The kk Star Ratings plugin before version 5.4.6 for WordPress allows attackers to tamper with ratings via a race condition. By intercepting the rating submission request using tools like Burp and Turbo Intruder, an attacker can manipulate the connection header and send multiple requests simultaneously to alter the total rates displayed on the page.
The Solar-Log 200 PM+ 3.6.0 Build 99 web panel is vulnerable to a stored cross-site scripting (XSS) attack. By modifying the name field in the Smart Energy configuration and inserting malicious script code like <xss onmouseenter="alert(document.cookie)" style=display:block>test</xss>, an attacker can trigger the execution of arbitrary scripts in the context of the victim's session. This could potentially lead to the theft of sensitive information such as cookies when a privileged user interacts with the manipulated element.
The TEM Opera Plus FM Family Transmitter 35.45 allows unauthorized access to an endpoint enabling the upload of binary images to the MPFS File System without authentication. By leveraging this flaw, an attacker can overwrite the flash program memory hosting the web server's main interfaces and run arbitrary code.
The vulnerability in Moodle version 4.3 allows an attacker to access user details, email addresses, country, city/town, city, and timezone by manipulating the 'id' parameter in URLs like profile.php and user.php. By changing the 'id' value to another number, the attacker can view sensitive information of other users.
The vulnerability impacts all Sitecore Experience Platform topologies (XM, XP, XC) from version 9.0 to 10.3 Initial Release, including version 8.2. An attacker can execute arbitrary code by sending a crafted payload to the sitecore_xaml.ashx endpoint. This vulnerability is identified as CVE-2023-35813.
The exploit allows an attacker to read arbitrary files on a target system. The vulnerability affects Adobe ColdFusion versions 2018,15 and earlier, as well as 2021,5 and earlier. By exploiting this vulnerability, an attacker can gain unauthorized access to sensitive files on the target system. This exploit is identified by CVE-2023-26360.
A SQL Injection vulnerability was discovered in Petrol Pump Management Software v.1.0. This vulnerability allows an attacker to execute arbitrary code by injecting a malicious payload into the email address parameter within the index.php component.
The FAQ Management System v1.0 is vulnerable to SQL injection due to unsanitized user input ($_GET['faq']) being directly used in SQL queries. An attacker can manipulate the 'faq' parameter to inject malicious SQL code, potentially leading to unauthorized database operations.
The exploit involves running a Python script that creates a malicious file 'xampp-control.ini' which triggers a buffer overflow in XAMPP v3.3.0 when the application 'xampp-control.exe' is opened. By clicking on the 'admin' button for the Apache service, the exploit can be triggered, leading to potential code execution.
The Electrolink FM/DAB/TV Transmitter devices are vulnerable to an authentication bypass issue. Attackers can exploit this vulnerability to bypass authentication mechanisms and gain unauthorized access to the affected devices. This could lead to potential unauthorized configuration changes or disruptions in broadcasting services. This vulnerability has been identified in various versions of the Electrolink transmitters, including Compact DAB Transmitters, Medium DAB Transmitters, High Power DAB Transmitters, Compact FM Transmitters, Modular FM Transmitters, Digital FM Transmitters, VHF TV Transmitters, and UHF TV Transmitters.
Services By CQR