Log injection in SAP NetWeaver AS Java using basic auth
Application: SAP NetWeaver AS Java Versions Affected: ENGINEAPI 7.10-7.50 Vendor URL: SAP Bug: Log Injection Reported: 17.05.2017 Vendor response: 18.05.2017 Date of Public Advisory: 14.11.2017 Reference: SAP Security Note 2485208 Author: Vahagn Vardanyan ERPScan VULNERABILITY INFORMATION Class:...
WordPress Plugin Car Rental System 2.5 - SQL Injection
WordPress Plugin Car Rental System 2.5 - SQL Injection Exploit Title: Car Rental System v2.5 Date: 28/03/2017 Exploit Author: TAD GROUP Vendor Homepage: https://www.bestsoftinc.com/ Software Link: https://www.bestsoftinc.com/car-rental-system.html Version: 2.5 Contact: infoattad.group Website:...
MySQL Cluster 7.3.x < 7.3.17 DD Subcomponent Arbitrary Data Manipulation (April 2017 CPU)
The version of MySQL Cluster running on the remote host is 7.3.x prior to 7.3.17. It is, therefore, affected by an arbitrary data manipulation vulnerability in the DD subcomponent due to an unspecified flaw. An authenticated, remote attacker can exploit this to update, insert, or delete arbitrary...
MySQL Cluster 7.5.x < 7.5.6 DD Subcomponent Arbitrary Data Manipulation (April 2017 CPU)
The version of MySQL Cluster running on the remote host is 7.5.x prior to 7.5.6. It is, therefore, affected by an arbitrary data manipulation vulnerability in the DD subcomponent due to an unspecified flaw. An authenticated, remote attacker can exploit this to update, insert, or delete arbitrary...
MySQL Cluster 7.4.x < 7.4.15 DD Subcomponent Arbitrary Data Manipulation (April 2017 CPU)
The version of MySQL Cluster running on the remote host is 7.4.x prior to 7.4.15. It is, therefore, affected by an arbitrary data manipulation vulnerability in the DD subcomponent due to an unspecified flaw. An authenticated, remote attacker can exploit this to update, insert, or delete arbitrary...
Palo Alto Networks PAN-OS 7.0.x < 7.0.14 / 7.1.x < 7.1.9 Multiple Vulnerabilities (PAN-SA-2017-0008 - PAN-SA-2017-0010)
The version of Palo Alto Networks PAN-OS running on the remote host is 7.0.x prior to 7.0.14 or 7.1.x prior to 7.1.9. It is, therefore, affected by multiple vulnerabilities: - A flaw exists in the Management Web Interface due to improper validation of certain request parameters. An authenticated...
Cimetrics BACnet Explorer 4.0 XXE Injection
Cimetrics BACnet Explorer 4.0 XXE Vulnerability Vendor: Cimetrics, Inc. Product web page: https://www.cimetrics.com Affected version: 4.0.0.0 Summary: The BACnet Explorer is a BACnet client application that helps auto discover BACnet devices. Desc: BACnetExplorer suffers from an XML External Enti...
Cimetrics BACnet Explorer 4.0 - XML External Entity Injection
Cimetrics BACnet Explorer 4.0 XXE Vulnerability Vendor: Cimetrics, Inc. Product web page: https://www.cimetrics.com Affected version: 4.0.0.0 Summary: The BACnet Explorer is a BACnet client application that helps auto discover BACnet devices. Desc: BACnetExplorer suffers from an XML External Enti...
LogoStore - 'query' SQL Injection
Exploit Title: LogoStore - SQL Injection Date: 27.01.2017 Software Link: https://codecanyon.net/item/logostore-buy-and-sell-logos-online/19379630 Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom Website: http://k2an.com Category: Web Application Exploits Overview LogoStore is a web...
Itech News Portal Script 6.28 SQL Injection
Exploit Title: Itech News Portal Script v6.28 – SQL Injection Date: 30.01.2017 Vendor Homepage: http://itechscripts.com/ Software Link: http://itechscripts.com/news-portal-script/ Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom Website: http://k2an.com Category: Web Application Exploits...
Itech Dating Script 3.26 - SQL Injection
Itech Dating Script 3.26 - SQL Injection Exploit Title: Itech Dating Script v3.26 – SQL Injection Date: 30.01.2017 Vendor Homepage: http://itechscripts.com/ Software Link: http://itechscripts.com/dating-script/ Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom Website: http://k2an.com...
Itech News Portal Script 6.28 - 'inf' SQL Injection
Exploit Title: Itech News Portal Script v6.28 – SQL Injection Date: 30.01.2017 Vendor Homepage: http://itechscripts.com/ Software Link: http://itechscripts.com/news-portal-script/ Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom Website: http://k2an.com Category: Web Application Exploits...
Itech Freelancer Script 5.13 - SQL Injection
Exploit Title: Itech Freelancer Script v5.13 – SQL Injection Date: 30.01.2017 Vendor Homepage: http://itechscripts.com/ Software Link: http://itechscripts.com/freelancer-script/ Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom Website: http://k2an.com Category: Web Application Exploits...
Itech Dating Script 3.26 - SQL Injection
Exploit Title: Itech Dating Script v3.26 – SQL Injection Date: 30.01.2017 Vendor Homepage: http://itechscripts.com/ Software Link: http://itechscripts.com/dating-script/ Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom Website: http://k2an.com Category: Web Application Exploits Overview...
Itech Video Sharing Script 4.94 - 'v' SQL Injection
Exploit Title: Video Sharing Script 4.94 – SQL Injection Date: 30.01.2017 Vendor Homepage: http://itechscripts.com/ Software Link: http://itechscripts.com/video-sharing-script/ Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom Website: http://k2an.com Category: Web Application Exploits...
My Photo Gallery 1.0 SQL Injection
Introduction Exploit Title: My Photo Gallery – SQL Injection Date: 27.01.2017 Vendor Homepage: http://software.friendsinwar.com/ Software Link: http://software.friendsinwar.com/news.php?readmore=40 Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom Website: http://k2an.com Category: Web...
My Photo Gallery 1.0 - SQL Injection
My Photo Gallery 1.0 - SQL Injection Introduction Exploit Title: My Photo Gallery – SQL Injection Date: 27.01.2017 Vendor Homepage: http://software.friendsinwar.com/ Software Link: http://software.friendsinwar.com/news.php?readmore=40 Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom...
Maian Weblog 4.0 - SQL Injection
Maian Weblog 4.0 - SQL Injection Introduction Exploit Title: Maian Weblog – SQL Injection Date: 27.01.2017 Vendor Homepage: http://www.maianweblog.com/ Exploit Author: Kaan KAMIS Contact: iletisimatk2andotcom Website: http://k2an.com Category: Web Application Exploits Overview Simple blog system...
WordPress Symposium Plugin SQL Injection (CVE-2015-6522)
An SQL injection vulnerability exists in the WordPress Symposium Plugin. It allows an authenticated remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data...
Updated libarchive packages fix security vulnerability
The updated packages fix several security vulnerabilities: A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive's file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with...