cross-site scripting. An attacker can send a malicious POST request to the '/admin/api-cms-nav/create-page' endpoint with a crafted payload in the 'title', 'description', and 'keywords' parameters to execute arbitrary JavaScript code in the victim's browser.
HaPe PKH 1.1 is vulnerable to SQL injection in the 'id' parameter of the 'lap-anggota-kelompok-pdf.php', 'lap-peserta-perdesa-pdf.php', 'media.php?module=desa&act=hapus&id' and 'media.php?module=pengurus&act=print&id' and 'media.php?module=pengurus&act=editpengurus&id' scripts. An attacker can inject arbitrary SQL commands to gain access to the database and execute malicious code.
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XMLA files. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process.
This script will perform retrieval of clear text credentials for a Phoenix Contact PLC with a WebVisit GUI, password protected, application on it. Tested on the Phoenix Contact ILC-390 PLC, but others are surely equally vulnerable with WebVisit 6.40.00, the passwords are SHA256 hashes, which also will be retrieved.
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft SQL Server Management Studio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XEL files. Due to the improper restriction of XML External Entity (XXE) references, a specially crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the current process.
The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php doesn't require any validation to upload files to the server. It also doesn't exclude file types. This allows for remote code execution.
A SQL injection vulnerability exists in E-Registrasi Pencak Silat 18.10, which allows an attacker to execute arbitrary SQL commands via the 'id_partai' parameter in the 'monitor_nilai.php' script.
WAGO 750-881 Ethernet Controller devices, versions 01.09.18(13) and before, have XSS in the SNMP configuration via the webserv/cplcfg/snmp.ssi SNMP_DESC or SNMP_LOC_SNMP_CONT field. The exploit string is "<svg/onload=alert(1)>" and the http-post-data is SNMP_DESC=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E&SNMP_LOC%22%3E%3Csvg%2Fonload%3Dalert%282%29%3E&SNMP_CONT=%22%3E%3Csvg%2Fonload%3Dalert%283%29%3E&SNMP_V1V2_ENABLE=SNMP_V1V2_ENABLE&SNMP1_LCOM_NAME=public&SNMP_TR_V1V2_1_IP=0.0.0.0&SNMP1_COM_NAME=public&SNMP_V1V2_TR1_VERSION=SNMP_V1V2_TR1_VERSION1&SNMP_TR_V1V2_2_IP=0.0.0.0&SNMP2_COM_NAME=public&SNMP_V1V2_TR2_VERSION=SNMP_V1V2_TR2_VERSION1&SUBMIT=SUBMIT
Services By CQR