This exploit allows an attacker to execute arbitrary operating system commands on the target system. By sending a specially crafted HTTP request to the vulnerable CGI script, the attacker can inject malicious commands into the command parameter, which will be executed by the server. This can lead to unauthorized access, data leakage, and potential remote code execution.
This exploit allows an attacker to delete arbitrary files on the target system. By sending a specially crafted DELETE request, the attacker can specify the file to be deleted. This vulnerability can be exploited without authentication.
College Management System 1.0 allows SQL Injection via parameter 'course_code' in /College-Management-System/admin/asign-single-student-subjects.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Because of WebDAV (Web Distributed Authoring and Versioning) on the remote server, Telesquare TLR-2021 allows unauthorized users to upload any file (e.g. asp, aspx, cfm, html, jhtml, jsp, shtml), which also results in remote code execution. Because of WebDAV, arbitrary files can be uploaded using the PUT method.
In all versions below 2.1.8 of the Joomla plugin SexyPolling, an unauthenticated attacker can execute arbitrary SQL commands by sending crafted POST parameters to poll.php.
A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 (and related products from the same vendor, like "MyProjects") allows an attacker to execute arbitrary web scripts or HTML. Persistent JavaScript code injected inside the title description (or content) while creating a project, todo, timecard, estimate, report or finding is triggered once the page gets loaded.
The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.
The latest version of Wondershare Dr. Fone as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to ElevationService.exe and execute arbitrary code with SYSTEM privileges, without any validation.
Cyclos 4 PRO 4.14.7 and earlier does not validate user input at error inform, which allows a remote unauthenticated attacker to execute JavaScript code via an undefined enum.
Prime95 Version 30.7 build 9 Buffer Overflow RCE. The exploit allows an attacker to execute code remotely.