A SQL injection vulnerability exists in Joomla! Component Ek Rishta 2.10, which allows an attacker to inject arbitrary SQL code into queries built by the application. The vulnerability is due to insufficient sanitization of user-supplied input in the 'cid' parameter of the 'user_detail' view. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL code to the vulnerable application. This can result in the execution of arbitrary SQL commands in the back-end database, allowing an attacker to gain access to sensitive data.
The data insert in events_new.php does not use an escape-string function, so an attacker can supply a quote character and inject into the INSERT query. Log in to the admin page, go to events_new.php, add a new title, add some value and press the 'new type' button. Add the payload to the value, example payload = a'), (120, (select version()))-- -, then press the 'new type' button to see the MySQL version.
This bug was found using the portal in the file /pie-register/classes/invitation_code_pagination.php:
if ( isset( $_GET['order'] ) && $_GET['order'] )
    $order = $_GET['order'];
When the query is executed, the "order" parameter is not sanitized; it is only passed through esc_sql(), which escapes quotes for use inside a quoted string literal and does not protect a value placed unquoted in an ORDER BY clause:
$this->order = esc_sql( $order );
The following URLs have been confirmed to suffer from time-based SQL injection:
GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc (original)
GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(2)))a) HTTP/1.1 (2 seconds of response)
GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a) HTTP/1.1 (30 seconds of response)
A SQL injection vulnerability exists in Schools Alert Management Script, which allows an attacker to execute arbitrary SQL commands via the 'xxx' parameter in the 'photo_gallery.php' script. This can be exploited to gain access to the database and potentially gain access to sensitive information.
Splunk through 6.2.3 7.0.1 allows information disclosure by appending /__raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key and other information.
XiongMai uc-httpd 1.0.0 is vulnerable to a buffer overflow attack when a maliciously crafted POST request is sent to the web server. This can be exploited to execute arbitrary code on the vulnerable system.
In the file video_coding/rtp_frame_reference_finder.cc, the function RtpFrameReferenceFinder::ManageFrameVp9 fetches the GofInfo based on a pic_idx parsed from the incoming packet header. If the incoming frame is of type kVideoFrameKey, find is called on the gof_info_ map and the returned iterator is used without checking whether the lookup succeeded, which can cause a pointer to memory outside the gof_info_ map to be passed to FrameReceivedVp9. That function both reads and writes the info structure.
In WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState, is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling 'var state = this.@generatorState' and set by calling 'generator.@generatorState = @GeneratorStateExecuting'. Checking that the @generator property is set is also used in place of type checking the generator. Therefore, if Generator.next is called on an object whose prototype is a Generator, it will pass the type check, and the internal properties of the Generator prototype will be used to resume the generator. However, when @generatorState is assigned, it is set as an own property on the object, not on the prototype. This allows the creation of non-Generator objects with @generatorState set to completed. It is then possible to bypass the recursion check by setting the prototype of one of these objects to a Generator, as the check will then read the object's own @generatorState property, while the other internal properties come from the prototype. Generators are not intended to allow recursion, so a reference to the scope is not maintained, leading to a use-after-free.
When v8 decodes the locals of a function, it performs a check to ensure that the number of function locals is not too large. On a 32-bit platform, this check can be bypassed due to an integer overflow, which can lead to memory corruption when the locals are allocated. A PoC is attached.
When a source buffer is compiled, it is first copied into a read-only buffer by the function getWasmBufferFromValue. This function returns the code buffer as follows: return arrayBufferView ? static_cast<uint8_t*>(arrayBufferView->vector()) : static_cast<uint8_t*>(arrayBuffer->impl()->data()). If the source buffer is a view (DataView or TypedArray), arrayBufferView->vector() is returned. The vector() method returns the start of the data in the buffer, with any view offset already applied. However, the function createSourceBufferFromValue copies the output of this function as follows: memcpy(result.data(), data + byteOffset, byteSize). This means that if the buffer is a view, the offset is added to the buffer start twice before it is copied. This could allow memory beyond the heap allocation to be read out of the source buffer, either through parsing exceptions or through data sections when they are copied.