The exploit allows remote attackers to execute arbitrary code on the target system without authentication. By leveraging a vulnerability in Wordpress Augmented-Reality plugin, an attacker can upload and execute malicious PHP code.
In 2022, a proof of concept was released to bypass the Backdoor:JS/Relvelshe.A detection in Windows Defender. Although the initial method was mitigated, a new approach involves adding a simple JavaScript try-catch error statement and evaluating the hex string to execute the bypass successfully.
The Wordpress Canto plugin before 3.0.5 is vulnerable to Remote File Inclusion (RFI) through the 'wp_abspath' parameter, allowing unauthenticated attackers to execute arbitrary remote code on the server if allow_url_include is enabled. The issue arises from the improper handling of the 'wp_abspath' variable in the 'download.php' code.
CVE-2023-46453 is a remote authentication bypass vulnerability in GLiNet routers with firmware versions 4.x and above. The vulnerability allows an attacker to bypass authentication and access the router's web interface by exploiting a lack of proper authentication checks in the /usr/sbin/gl-ngx-session file.
A Cross Site Scripting (XSS) vulnerability in Petrol Pump Management Software v1.0 allows attackers to execute malicious code by inserting a specially crafted payload into the 'Address' parameter in the add_invoices.php component.
An SQL injection vulnerability was found in WP Fastest Cache plugin version 1.2.2. This vulnerability allows an unauthorized attacker to execute SQL queries on the system.
The vulnerability in SISQUALWFM version 7.1.319.103 allows attackers to manipulate webpage links or redirect users to malicious sites by tampering with the host header. This specifically targets the /sisqualIdentityServer/core endpoint.
Electrolink FM/DAB/TV Transmitter devices are prone to a credentials disclosure vulnerability. Attackers can exploit this issue to gain unauthorized access to sensitive information such as login credentials. This vulnerability affects various versions of Electrolink transmitters including Compact DAB Transmitter, Medium DAB Transmitter, High Power DAB Transmitter, Compact FM Transmitter, Modular FM Transmitter, Digital FM Transmitter, VHF TV Transmitter, and UHF TV Transmitter.
The vulnerability in ManageEngine ADManager Plus Build < 7183 allows helpdesk technicians without backup/recovery privileges to view passwords of restored user accounts. This could lead to compromise of user accounts through password spraying attacks in the Active Directory environment. By configuring restore and recycle options in the Recovery Settings, deleted user accounts can be restored with a defined password.
An attacker can store malicious script into the 'Adress', 'Email id', or 'Contact Number' fields in the /admin/update-contactinfo.php page. When a user accesses the http://bbdms.local/inedx.php page, the stored XSS payload gets executed, triggering the XSS attack.
Services By CQR