SynaMan 4.0 suffers from cleartext password storage for SMTP settings, which would allow email account compromise. The password for the SMTP email account is stored in plaintext in the AppConfig.xml configuration file. This file can be viewed by any local user of the system.
SynaMan 4.0 suffers from authenticated Cross Site Scripting (XSS). Prerequisites for exploitation include admin access to the SynaMan web console. From Configuration > Advanced Configuration > Partial Branding, if one were to apply the following XSS payload in either of the fields, alert pop-ups containing "xss" would appear on navigation throughout the web app: <script>alert("xss");</script>. While Chrome does block the XSS payload on apply, simply hitting the back button and selecting "Explore" results in the payload being stored.
A directory traversal vulnerability exists in Rubedo CMS 3.4.0 which allows a remote attacker to read the /etc/passwd file on the server by sending a specially crafted request.
The privilege escalation from zygote to init is possible because system/sepolicy/private/zygote.te contains the following rule: allow zygote self:capability sys_admin;. This rule allows processes in the zygote domain to use the CAP_SYS_ADMIN capability if they hold it. The exploit for this issue is in zygote_exec_target.c, starting at 'if (unshare(CLONE_NEWNS))'. The attack is basically:
1. set up a new mount namespace with a root that is fully attacker-controlled;
2. execute crash_dump64, causing an automatic domain transition to the crash_dump domain;
3. the kernel tries to load the linker for crash_dump64 from the attacker-controlled filesystem, resulting in code execution in the context of the zygote.
A local buffer overflow vulnerability exists in InTouch Machine Edition 8.1 SP1 due to improper bounds checking of user-supplied input. An attacker can exploit this vulnerability by running specially crafted Python code, copying its output to the clipboard, and then pasting it into the 'Nombre del Tag' field. This can result in arbitrary code execution.
A buffer overflow vulnerability exists in HTML5 Video Player 1.2.5, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by a boundary error when handling the registration name, and can be exploited to cause a stack-based buffer overflow via an overly long, specially crafted registration name.
Due to improper user input handling and a lack of output encoding, unauthenticated users are able to inject malicious code by making an appointment. The injected code then executes in the admin panel.
Oracle fixed some of the issues reported in VirtualBox during the Oracle Critical Patch Update - April 2018. CVE-2018-2844 was an interesting double fetch vulnerability in the VirtualBox Video Acceleration (VBVA) feature affecting Linux hosts. The VBVA feature works on top of the VirtualBox Host-Guest Shared Memory Interface (HGSMI), a shared memory interface implemented in the Video RAM (VRAM) buffer. The VRAM buffer is at physical address 0xE0000000. The exploit was tested with Ubuntu Server as the guest and Ubuntu Desktop as the host running VirtualBox 5.2.6.r120293. The proof-of-concept exploit code with process continuation and connect-back over the network can be found at virtualbox-cve-2018-2844.
This module exploits a -dSAFER bypass in Ghostscript to execute arbitrary commands by handling a failed restore (grestore) in PostScript to disable LockSafetyParams and avoid an invalidaccess error. This vulnerability is reachable via libraries such as ImageMagick, and this module provides the latest vector for Ghostscript.
This module exploits a remote code execution vulnerability in Apache Struts versions 2.3 through 2.3.4 and 2.5 through 2.5.16. Remote code execution can be performed via an endpoint that makes use of a redirect action.