Logic Vulnerability in Growatt Monitoring System App for Android

Growatt Monitoring System is a remote data monitoring center system for PV power plants developed by Grunewald. The system displays PV plant operation data through intuitive charts and graphs, including power plant power generation, revenue, CO2 emission reduction benefits, equipment operation...

Analysis of Ronggolawe Ransomware and How to Block It

In the last few years ransomware attacks have been significantly on the rise. This infamous trend began by targeting end point users’ machines, such as personal desktop and laptops. Later, it evolved and broadened the attack surface to target mobile phones and servers. Web Servers Not Immune to...

ROPEMAKER Exploit Allows for Changing of Email Post-Delivery

Researchers say a new exploitable attack vector for email, one that could enable the changing of email content content post-delivery, could let attackers bypass security controls and trick victims into clicking through to a malicious site. Details of the exploit called ROPEMAKER, which stands for...

Unikrn: Non-Cloudflare IPs allowed to access origin servers

Summary: Non-Cloudflare IPs allowed to access origin servers Description: Your origin servers are not blocking access from non-Cloudflare servers. This way crawlers can find your origin servers' IPs by checking random IPs until they found your origin servers. What makes this especially easy are...

OnePlus 2 SBL1 Partition Authentication Vulnerability

OnePlus 2 is a smartphone from China's OnePlus Technology OnePlus.Primary Bootloader PBL is one of the primary bootloaders. A security vulnerability exists in the OnePlus 2 PBL. An attacker can exploit the vulnerability to disable signature verification...

Concrete CMS: Stored XSS vulnerability in additional URLs in 'Location' dialog [Sitemap]

Intro "Transformers: Dark of the Crayons" Type of issue: Core CMS issue Level of severity: Internal Attack Vector Concrete5 version: 8.2.0 RC2 rev. 0a26b63c4a64d42e7afb36aba0a6e4d1f4c53d7d July 19th Summary There is Stored XSS vulnerability in additional URLs in 'Location' dialog. This issue can ...

The vulnerability of the getNodeSize function in the SQLite database management system allows attackers to carry out other attacks.

The vulnerability of the getNodeSize function in the SQLite database management system arises from the execution of an operation beyond the buffer boundaries in memory. Exploiting this vulnerability allows a malicious actor to exert other effects using the reduced size of RTree blobs within the...

Concrete CMS: Stored XSS vulnerability in RSS Feeds Description field

Intro "Pirates of the Crayons" Type of issue: Core CMS issue Level of severity: Internal Attack Vector Concrete5 version: 8.2.0 RC2 rev. b54f2b451f0a0804699c4cf9f0b3a8fef0e407db July 10th Summary There is Stored XSS vulnerability in RSS Feeds Description property. Value of the textarea is not...

Concrete CMS: Stored XSS in Name field in User Groups/Group Details form

Intro "The Crayons of Madagascar" Type of issue: Core CMS issue Level of severity: Internal Attack Vector Concrete5 version: 8.2.0 RC2 rev. 32c9daf352645d4fafedb7b956e7f2de4e153ab3 Summary There is Stored XSS vulnerability in User Groups-Group Details Name field. This vulnerability might be used ...

Concrete CMS: Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains payload

Intro "Back to the Crayons" Type of issue: Core CMS issue Level of severity: External Attack Vector Concrete5 version: 8.2.0 RC2 rev. 32c9daf352645d4fafedb7b956e7f2de4e153ab3 July 8th Summary There is Stored XSS vulnerability in Private Messages 'Reply' feature, when original message is quoted in...

Devmode Remote Command Execution Vulnerability in Elevator Engineering Management System

Elevator project management system is to establish an informatization system applicable to elevator enterprises, which collects elevator business data from various departments in time, has good data communication and exchange capability, standardized management process, unified management model,...

Solarwinds LEM 6.3.1 Hardcoded Credentials Vulnerability

Exploit for linux platform in category local exploits Title: Solarwinds LEM Hardcoded Credentials Advisory ID: KL-001-2017-015 Publication Date: 2017.07.06 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-015.txt 1. Vulnerability Details Affected Vendor: Solarwinds...

Solarwinds LEM Hardcoded Credentials

Vulnerability Details Affected Vendor: Solarwinds Affected Product: Log and Event Manager Virtual Appliance Affected Version: v6.3.1 Platform: Embedded Linux CWE Classification: CWE-798: Use of Hard-coded Credentials Impact: Unintended Access Attack vector: Local 2. Vulnerability Description The...

SA151: ImageMagick RCE Vulnerability (ImageTragick)

SUMMARY Symantec Network Protection products using affected versions of ImageMagick are susceptible to the ImageTragick security vulnerability. A remote attacker can send crafted images and execute arbitrary code on the target. AFFECTED PRODUCTS The following products are vulnerable: Security...

CVE-2017-1347

IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 126462...

Code execution vulnerability in finecms

FineCMS is an efficient and simple small and medium-sized content management system based on PHP+MySql+CI framework. A code execution vulnerability exists in finecms. An attacker can exploit the vulnerability getshell...

Google Android has an unspecified vulnerability (CNVD-2017-13247)

Android is a Linux-based open source operating system jointly developed by Google and the Open Handheld Alliance OHA. A security vulnerability exists in the DRM provisioning command parsing process in Android. An attacker can exploit this vulnerability to perform unauthorized operations...

Windows Uniscribe Remote Code Execution Vulnerability

A remote code execution vulnerability exists due to the way Windows Uniscribe handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accoun...

Fastspot BigTree CMS SQL Injection Vulnerability (CNVD-2017-08704)

Fastspot BigTree CMS is the United States Fastspot company based on PHP and MySQL open source content management system CMS. Fastspot BigTree CMS 4.2.18 and earlier versions of the core\admin\modules\developer\extensions\install\process.php file and core\admin\modules\developer\ An SQL injection...

Sql injection

SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2380hw6580hw2710hw31350hw22500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enumeration of user accounts by observing whether a sessi...