The configuration page in version 7.1.9 and below allows testing a system command, which can be abused to run arbitrary code as an unprivileged user.
The vulnerability is triggered when an authenticated user with sufficient permissions creates a script whose 'Script Name' and 'Script Text' fields are not sufficiently sanitized. This can be used to infect other hosts on the network.
The Roxy File Manager has a configuration setting named FORBIDDEN_UPLOADS, which keeps a list of forbidden file extensions that the application will not allow to be uploaded. This configuration setting is also checked when renaming an existing file to a new file extension. It is possible to bypass this check and rename already uploaded files to any extension, using the move function as this function does not perform any checks.
The ATCOM PBX system is affected by an authentication bypass vulnerability that allows an attacker to gain admin access without prior authentication. The vulnerability exists in the 'js/util.js' file, where the security check relies on the presence of a 'username' value in the cookies. If the value is not present, the user is redirected to the login page. By manipulating the cookies and setting 'username=admin', an attacker can bypass the authentication and gain admin access.
This exploit allows an attacker to execute arbitrary code on a target system running Apache with mod_rewrite. It creates a bind shell on port 4445. The exploit has been tested on Apache 2.0.58 with mod_rewrite on Windows 2003. The original exploit had a callback on 192.168.0.1 and was buggy, so the shellcode was rewritten using metasploit.
This module exploits a vulnerability in Bomgar Remote Support, which deserializes user-provided data using PHP's `unserialize` method. By providing a specially crafted PHP serialized object, it is possible to write arbitrary data to arbitrary files. This effectively allows the execution of arbitrary PHP code in the context of the Bomgar Remote Support system user. To exploit the vulnerability, a valid Logging Session ID (LSID) is required. It consists of four key-value pairs (i.e., 'h=[...];l=[...];m=[...];t=[...]'). Versions before 15.1.1 are reported to be vulnerable.
There are multiple SQL injection vulnerabilities in this product. The exploit uses the SQL injection vulnerability in the last step of the password recovery process and forces the application to reset the password and show the username, without requiring authentication or executing the first step. The vulnerability allows the recovery of both the admin and operator accounts.
This exploit allows an attacker to include remote files in the vulnerable application, which can lead to remote code execution.
A ToLower() filter is applied to supplied arguments, e.g. 'A' (x41) becomes 'a' (x61), etc.; it may be possible to subvert this using an encoder technique like 'ALPHA3'. Also, we need to supply a second argument of just 4 bytes to trigger the access violation.
This exploit allows an authenticated user to overwrite wp_options in WordPress Social Stream plugin. It requires access to the wp-login.php file.