The elFinder web file manager version 2.1.53 is vulnerable to remote command execution. By uploading a PHP file containing a system command, an attacker can execute arbitrary commands on the server. This can lead to unauthorized access, data theft, and further exploitation of the target system. This vulnerability is tracked as CVE-2023-XXXX.
CSZ CMS Version 1.3.0 is vulnerable to remote command execution. An attacker can exploit this vulnerability by sending a specially crafted request to the target system, allowing the execution of arbitrary commands. This vulnerability has a CVE ID pending assignment.
The Lot Reservation Management System is a PHP/MySQLi project designed for managing land property reservations. It allows clients to view property information, reserve properties, and provides user-friendly functions. However, the application is vulnerable to an unauthenticated file disclosure exploit.
CVE-2023-46453 is an authentication bypass vulnerability found in GLiNet routers with firmware versions 4.x and above. This vulnerability allows unauthorized users to bypass authentication mechanisms and gain access to the router's web interface. The issue originates from inadequate authentication checks in the /usr/sbin/gl-ngx-session file, where the username is not properly sanitized before being processed by the login_test function in the lua script.
Lot Reservation Management System is a PHP/MySQLi project designed for managing property reservations. The system lacks proper authentication, allowing unauthenticated users to upload malicious files and execute remote code on the server. This could lead to unauthorized access, data breaches, and system compromise.
Multiple SQL injection vulnerabilities were found in Customer Support System 1.0, allowing authenticated attackers to execute arbitrary SQL commands via the parameters department_id, customer_id, and subject. An example payload could be '+(select*from(select(sleep(20)))a)+'
The vulnerability in Atemio AM 520 HD Full HD satellite receiver with firmware <=2.01 allows an unauthorized attacker to execute system commands with elevated privileges. By using the 'getcommand' query, the attacker can achieve root access.
The vulnerability in Windows PowerShell allows the execution of arbitrary code by combining the semicolon ";" and ampersand "&" characters to bypass the single quote limitation in filenames. This can lead to event log failures and code execution. By using specially crafted filenames, an attacker can trigger malicious code execution. This issue affects PowerShell API calls and module commands.
An attacker can send crafted HEX values to the GATT Charactristic handle '0x0012' on the Maxima Max Pro Power watch to perform unauthorized actions like changing Time display format, updating Time, and notifications. The lack of integrity checks allows the attacker to sniff values from one smartwatch and replay them on another, leading to unauthorized actions.
A Cross Site Scripting vulnerability was found in Petrol Pump Management Software v.1.0. This vulnerability allows an attacker to execute malicious code by uploading a specially crafted SVG file to the 'image' parameter in the profile.php component. By exploiting this vulnerability, an attacker can conduct various attacks such as stealing sensitive data, session hijacking, or defacing the website.
Services By CQR