PCProtect Anti-Virus v4.8.35 installs with weak folder permissions and a service that can be exploited to escalate privileges to NT AUTHORITYSYSTEM.
The EE 4GEE Mini EE40_00_02.00_44 device is vulnerable to privilege escalation. This allows an attacker to gain elevated privileges on the affected system.
An issue was discovered in Rausoft ID.prove 2.95. The login page with a field "Username" is vulnerable to the SQL injection via Microsoft SQL Server stacked queries in the Username POST parameter. Hypothetically, an attacker can utilize master..xp_cmdshell for the further privilege elevation.
This exploit allows for remote blind SQL injection in BBPortalS and BBsProcesS scripts. The vulnerability can be found using the dork "inurl : tnews.php?op". The exploit has been tested on versions 1.5.10, 1.6.2, and 1.5.11. For version 2.0, the field names are 'user' and 'password', but the table name needs to be discovered separately. The exploit uses Perl and the LWP::UserAgent module.
Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.
This exploit takes advantage of the AddAc function to escalate privileges on a Windows system. By exploiting this vulnerability, an attacker can gain elevated privileges and potentially execute malicious code. This exploit has been tested on Windows 7 and Windows 10 systems.
The exploit script creates a file with a large payload and then attempts to open it in the TransMac software. This causes the software to crash, resulting in a denial of service.
On the RICOH MP C406Z printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi.
Multiple remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities in PHP Project Management version 0.8.10 and earlier allow remote attackers to execute arbitrary code or read arbitrary files via a full_path parameter in various modules.
On the RICOH Aficio MP 305+ printer and other affected models, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi.
Services By CQR