41207 matches found
WordPress Plugin Firewall 2 1.3 - Cross-Site Request Forgery / Cross-Site Scripting
In a real attack, forms can be submitted automatically and spear-phishing attacks can be convincing. Mitigations: Disable the plugin until a new version is released that fixes this bug...
Quiz Template 1.0 - testid SQL Injection
Exploit Title: Quiz Template v1.0 for ASPRunnerPro/PHPRunner - SQL Injection; Google Dork: N/A; Date: 07.04.2017; Vendor Homepage: https://xlinesoft.com/; Software: https://xlinesoft.com/marketplace/productsview.php?editid1=2; Demo:...
Adobe (Multiple Products) - XML Injection File Content Disclosure
#!/bin/bash; Exploit Title: Adobe XML Injection file content disclosure; Date: 07-04-2017; Exploit Author: Thomas Sluyter; Website: https://www.kilala.nl; Vendor Homepage: http://www.adobe.com/support/security/bulletins/apsb10-05.html...
Invoice Template - hash SQL Injection
Exploit Title: Invoice Template v1.0 for PHPRunner/ASPRunnerPro/ASPRunner.NET - SQL Injection; Google Dork: N/A; Date: 07.04.2017; Vendor Homepage: https://xlinesoft.com/; Software: https://xlinesoft.com/invoice; Demo:...
Intellinet NFC-30IR Camera - Multiple Vulnerabilities
Bitcrack Cyber Security - BitLabs Advisory (http://www.bitcrack.net): Multiple Vulnerabilities in Intellinet NFC-30IR Network Cameras. Advisory title: Local File Inclusion in CGI-SCRIPT & Hard-Coded Manufacturer Backdoor; Advisory ID:...
D-Link DWR-116 / DWR-116A1 - Arbitrary File Download
Title: D-Link DWR-116 Arbitrary File Download; Vendor: D-Link (www.dlink.com); Affected models: DWR-116 / DWR-116A1; Tested on: V1.01EU, V1.00CPb10, V1.05AU; CVE: CVE-2017-6190; Date: 04.07.2016; Author: Patryk Bogdan (@patrykbogdan); Description: D-Link...
Cesanta Mongoose OS - Use-After-Free
COMPASS SECURITY ADVISORY (https://www.compass-security.com/en/research/advisories/); Product: Mongoose OS; Vendor: Cesanta; CVE ID: CVE-2017-7185; CSNC ID: CSNC-2017-003; Subject: Use-after-free / Denial of Service; Risk: Medium; Effect: Remotely exploitable; Authors:...
Moodle 2.x / 3.x - SQL Injection
Exploit: Moodle SQL Injection via Object Injection Through User Preferences; Date: April 6th, 2017; Exploit Author: Marko Belzetski; Contact: [email protected]; Vendor Homepage: https://moodle.org/; Version: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.1...
Faveo Helpdesk Community 1.9.3 - Cross-Site Request Forgery
Exploit Title: CSRF / Privilege Escalation (Manipulation of Role Agent to Admin) on Faveo Community 1.9.3; Google Dork: no; Date: 05-April-2017; Exploit Authors: @runggareksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy; Vendor...
SpiceWorks 7.5 TFTP - Remote File Overwrite / Upload
Credits: John Page AKA HYP3RLINX; Website: hyp3rlinx.altervista.org; Source: http://hyp3rlinx.altervista.org/advisories/SPICEWORKS-IMPROPER-ACCESS-CONTROL-FILE-OVERWRITE.txt; ISR: APPARITIONSEC. Vendor: www.spiceworks.com...
Sweepstakes Pro Software - SQL Injection
Exploit Title: Sweepstakes Pro Software - SQL Injection; Google Dork: N/A; Date: 05.04.2017; Vendor Homepage: http://bimedia.info/; Software: http://bimedia.info/sweepstakes-pro-software/; Demo: http://mysweepstakespro.com/demo/; Version: N/A; Tested on: Win7 x64...
Airbnb Crashpadder Clone Script - SQL Injection
Exploit Title: Airbnb Crashpadder Clone Script - SQL Injection; Google Dork: N/A; Date: 05.04.2017; Vendor Homepage: http://bimedia.info/; Software: http://bimedia.info/airbnb-premium-clone-script/; Demo: http://airbnb.clonedemo.com/; Version: N/A; Tested...
ImagePro Lazygirls Clone Script - SQL Injection
Exploit Title: ImagePro Lazygirls Clone Script - SQL Injection; Google Dork: N/A; Date: 05.04.2017; Vendor Homepage: http://bimedia.info/; Software: http://bimedia.info/8-2/; Demo: http://imagepro.clonedemo.com/; Version: N/A; Tested on: Win7 x64, Kali Lin...
Premium Penny Auction Script - SQL Injection
Exploit Title: Premium Penny Auction Script - SQL Injection; Google Dork: N/A; Date: 05.04.2017; Vendor Homepage: http://bimedia.info/; Software: http://bimedia.info/premium-penny-auction-script/; Demo: http://pennyauction.clonedemo.com/; Version: N/A; Tested...
Appointment Script - SQL Injection
Exploit Title: Doctors Appointment Script - SQL Injection; Google Dork: N/A; Date: 05.04.2017; Vendor Homepage: http://appointment-script.com/; Software: http://appointment-script.com/demo; Demo: http://appointment-script.com/demo; Version: N/A; Tested on: Win7 x64, Ka...
D-Link DIR-615 - Cross-Site Request Forgery
Title: D-Link DIR 615 (HW: T1, FW: 20.09) is vulnerable to Cross-Site Request Forgery (CSRF); Credit: Pratik S. Shah; Reference: CVE-2017-7398; Date: 1-04-2017; Vendor: D-Link wireless router...
HelpDEZK 1.1.1 - Cross-Site Request Forgery / Code Execution
Exploit Title: Multiple CSRF Remote Code Execution Vulnerabilities on HelpDEZK 1.1.1; Date: 05-April-2017; Exploit Authors: @runggareksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy; Vendor Homepage: http://www.helpdezk.org/; Software...
Broadcom Wi-Fi SoC - dhd_handle_swc_evt Heap Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1061. Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capab...
Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1111. SIOCSIFORDER and SIOCGIFORDER allow userspace programs to build and maintain the ifnet_ordered_head linked list of interfaces...
Apple macOS Kernel 10.12.3 (16D32) - audit_pipe_open Off-by-One Memory Corruption
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1126. macOS kernel memory corruption due to off-by-one in audit_pipe_open. audit_pipe_open is the special file open handler for the auditpipe device major...
Apple macOS/iOS Kernel 10.12.3 (16D32) - bpf Heap Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1125. The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length: case BIOCSBLEN: /* u_int */ if (d->bd_bif != 0) error = EINVAL; else { u_int size; bcopy(addr, &size, sizeof...
Apple WebKit - ComposedTreeIterator::traverseNextInShadowTree Use-After-Free
PoC (JavaScript): function go() { d.open = false; d.innerHTML = "foo"; d.open = true; } ... followed by the ASan log:...
Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1108. SIOCSIFORDER is a new ioctl added in iOS 10. It can be called on a regular TCP socket, so from pretty much any...
Maian Uploader 4.0 - user SQL Injection
Exploit Title: Maian Uploader Script v4.0 - SQL Injection; Google Dork: N/A; Date: 04.04.2017; Vendor Homepage: http://www.maiansoftware.com/; Software: http://www.maianuploader.com/?dl=yes; Demo: http://www.maiansoftware.com/demos/uploader/; Version: 4.0; Tested...
Apple WebKit - JSCallbackData Universal Cross-Site Scripting
...globalObject->vm(), callback) ... JSC::JSObject* callback() { return m_callback.get(); } JSDOMGlobalObject* globalObject() { return JSC::jsCast<JSDOMGlobalObject*>(m_callback->globalObject()); } JSC::JSValue invokeCallback(JSC::MarkedArgumentBuffer& args, CallbackType callbackType,...
Apple WebKit 10.0.2 (12602.3.12.0.1) - disconnectSubframes Universal Cross-Site Scripting
...frameOwners; if (policy == RootAndDescendants) { if (is<HTMLFrameOwnerElement>(root)) frameOwners.append(downcast<HTMLFrameOwnerElement>(root)); } collectFrameOwners(frameOwners, root); // Must disable frame loading in the subtree so an unload handler cannot // insert mo...
Apple macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129. fseventsf_ioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE_64 on /dev/fsevents. Here's the code for the FSEVENTS_DEVICE_FILTER_64...
Broadcom Wi-Fi SoC - Heap Overflow in wlc_tdls_cal_mic_chk Due to Large RSN IE in TDLS Setup Confirm Frame
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1047. Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in bot...
Apple WebKit - Negative-Size memmove in HTMLFormElement
PoC (JavaScript): function go() { var iframe = document.getElementById("iframe"); var iframeWindow = window[0]; var toInsert = div; var iframeBody = iframeWindow.document.body; iframeBody.before(document.body); iframe.after(toInsert); } ...
Maian Greetings 2.1 - cat SQL Injection
Exploit Title: Maian Greetings v2.1 - SQL Injection; Google Dork: N/A; Date: 04.04.2017; Vendor Homepage: http://www.maiansoftware.com/; Software: http://www.maiangreetings.com/?dl=yes; Demo: http://www.maiansoftware.com/demos/greetings/; Version: 2.1; Tested on:...
Apple WebKit - WebCore::toJS Use-After-Free
PoC (JavaScript, preview truncated): function freememory() { var a; for (var i = 0; i ... ASan log: ==25184==ERROR: AddressSanitizer: heap-use-after-free on address...
Apple WebKit - table Use-After-Free
PoC (CSS): -webkit-border-image: url(foo) 1 5 1 63 repeat; -webkit-flow-into: foo; (JavaScript): function eventhandler() { var a; document.execCommand("selectAll", false); output.slot = "foo"; table.deleteCaption(); // trigger garbage collector for (var i = 0; i ...
Apple macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104. exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn. It supports 4 different types of port...
Apache Tomcat 6/7/8/9 - Information Disclosure
Exploit Title: Apache Tomcat CVE-2016-6816 Security Bypass Vulnerability; Date: 4th March 2017; Exploit Author: justpentest; Vendor Homepage: tomcat.apache.org; Version: Apache Tomcat 9.0.0.M1 through 9.0.0.M11, 8.5.0 through 8.5.6, 8.0.0.RC1 through 8.0.38,...
Maian Survey 1.1 - survey SQL Injection
Exploit Title: Maian Survey v1.1 - SQL Injection; Google Dork: N/A; Date: 04.04.2017; Vendor Homepage: http://www.maiansoftware.com/; Software: http://www.maiansurvey.com/?dl=yes; Demo: http://www.maiansoftware.com/demos/survey/; Version: 1.1; Tested on: Win7 x64,...
Apple WebKit 10.0.2 (12602.3.12.0.1) - Frame::setDocument (1) Universal Cross-Site Scripting
...&& newDocument) ... ASSERT(!newDocument || newDocument->frame() == this); if (m_doc && m_doc->pageCacheState() != Document::InPageCache) m_doc->prepareForDestruction(); m_doc = newDocument.copyRef(); ... The function...
Apple WebKit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window
...auto& htmlDocument = downcast<HTMLDocument>(document); auto atomicPropertyName = propertyName.publicName(); if (atomicPropertyName && htmlDocument.hasWindowNamedItem(*atomicPropertyName)) { JSValue namedItem; if...
Apple macOS Kernel 10.12.2 (16C67) - AppleIntelCapriController::GetLinkConfig Code Execution Due to Lack of Bounds Checking
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1071. Selector 0x921 of IntelFBClientControl ends up in AppleIntelCapriController::GetLinkConfig. This method...
Apple WebKit - RenderLayer Use-After-Free
PoC (JavaScript): function go() { div.style.setProperty("-webkit-flow-into", "foo"); document.execCommand("fontSize", false, 6); window.requestAnimationFrame(cb); h1.attachShadow({mode: "open"}); h1.replaceWith("foo"); } function cb() { var a; // trigger garbage collector for (var i = 0; i ...
Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1046; https://googleprojectzero.blogspot.ca/2017/04/over-air-exploiting-broadcoms-wi-fi4.html. Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and...
Apple macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1069. macOS kernel memory disclosure due to lack of bounds checking in...
Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free
PoC (JavaScript): function eventhandler1() { input.type = "foo"; } function eventhandler2() { input.selectionStart = 25; } ... ASan log from WebKit nightly on Mac:...
Apple macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116. necp_open is a syscall used to obtain a new necp file descriptor. The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap...
Apple WebKit 10.0.2 (12602.3.12.0.1, r210800) - constructJSReadableStreamDefaultReader Type Confusion
...exec.argument(0)); if (!stream) return throwArgumentTypeError(exec, scope, 0, "stream", "ReadableStreamReader", nullptr, "ReadableStream"); JSValue jsFunction = stream->get(&exec, Identifier::fromString(&exec...
Apple WebKit - FormSubmission::create Use-After-Free
PoC (JavaScript, preview truncated): function go() { object.name = "foo"; input.autofocus = true; output.appendChild(input); form.submit(); } function eventhandler() { for (var i = 0; i ... Preliminary analysis: The bug is in...
Bluecoat ASG 6.6 / CAS 1.3 - OS Command Injection (Metasploit)
Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS; Date: April 3, 2017; Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd; Contact: chrisdhebertatgmail.com; Vendor Security Advisory:...
Moxa AWK-3131A 1.4 1.7 - Username OS Command Injection
#!/usr/bin/env python2; import telnetlib; import re; import random; import string; # Split string into chunks, of which each is /var/a' - 1 completed = temp = re.split('\n', script); for content in temp: if len(content) != 0: for s in re.split(' ', content)...
GeoMoose 2.9.2 - Directory Traversal
Exploit Title: GeoMoose = 2.9.2 Local File Disclosure; Exploit Author: Sander 'dsc' Ferdinand; Date: 2017-03-4; Version: = 2.9.2; Blog: https://ced.pwned.systems/advisories-geomoose-local-file-disclosure-2-9-2.html; Vendor Homepage: geomoose.org; Reported: 4-3-2017...
Bluecoat ASG 6.6 / CAS 1.3 - Local Privilege Escalation (Metasploit)
Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS; Date: April 3, 2017; Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd; Contact: chrisdhebertatgmail.com; Vendor Security Advisory:...
Linux Kernel (PonyOS 4.0) - fluttershy LD_LIBRARY_PATH Local Privilege Escalation
#!/usr/bin/python. PonyOS 4.0 has added several improvements over previous releases, including support for setuid binaries and dynamic libraries. The run-time linker does not sanitize environment variables when running...