In Cacti 1.2.24, under certain conditions, an authenticated privileged user can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server.
This exploit allows an attacker to remotely execute code on the OpenPLC_v3 WebServer. The vulnerability occurs when the web server fails to properly handle user authentication, allowing an attacker to bypass authentication and gain unauthorized access to the server. By exploiting this vulnerability, an attacker can perform various malicious activities, including uploading and executing arbitrary code on the target system.
This exploit allows an attacker to execute arbitrary JavaScript code in the context of a user's browser by injecting a malicious payload into the comment section of a published page in the WordPress Sonaar Music Plugin 4.7. The payload used in this example is <script>alert("XSS")</script>.
The media function in WEBIGniter v28.7.23 is vulnerable to file upload, allowing an attacker to upload and execute PHP files remotely. This can lead to malicious activities on the server.
The controller suffers from an unauthenticated remote denial of service vulnerability. An attacker can issue direct requests to the stm.cgi page to reboot and also reset factory settings on the device.
Media Library Assistant WordPress Plugin in versions < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion, which allows an attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php
SQL injection attacks can allow unauthorized access to sensitive data, modification of data, and crashing of the application or making it unavailable, leading to lost revenue and damage to a company's reputation.
A low-privilege user who holds a role that has the `edit_user` capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
This exploit allows an attacker to send a malicious request to the server, causing it to make arbitrary requests to other internal or external resources without the user's knowledge or consent.
This exploit allows an attacker to upload a malicious file to the BoidCMS version 2.0.0 or below, leading to remote code execution. The vulnerability is identified by CVE-2023-38836.