CVE-2018-0326
A vulnerability in the web UI of Cisco TelePresence Server Software could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against a user of the web UI of the affected software. The vulnerability is due to insufficient protections for HTML inline frames...
Google Chrome Cross-Border Access Vulnerability
Google Chrome is a web browser developed by the American company Google. Google Chrome suffers from an out-of-bounds access vulnerability. An attacker can exploit this vulnerability to cause out-of-bounds reads and writes, resulting in inline fields (e.g., lastIndex) being changed to...
Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) (1)
/ Here's a snippet of JavascriptArray::BoxStackInstance. To fix issue 1420, "deepCopy" was introduced. But it only deep-copies the array when "instance->head" is on the stack. So simply by adding a single line of code that allocates "head" to the heap, we can bypass the fix. template T...
Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) Exploit
Exploit for windows platform in category dos / poc / Here's a snippet of JavascriptArray::BoxStackInstance. To fix issue 1420, "deepCopy" was introduced. But it only deep-copies the array when "instance->head" is on the stack. So simply by adding a single line of code that allocates "head" to the...
Blue River Mura CMS Arbitrary Code Execution Vulnerability
Mura CMS is a CFML open source content management system created by Blue River Interactive Group. An arbitrary code execution vulnerability exists in Blue River Mura CMS prior to v7.0.7029. The vulnerability arises because Blue River Mura CMS supports inline function calls using [m] tags and [/m] end...
Design/Logic Flaw
Blue River Mura CMS before v7.0.7029 supports inline function calls with an [m] tag and [/m] end tag, without proper restrictions on file types or pathnames, which allows remote attackers to execute arbitrary code via an [m]$.dspinclude("../pathname/executable.jpeg")[/m] approach, where executable.jpeg...
CVE-2018-7486
Blue River Mura CMS before v7.0.7029 supports inline function calls with an [m] tag and [/m] end tag, without proper restrictions on file types or pathnames, which allows remote attackers to execute arbitrary code via an [m]$.dspinclude("../pathname/executable.jpeg")[/m] approach, where executable.jpeg...
CVE-2018-7486
Blue River Mura CMS before v7.0.7029 is affected by an arbitrary code execution vulnerability. The issue arises from supporting inline function calls using [m]...[/m] tags without proper restrictions on file types or pathnames, enabling a remote attacker to trigger code execution via an [m]$.dspi...
CVE-2017-1000488
The CVE-2017-1000488 entry concerns Mautic 2.1.0–2.11.0, which is vulnerable to inline JavaScript XSS in Mautic forms on a landing page when GET parameters pre-populate the form. Root cause cited across sources is lack of sanitization on GET parameters used for pre-population. Consequences includ...
TippingPoint Threat Intelligence and Zero-Day Coverage – Week of December 25, 2017
Last Sunday, my day could be best described by the lyrics of Sammy Hagar’s song “I Can’t Drive 55.” I was issued a ticket for an alleged speeding infraction. I usually drive about 10 mph over the speed limit, but my “alleged” lead foot got the best of me and so did the Texas Highway Patrol. C’est...
TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Chan
Exploit for windows platform in category local exploits --- A proof of concept injectable C++ DLL, that uses naked inline hooking and direct memory modification to change TeamViewer permissions. Features As the Server - Enables extra menu item options on the right side pop-up menu. Most useful so...
Apple_iOS Meterpreter, Reverse HTTPS Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 796904 include...
Apple_iOS Meterpreter, Reverse HTTP Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 796904 include...
Apple_iOS Meterpreter, Reverse TCP Inline
Run the Meterpreter / Mettle server payload stageless This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework Module generated by tools/modules/generatemettlepayloads.rb module MetasploitModule CachedSize = 796904 include...
Microsoft Edge: Chakra: JIT: Inline::InlineCallApplyTarget_Shared doesn't return the return instruction(CVE-2017-11841)
Here's a snippet of Inline::Optimize. FOREACHINSTREDITINGinstr, instrNext, func-mheadInstr switch instr-mopcode case Js::OpCode::Label: ... if instr-AsLabelInstr-misForInExit Assertthis-currentForInDepth != 0; // The PoC hits this this-currentForInDepth--; break; case...
TeamViewer 11 13 (Windows 10 x86) - Inline Hooking Direct Memory Modification Permission Change
TeamViewer 11 13 Windows 10 x86 - Inline Hooking Direct Memory Modification Permission Change TeamViewer Permissions Hook V1 --- A proof of concept injectable C++ DLL, that uses naked inline hooking and direct memory modification to change TeamViewer permissions. Features As the Server - Enables...
TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change
TeamViewer Permissions Hook V1 --- A proof of concept injectable C++ DLL, that uses naked inline hooking and direct memory modification to change TeamViewer permissions. Features As the Server - Enables extra menu item options on the right side pop-up menu. Most useful so far to enable the "switc...
Microsoft Edge Chakra JIT Inline::InlineCallApplyTarget_Shared Failed Return Exploit
Exploit for windows platform in category dos / poc Microsoft Edge: Chakra: JIT: Inline::InlineCallApplyTargetShared doesn't return the return instruction CVE-2017-11841 Here's a snippet of Inline::Optimize. FOREACHINSTREDITINGinstr, instrNext, func-mheadInstr switch instr-mopcode case...