56796 matches found
Easy!Appointments v1.2.1 Multiple Stored XSS Vulnerabilities
Summary Easy!Appointments is a highly customizable web application that allows your customers to book appointments with you via the web. Moreover, it provides the ability to sync your data with Google Calendar so you can use them with other services. It is an open source project and you can...
Dell SonicWALL Global Management System GMS 8.1 Blind SQL Injection
Summary Provide your organization, distributed enterprise or managed service offering with an intuitive, powerful way to rapidly deploy and centrally manage SonicWall solutions, with SonicWall GMS. Get more value from your firewall, secure remote access, anti-spam, and backup and recovery solutio...
InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability
Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...
Dell SonicWALL Global Management System GMS 8.1 XSS Vulnerabilities
Summary Provide your organization, distributed enterprise or managed service offering with an intuitive, powerful way to rapidly deploy and centrally manage SonicWall solutions, with SonicWall GMS. Get more value from your firewall, secure remote access, anti-spam, and backup and recovery solutio...
Telesquare SKT LTE Router SDT-CS3B1 WebDAV HTTP Methods Arbitrary File Events
Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. Description WebDAV is enabled with directory listing and dangerous HTTP methods allowed: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK and UNLOCK. The HTTP PUT metho...
Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution
Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. Description The router suffers from authenticated arbitrary system command execution. The application interface allows users to perform certain actions via HTTP requests without...
Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference Info Leak
Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. Description Insecure direct object references occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attacke...
ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability
Summary ZKAccess Systems are built on flexible, open technology to provide management, real-time monitoring, and control of your access control system-all from a browser, with no additional software to install. Our secure Web-hosted infrastructure and centralized online administration reduce your...
NS International Train Tickets v7.31.4 Reflected XSS Vulnerability
Summary NS International Train Tickets is a web application that is used by NS International Dutch railways to manage search, book, plan, buy train tickets for international travels from the Netherlands. Description NS International Train Tickets confirmation page 'bookingConfirm' is vulnerable t...
InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution
Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...
InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability
Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...
Dell SonicWALL Global Management System (GMS) 8.1 Adobe Flex SOP Bypass
Summary Provide your organization, distributed enterprise or managed service offering with an intuitive, powerful way to rapidly deploy and centrally manage SonicWall solutions, with SonicWall GMS. Get more value from your firewall, secure remote access, anti-spam, and backup and recovery solutio...
ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote SYSTEM Code Execution
Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...
ZKTeco ZKBioSecurity 3.0 User Enumeration Weakness
Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...
Dell SonicWALL Network Security Appliance NSA 6600 Reflected XSS
Summary Uncompromising security and performance for emerging large organizations. The NSA 6600 network security appliance delivers best-in-class protection, speed and scalability with 12 Gbps throughput and up to 6000 VPN clients. Description SonicWALL NSA suffers from a XSS issue due to a failur...
Eir’s D1000 Modem Is Wide Open To Being Hacked.
Background The Eir D1000 Modem has bugs that allow an attacker to gain full control of the modem from the Internet. The modem could then be used to hack into internal computers on the network, as a proxy host to hack other computers or even as a bot in a botnet. A port scan of the the modem...
phpcms9.6.3后台存储型xss
...
Trustwave SWG Unauthorized Access
Vulnerability Summary The following advisory describes an unauthorized access vulnerability that allows an unauthenticated user to add their own SSH key to a remote Trustwave SWG version 11.8.0.27. Trustwave Secure Web Gateway SWG “provides distributed enterprises effective real-time protection...
COMTREND ADSL Router CT-5367 - Remote Code Execution
Description Any user can edit all users password and execute remote code directly without have access Proof of Concept request this page before login to ADSL panel : 192.168.1.1/password.cgi/password.cgi Username: root support user Old Password: New Password: Confirm Password: !/usr/bin/env pytho...
Kingsoft Antivirus/Internet Security 9+ Privilege Escalation
Vulnerability Summary The following advisory describes a kernel stack buffer overflow that leads to privilege escalation found in Kingsoft Antivirus/Internet Security 9+. Kingsoft Antivirus “provides effective and efficient protection solution at no cost to users. It applies cloud security...
Asus_GlobalWirteOverflow
Vulnerability: Global buffer overflow in networkmap ------------------------------------------ Exploitation: Can write data at any address in heap ------------------------------------------ Vendor of Product: Asus wireless router ------------------------------------------ Affected Products and...
Tplink Interface Authenticated RCE
Tested product: TL-WVR450L Hardware version:V1.0 Firmware version: 20161125 The RSAEncryptionForTplink.js is use for Rsa Encryption to the password when login the web manager. You can download the RSAEncryptionForTplink.js by...
Tplink Diagnostic Authenticated RCE
Vulnerability: Command Injection in diagnostic.lua ------------------------------------------ Exploitation: Can remote command execution on the root shell. ------------------------------------------ Vendor of Product: Tp-Link router ------------------------------------------ Affected Products and...
Tplink Bridge Authenticated RCE
Vulnerability: Command Injection in bridge.lua ------------------------------------------ Exploitation: Can remote command execution on the root shell. ------------------------------------------ Vendor of Product: Tp-Link router ------------------------------------------ Affected Products and...
Pre-auth Remote Code Execution exploit for QNAP QTS
!/usr/bin/env python -- coding: iso-8859-15 -- Pre-auth Remote Code Execution exploit for QNAP QTS 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 Beta 2 build 2017111 Just a quick dirty RCE PoC to make your QNAP sing "XMAS" in morse. Author: Andrea Palazzo @cogitoergor00t E-mail:...
Tplink LocalePath Disclosure
Vulnerability: Path Disclosure in locale.lua ------------------------------------------ Exploitation: Can be used to verify whether a path exists on the file system. ------------------------------------------ Vendor of Product: Tp-Link router ------------------------------------------ Affected...
Asus_serviceTypeCopyOverflow
Tested product and firmware version: RT-N12HPB1 3.0.0.4.380.3479 coding=utf-8 ROUTERIP = '192.168.2.1' asus wireless router ip IP = '192.168.2.31' attacker ip INTERACE = 'eth0' attacker host network interface import time import socket import sys import os import threading import socketserver sc =...
Asus_DeleteOfflineClientOverflow
Vulnerability: Stack buffer overflow in httpd ------------------------------------------ Exploitation: Can control the $pc. Use together with a session hijack vulnerability or in a csrf attack, can remote code execution and then get a connectback shell. ------------------------------------------...
Remote Stack Format String in 'nsd' binary from multiple OEM
Subject: Remote Stack Format String in 'nsd' binary from multiple OEM Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis December 2017 PoC: https://github.com/mcw0/PoC Release date: December 14, 2017 Full Disclosure: 0-Day PoC 1 $ curl...
Vitek RCE and Information Disclosure
Subject: Vitek RCE and Information Disclosure and possible other OEM Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis December 2017 PoC: https://github.com/mcw0/PoC Release date: December 22, 2017 Full Disclosure: 0-day heap: Executable + Non-ASLR stack:...
Huawei HG532 Router Remote Code Execution(CVE-2017-17215)
A Zero-Day vulnerability CVE-2017-17215 in the Huawei home router HG532 has been discovered by Check Point Researchers, and hundreds of thousands of attempts to exploit it have already been found in the wild. The delivered payload has been identified as OKIRU/SATORI, an updated variant of Mirai...
Oracle WebLogic wls-wsat RCE(CVE-2017-10271)
漏洞描述 黑客利用WebLogic 反序列化漏洞(CVE-2017-3248)和WebLogic WLS 组件漏洞(CVE-2017-10271)对企业服务器发起大范围远程攻击,有大量企业的服务器被攻陷,且被攻击企业数量呈现明显上升趋势,需要引起高度重视。其中,CVE-2017-10271是一个最新的利用Oracle WebLogic中WLS 组件的远程代码执行漏洞,属于没有公开细节的野外利用漏洞,大量企业尚未及时安装补丁。官方在 2017 年 10 月份发布了该漏洞的补丁。 该漏洞的利用方法较为简单,攻击者只需要发送精心构造的 HTTP...
Ichano AtHome IP Cameras Multiple Vulnerabilities
Vulnerabilities Summary The following advisory describes three 3 vulnerabilities found in Ichano IP Cameras. AtHome Camera is “a remote video surveillance app which turns your personal computer, smart TV/set-top box, smart phone, and tablet into a professional video monitoring system in a minute....
Windows: use-after-free in jscript!NameTbl::GetValDef(CVE-2017-11903)
There is a use-after-free vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors: - An attacker on the local network could exploit this issue by posing as a WPAD Web Proxy Auto-Discovery host and sending a malicious wpad.dat file to the victim. This works...
Windows: Uninitialized variable in jscript!JsArraySlice(CVE-2017-11855)
There is an uninitialized variable vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors: - By opening a malicious web page in Internet Explorer. - currently untested An attacker on the local network could exploit this issue by posing as a WPAD Web Proxy...
Outlook for Android: Directory Traversal in Attachment Download
There is a directory traversal issue in attachment downloads in Outlook for Android. There is no path sanitization on the attachment filename in the app. If the email account is a Hotmail account, this will be sanitized by the server, but for other accounts it will not be. This allows a file to b...
Windows: Heap overflow in jscript!RegExpComp::Compile through IE or local network via WPAD(CVE-2017-11890)
There is a heap overflow in jscript.dll when compiling a regex. This issue could potentially be exploited through multiple vectors: - An attacker on the local network could exploit this issue by posing as a WPAD Web Proxy Auto-Discovery host and sending a malicious wpad.dat file to the victim. Th...
Windows: heap overflow in jscript.dll in Array.sort(CVE-2017-11907)
There is an heap overflow vulnerability in jscript.dll library used in IE, WPAD and other places. The bug affects 2 functions, JsArrayStringHeapSort and JsArrayFunctionHeapSort. PoC for IE note: page heap might be required to obsorve the crash: var vars = new Array100; var arr = new Array1000;...
VMware VNC Dynamic Resolution Request Code Execution Vulnerability(CVE-2017-4933)
Summary An exploitable code execution vulnerability exists in the remote management functionality of VMware . A specially crafted set of VNC packets can cause a heap overflow resulting in heap corruption. An attacker can create a VNC session to trigger this vulnerability. Tested Versions Vase,...
VMware VNC Pointer Decode Code Execution Vulnerability(CVE-2017-4941)
Summary An exploitable code execution vulnerability exists in the remote management functionality of VMware . A specially crafted set of VNC packets can cause a type confusion resulting in stack overwrite, which could lead to code execution. An attacker can initiate a VNC session to trigger this...
Windows: out-of-bounds read in jscript!RegExpFncObj::LastParen(CVE-2017-11906)
There is an out-of-bounds read in jscript.dll library used in IE, WPAD and other places: PoC for IE note: page heap might be required to obsorve the crash: function go var r= new RegExpArray100.join''; ''.searchr; alertRegExp.lastParen; go; Debug log: cec.a14: Access violation - code c0000005 fir...
Python 'Lib/webbrowser.py' Remote Command Execution Vulnerability(CVE-2017-17522)
Description Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Vulnerable: Python Software Foundation Python 3.6...
bluecms guest_book注入
...
GOAHEAD 命令执行漏洞(CVE-2017-17562)
INTRODUCTION This blog post details CVE-2017-17562, a vulnerability which can be exploited to gain reliable remote code execution in all versions of the GoAhead web server 3.6.5. The vulnerability is a result of Initialising the environment of forked CGI scripts using untrusted HTTP request...
bluecms 任意文件删除漏洞导致重装getshell & XSS漏洞
...
Command injection vulnerability in Net::FTP(CVE-2017-17405)
There is a command injection vulnerability in Net::FTP bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-17405. Details Net::FTPget, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernelopen to open a local file. If the localfile argument...
iOS/MacOS kernel double free due to IOSurfaceRootUserClient not respecting MIG ownership rules(CVE-2017-13861)
I have previously detailed the lifetime management paradigms in MIG in the writeups for: CVE-2016-7612 https://bugs.chromium.org/p/project-zero/issues/detail?id=926 and CVE-2016-7633 https://bugs.chromium.org/p/project-zero/issues/detail?id=954 If a MIG method returns KERNSUCCESS it means that th...
MacOS kernel code execution due to lack of bounds checking in AppleIntelCapriController::GetLinkConfig(CVE-2017-13875)
AppleIntelCapriController::GetLinkConfig trusts a user-supplied value in the structure input which it uses to index a small table of pointers without bounds checking. The OOB-read pointer is passed to AppleIntelFramebuffer::validateDisplayMode which will read a pointer to a C++ object from that...
QNAP QTS Unauthenticated Remote Code Execution(CVE-2017-17033)
Vulnerability Summary The following advisory describes a memory corruption vulnerability that can lead to an unauthenticated remote code execution in QNAP QTS versions 4.3.x and 4.2.x, including the 4.3.3.0299. QNAP Systems, Inc. “specializes in providing networked solutions for file sharing,...
MacOS getrusage stack leak through struct padding(CVE-2017-13869)
For 64-bit processes, the getrusage syscall handler converts a struct rusage to a struct user64rusage using mungeuser64rusage, then copies the struct user64rusage to userspace: int getrusagestruct proc p, struct getrusageargs uap, unused int32t retval struct rusage rup, rubuf; struct user64rusage...