CVE-2019-11892 Improper access control in the JSON-RPC interface of the Bosch Smart Home Controller (SHC)
A potential improper access control vulnerability exists in the JSON-RPC interface of the Bosch Smart Home Controller SHC before 9.8.905 that may result in reading or modification of the SHC's configuration or triggering and restoring backups. In order to exploit the vulnerability, the adversary...
CVE-2019-11892
The CVE-2019-11892 issue affects the Bosch Smart Home Controller (SHC) JSON-RPC interface. Affected component: SHC’s JSON-RPC layer. Root cause: improper access control could allow reading or modification of SHC configuration and could trigger and restore backups. Exploitation requirements: an at...
CVE-2018-20487
An issue was discovered in the firewall3 component in Inteno IOPSYS 1.0 through 3.16. The attacker must make a JSON-RPC method call to add a firewall rule as an "include" and point the "path" argument to a malicious script or binary. This gets executed as root when the firewall changes are...
CVE-2018-20487
This CVE affects the firewall3 component of Inteno IOPSYS 1.0–3.16. A JSON-RPC call to add a firewall rule as an “include” can point the path to a malicious script/binary, which is executed as root when changes are committed. Affected software: Inteno IOPSYS firewall3. Root-level impact: arbitrar...
CVE-2018-15490
An issue was discovered in ExpressVPN on Windows. The Xvpnd.exe process which runs as a service with SYSTEM privileges listens on TCP port 2015, which is used as an RPC interface for communication with the client side of the ExpressVPN application. A JSON-RPC protocol over HTTP is used for...
CVE-2018-15490
ExpressVPN for Windows contains a path traversal vulnerability in the JSON-RPC methods XVPN.GetPreference and XVPN.SetPreference within the Xvpnd.exe service (running with SYSTEM privileges). The Xvpnd RPC interface listens on TCP port 2015 and communicates over HTTP, allowing a local attacker to...
Neto - A Tool To Analyse Browser Extensions
Project Neto is a Python 3 package conceived to analyse and unravel hidden features of browser plugins and extensions for well-known browsers such as Firefox and Chrome. It automates the process of unzipping the packaged files to extract these features from relevant resources in an extension like...
Hackers Stole Over $20 Million in Ethereum from Insecurely Configured Clients
Security researchers have been warning about cybercriminals who have made over 20 million dollars in just the past few months by hijacking insecurely configured Ethereum nodes exposed on the Internet. Qihoo 360 Netlab in March tweeted about a group of cybercriminals who were scanning the Internet for...
Quest NetVault Backup NVBUBackup Count Method SQL Injection (CVE-2017-17652)
An SQL injection vulnerability exists in the Server Process Manager Service of Quest NetVault Backup. The vulnerability is due to improper validation of user-supplied input on JSON-RPC requests invoking the Count method of the NVBUBackup class...
Quest NetVault Backup NVBUEventHistory Get Method SQL Injection (CVE-2017-17412)
An SQL injection vulnerability exists in the Server Process Manager Service of Quest NetVault Backup. The vulnerability is due to improper validation of user-supplied input on JSON-RPC requests invoking the Get method of the NVBUEventHistory class...
Rootstock Labs: JSON RPC methods for debugging enabled by default allow DoS
A vulnerability was discovered in the RSK JSON-RPC server that allowed an attacker to cause a denial of service (DoS) by sending the evmreset command. The server would hang, become slow, and eventually become synced to block 0, resulting in a loss of service and responsiveness to all users...
uTorrent Users Warned of Remote Code Execution Vulnerability
Google Project Zero researchers are warning of two critical remote code execution vulnerabilities in popular versions of BitTorrent’s web-based uTorrent Web client and its uTorrent Classic desktop client. According to researchers, the flaws allow a hacker to either plant malware on a user’s...
μTorrent (uTorrent) Classic/Web - JSON-RPC Remote Code Execution / Information Disclosure
By default, uTorrent creates an HTTP RPC server on port 10000 (uTorrent Classic) or 19575 (uTorrent Web). There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest. To be clear, visiting any website is enough to compromise these applications. uTorrent...
utorrent - JSON-RPC Remote Code Execution / Information Disclosure Vulnerabilities
Exploit for multiple platforms in category remote exploits. By default, uTorrent creates an HTTP RPC server on port 10000 (uTorrent Classic) or 19575 (uTorrent Web). There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest. To be clear, visiting any...