A severe vulnerability has been found in the directory */wordpress/wp-content/backups-dup-lite/tmp/*. This vulnerability exposes detailed information about the site, including its configuration, directories, files, and grants unauthorized access to sensitive data within the database, posing a risk of brute force attacks on password hashes and potential system compromise.
The exploit allows an attacker to bypass identity verification in VMware Cloud Director version 10.5. By exploiting the vulnerability (CVE-2023-34060), an unauthorized user can gain access to the target device and execute commands remotely.
This exploit allows an attacker to establish a reverse shell connection on systems running OSGi v3.7.2 or earlier versions.
The vulnerability allows an attacker to download arbitrary files from the Hitachi NAS (HNAS) System Management Unit (SMU) due to improper access controls. This vulnerability has been assigned CVE-2023-5808. An exploit script has been created by Arslan Masood (@arszilla) to demonstrate the issue. The affected version is < 14.8.7825.01, and the exploit has been tested on version 13.9.7021.04. By manipulating the JSESSIONID and JSESSIONIDSSO cookies, an attacker can download sensitive files from the system.
The Cisco Firepower Management Center (FMC) versions 6.2.3.18, 6.4.0.16, and 6.6.7.1 are vulnerable to an authentication bypass exploit. An attacker can exploit this vulnerability to bypass authentication and gain unauthorized access to the FMC web services interface, potentially leading to further compromise of the system. This vulnerability has been assigned CVE-2023-20048.
The vulnerability in Sitecore versions 9.0 to 10.3 and 8.2 allows remote code execution, impacting all Experience Platform topologies (XM, XP, XC). An attacker can exploit this vulnerability to retrieve core connection strings. This vulnerability has been assigned CVE-2023-35813.
An exploit for Adobe ColdFusion versions 2018,15 and earlier, and 2021,5 and earlier allows an attacker to read arbitrary files due to improper input validation. This vulnerability is identified as CVE-2023-26360.
Client Details System 1.0 is vulnerable to SQL Injection through the 'uemail' parameter in the '/clientdetails/' endpoint. This exploit allows attackers to compromise the application, access or modify data, and potentially exploit other vulnerabilities in the database.
Windows Defender's mitigation bypass for TrojanWin32Powessere.G allows execution leveraging rundll32.exe. By using multi-commas, the mitigation can be bypassed, enabling successful execution.
The Human Resource Management System version 1.0 is vulnerable to SQL injection via the 'employeeid' parameter. By injecting malicious payloads like 'employeeid=2' AND 9667=9667-- NFMg' or 'employeeid=-4254' UNION ALL SELECT NULL,CONCAT(0x716a767671,0x457977584e79636568687641497a4b6e637668455Z487948534E50737753626F5A4A545244616276,0x7162716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--, an attacker can manipulate the database and retrieve sensitive information.
Services By CQR