A Cross-Site Scripting (XSS) vulnerability was discovered in the D-Link Dir-600M N150 router. An attacker can inject malicious JavaScript code into the 'Hostname' and 'Username' fields of the Dynamic DNS page, which will be executed when the page is loaded by an authenticated user.
A directory traversal vulnerability exists in WirelessHART Fieldgate SWG70 3.0. An attacker can send a specially crafted HTTP POST request to the vulnerable server to traverse the directory and read arbitrary files on the server.
This exploit lets you read almost any file on a vulnerable server via XXE vulnerability. There are two types of payload this exploit is able to use, 'SIMPLE' & 'ADVANCED'. 'SIMPLE' payload will work in most cases and will be used by default, if server errors out, use 'ADVANCED' payload. 'ADVANCED' payload will start local web server and serve malicious XML which will be parsed by a target server. To successfully perform attack with 'ADVANCED' payload, make sure that port you listen on (--lport flag) is accessible out of the network.
Jorani Leave Management System 0.6.5 and possibly before are affected by SQL Injection in startdate and enddate parameters through POST request in '/leaves/validate' resource. This allows a user of the application without permissions to read and modify sensitive information from the database used by the application.
Language parameter is vulnerable to Persistent Cross-Site Scripting (XSS) attacks through a GET request in which the values are stored in the user session.
NovaPACS suffers from an unauthenticated XML External Entity (XXE) injection vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data from the affected node via out-of-band (OOB) channel attack. The vulnerability is triggered when importing XML format preferences within the settings submenu.
Tenda D152 ADSL Router is vulnerable to Cross-Site Scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code into the SSID field of the router's web interface. When a user visits the router's web interface, the malicious code will be executed in the user's browser, allowing the attacker to gain access to the user's session.
Microsoft people desktop application is a contact management app and address book included in Microsoft's Windows 8 and 10. It allows a user to organize and link contacts from different email accounts with a unique graphical interface. An attacker can create a malicious file containing a large number of characters and paste it into the name field of the application, causing the application to crash.
A vulnerability in FUJI XEROX DocuCentre-V 3065 Printer allows an attacker to write files to the printer. This is achieved by bypassing the pin and setting the CPLOCK and DISKLOCK to OFF. The attacker can then use the FSDOWNLOAD and FSUPLOAD commands to write files to the printer.
The vulnerability allows an attacker to inject sql commands on 'columns[0][search][value]' parameters in the management panel of Simple POS 4.0.24.
Services By CQR