Arbitrary EJB QL Command Execution
jbossas is vulnerable to arbitrary EJB QL command execution. The vulnerability exists as the setOrder method in the org.jboss.seam.framework.Query class did not correctly validate user-supplied parameters. This vulnerability allowed remote attackers to inject, and execute, arbitrary Enterprise...
UBUNTU-CVE-2017-5611
SQL injection vulnerability in wp-includes/class-wp-query.php in WPQuery in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name...
Design/Logic Flaw
The getRenderedEjbql method in the org.jboss.seam.framework.Query class in JBoss Seam 2.x before 2.0.0.CR3 allows remote attackers to inject and execute arbitrary EJBQL commands via the order parameter...
JBoss Seam order Parameter Remote SQL Injection Vulnerability
BUGTRAQ ID: 26850 JBoss Seam is a Java EE 5 framework that combines JSF with EJB 3.0 components to provide an up-to-date model for developing web-based enterprise applications. JBoss Seam has an input validation vulnerability when handling user request data; a remote attacker could exploit it to carry out SQL injection attacks. The org.jboss.seam.framework.Query class in JBoss Seam does not correctly validate the order parameter passed to the getRenderedEjbql method before using it to build the EJBQL query: if getOrder!=null builder.append" order by ".append getOrder ...
MaraDNS DoS
Dynamic memory leak on unsupported query class or opcode...
DotProject Query.Class.PHP Remote File Inclusion Vulnerability
DotProject is a PHP-based web application. DotProject does not properly filter user-submitted URI data; a remote attacker can exploit this vulnerability to execute arbitrary commands with the privileges of the web server process. The problem is that the 'Query.Class.PHP' script does not filter the user-submitted 'baseDir' parameter; supplying a malicious remote server as the include target can lead to execution of arbitrary PHP code with the privileges of the web server process. Dotproject Dotproject 2.0.4 Dotproject Dotproject 2.0.3 Dotproject Dotproject 2.0.1 Dotproject Dotproject 2.0 NO...