The exploit allows an attacker to execute arbitrary code remotely on Elasticsearch version 8.5.3 and OpenSearch by sending a crafted payload. This exploit is associated with CVE-2023-31419.
The 'bookid' parameter in Online Nurse Hiring System 1.0 is susceptible to Time-Based SQL Injection, allowing attackers to manipulate the SQL query execution time.
The 'id' parameter in PHP Shopping Cart-4.2 is vulnerable to SQL injection attacks. By submitting a single quote and observing a database error message, an attacker can manipulate the input to steal information from the database. This exploit allows unauthorized access to sensitive data.
The Hitachi NAS (HNAS) System Management Unit (SMU) before version 14.8.7825.01 is affected by an Insecure Direct Object Reference (IDOR) vulnerability. An attacker could exploit this vulnerability to gain unauthorized access to backup and restore functionalities.
Stored Cross-site scripting (XSS) is a severe vulnerability where a malicious script is inserted directly into a vulnerable web application, leading to potential attacks on users. This exploit allows an attacker to inject a malicious script into the 'Name' section of the category in WEBIGniter v28.7.23.
The Employee Management System v1 is vulnerable to SQL injection in the 'email' field of the user login functionality. By injecting malicious SQL code in the email input, an attacker can manipulate the SQL query to bypass authentication and potentially access sensitive information from the database.
An attacker can exploit a vulnerability in Magento version 2.4.6 by injecting malicious XSLT configuration, allowing the execution of arbitrary commands on the server. This can lead to unauthorized access, data theft, and further compromise of the Magento platform. This vulnerability has been assigned CVE-ID: TBD.
In Grocy version 4.0.2, when creating a new user, the request is in JSON format without a CSRF Token or verification method. An attacker can exploit this vulnerability by submitting a crafted HTML form to create a new user if the target is logged in with Create User Permissions.
The Cisco Firepower Management Center (FMC) versions 6.2.3.18, 6.4.0.16, and 6.6.7.1 allow attackers to bypass authentication and gain unauthorized access. This vulnerability is identified as CVE-2023-20048.
User input passed through the 'url' request parameter to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function, allowing remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, potentially leading to code execution.