CVE-2021-3616
CVE-2021-3616 affects Lenovo Smart Camera X3, X5, and C2E. The entry describes an unauthorized user able to view device information and alter firmware content and device configuration. The provided materials do not specify root cause details beyond the high/critical risk ratings and do not includ...
Fileviewer <= 2.2 - Arbitrary File Upload/Deletion via CSRF
The plugin does not have CSRF checks in place when performing actions such as uploading and deleting files. As a result, attackers could make a logged-in administrator delete and upload arbitrary files via a CSRF attack. To delete /phpinfo.php:...
Shopp eCommerce <= 1.4 - Unauthenticated Arbitrary File Upload
The shoppuploadfile AJAX action of the plugin, available to both unauthenticated and authenticated users, does not have any security measure in place to prevent the upload of malicious files, such as PHP, allowing unauthenticated users to upload arbitrary files and leading to RCE...
Exploit for Improper Restriction of XML External Entity Reference in Apache Solr
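Note: do not use this tool to carry out illegal attacks against unauthorized websites. The user bears any resulting legal consequences!!! Upcoming software updates: the next version will add weblogic vulnerabilities and new spring data and Spring Cloud vulnerabilities, stay tuned!!!! AttackWebFrameworkTools 1.0 2021-03-06 AttackWebFrameworkTools For RedTeam Update status log: 2021-03-28 Added CNVD-2021-10543 MessageSolution information disclosure vulnerability, added Apache OFBiz...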
Simple eCommerce <= 2.2.5 - Arbitrary File Upload
The plugin does not check the uploaded Downloadable Digital product file, allowing any file, such as PHP, to be uploaded by an administrator. Furthermore, as there is no CSRF check in place, attackers could also make a logged-in admin upload a malicious PHP file, which would lead to RCE...
Email Artillery <= 4.1 - Arbitrary File Upload
The plugin does not properly check the files uploaded through the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin also lacks any CSRF check, allowing the issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess, denyin...
Smash Balloon Social Post Feed < 2.19.2 - Unauthenticated Stored XSS
The plugin does not sanitise or escape the feedID POST parameter in its feedlocator AJAX action available to both authenticated and unauthenticated users before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will ...
Language Bar Flags <= 1.0.8 - CSRF to Stored XSS
The plugin does not have any CSRF check in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged-in admin change the settings and set Cross-Site Scripting payloads in them, which will be executed in t...
Email Artillery <= 4.1 - CSRF to Stored XSS
The plugin does not sanitise, validate or escape its settings, and lacks any CSRF check before saving them. As a result, an attacker could make a logged-in admin change them and insert malicious JavaScript code as well, leading to Stored Cross-Site Scripting issues. alert/XSS/' /...
Police Crime Record Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
Exploit Title: Police Crime Record Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS) Date: 12/08/2021 Exploit Author: Ömer Hasan Durmuş Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html Version: v1.0 Category: Webapps Tested on:...
Cockpit CMS 0.11.1 NoSQL Injection
Exploit Title: Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection Date: 06-08-2021 Exploit Author: Brian Ombongi Vendor Homepage: https://getcockpit.com/ Version: Cockpit 0.11.1 Tested on: Ubuntu 16.04.7 CVE: CVE-2020-35847 & CVE-2020-35848 #!/usr/bin/python3 import json...
IPCop 2.1.9 - Remote Code Execution (Authenticated) Exploit
Exploit Title: IPCop 2.1.9 - Remote Code Execution (RCE) (Authenticated) Exploit Author: Mücahit Saratar Vendor Homepage: https://www.ipcop.org/ Software Link: https://sourceforge.net/projects/ipcop/files/IPCop/IPCop%202.1.8/ipcop-2.1.8-install-cd.i486.iso -...
WordPress Plugin Picture Gallery 1.4.2 - 'Edit Content URL' Stored Cross-Site Scripting (XSS)
Exploit Title: WordPress Plugin Picture Gallery 1.4.2 - 'Edit Content URL' Stored Cross-Site Scripting (XSS) Date: 2021-08-06 Exploit Author: Aryan Chehreghani Software Link: https://wordpress.org/plugins/picture-gallery/ Version: 1.4.2 Tested on: Windows 10 How to Reproduce this Vulnerability: 1...
WordPress Download Manager < 3.2.13 - Email Template Setting Update via CSRF
The plugin did not have a CSRF check in place before saving its Email Template setting, allowing attackers to make a logged-in admin change it via a CSRF attack...
Pods < 2.7.29 - Multiple Authenticated Stored Cross-Site Scripting (XSS)
The plugin is vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability in multiple parameters. 1. Go to /wp-admin/admin.php?page=pods 2. Edit one of the pods 3. Choose "Labels" menu 4. In "Label", "Singular Label", "Add New", or "All" input field, you can inject an XS...
WP LMS < 1.1.5 - Unauthenticated Arbitrary User Field Edition/Creation
The plugin is lacking any CSRF and capability checks when creating and editing User Fields, allowing unauthorised edition and creation of them either via CSRF or as any user, including unauthenticated (v1.1.5 added CSRF but still no capability check). POST...
SEO Backlinks <= 4.0.1 - CSRF to Stored XSS
The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the locconfig function found in the /seo-backlinks.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.1. CSRF PoC alert1" / alert1" / function csrfSubmit let submit...
uListing < 2.0.6 - Modify User Roles via CSRF
An Add/Edit User Roles via CSRF vulnerability was discovered in the plugin. Missing WPNonce security tokens https://codex.wordpress.org/WordPressNonces . PoC | CSRF | Add/Edit User Roles: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: cookies User-Agent: Mozilla/5.0 Content-Type:...
M-vSlider <= 2.1.3 - Authenticated (admin+) SQL Injection
The update functionality in the rsliderpage uses an rsid POST parameter which is not validated, sanitised or escaped before being inserted into an SQL query, therefore leading to SQL injection for users having the Administrator role. POST /wp-admin/admin.php?page=rsliderpage&updated=true HTTP/1.1 Host:...
NEX Forms < 7.8.8 - Authentication Bypass for Excel Reports
The plugin was vulnerable to Authentication Bypass for Excel Reports allowing unauthenticated attackers to download Excel reports. http://www.example.com/wp-admin/admin.php?page=nex-forms-dashboard&exportcsv=true...