This exploit targets a local SEH (Structured Exception Handling) overflow vulnerability in Lavavo CD Ripper version 4.20. By providing a specially crafted 'License Activation Name' value, an attacker can trigger a buffer overflow and execute arbitrary code. This exploit creates a bind shell on port 3110.
NoAh version 0.9 pre 1.2 is vulnerable to remote file disclosure. Scripts in the NoAh system module templates read a file named by the 'filepath' URL parameter without restricting it to the intended directory, so an attacker can supply a traversal sequence in that parameter, reach files outside that directory and retrieve sensitive content such as '/etc/passwd'.
This vulnerability exists in how the V8 JavaScript engine handles the length of a FixedDoubleArray. Passing a sufficiently large length to the NewFixedDoubleArray function makes the size computation overflow, which can at least cause a denial of service and potentially lead to remote code execution.
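The class of bug described above is an allocation-size computation that wraps when the element count is large. The following C example, added here and not taken from V8 or from the original advisory, uses a constructed object layout (16-byte header, 8-byte elements, an assumed 1 GiB allocation ceiling) to show the unchecked 32-bit arithmetic next to the widened, bounded form that rejects such lengths:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed layout for illustration only, not V8's real object layout:
 * a fixed header followed by `length` 8-byte doubles. */
#define HEADER_BYTES    16u
#define ELEMENT_BYTES   8u
/* Largest single array the allocator is willing to hand out (assumed). */
#define MAX_ARRAY_BYTES (1u << 30)

/* Vulnerable pattern: the byte size is computed in 32 bits. Once
 * length * 8 reaches 2^32 the product wraps, so a request for billions
 * of elements produces a tiny allocation that still records the huge
 * length, and every later bounds check trusts that length. */
uint32_t size_unchecked(uint32_t length)
{
    return HEADER_BYTES + length * ELEMENT_BYTES;
}

/* Hardened pattern: widen before multiplying and reject anything above
 * the allocator's ceiling. Returns the byte size, or 0 (never a valid
 * size, since the header alone is 16 bytes) when the length is rejected. */
size_t size_checked(uint32_t length)
{
    uint64_t bytes = (uint64_t)length * ELEMENT_BYTES + HEADER_BYTES;
    if (bytes > MAX_ARRAY_BYTES)
        return 0;
    return (size_t)bytes;
}

/* Allocation only ever goes through the checked path. */
void *alloc_double_array(uint32_t length)
{
    size_t bytes = size_checked(length);
    if (bytes == 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    uint32_t evil = 0x20000000u;   /* 2^29 elements: 2^29 * 8 == 2^32 */
    printf("unchecked size for 0x%x elements: %u bytes\n",
           evil, size_unchecked(evil));
    printf("checked size for the same length: %zu (0 = rejected)\n",
           size_checked(evil));
    void *p = alloc_double_array(1000);
    printf("1000 elements -> %zu bytes, allocation %s\n",
           size_checked(1000), p ? "succeeded" : "failed");
    free(p);
    return 0;
}
```

The unchecked path returns 16 bytes for 2^29 elements and 8 bytes for 2^29-1, so the object header would be followed by almost no storage while its recorded length says otherwise; the checked path refuses both. Keeping the ceiling well below SIZE_MAX also matters on 64-bit builds, where the multiplication alone would not wrap but the resulting allocation could still exhaust memory.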
The hardened VirtualBox process on a Windows host does not secure its COM interface, leading to arbitrary code injection and elevation of privilege (EoP).
The `_refcount` in `struct page` can be overflowed on a machine with ~140GiB of RAM (or less on kernels that include commit 5da784cce4308). A FUSE request can contain up to FUSE_DEFAULT_MAX_PAGES_PER_REQ==32 page references, each consuming 16 bytes of storage. Wrapping the 32-bit `_refcount` of a single page therefore takes 2^32 references to it, i.e. 64GiB of kernel memory holding such references, allocated with fuse_req_pages_alloc().
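To make the figures above concrete and show why a wrapped reference count is dangerous, here is a C illustration added for this entry; it is not code from the kernel or from the original report. The first three functions carry the advisory's numbers (32 references per request, 16 bytes each, a 32-bit counter) through to the memory cost. The simulated pages are constructed: a plain wrapping counter stands in for the vulnerable behaviour, and a saturating counter, written in the spirit of a refcount_t-style mitigation (the kernel's page refcount is not implemented this way), shows the alternative outcome.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Figures stated in the advisory. */
#define PAGES_PER_REQ  32u      /* FUSE_DEFAULT_MAX_PAGES_PER_REQ */
#define BYTES_PER_REF  16u      /* storage per page reference in a request */
#define REFCOUNT_BITS  32u      /* width of struct page's _refcount */

/* References needed to carry a 32-bit counter back through zero. */
uint64_t refs_to_wrap(void)
{
    return 1ull << REFCOUNT_BITS;
}

/* Kernel memory those references occupy: 2^32 * 16 bytes = 64 GiB. */
uint64_t bytes_to_wrap(void)
{
    return refs_to_wrap() * BYTES_PER_REF;
}

/* Requests needed if every page slot of every request points at one page. */
uint64_t requests_to_wrap(void)
{
    return refs_to_wrap() / PAGES_PER_REQ;
}

/* --- Why the wrap matters: simulated page with a plain wrapping counter --- */
struct page_plain { uint32_t refcount; bool freed; };

void get_page_plain(struct page_plain *p) { p->refcount++; }

void put_page_plain(struct page_plain *p)
{
    if (--p->refcount == 0)
        p->freed = true;               /* "last" reference gone: release page */
}

/* Start just below the ceiling instead of looping 2^32 times; the modular
 * arithmetic is identical. Three extra gets take the counter through 0 to 1,
 * so a single ordinary put then frees a page that ~2^32 holders still use. */
bool plain_counter_frees_live_page(void)
{
    struct page_plain p = { UINT32_MAX - 1, false };
    get_page_plain(&p);                /* UINT32_MAX */
    get_page_plain(&p);                /* wraps to 0 */
    get_page_plain(&p);                /* 1 */
    put_page_plain(&p);                /* 0 -> freed while still referenced */
    return p.freed;
}

/* --- Mitigation in the style of a saturating refcount (illustration only) --- */
#define REFCOUNT_CEILING 0xC0000000u
struct page_sat { uint32_t refcount; bool freed; bool saturated; };

void get_page_sat(struct page_sat *p)
{
    if (p->refcount >= REFCOUNT_CEILING) { p->saturated = true; return; }
    p->refcount++;
}

void put_page_sat(struct page_sat *p)
{
    if (p->refcount >= REFCOUNT_CEILING)
        return;                        /* saturated objects are never released */
    if (--p->refcount == 0)
        p->freed = true;
}

/* Same pressure against the saturating counter: it pins at the ceiling and
 * the page leaks rather than being freed out from under its users. */
bool saturating_counter_keeps_page(void)
{
    struct page_sat p = { REFCOUNT_CEILING - 1, false, false };
    get_page_sat(&p);                  /* reaches ceiling */
    get_page_sat(&p);                  /* pinned, flagged */
    put_page_sat(&p);                  /* ignored */
    return p.saturated && !p.freed;
}

int main(void)
{
    printf("references to wrap: %llu\n", (unsigned long long)refs_to_wrap());
    printf("bytes pinned:       %llu (%llu GiB)\n",
           (unsigned long long)bytes_to_wrap(),
           (unsigned long long)(bytes_to_wrap() >> 30));
    printf("requests needed:    %llu\n", (unsigned long long)requests_to_wrap());
    printf("plain counter frees live page: %d\n", plain_counter_frees_live_page());
    printf("saturating counter keeps page: %d\n", saturating_counter_keeps_page());
    return 0;
}
```

The 64GiB figure is only the storage for the references themselves; the ~140GiB quoted in the advisory for unpatched kernels reflects the rest of the per-request overhead, which this example does not model. The trade-off the saturating variant makes is explicit: a leak of one page is preferred to a use-after-free of it.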
The Siemens R3964 line discipline code in drivers/tty/n_r3964.c has a race condition in its ioctl handler. Specifically, the handler for R3964_ENABLE_SIGNALS allocates and deletes elements in a linked list without proper locking. This vulnerability can be exploited by an unprivileged user if the line discipline is enabled in the kernel config.
DashBoard suffers from an elevation of privilege vulnerability: any authenticated user can replace the application's executable file with a binary of their choice. The vulnerability exists because of improper file permissions, which grant the 'Authenticated Users' group the 'M' (Modify) or 'C' (Change) right on the executable.
This module exploits an SQL injection and a command injection vulnerability in ManageEngine Applications Manager 14 and prior versions. It is completely different from the previous EDB-ID:46725 exploit. The module uses the SQL injection (MSSQL or PostgreSQL back end) to create a new admin user, which bypasses authentication, so an unauthenticated user can obtain 'system' privileges on the server. It then uploads a malicious file through the application's 'Execute Program Action(s)' feature using the new admin account. Tested on: Applications Manager 14 on Linux 64-bit (PostgreSQL); Applications Manager 14 on Windows 10 64-bit (MSSQL); Applications Manager 14 on Windows 10 64-bit (PostgreSQL); Applications Manager 13 on Windows Server 2012 R2 64-bit (MSSQL); Applications Manager 12 on Windows Server 2012 R2 64-bit (PostgreSQL).
This vulnerability allows an attacker to disclose files on the server through a flaw in TuMusika Evolution 1.7R5. The sc_download.php script uses the 'uri' parameter as a file path without restricting it, so an attacker can supply a traversal sequence, walk the file system and read sensitive files. The provided exploit example retrieves /etc/passwd.
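Both this entry and the NoAh entry above are the same defect: a request parameter is appended to a base directory and passed to the filesystem, which resolves the ".." components. The C example below is added here as an illustration and is not code from either product or from the original advisories; it assumes a document root of /var/www/files and uses constructed request values. It shows the unchecked join beside a lexical resolver that walks the components on a stack and rejects any request that would climb above the base:

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Document root the handler is meant to serve from (assumed path). */
#define BASE_DIR "/var/www/files"

/* Vulnerable pattern: the request parameter is glued onto the base directory
 * and handed to the filesystem, which happily resolves the "..". */
const char *join_unchecked(const char *user_path)
{
    static char out[1024];
    snprintf(out, sizeof out, "%s/%s", BASE_DIR, user_path);
    return out;
}

/* Hardened pattern: resolve the request lexically, component by component,
 * and refuse any ".." that would climb above the base. Writes the safe
 * absolute path to `out` and returns true, or returns false to reject.
 * Lexical only: symlinks inside the base need a separate realpath() check. */
bool resolve_under_base(const char *base, const char *user_path,
                        char *out, size_t outlen)
{
    char buf[1024];
    if (strlen(user_path) >= sizeof buf)
        return false;
    strcpy(buf, user_path);

    const char *parts[128];            /* accepted components, as a stack */
    size_t depth = 0;

    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;                  /* "./" is a no-op */
        if (strcmp(tok, "..") == 0) {
            if (depth == 0)
                return false;          /* would escape the base: reject, do not clamp */
            depth--;
            continue;
        }
        if (depth == sizeof parts / sizeof parts[0])
            return false;
        parts[depth++] = tok;
    }

    size_t used = strlen(base);
    if (used >= outlen)
        return false;
    memcpy(out, base, used + 1);
    for (size_t i = 0; i < depth; i++) {
        size_t n = strlen(parts[i]);
        if (used + 1 + n >= outlen)
            return false;
        out[used++] = '/';
        memcpy(out + used, parts[i], n + 1);
        used += n;
    }
    return true;
}

/* Convenience wrapper bound to BASE_DIR: the safe path, or NULL when rejected. */
const char *resolve_or_reject(const char *user_path)
{
    static char out[2048];
    return resolve_under_base(BASE_DIR, user_path, out, sizeof out) ? out : NULL;
}

int main(void)
{
    /* Constructed request values: a traversal attempt and a legitimate one. */
    const char *attack = "../../../etc/passwd";
    const char *benign = "music/../track.mp3";
    const char *r;
    printf("unchecked: %s\n", join_unchecked(attack));
    r = resolve_or_reject(attack);
    printf("checked:   %s\n", r ? r : "rejected");
    r = resolve_or_reject(benign);
    printf("checked:   %s\n", r ? r : "rejected");
    return 0;
}
```

Two caveats apply in a web handler. The parameter must be percent-decoded exactly once before this check, otherwise "%2e%2e" slips past the string comparison and is decoded later; and an embedded NUL in the decoded value must be rejected outright, since C string functions would silently truncate at it. An absolute request such as "/etc/passwd" is treated as relative and lands inside the base, which is the intended behaviour; a ".." at depth zero is rejected rather than clamped so the attempt can be logged.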
The Widget Connector Macro is part of Atlassian Confluence Server and Data Center and allows embedding online videos, slideshows, photostreams and more directly into a page. Its _template parameter can be abused to load a remote Velocity template containing attacker-supplied Java code, resulting in code execution. No authentication is required to exploit this vulnerability. By default a Java payload is used because it is cross-platform, but a native payload (Linux or Windows) can also be specified. Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected. This vulnerability was originally discovered by Daniil Dmitriev.