There is a directory traversal issue in attachment downloads in Gmail. For non-Gmail accounts, there is no path sanitization of the attachment filename in the email, so when attachments are downloaded, a file with any name and any contents can be written anywhere on the filesystem that the Gmail app can access. This bug has limitations: the email address has to be a non-Gmail, non-Gmailified (Hotmail or Yahoo) account, the file cannot overwrite an existing file, and the user has to click to download the attachment.
The vulnerability allows an attacker to inject malicious code by exploiting the 'InlineBuiltInFunction' and 'InlineScriptFunction' methods in the 'Inline::Optimize' function. By manipulating the call expression, an attacker can execute arbitrary code.
The Chakra JIT compilation process stores variables' type information by basic block. However, unlike variables, the type information of constants like numbers and strings is managed globally. This leads to a type confusion vulnerability where constants can be treated as a different type regardless of the control flow. This vulnerability can be exploited through inlined JavaScript functions.
This is a proof-of-concept exploit for a buffer overflow vulnerability in the php_iisfunc.dll extension in PHP versions <= 5.2.0 on the win32 platform. The vulnerability allows an attacker to execute arbitrary code by passing specially crafted string arguments to various functions that convert those strings to Unicode. The specific functions affected are fnStartService, fnGetServiceState, and fnStopService.
Multiple stored XSS vulnerabilities in CommuniGatePro 6.1.16 webmails (crystal, pronto, and pronto4) allow attackers to execute scripts in the victim's browser, gaining control over the victim's mailbox and computer, the ability to send emails on behalf of the victim, the ability to deface the victim's mailbox, and the ability to invoke malicious code when attachments are sent to the victim.
The nt!NtQueryDirectoryFile system call discloses portions of uninitialized pool memory to user-mode clients on Windows 10, due to uninitialized fields in the output structure being copied to the application.
TpwnT is maliciously crafted text that affects the iPhone and other Apple devices by exploiting a vulnerability found in the Core-Text firmware which results in a thread crash or extreme application lag.
The exploit allows an attacker to overwrite the EIP register in the Mercury/32 SMTP Server, leading to remote code execution. It works on versions 3.32 to 4.51.
VX Search v10.2.14 suffers from a local buffer overflow. The following exploit will generate a bind shell on port 1337. I was unable to get a shell working with msfvenom shellcode so below is a custom alphanumeric bind shell.
It is possible to execute arbitrary shell commands on the remote server by exploiting a vulnerability in the Mail package for Zeta Components. The vulnerability exists in the send method of the ezcMailMtaTransport class. By injecting a payload in the mail body and assigning a specific email address, an attacker can pass extra parameters to the sendmail function, allowing the execution of arbitrary commands.