
Explore Vulnerabilities


Explore all Exploits:

Joomla! Component Ek Rishta 2.9 – SQL Injection

Joomla! Component Ek Rishta 2.9 is vulnerable to SQL Injection. An attacker can exploit this vulnerability by sending a malicious SQL query to the vulnerable parameter of the application. This can allow the attacker to access or modify the data in the back-end database.

Joomla! Component PrayerCenter 3.0.2 – SQL Injection

Joomla! Component PrayerCenter 3.0.2 contains a SQL injection vulnerability. An attacker can exploit it by sending a specially crafted HTTP request to the vulnerable application. This can allow the attacker to execute arbitrary SQL commands on the underlying database, potentially giving them access to, or the ability to modify, sensitive data.

Joomla! Component CW Tags 2.0.6 – SQL Injection

Joomla! Component CW Tags 2.0.6 is vulnerable to SQL Injection. An attacker can exploit this vulnerability to gain access to sensitive information stored in the database. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'searchtext[]' parameter of the 'index.php' script. An attacker can send a malicious SQL query to the vulnerable parameter to gain access to the database.

Disk Pulse Enterprise v10.4.18 – ‘Import Command’ Buffer Overflow (SEH)

Disk Pulse Enterprise v10.4.18 is vulnerable to a buffer overflow vulnerability in the 'Import Command' feature. An attacker can exploit this vulnerability by sending a specially crafted XML file to the application, which can lead to arbitrary code execution. The vulnerability is caused due to a boundary error when handling the 'name' parameter of the 'classify' tag in the XML file.

Wavpack 5.1.0 – Denial of Service

A denial of service vulnerability exists in Wavpack 5.1.0 when a specially crafted .caf file is processed, which could allow an attacker to cause a denial of service condition. This is due to a memmove_sse2_unaligned_erms() function call in the wvunpack.c file, which can be triggered by a crafted .caf file. This issue is related to CVE-2018-7254.

Use-after-free vulnerability in Internet Explorer

There is a use-after-free vulnerability in Internet Explorer that could potentially be used for memory disclosure. This was tested on IE11 running on Windows 7 64-bit with the latest patches applied. Note that the PoC was tested in a 64-bit tab process via the TabProcGrowth=0 registry flag, and page heap was enabled for iexplore.exe (the PoC is somewhat unreliable, so applying these settings might help with reproducing). The PoC code is provided in the text.

Windows: StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation EoP

The SvcMoveFileInheritSecurity RPC method in StorSvc can be used to move an arbitrary file to an arbitrary location, resulting in elevation of privilege. The main problem occurs if the call to SetNamedSecurityInfo fails: in that case the code tries to move the file back to its original location, but it does not reassert the impersonation. This probably makes sense, because it is possible to have a file or directory which you can open for DELETE but without the rights to create a new file in the same directory; in that case the original move would succeed but the revert would fail. However, there is a TOCTOU issue in that the original path might have been replaced with a mount point, which redirects the revert to a totally arbitrary location while running as SYSTEM. The exploit controls both the name and the contents of the file, so this would be a trivial privilege escalation. It is possible to cause SetNamedSecurityInfo to fail just by adding a Deny ACE to the file for SYSTEM. This will cause the function to get ERROR_ACCESS_DENIED and the revert will take place. By placing an oplock on the original file open we can switch in a mount point and always win the race condition.

uTorrent web

uTorrent web is configured to start up with Windows, so it will always be running and accessible. For authentication, a random token is generated and stored in a configuration file; it must be passed as a URL parameter with all requests. Unfortunately, the authentication secret is stored inside the webroot, so an attacker can simply fetch the secret and gain complete control of the service. Attacking remotely requires some simple DNS rebinding, but once the secret is obtained, the attacker can change the directory torrents are saved to and then download any file to anywhere writable.

Aastra 6755i SIP SP4 | Unauthorized Remote Reboot

A vulnerability in Aastra 6755i SIP SP4 allows an unauthenticated attacker to remotely reboot the device. The vulnerability exists due to the lack of authentication for the /confirm.html page, which allows an attacker to create a crash.cfg file. This file can be used to reboot the device.
