Unauthenticated users can exploit the Zoo Management System 1.0 by uploading a malicious PHP file instead of an animal picture through the /zoomanagementsystem/admin/public_html/save_animal endpoint without requiring any authentication.
SQL injection allows attackers to gain unauthorized access to sensitive data, manipulate data, and disrupt the application, potentially causing financial losses and harm to a company's reputation. In this exploit, the 'price_min' and 'price_max' parameters in the /academy/tutor/filter path are vulnerable to SQL injection.
The Automatic Systems SOC FL9600 FastLine device with version V06 contains hardcoded login credentials for a super admin account. An attacker can exploit this vulnerability to access sensitive information using the admin login credentials.
Ladder v0.0.21 allows attackers to perform Server-Side Request Forgery (SSRF) attacks by not enforcing sufficient restrictions on destination addresses. This enables attackers to send GET requests to addresses that are typically inaccessible from an external context, potentially allowing access to private address ranges, local services, and cloud instance metadata APIs. This vulnerability has been assigned CVE-2024-27620.
The Akaunting version prior to 3.1.3 is vulnerable to Remote Code Execution. An attacker can exploit this vulnerability to inject and execute arbitrary commands on the target system. This vulnerability is identified as CVE-2024-22836.
The Electrolink FM/DAB/TV Transmitter devices are prone to an authentication bypass vulnerability. This issue allows remote attackers to access the devices without proper authentication, potentially leading to unauthorized control or access to sensitive information. This vulnerability has been assigned CVE-XXXXX.
The exploit allows remote attackers to execute arbitrary code without authentication in WordPress Augmented-Reality plugin. By exploiting this vulnerability, an attacker can upload malicious files and execute commands on the target system.
In 2022, a Proof of Concept (PoC) was released to bypass the detection of Backdoor:JS/Relvelshe.A in Windows Defender, which was later mitigated. However, by adding a simple JavaScript try-catch error statement and evaluating the hex string, the bypass can still be achieved.
The Canto plugin for WordPress versions up to 3.0.4 is vulnerable to Remote File Inclusion (RFI) via the 'wp_abspath' parameter. This allows unauthenticated attackers to execute arbitrary remote code on the server if allow_url_include is enabled.
Services By CQR