The `_refcount` in `struct page` can be overflowed on a machine with ~140GiB of RAM or less on kernels that have commit 5da784cce4308. A FUSE request can contain up to FUSE_DEFAULT_MAX_PAGES_PER_REQ==32 page references, each consuming 16 bytes. To overflow the 32-bit `_refcount` of a page, 64GiB of kernel memory are needed as storage for such references allocated with fuse_req_pages_alloc().
The Siemens R3964 line discipline code in drivers/tty/n_r3964.c has a race condition in its ioctl handler. Specifically, the handler for R3964_ENABLE_SIGNALS allocates and deletes elements in a linked list without proper locking. This vulnerability can be exploited by an unprivileged user if the line discipline is enabled in the kernel config.
DashBoard suffers from an elevation of privilege vulnerability that can be used by any authenticated user, who can replace the executable file with a binary of their choice. The vulnerability exists due to improper permissions: the 'M' flag (Modify) or 'C' flag (Change) is granted to the 'Authenticated Users' group.
This module exploits SQL injection and command injection vulnerabilities in ManageEngine Applications Manager 14 and prior versions. It is completely different from the previous EDB-ID:46725 exploit. The module creates a new admin user via SQL injection (MSSQL/PostgreSQL), which provides an authentication bypass; an unauthenticated user can therefore gain 'system' privileges on the server. It then uploads a malicious file using the app's 'Execute Program Action(s)' feature with the new admin account. Tested: Applications Manager 14 on Linux 64-bit (PostgreSQL); Applications Manager 14 on Windows 10 64-bit (MSSQL); Applications Manager 14 on Windows 10 64-bit (PostgreSQL); Applications Manager 13 on Windows Server 2012 R2 64-bit (MSSQL); Applications Manager 12 on Windows Server 2012 R2 64-bit (PostgreSQL).
The vulnerability allows an attacker to disclose files on the server by exploiting a flaw in the TuMusika Evolution 1.7R5 script. By manipulating the 'uri' parameter in the sc_download.php script, an attacker can traverse the file system and access sensitive files. The exploit example provided demonstrates accessing the /etc/passwd file.
The Widget Connector Macro is part of Atlassian Confluence Server and Data Center; it allows embedding online videos, slideshows, photostreams and more directly into a page. The _template parameter can be used to inject remote Java code into a Velocity template and gain code execution. Authentication is not required to exploit this vulnerability. By default, a Java payload will be used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected. This vulnerability was originally discovered by Daniil Dmitriev.
This module attempts to gain root privileges by exploiting a vulnerability in the `staprun` executable included with SystemTap version 1.3. The `staprun` executable does not clear environment variables prior to executing `modprobe`, allowing an arbitrary configuration file to be specified in the `MODPROBE_OPTIONS` environment variable, resulting in arbitrary command execution with root privileges. This module has been tested successfully on systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and systemtap 1.1-3.el5 on RHEL 5.5 (x64).
This is a shell bind TCP exploit for the Metasploit Framework (MSF) on OSX x86. It is 81 bytes in size and binds to port 5354 before calling exit().
The exploit allows an attacker to traverse through directories and access files outside the intended directory.
asm/labels.c in Netwide Assembler (NASM) is prone to a NULL pointer dereference, which allows an attacker to cause a denial of service via a crafted file.