7656 matches found
ZKTeco FaceDepot and ZKBiosecurity Server Persistent Token Vulnerability
ZKTeco FaceDepot is a face attendance system. A persistent token vulnerability exists in ZKTeco FaceDepot version 7B 1.0.213 and ZKBiosecurity Server version 1.0.020190723, which stems from a lack of two-way authentication in the program, and can be exploited by an attacker to obtain a long-lived...
LimeSurvey 4.3.10 Cross Site Scripting
Exploit Title: LimeSurvey 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting Date: 2020-08-23 Exploit Author: Matthew Aberegg Vendor Homepage: https://www.limesurvey.org Version: LimeSurvey 4.3.10+200812 Tested on: Ubuntu 18.04.4 Patch Link:...
LimeSurvey 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting
Exploit Title: LimeSurvey 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting Date: 2020-08-23 Exploit Author: Matthew Aberegg Vendor Homepage: https://www.limesurvey.org Version: LimeSurvey 4.3.10+200812 Tested on: Ubuntu 18.04.4 Patch Link:...
ElkarBackup 1.3.3 Cross Site Scripting
Exploit Title: ElkarBackup 1.3.3 - Persistent Cross-Site Scripting Date: 2020-08-14 Exploit Author: Enes Özeser Vendor Homepage: https://www.elkarbackup.org/ Version: 1.3.3 Tested on: Linux 1- Go to following url. http://HOST/elkarbackup/login 2- Default username and password is root:root. We mus...
ElkarBackup 1.3.3 - Persistent Cross-Site Scripting
Exploit Title: ElkarBackup 1.3.3 - Persistent Cross-Site Scripting Date: 2020-08-14 Exploit Author: Enes Özeser Vendor Homepage: https://www.elkarbackup.org/ Version: 1.3.3 Tested on: Linux 1- Go to following url. http://HOST/elkarbackup/login 2- Default username and password is root:root. We mus...
ElkarBackup 1.3.3 - Persistent Cross-Site Scripting Vulnerability
Exploit for php platform in category web applications Exploit Title: ElkarBackup 1.3.3 - Persistent Cross-Site Scripting Exploit Author: Enes Özeser Vendor Homepage: https://www.elkarbackup.org/ Version: 1.3.3 Tested on: Linux 1- Go to following url. http://HOST/elkarbackup/login 2- Default...
It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future when the UID/GID will be recycled.
...
WordPress Change Login Logo 1.0.1 Persistent Cross Site Scripting
Exploit Title: WordPress Change Login Logo Plugin v1.0.1 - Persistent Cross-Site Scripting Date: 2020-08-18 Vendor Homepage: http://www.boopathirajan.com/ Vendor Changelog: https://wordpress.org/plugins/change-login-logo/developers Exploit Author: Melbin K Mathew @melbinkm Author Advisory:...
vBulletin 5.6.2 Persistent Cross Site Scripting Vulnerability
Exploit for php platform in category web applications Exploit Title: vBulletin 5.6.2 Stored XSS Date: 15.08.2020 Author: Vincent666 ibn Winnie Software Link: https://www.vbulletin.com/en/features/ Tested on: Windows 10 Web Browser: Mozilla Firefox Blog: https://pentest-vincent.blogspot.com/ PoC:...
Tailor Management System 1.0 Persistent Cross Site Scripting
Title: Tailor Management System 1.0 - Stored Cross-Site Scripting Exploit Author: Ahmed Abbas Date: 2020-08-09 Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html Software Link:...
WordPress Click To Top 1.2.7 Persistent Cross Site Scripting
Exploit Title: WordPress Click to top Plugin v1.2.7 - Persistent Cross-Site Scripting Date: 2020-08-18 Vendor Homepage: http://wpthemespace.com/ Vendor Changelog: https://wordpress.org/plugins/click-to-top/ Exploit Author: Melbin K Mathew @melbinkm Author Advisory:...
Tailor Management System 1.0 Persistent Cross Site Scripting Vulnerability
Exploit for php platform in category web applications Title: Tailor Management System 1.0 - Stored Cross-Site Scripting Exploit Author: Ahmed Abbas Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html Software Link:...
Urlbuster - Powerful Mutable Web Directory Fuzzer To Bruteforce Existing And/Or Hidden Files Or Directories
Powerful web directory fuzzer to locate existing and/or hidden files or directories. Similar to dirb or gobuster, but with a lot of mutation options. Installation pip install urlbuster Features Proxy support Cookie support Basic Auth Digest Auth Retries for slow servers Persistent and...
Home Villas <= 2.2 - Multiple Cross-Site Scripting Issues
Unauthenticated reflected and authenticated persistent XSS vulnerabilities were discovered in the Home Villas theme through 2.2 for WordPress. Edit WPScanTeam: July 27th, 2020 - Confirmed & Escalated to Envato July 28th, 2020 - Envato Investigating August 17th, 2020 - No updates, disclosing...
WordPress Responsive Lightbox2 1.0.2 Cross Site Scripting
Exploit Title: WordPress Responsive Lightbox2 Plugin v1.0.2 - Persistent Cross-Site Scripting Date: 2020-08-14 Vendor Homepage: https://noorsplugin.com/ Vendor Changelog: https://wordpress.org/plugins/responsive-lightbox2/developers Exploit Author: Melbin K Mathew @melbinkm Author Advisory:...
Dolibarr Persistent Cross Site Scripting (CVE-2020-13094)
A persistent cross site scripting vulnerability exists in Dolibarr. Successful exploitation of this vulnerability would allow remote attackers to inject an arbitrary web script into the affected system...
WordPress NextGen Gallery Sell Photo 1.0.5 Cross Site Scripting
Exploit Title: Wordpress Plugin NextGen Gallery Sell Photo 1.0.5 - Persistent Cross-Site Scripting Date: 2020-08-14 Vendor Homepage: https://noorsplugin.com/ Vendor Changelog: https://wordpress.org/plugins/nextgen-gallery-sell-photo/developers Exploit Author: Melbin K Mathew @melbinkm Author...
Wordpress Easy Media Download 1.1.4 Cross Site Scripting
Exploit Title: Wordpress Easy Media Download v1.1.4 - Persistent Cross-Site Scripting Date: 2020-08-14 Vendor Homepage: https://noorsplugin.com/ Vendor Changelog: https://wordpress.org/plugins/easy-media-download/developers Exploit Author: Melbin K Mathew @melbinkm Author Advisory:...
WordPress Sell Photo 1.0.5 Cross Site Scripting
Exploit Title: Sell Photo Wordpress Plugin v1.0.5 - Persistent Cross-Site Scripting Date: 2020-08-14 Vendor Homepage: https://noorsplugin.com/ Vendor Changelog: https://wordpress.org/plugins/sell-photo/developers Exploit Author: Melbin K Mathew @melbinkm Author Advisory:...