
Source: CNVD | added 2021/02/10 12:00 a.m. | 6 views

Dell EMC PowerScale OneFS Operating System Command Injection Vulnerability

Dell EMC PowerScale OneFS is an API-powered file system. An OS command injection vulnerability exists in Dell EMC PowerScale OneFS 8.1.0 - 9.1.0. An attacker with the ISIPRIVCLUSTER privilege could exploit this vulnerability to execute arbitrary OS commands on the underlying OS of an application...

CVSS 7.8 | AI score 8 | EPSS 0.0048
Exploits 0 | References 1
Source: Veracode | added 2021/02/02 5:33 a.m. | 14 views

SQL Injection

thinkjs is vulnerable to SQL injection. An attacker is able to inject and execute arbitrary SQL statements as demonstrated by a blind SQL injection using sleep...

CVSS 9.8 | AI score 3.6 | EPSS 0.01489
Exploits 1 | References 2 | Affected Software 1
Source: Hacker One | added 2021/02/02 12:4 a.m. | 12 views

Invision Power Services, Inc.: PHP Code Injection through "previewBlock()" method

Summary: The vulnerability exists because the IPS\cms\modules\front\pages\builder::previewBlock method allows to pass arbitrary content to the IPS\Theme::runProcessFunction method, which will be used in a call to the eval function. This can be exploited to inject and execute arbitrary PHP code...

AI score 0.6
Exploits 0
Source: OSV | added 2021/02/01 4:15 p.m. | 13 views

CVE-2020-13563

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template groupid parameter...

CVSS 6.1 | AI score 6.2
Exploits 0 | References 1
Source: Prion | added 2021/02/01 2:15 p.m. | 13 views

Code injection

Variable underflow exists in accel-ppp radius/packet.c when receiving a RADIUS vendor-specific attribute whose length field is less than 2. It has an impact only when the attacker controls the RADIUS server, which can lead to arbitrary code execution...

CVSS 7.5 | AI score 9.6 | EPSS 0.02702
Exploits 0 | References 2 | Affected Software 1
Source: Prion | added 2021/01/28 1:15 p.m. | 12 views

Cross-site request forgery (CSRF)

A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 commit babec93f600ff1394f91ccd512bcad85832eb6ce. A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker ca...

CVSS 6.8 | AI score 8.6 | EPSS 0.03029
Exploits 1 | References 1 | Affected Software 1
Source: Cvelist | added 2021/01/26 6:47 a.m. | 44 views

CVE-2021-3291

Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element within the modules edit page and inserting a command...

AI score 7.4 | EPSS 0.16782
Exploits 4 | References 2
Source: Hacker One | added 2021/01/23 11:22 p.m. | 17 views

Shopify: [h1-2102] Stored XSS in product description via `productUpdate` GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID]

This is most likely going to be a duplicate, so I'll keep it short. A stored cross-site scripting vulnerability exists at handshake-web-internal.shopifycloud.com through the product description field. Requirements: A shop with the Handshake plugin enabled and set up. Reproduction steps: 1. Add a...

AI score 0.2
Exploits 0
Source: Exploit DB | added 2021/01/22 12:00 a.m. | 318 views

Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution

Exploit Title: Selea CarPlateServer CPS 4.0.1.6 - Remote Program Execution Date: 08.11.2020 Exploit Author: LiquidWorm Vendor Homepage: https://www.selea.com Selea CarPlateServer CPS v4.0.1.6 Remote Program Execution Vendor: Selea s.r.l. Product web page: https://www.selea.com Affected version:...

AI score 7.4
Exploits 0
Source: Zero Science Lab | added 2021/01/21 12:00 a.m. | 293 views

Selea CarPlateServer (CPS) v4.0.1.6 Remote Program Execution

Summary Our CPS Car Plate Server software is an advanced solution that can be installed on computers and servers and used as an operations centre. It can create sophisticated traffic control and road safety systems connecting to stationary, mobile or vehicle-installed ANPR systems. CPS allows to...

CVSS 9.3 | AI score 6 | EPSS 0.0043
Exploits 1
Source: Huntr | added 2021/01/07 12:00 a.m. | 11 views

Code Injection in spotify/postgresql-metrics

Description: Tool that extracts and provides metrics on your PostgreSQL database. Vulnerability description: unsafe loading of data by the yaml.load function leading to arbitrary code execution. Proof of Concept: Vulnerable code part (python) readconfigdict = yaml.loadf...

AI score 1.4
Exploits 0
Source: Vulnrichment | added 2021/01/06 11:35 p.m. | 13 views

CVE-2020-26085 Cisco Jabber Desktop and Mobile Client Software Vulnerabilities

Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. For more information about these...

CVSS 9.9 | AI score 7.5 | EPSS 0.02496
Exploits 0 | References 1
Source: Check Point Advisories | added 2020/12/29 12:00 a.m. | 4 views

PHPGurukul Admin Panel SQL Injection (CVE-2020-25952)

An SQL Injection vulnerability exists in PHPGurukul Admin Panel. Successful exploitation of this vulnerability could result in the execution of arbitrary SQL statements on the affected system...

CVSS 7.5 | AI score 3.3 | EPSS 0.04078
Exploits 1
Source: BDU FSTEC | added 2020/12/28 12:00 a.m. | 1 view

The vulnerability of the Microsoft Visual Studio software, related to improper code generation management, allows a perpetrator to execute arbitrary code.

The vulnerability of the Microsoft Visual Studio software development tool is related to improper code generation management. Exploiting this vulnerability can allow an attacker to execute arbitrary code...

CVSS 7.8 | AI score 7.6 | EPSS 0.02598
Exploits 0 | References 2 | Affected Software 2
Source: CNVD | added 2020/12/25 12:00 a.m. | 1 view

Sourcecodester Online Health Care System SQL Injection Vulnerability

Sourcecodester Online Health Care System is a PHP-based website builder for online health checkups from Sourcecodester, Inc. Online Health Card System 1.0 suffers from a SQL injection vulnerability that originates from a database application that lacks validation of externally entered SQL...

CVSS 9.8 | AI score 8.2 | EPSS 0.02311
Exploits 1 | References 1
Source: BDU FSTEC | added 2020/12/18 12:00 a.m. | 2 views

The vulnerability of the cloud-based application for video digitization, annotation, and format conversion in Adobe Prelude lies in writing beyond buffer boundaries in memory, allowing an attacker to execute arbitrary code.

The vulnerability of the cloud-based application for video digitization, annotation, and format conversion in Adobe Prelude involves writing beyond the buffer boundaries in memory. Exploiting this vulnerability could allow a malicious actor to execute arbitrary code in the context of the current...

CVSS 10 | AI score 7.9 | EPSS 0.04528
Exploits 0 | References 3 | Affected Software 1
Source: RedHat Linux | added 2020/12/17 3:56 p.m. | 2 views

postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution

A flaw was discovered in postgresql where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function...

CVSS 8.8 | AI score 7.4 | EPSS 0.0217
Exploits 0 | References 5
Source: Prion | added 2020/12/11 5:15 p.m. | 24 views

Information disclosure

Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. For more information about these...

CVSS 9 | AI score 9.8 | EPSS 0.0143
Exploits 0 | References 1 | Affected Software 2
Source: BDU FSTEC | added 2020/12/07 12:00 a.m. | 17 views

The vulnerability of the KTS web interface “Mayak,” related to the failure to protect the SQL query structure, allows attackers to execute arbitrary SQL commands.

The vulnerability of the KTS “Lighthouse” web interface is related to the lack of measures taken to protect the SQL query structure. Exploiting this vulnerability allows a malicious actor to execute arbitrary SQL commands using a specially crafted HTTP POST request...

CVSS 10 | AI score 6.1
Exploits 0 | Affected Software 1
Source: BDU FSTEC | added 2020/12/07 12:00 a.m. | 12 views

The vulnerability of the KTS web interface “Mayak,” related to the failure to protect the SQL query structure, allows attackers to execute arbitrary SQL commands.

The vulnerability of the KTS “Lighthouse” web interface is related to the lack of measures taken to protect the SQL query structure. Exploiting this vulnerability allows a malicious actor to execute arbitrary SQL commands using a specially crafted HTTP POST request...

CVSS 10 | AI score 6.1
Exploits 0 | Affected Software 1