Forum Template 1.0 - SQL Injection
Forum Template 1.0 - SQL Injection Exploit Title: Forum Template v1.0 for ASPRunnerPro/PHPRunner/ASPRunner.NET. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/marketplace/productsview.php?editid1=9 Demo:...
Quiz Template 1.0 - testid SQL Injection
Quiz Template 1.0 - testid SQL Injection Exploit Title: Quiz Template v1.0 for ASPRunnerPro/PHPRunner. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/marketplace/productsview.php?editid1=2 Demo:...
Document Management Template - hash SQL Injection
Document Management Template - hash SQL Injection Exploit Title: Document Management Template v1.0 for PHPRunner 8.x, ASPRunnerPro 9.x, ASPRunner.NET 8.x or better. - SQL Injection Google Dork: N/A Date: 07.04.2017 Vendor Homepage: https://xlinesoft.com/ Software: https://xlinesoft.com/docmanager...
QNAP TVS-663 QTS 4.2.4 build 20170313 - Command Injection
QNAP TVS-663 QTS 4.2.4 build 20170313 - Command Injection QNAP QTS multiple RCE vulnerabilities ===================================== The latest version of this advisory is available at: https://sintonen.fi/advisories/qnap-qts-multiple-rce-vulnerabilities.txt Overview -------- QNAP QTS firmware...
WordPress Plugin Firewall 2 1.3 - Cross-Site Request Forgery / Cross-Site Scripting
WordPress Plugin Firewall 2 1.3 - Cross-Site Request Forgery / Cross-Site Scripting alert(1)" <!-- In a real attack, forms can be submitted automatically and spear-phishing attacks can be convincing. Mitigations ================ Disable the plugin until a new version is released that fixes this bug...
D-Link DWR-116 DWR-116A1 - Arbitrary File Download
D-Link DWR-116 DWR-116A1 - Arbitrary File Download Title: D-Link DWR-116 Arbitrary File Download Vendor: D-Link www.dlink.com Affected models: DWR-116 / DWR-116A1 Tested on: V1.01EU, V1.00CPb10, V1.05AU CVE: CVE-2017-6190 Date: 04.07.2016 Author: Patryk Bogdan @patrykbogdan Description: D-Link...
Moodle 2.x/3.x - SQL Injection
Moodle 2.x/3.x - SQL Injection Exploit: Moodle SQL Injection via Object Injection Through User Preferences Date: April 6th, 2017 Exploit Author: Marko Belzetski Contact: [email protected] Vendor Homepage: https://moodle.org/ Version: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.1...
Cesanta Mongoose OS - Use-After-Free
Cesanta Mongoose OS - Use-After-Free COMPASS SECURITY ADVISORY https://www.compass-security.com/en/research/advisories/ Product: Mongoose OS Vendor: Cesanta CVE ID: CVE-2017-7185 CSNC ID: CSNC-2017-003 Subject: Use-after-free / Denial of Service Risk: Medium Effect: Remotely exploitable Authors:...
D-Link DIR-615 - Cross-Site Request Forgery
D-Link DIR-615 - Cross-Site Request Forgery Title: ==== D-Link DIR 615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request Forgery CSRF vulnerability Credit: ====== Name: Pratik S. Shah Reference: ========= CVE Details: CVE-2017-7398. Date: ==== 1-04-2017 Vendor: ====== D-Link wireless router...
Appointment Script - SQL Injection
Appointment Script - SQL Injection Exploit Title: Doctors Appointment Script - SQL Injection Google Dork: N/A Date: 05.04.2017 Vendor Homepage: http://appointment-script.com/ Software: http://appointment-script.com/demo Demo: http://appointment-script.com/demo Version: N/A Tested on: Win7 x64, Ka...
HelpDEZK 1.1.1 - Cross-Site Request Forgery / Code Execution
HelpDEZK 1.1.1 - Cross-Site Request Forgery / Code Execution Exploit Title: Multiple CSRF Remote Code Execution Vulnerability on HelpDEZK 1.1.1 Date: 05-April-2017 Exploit Author: @runggareksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy Vendor Homepage: http://www.helpdezk.org/ Software...
Premium Penny Auction Script - SQL Injection
Premium Penny Auction Script - SQL Injection Exploit Title: Premium Penny Auction Script - SQL Injection Google Dork: N/A Date: 05.04.2017 Vendor Homepage: http://bimedia.info/ Software: http://bimedia.info/premium-penny-auction-script/ Demo: http://pennyauction.clonedemo.com/ Version: N/A Tested...
Faveo Helpdesk Community 1.9.3 - Cross-Site Request Forgery
Faveo Helpdesk Community 1.9.3 - Cross-Site Request Forgery Exploit Title: CSRF / Privilege Escalation Manipulation of Role Agent to Admin on Faveo version Community 1.9.3 Google Dork: no Date: 05-April-2017 Exploit Author: @runggareksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy Vendor...
SpiceWorks 7.5 TFTP - Remote File Overwrite Upload
SpiceWorks 7.5 TFTP - Remote File Overwrite Upload + Credits: John Page AKA HYP3RLINX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SPICEWORKS-IMPROPER-ACCESS-CONTROL-FILE-OVERWRITE.txt + ISR: APPARITIONSEC Vendor: ================== www.spiceworks.com...
Sweepstakes Pro Software - SQL Injection
Sweepstakes Pro Software - SQL Injection Exploit Title: Sweepstakes Pro Software - SQL Injection Google Dork: N/A Date: 05.04.2017 Vendor Homepage: http://bimedia.info/ Software: http://bimedia.info/sweepstakes-pro-software/ Demo: http://mysweepstakespro.com/demo/ Version: N/A Tested on: Win7 x64...
Airbnb Crashpadder Clone Script - SQL Injection
Airbnb Crashpadder Clone Script - SQL Injection Exploit Title: Airbnb Crashpadder Clone Script - SQL Injection Google Dork: N/A Date: 05.04.2017 Vendor Homepage: http://bimedia.info/ Software: http://bimedia.info/airbnb-premium-clone-script/ Demo: http://airbnb.clonedemo.com/ Version: N/A Tested...
ImagePro Lazygirls Clone Script - SQL Injection
ImagePro Lazygirls Clone Script - SQL Injection Exploit Title: ImagePro Lazygirls Clone Script - SQL Injection Google Dork: N/A Date: 05.04.2017 Vendor Homepage: http://bimedia.info/ Software: http://bimedia.info/8-2/ Demo: http://imagepro.clonedemo.com/ Version: N/A Tested on: Win7 x64, Kali Lin...
Apple macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn
Apple macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104 exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn. It supports 4 different types of port...
Apple WebKit 10.0.2(12602.3.12.0.1) - Frame::setDocument (1) Universal Cross-Site Scripting
Apple WebKit 10.0.2 (12602.3.12.0.1) - Frame::setDocument (1) Universal Cross-Site Scripting && newDocument ASSERT(!newDocument || newDocument->frame() == this); if (m_doc && m_doc->pageCacheState() != Document::InPageCache) m_doc->prepareForDestruction(); m_doc = newDocument.copyRef(); ... The function...
Apple macOS/iOS Kernel 10.12.3 (16D32) - bpf Heap Overflow
Apple macOS/iOS Kernel 10.12.3 (16D32) - bpf Heap Overflow /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1125 The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length: case BIOCSBLEN: /* u_int */ if (d->bd_bif != 0) error = EINVAL; else { u_int size; bcopy(addr, &size, sizeof...
Apple WebKit - ComposedTreeIterator::traverseNextInShadowTree Use-After-Free
Apple WebKit - ComposedTreeIterator::traverseNextInShadowTree Use-After-Free function go() { d.open = false; d.innerHTML = "foo"; d.open = true; } foo <!-- ================================================================= ASan log: =================================================================...
Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow
Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1046 https://googleprojectzero.blogspot.ca/2017/04/over-air-exploiting-broadcoms-wi-fi4.html Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and...
Broadcom Wi-Fi SoC - dhd_handle_swc_evt Heap Overflow
Broadcom Wi-Fi SoC - dhd_handle_swc_evt Heap Overflow Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1061 Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capab...
Apple macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability
Apple macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1069 MacOS kernel memory disclosure due to lack of bounds checking in...
Apple macOS Kernel 10.12.3 (16D32) - audit_pipe_open Off-by-One Memory Corruption
Apple macOS Kernel 10.12.3 (16D32) - audit_pipe_open Off-by-One Memory Corruption /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1126 MacOS kernel memory corruption due to off-by-one in audit_pipe_open. audit_pipe_open is the special file open handler for the auditpipe device (major...
Apple WebKit - WebCore::toJS Use-After-Free
Apple WebKit - WebCore::toJS Use-After-Free function freememory() { var a; for(var i=0;i <!-- ================================================================= ASan log: ================================================================= ==25184==ERROR: AddressSanitizer: heap-use-after-free on address...
Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking
Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1108 SIOCSIFORDER is a new ioctl added in iOS 10. It can be called on a regular tcp socket, so from pretty much any...
Apple WebKit - RenderLayer Use-After-Free
Apple WebKit - RenderLayer Use-After-Free function go() { div.style.setProperty("-webkit-flow-into", "foo"); document.execCommand("fontSize", false, 6); window.requestAnimationFrame(cb); h1.attachShadow({mode: "open"}); h1.replaceWith("foo"); } function cb() { var a; //trigger garbage collector for(var i=0;i <!--...
Maian Uploader 4.0 - user SQL Injection
Maian Uploader 4.0 - user SQL Injection Exploit Title: Maian Uploader Script v4.0 - SQL Injection Google Dork: N/A Date: 04.04.2017 Vendor Homepage: http://www.maiansoftware.com/ Software: http://www.maianuploader.com/?dl=yes Demo: http://www.maiansoftware.com/demos/uploader/ Version: 4.0 Tested...
Apple Webkit - JSCallbackData Universal Cross-Site Scripting
Apple Webkit - JSCallbackData Universal Cross-Site Scripting globalObject->vm(), callback) JSC::JSObject* callback() { return m_callback.get(); } JSDOMGlobalObject* globalObject() { return JSC::jsCast<JSDOMGlobalObject*>(m_callback->globalObject()); } JSC::JSValue invokeCallback(JSC::MarkedArgumentBuffer& args, CallbackType callbackType,...
Apple WebKit - FormSubmission::create Use-After-Free
Apple WebKit - FormSubmission::create Use-After-Free function go() { object.name = "foo"; input.autofocus = true; output.appendChild(input); form.submit(); } function eventhandler() { for(var i=0;i a <!-- ================================================================= Preliminary analysis: The bug is in...
Apple macOS Kernel 10.12.2 (16C67) - AppleIntelCapriController::GetLinkConfig Code Execution Due to Lack of Bounds Checking
Apple macOS Kernel 10.12.2 (16C67) - AppleIntelCapriController::GetLinkConfig Code Execution Due to Lack of Bounds Checking /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1071 Selector 0x921 of IntelFBClientControl ends up in AppleIntelCapriController::GetLinkConfig. This method...
Apple macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free
Apple macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116 necp_open is a syscall used to obtain a new necp file descriptor. The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap...
Apple WebKit 10.0.2 (12602.3.12.0.1, r210800) - constructJSReadableStreamDefaultReader Type Confusion
Apple WebKit 10.0.2 (12602.3.12.0.1, r210800) - constructJSReadableStreamDefaultReader Type Confusion exec.argument(0)); if (!stream) return throwArgumentTypeError(exec, scope, 0, "stream", "ReadableStreamReader", nullptr, "ReadableStream"); JSValue jsFunction = stream->get(&exec, Identifier::fromString(&exec...
Maian Survey 1.1 - survey SQL Injection
Maian Survey 1.1 - survey SQL Injection Exploit Title: Maian Survey v1.1 - SQL Injection Google Dork: N/A Date: 04.04.2017 Vendor Homepage: http://www.maiansoftware.com/ Software: http://www.maiansurvey.com/?dl=yes Demo: http://www.maiansoftware.com/demos/survey/ Version: 1.1 Tested on: Win7 x64,...
Apple WebKit 10.0.2 (12602.3.12.0.1) - disconnectSubframes Universal Cross-Site Scripting
Apple WebKit 10.0.2 (12602.3.12.0.1) - disconnectSubframes Universal Cross-Site Scripting frameOwners; if (policy == RootAndDescendants) { if (is<HTMLFrameOwnerElement>(root)) frameOwners.append(downcast<HTMLFrameOwnerElement>(root)); collectFrameOwners(frameOwners, root); } // Must disable frame loading in the subtree so an unload handler cannot // insert mo...
Apple macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device
Apple macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129 fsevents_fioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE_64 on /dev/fsevents. Here's the code for the FSEVENTS_DEVICE_FILTER_64...
Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window
Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window document)) { auto& htmlDocument = downcast<HTMLDocument>(document); auto* atomicPropertyName = propertyName.publicName(); if (atomicPropertyName && htmlDocument.hasWindowNamedItem(*atomicPropertyName)) { JSValue namedItem; if...
Broadcom Wi-Fi SoC - Heap Overflow wlc_tdls_cal_mic_chk Due to Large RSN IE in TDLS Setup Confirm Frame
Broadcom Wi-Fi SoC - Heap Overflow wlc_tdls_cal_mic_chk Due to Large RSN IE in TDLS Setup Confirm Frame Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1047 Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in bot...
Apache Tomcat 6/7/8/9 - Information Disclosure
Apache Tomcat 6/7/8/9 - Information Disclosure Exploit Title: Apache Tomcat CVE-2016-6816 Security Bypass Vulnerability Date: 4th March 2017 Exploit Author: justpentest Vendor Homepage: tomcat.apache.org Version: Apache Tomcat 9.0.0.M1 through 9.0.0.M11, 8.5.0 through 8.5.6, 8.0.0.RC1 through 8.0.38,...
Apple WebKit - table Use-After-Free
Apple WebKit - table Use-After-Free -webkit-border-image: url(foo) 1 5 1 63 repeat; -webkit-flow-into: foo function eventhandler() { var a; document.execCommand("selectAll", false); output.slot = "foo"; table.deleteCaption(); //trigger garbage collector for(var i=0;i foo <!--...
Apple WebKit - Negative-Size memmove in HTMLFormElement
Apple WebKit - Negative-Size memmove in HTMLFormElement function go() { var iframe = document.getElementById("iframe"); var iframeWindow = window[0]; var toInsert = div; var iframeBody = iframeWindow.document.body; iframeBody.before(document.body); iframe.after(toInsert); } aaaaaaaa <!--...
Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free
Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free function eventhandler1() { input.type = "foo"; } function eventhandler2() { input.selectionStart = 25; } <!-- ================================================================= ASAN log from WebKit nightly on Mac:...
Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption
Apple macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption /* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1111 SIOCSIFORDER and SIOCGIFORDER allow userspace programs to build and maintain the ifnet_ordered_head linked list of interfaces...
Maian Greetings 2.1 - cat SQL Injection
Maian Greetings 2.1 - cat SQL Injection Exploit Title: Maian Greetings v2.1 - SQL Injection Google Dork: N/A Date: 04.04.2017 Vendor Homepage: http://www.maiansoftware.com/ Software: http://www.maiangreetings.com/?dl=yes Demo: http://www.maiansoftware.com/demos/greetings/ Version: 2.1 Tested on:...
Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection (Metasploit)
Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection (Metasploit) Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS Date: April 3, 2017 Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd Contact: chrisdhebertatgmail.com Vendor Security Advisory:...
Moxa AWK-3131A 1.4 1.7 - Username OS Command Injection
Moxa AWK-3131A 1.4 1.7 - Username OS Command Injection #!/usr/bin/env python2 import telnetlib import re import random import string # Split string into chunks, of which each is /var/a' - 1 completed = temp = re.split('\n', script) for content in temp: if len(content) != 0: for s in re.split(' ', content)...
Bluecoat ASG 6.6/CAS 1.3 - Local Privilege Escalation (Metasploit)
Bluecoat ASG 6.6/CAS 1.3 - Local Privilege Escalation (Metasploit) Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS Date: April 3, 2017 Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd Contact: chrisdhebertatgmail.com Vendor Security Advisory:...
GeoMoose 2.9.2 - Directory Traversal
GeoMoose 2.9.2 - Directory Traversal Exploit Title: GeoMoose <= 2.9.2 Local File Disclosure Exploit Author: Sander 'dsc' Ferdinand Date: 2017-03-4 Version: <= 2.9.2 Blog: https://ced.pwned.systems/advisories-geomoose-local-file-disclosure-2-9-2.html Vendor Homepage: geomoose.org Reported: 4-3-2017...
BackBox OS - Denial of Service
BackBox OS - Denial of Service //Exploited By Hosein Askari #include #include #include #include #include #ifdef FPASS #include #endif #include #include #include #include #ifndef __USE_BSD #define __USE_BSD #endif #ifndef __FAVOR_BSD #define __FAVOR_BSD #endif #include #include #include #include #include #include #ifdef LINUX #define...