Lucene search

56796 matches found

seebug.org
added 2017/12/29 12:00 a.m.
46 views

Dell SonicWALL Global Management System (GMS) 8.1 Adobe Flex SOP Bypass

Summary Provide your organization, distributed enterprise or managed service offering with an intuitive, powerful way to rapidly deploy and centrally manage SonicWall solutions, with SonicWall GMS. Get more value from your firewall, secure remote access, anti-spam, and backup and recovery solutio...

AI score: 6.8
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
57 views

Xerox DC260 EFI Fiery Controller Webtools 2.0 Arbitrary File Disclosure

Summary Drive production profitability with Fiery servers and workflow products. See which Fiery digital front end is right for your current or future print engines and business needs. Manage all your printers from a single screen using this intuitive print job management interface. Description...

AI score: 7.1
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
37 views

NS International Train Tickets v7.31.4 Reflected XSS Vulnerability

Summary NS International Train Tickets is a web application that is used by NS International Dutch railways to manage search, book, plan, buy train tickets for international travels from the Netherlands. Description NS International Train Tickets confirmation page 'bookingConfirm' is vulnerable t...

AI score: 7.4
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
68 views

ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability

Summary ZKAccess Systems are built on flexible, open technology to provide management, real-time monitoring, and control of your access control system-all from a browser, with no additional software to install. Our secure Web-hosted infrastructure and centralized online administration reduce your...

AI score: 7.5
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
53 views

Telesquare SKT LTE Router SDT-CS3B1 WebDAV HTTP Methods Arbitrary File Events

Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. Description WebDAV is enabled with directory listing and dangerous HTTP methods allowed: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK and UNLOCK. The HTTP PUT metho...

AI score: 6.9
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
53 views

Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service

Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. Description The router suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario. /lte/lteuicc.shtml: 858:...

AI score: 7.2
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
51 views

InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access

Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...

AI score: 7.1
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
23 views

Easy!Appointments v1.2.1 Multiple Stored XSS Vulnerabilities

Summary Easy!Appointments is a highly customizable web application that allows your customers to book appointments with you via the web. Moreover, it provides the ability to sync your data with Google Calendar so you can use them with other services. It is an open source project and you can...

AI score: 6.8
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
38 views

ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote SYSTEM Code Execution

Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...

AI score: 7.6
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
34 views

ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass

Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...

AI score: 6.5
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
55 views

ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions

Summary ZKTime.Net V3.0 is a new generation time attendance management software. Meanwhile, it integrates with time attendance and access control system. Some frequently used functions such as attendance reports, device management and employee management can be managed directly on the home page...

AI score: 7
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
56 views

Dell SonicWALL Secure Mobile Access SMA 8.1 XSS And WAF CSRF

Summary Keep up with the demands of today’s remote workforce. Enable secure mobile access to critical apps and data without compromising security. Choose from a variety of scalable secure mobile access SMA appliances and intuitive Mobile Connect apps to fit every size business and budget...

AI score: 7.1
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
53 views

Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution

Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. Description The router suffers from authenticated arbitrary system command execution. The application interface allows users to perform certain actions via HTTP requests without...

AI score: 7.3
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
26 views

ZKTeco ZKBioSecurity 3.0 Multiple XSS Vulnerabilities

Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...

AI score: 7
Exploits: 0

seebug.org
added 2017/12/29 12:00 a.m.
35 views

Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference Info Leak

Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. Description Insecure direct object references occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attacke...

AI score: 7
Exploits: 0

seebug.org
added 2017/12/28 12:00 a.m.
119 views

Eir’s D1000 Modem Is Wide Open To Being Hacked.

Background The Eir D1000 Modem has bugs that allow an attacker to gain full control of the modem from the Internet. The modem could then be used to hack into internal computers on the network, as a proxy host to hack other computers or even as a bot in a botnet. A port scan of the modem...

CVSS: 10
EPSS: 0.63498
Exploits: 12

seebug.org
added 2017/12/28 12:00 a.m.
22 views

phpcms 9.6.3 Backend Stored XSS

...

AI score: 0.8
Exploits: 0

seebug.org
added 2017/12/27 12:00 a.m.
48 views

Trustwave SWG Unauthorized Access

Vulnerability Summary The following advisory describes an unauthorized access vulnerability that allows an unauthenticated user to add their own SSH key to a remote Trustwave SWG version 11.8.0.27. Trustwave Secure Web Gateway SWG “provides distributed enterprises effective real-time protection...

AI score: 7.3
Exploits: 0

seebug.org
added 2017/12/27 12:00 a.m.
37 views

COMTREND ADSL Router CT-5367 - Remote Code Execution

Description Any user can edit all users' passwords and execute remote code directly without having access. Proof of Concept: request this page before logging in to the ADSL panel: 192.168.1.1/password.cgi/password.cgi Username: root support user Old Password: New Password: Confirm Password: !/usr/bin/env pytho...

AI score: 7.9
Exploits: 0

seebug.org
added 2017/12/27 12:00 a.m.
43 views

Kingsoft Antivirus/Internet Security 9+ Privilege Escalation

Vulnerability Summary The following advisory describes a kernel stack buffer overflow that leads to privilege escalation found in Kingsoft Antivirus/Internet Security 9+. Kingsoft Antivirus “provides effective and efficient protection solution at no cost to users. It applies cloud security...

AI score: 8.1
Exploits: 0

seebug.org
added 2017/12/26 12:00 a.m.
56 views

Asus_GlobalWirteOverflow

Vulnerability: Global buffer overflow in networkmap ------------------------------------------ Exploitation: Can write data at any address in heap ------------------------------------------ Vendor of Product: Asus wireless router ------------------------------------------ Affected Products and...

AI score: 7.4
Exploits: 0

seebug.org
added 2017/12/26 12:00 a.m.
67 views

Tplink Bridge Authenticated RCE

Vulnerability: Command Injection in bridge.lua ------------------------------------------ Exploitation: Can remote command execution on the root shell. ------------------------------------------ Vendor of Product: Tp-Link router ------------------------------------------ Affected Products and...

AI score: 8.2
Exploits: 0

seebug.org
added 2017/12/26 12:00 a.m.
236 views

Tplink Diagnostic Authenticated RCE

Vulnerability: Command Injection in diagnostic.lua ------------------------------------------ Exploitation: Can remote command execution on the root shell. ------------------------------------------ Vendor of Product: Tp-Link router ------------------------------------------ Affected Products and...

AI score: 8.2
Exploits: 0

seebug.org
added 2017/12/26 12:00 a.m.
21 views

Asus_serviceTypeCopyOverflow

Tested product and firmware version: RT-N12HPB1 3.0.0.4.380.3479 coding=utf-8 ROUTERIP = '192.168.2.1' asus wireless router ip IP = '192.168.2.31' attacker ip INTERACE = 'eth0' attacker host network interface import time import socket import sys import os import threading import socketserver sc =...

AI score: 7.1
Exploits: 0

seebug.org
added 2017/12/26 12:00 a.m.
177 views

Tplink LocalePath Disclosure

Vulnerability: Path Disclosure in locale.lua ------------------------------------------ Exploitation: Can be used to verify whether a path exists on the file system. ------------------------------------------ Vendor of Product: Tp-Link router ------------------------------------------ Affected...

AI score: 7
Exploits: 0

seebug.org
added 2017/12/26 12:00 a.m.
45 views

Tplink Interface Authenticated RCE

Tested product: TL-WVR450L Hardware version: V1.0 Firmware version: 20161125 RSAEncryptionForTplink.js is used for RSA encryption of the password when logging in to the web manager. You can download the RSAEncryptionForTplink.js by...

AI score: 7.3
Exploits: 0

seebug.org
added 2017/12/26 12:00 a.m.
99 views

Asus_DeleteOfflineClientOverflow

Vulnerability: Stack buffer overflow in httpd ------------------------------------------ Exploitation: Can control the $pc. Use together with a session hijack vulnerability or in a csrf attack, can remote code execution and then get a connectback shell. ------------------------------------------...

CVSS: 9.3
AI score: 0.1
EPSS: 0.07552
Exploits: 6

seebug.org
added 2017/12/26 12:00 a.m.
925 views

Pre-auth Remote Code Execution exploit for QNAP QTS

!/usr/bin/env python -- coding: iso-8859-15 -- Pre-auth Remote Code Execution exploit for QNAP QTS 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 Beta 2 build 2017111 Just a quick dirty RCE PoC to make your QNAP sing "XMAS" in morse. Author: Andrea Palazzo @cogitoergor00t E-mail:...

CVSS: 7.5
EPSS: 0.04439
Exploits: 2

seebug.org
added 2017/12/25 12:00 a.m.
48 views

Vitek RCE and Information Disclosure

Subject: Vitek RCE and Information Disclosure and possible other OEM Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis December 2017 PoC: https://github.com/mcw0/PoC Release date: December 22, 2017 Full Disclosure: 0-day heap: Executable + Non-ASLR stack:...

AI score: 7.5
Exploits: 0

seebug.org
added 2017/12/25 12:00 a.m.
51 views

Remote Stack Format String in 'nsd' binary from multiple OEM

Subject: Remote Stack Format String in 'nsd' binary from multiple OEM Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis December 2017 PoC: https://github.com/mcw0/PoC Release date: December 14, 2017 Full Disclosure: 0-Day PoC 1 $ curl...

AI score: 7.2
Exploits: 0

seebug.org
added 2017/12/24 12:00 a.m.
1447 views

Huawei HG532 Router Remote Code Execution(CVE-2017-17215)

A Zero-Day vulnerability CVE-2017-17215 in the Huawei home router HG532 has been discovered by Check Point Researchers, and hundreds of thousands of attempts to exploit it have already been found in the wild. The delivered payload has been identified as OKIRU/SATORI, an updated variant of Mirai...

EPSS: 0.7861
Exploits: 2

seebug.org
added 2017/12/22 12:00 a.m.
923 views

Oracle WebLogic wls-wsat RCE(CVE-2017-10271)

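Vulnerability description: Attackers are using the WebLogic deserialization vulnerability (CVE-2017-3248) and the WebLogic WLS component vulnerability (CVE-2017-10271) to launch large-scale remote attacks against enterprise servers. A large number of enterprise servers have been compromised, and the number of affected enterprises is rising markedly, which calls for serious attention. Of these, CVE-2017-10271 is a recent remote code execution vulnerability in the WLS component of Oracle WebLogic; it is being exploited in the wild without published details, and many enterprises have not yet installed the patch. The vendor released a patch for the vulnerability in October 2017. The vulnerability is fairly simple to exploit: an attacker only needs to send a carefully crafted HTTP...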

CVSS: 7.5
AI score: 8.5
EPSS: 0.99934
Exploits: 55

seebug.org
added 2017/12/20 12:00 a.m.
51 views

Windows: Heap overflow in jscript!RegExpComp::Compile through IE or local network via WPAD(CVE-2017-11890)

There is a heap overflow in jscript.dll when compiling a regex. This issue could potentially be exploited through multiple vectors: - An attacker on the local network could exploit this issue by posing as a WPAD Web Proxy Auto-Discovery host and sending a malicious wpad.dat file to the victim. Th...

AI score: 7.9
EPSS: 0.49398
Exploits: 4

seebug.org
added 2017/12/20 12:00 a.m.
67 views

VMware VNC Pointer Decode Code Execution Vulnerability(CVE-2017-4941)

Summary An exploitable code execution vulnerability exists in the remote management functionality of VMware . A specially crafted set of VNC packets can cause a type confusion resulting in stack overwrite, which could lead to code execution. An attacker can initiate a VNC session to trigger this...

AI score: 9.2
EPSS: 0.03157
Exploits: 1

seebug.org
added 2017/12/20 12:00 a.m.
44 views

Windows: out-of-bounds read in jscript!RegExpFncObj::LastParen(CVE-2017-11906)

There is an out-of-bounds read in jscript.dll library used in IE, WPAD and other places: PoC for IE note: page heap might be required to observe the crash: function go var r= new RegExpArray100.join''; ''.searchr; alertRegExp.lastParen; go; Debug log: cec.a14: Access violation - code c0000005 fir...

AI score: 6.9
EPSS: 0.25116
Exploits: 4

seebug.org
added 2017/12/20 12:00 a.m.
49 views

Outlook for Android: Directory Traversal in Attachment Download

There is a directory traversal issue in attachment downloads in Outlook for Android. There is no path sanitization on the attachment filename in the app. If the email account is a Hotmail account, this will be sanitized by the server, but for other accounts it will not be. This allows a file to b...

AI score: 6.7
Exploits: 0

seebug.org
added 2017/12/20 12:00 a.m.
75 views

Ichano AtHome IP Cameras Multiple Vulnerabilities

Vulnerabilities Summary The following advisory describes three (3) vulnerabilities found in Ichano IP Cameras. AtHome Camera is “a remote video surveillance app which turns your personal computer, smart TV/set-top box, smart phone, and tablet into a professional video monitoring system in a minute....

AI score: 8.2
Exploits: 0

seebug.org
added 2017/12/20 12:00 a.m.
52 views

Windows: use-after-free in jscript!NameTbl::GetValDef(CVE-2017-11903)

There is a use-after-free vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors: - An attacker on the local network could exploit this issue by posing as a WPAD Web Proxy Auto-Discovery host and sending a malicious wpad.dat file to the victim. This works...

CVSS: 7.6
AI score: 7.8
EPSS: 0.46179
Exploits: 4

seebug.org
added 2017/12/20 12:00 a.m.
56 views

Windows: Uninitialized variable in jscript!JsArraySlice(CVE-2017-11855)

There is an uninitialized variable vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors: - By opening a malicious web page in Internet Explorer. - currently untested An attacker on the local network could exploit this issue by posing as a WPAD Web Proxy...

CVSS: 7.6
AI score: 7.3
EPSS: 0.47913
Exploits: 4

seebug.org
added 2017/12/20 12:00 a.m.
71 views

Windows: heap overflow in jscript.dll in Array.sort(CVE-2017-11907)

There is a heap overflow vulnerability in jscript.dll library used in IE, WPAD and other places. The bug affects 2 functions, JsArrayStringHeapSort and JsArrayFunctionHeapSort. PoC for IE note: page heap might be required to observe the crash: var vars = new Array100; var arr = new Array1000;...

CVSS: 7.6
AI score: 8.2
EPSS: 0.64164
Exploits: 4

seebug.org
added 2017/12/20 12:00 a.m.
53 views

VMware VNC Dynamic Resolution Request Code Execution Vulnerability(CVE-2017-4933)

Summary An exploitable code execution vulnerability exists in the remote management functionality of VMware . A specially crafted set of VNC packets can cause a heap overflow resulting in heap corruption. An attacker can create a VNC session to trigger this vulnerability. Tested Versions Vase,...

AI score: 9.2
EPSS: 0.03571
Exploits: 1

seebug.org
added 2017/12/19 12:00 a.m.
79 views

Python 'Lib/webbrowser.py' Remote Command Execution Vulnerability(CVE-2017-17522)

Description Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Vulnerable: Python Software Foundation Python 3.6...

AI score: 8.4
EPSS: 0.03595
Exploits: 1

seebug.org
added 2017/12/18 12:00 a.m.
103 views

GOAHEAD Command Execution Vulnerability (CVE-2017-17562)

INTRODUCTION This blog post details CVE-2017-17562, a vulnerability which can be exploited to gain reliable remote code execution in all versions of the GoAhead web server 3.6.5. The vulnerability is a result of Initialising the environment of forked CGI scripts using untrusted HTTP request...

AI score: 8.4
EPSS: 0.96327
Exploits: 15

seebug.org
added 2017/12/18 12:00 a.m.
25 views

bluecms guest_book Injection

...

AI score: 1.2
Exploits: 0

seebug.org
added 2017/12/18 12:00 a.m.
44 views

bluecms Arbitrary File Deletion Vulnerability Leading to Reinstall getshell & XSS Vulnerability

...

AI score: 1.5
Exploits: 0

seebug.org
added 2017/12/18 12:00 a.m.
149 views

Command injection vulnerability in Net::FTP(CVE-2017-17405)

There is a command injection vulnerability in Net::FTP bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-17405. Details Net::FTPget, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernelopen to open a local file. If the localfile argument...

AI score: 9.4
EPSS: 0.73927
Exploits: 5

seebug.org
added 2017/12/15 12:00 a.m.
91 views

MacOS so_pcb type confusion in necp_get_socket_attributes(CVE-2017-13855)

When getsockopt edited; original report said "setsockopt" is called on any socket with level SOLSOCKET and optname SONECPATTRIBUTES, necpgetsocketattributes is invoked. necpgetsocketattributes unconditionally calls sotoinpcbso: errnot necpgetsocketattributesstruct socket so, struct sockopt sopt i...

AI score: 6.6
EPSS: 0.04778
Exploits: 3

seebug.org
added 2017/12/15 12:00 a.m.
49 views

MacOS kernel code execution due to lack of bounds checking in AppleIntelCapriController::GetLinkConfig(CVE-2017-13875)

AppleIntelCapriController::GetLinkConfig trusts a user-supplied value in the structure input which it uses to index a small table of pointers without bounds checking. The OOB-read pointer is passed to AppleIntelFramebuffer::validateDisplayMode which will read a pointer to a C++ object from that...

AI score: 7.7
EPSS: 0.04426
Exploits: 2

seebug.org
added 2017/12/15 12:00 a.m.
56 views

MacOS/iOS kernel double free due to incorrect API usage in flow divert socket option handling(CVE-2017-13867)

SOFLOWDIVERTTOKEN is a socket option on the SOLSOCKETlayer. It's implemented by flowdiverttokensetstruct socket so, struct sockopt sopt in flowdivert.c. The relevant code is: error = sooptgetmsopt, &token; if error goto done; error = sooptmcopyinsopt, token; if error goto done; ... done: if token...

AI score: 8
EPSS: 0.05109
Exploits: 2

seebug.org
added 2017/12/15 12:00 a.m.
142 views

MacOS/iOS multiple kernel UAFs due to incorrect IOKit object lifetime management in IOTimeSyncClockManagerUserClient(CVE-2017-13847)

IOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService. IOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor. IOUserClient::clientClose is not a destructor and plays no role in the...

AI score: 7.9
EPSS: 0.05028
Exploits: 2

Total number of security vulnerabilities: 56796