Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities
Allworx Server Manager Multiple Cross-Site Scripting Vulnerabilities history.pushState'', '', '/' ::: default.asp ::: confirm0' / confirm1' / confirm2' / ::: action.asp ::: confirm3' / ::: query.asp ::: input type="hidden" name="query" value="RepQuerya xmlns:a='http://www.w3.org/1999/x...
Coredy CX-E120 Repeater Multiple Vulnerabilities
Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in Coredy CX-E120 Repeater. The Coredy CX-E120 WiFi Range Extender is “a network device with multifunction, which can be using for increasing the distance of a WiFi network by boosting the existing WiFi signal an...
Claymore's Dual Ethereum Miner unauth stack buffer overflow(CVE-2017-16929)
VuNote =================== Author: Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-16929 Version: 0.2 Date: Nov 30th, 2017 Tag: claymore dual ethereum decred crypto currency miner Overview -------- Name: Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner Vendor: nanopool/claymore...
Mailsploit vulnerability exists in email address resolution
TL;DR: Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA), aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters. Bu...
Claymore's Dual Ethereum Miner unauth stack buffer overflow(CVE-2017-16930)
VuNote =================== Author: Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-16930 Version: 0.2 Date: Nov 30th, 2017 Tag: claymore dual ethereum decred crypto currency miner Overview -------- Name: Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner Vendor: nanopool/claymore...
Polycom HDX Series RCE
When doing external assessments you spend a decent amount of time footprinting your target and finding possible avenues of attack. Given a large corporate, you are pretty likely to hit video conferencing end-points. This post details a vulnerability in one of these video conferencing systems, the...
semcms view.php SQL injection
...
ucms 1.4.3 SQL injection
...
niushop arbitrary file deletion vulnerability
...
taocms v2.5Beta3 SQL injection
...
Microsoft Edge: Chakra: JIT: Incorrect function declaration scope(CVE-2017-11870)
In the following JavaScript code, both of the print calls must print out "undefined" because "x" is a formal parameter. But the second print call prints out "function x ". This bug may lead to type confusion in JITed code. function fx printx; function x printx; The following code in...
Microsoft Edge: Chakra: JIT: Inline::InlineCallApplyTarget_Shared doesn't return the return instruction(CVE-2017-11841)
Here's a snippet of Inline::Optimize. FOREACHINSTREDITINGinstr, instrNext, func-mheadInstr switch instr-mopcode case Js::OpCode::Label: ... if instr-AsLabelInstr-misForInExit Assertthis-currentForInDepth != 0; // The PoC hits this this-currentForInDepth--; break; case...
Microsoft Edge: Chakra: JIT: GlobOpt::OptTagChecks must consider IsLoopPrePass properly(CVE-2017-11840)
There's one more place that emits a BailOnNotObject opcode. Here's a snippet of GlobOpt::OptTagChecks. if valueType.CanBeTaggedValue && !valueType.HasBeenNumber && this-IsLoopPrePass || !this-currentBlock-loop ValueType newValueType = valueType.SetCanBeTaggedValuefalse; // Split out the tag check...
Microsoft Edge: Chakra: JIT: BailOutOnTaggedValue bailouts can be generated for constant values(CVE-2017-11839)
In the Chakra's JIT compilation process, it stores variables' type information by basic block. function optb let o; if b // BASIC BLOCK a o = ; else // BASIC BLOCK b o = 1.1; // BASIC BLOCK c return o; For example, let's think the above code gets optimized. At the basic block a, the type of "o"...
7zip CVE-2016-2334 HFS+ Code Execution Vulnerability
INTRODUCTION In 2016 Talos released an advisory for CVE-2016-2334, which was a remote code execution vulnerability affecting certain versions of 7zip, a popular compression utility. In this blog post we will walk through the process of weaponizing this vulnerability and creating a fully working...
TPshop front-end unrestricted Getshell #2
0x01 Description The TPshop open-source mall system (short for Thinkphp shop) is a multi-vendor mall system developed by Shenzhen Soubao Network Co., Ltd., suited to enterprises and individuals who want to build a personalized online mall quickly. It comprises a PC site, an iOS client, an Android client and a WeChat mall; the PC site and back-end are cross-platform open-source software built on the ThinkPHP5 MVC framework, flexibly designed, with a modular architecture and rich functionality, and easy to integrate seamlessly with third-party application systems. The design is quite comprehensive, and the modular architecture makes combining applications very flexible. Download address: http://www.tp-shop.cn/Index/Index/download.html Approximate directory structure ├─index.p...
TPshop front-end SQL injection #3
0x01 Description The TPshop open-source mall system (short for Thinkphp shop) is a multi-vendor mall system developed by Shenzhen Soubao Network Co., Ltd., suited to enterprises and individuals who want to build a personalized online mall quickly. It comprises a PC site, an iOS client, an Android client and a WeChat mall; the PC site and back-end are cross-platform open-source software built on the ThinkPHP5 MVC framework, flexibly designed, with a modular architecture and rich functionality, and easy to integrate seamlessly with third-party application systems. The design is quite comprehensive, and the modular architecture makes combining applications very flexible. Download address: http://www.tp-shop.cn/Index/Index/download.html Approximate directory structure ├─index.p...
TPshop front-end SQL injection #1
0x01 Description The TPshop open-source mall system (short for Thinkphp shop) is a multi-vendor mall system developed by Shenzhen Soubao Network Co., Ltd., suited to enterprises and individuals who want to build a personalized online mall quickly. It comprises a PC site, an iOS client, an Android client and a WeChat mall; the PC site and back-end are cross-platform open-source software built on the ThinkPHP5 MVC framework, flexibly designed, with a modular architecture and rich functionality, and easy to integrate seamlessly with third-party application systems. The design is quite comprehensive, and the modular architecture makes combining applications very flexible. Download address: http://www.tp-shop.cn/Index/Index/download.html Approximate directory structure ├─index.p...
TPshop front-end unrestricted Getshell #1
0x01 Description The TPshop open-source mall system (short for Thinkphp shop) is a multi-vendor mall system developed by Shenzhen Soubao Network Co., Ltd., suited to enterprises and individuals who want to build a personalized online mall quickly. It comprises a PC site, an iOS client, an Android client and a WeChat mall; the PC site and back-end are cross-platform open-source software built on the ThinkPHP5 MVC framework, flexibly designed, with a modular architecture and rich functionality, and easy to integrate seamlessly with third-party application systems. The design is quite comprehensive, and the modular architecture makes combining applications very flexible. Download address: http://www.tp-shop.cn/Index/Index/download.html Approximate directory structure ├─index.p...
TPshop front-end SQL injection #2
0x01 Description The TPshop open-source mall system (short for Thinkphp shop) is a multi-vendor mall system developed by Shenzhen Soubao Network Co., Ltd., suited to enterprises and individuals who want to build a personalized online mall quickly. It comprises a PC site, an iOS client, an Android client and a WeChat mall; the PC site and back-end are cross-platform open-source software built on the ThinkPHP5 MVC framework, flexibly designed, with a modular architecture and rich functionality, and easy to integrate seamlessly with third-party application systems. The design is quite comprehensive, and the modular architecture makes combining applications very flexible. Download address: http://www.tp-shop.cn/Index/Index/download.html Approximate directory structure ├─index.p...
TPshop back-end code execution vulnerability
0x01 Description The TPshop open-source mall system (short for Thinkphp shop) is a multi-vendor mall system developed by Shenzhen Soubao Network Co., Ltd., suited to enterprises and individuals who want to build a personalized online mall quickly. It comprises a PC site, an iOS client, an Android client and a WeChat mall; the PC site and back-end are cross-platform open-source software built on the ThinkPHP5 MVC framework, flexibly designed, with a modular architecture and rich functionality, and easy to integrate seamlessly with third-party application systems. The design is quite comprehensive, and the modular architecture makes combining applications very flexible. Download address: http://www.tp-shop.cn/Index/Index/download.html Approximate directory structure ├─index.p...
OS Command Injection & Reflected Cross Site Scripting in OpenEMR
Vendor description: ------------------- "OpenEMR is the most popular open source electronic health records and medical practice management solution. ONC certified with international usage, OpenEMR's goal is a superior alternative to its proprietary counterparts." Source: http://www.open-emr.org/...
Linux: mincore() discloses uninitialized kernel heap pages(CVE-2017-16994)
I found the following bug with an AFL-based fuzzer: When walk_page_range is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for present pages. However, do_mincore assumes that it will always get callbacks for all pages in the range passed to walk_page_range, and when this...
CRITICAL CODESYS VULNERABILITIES IN WAGO PFC 200 SERIES
VENDOR DESCRIPTION “The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for decentralized automation tasks. With the relay, function and interface modules, as well as overvoltage protection, WAGO provides a suitable interface for any application.” Source:...
Apache Struts2 S2-054(CVE-2017-15707)
Summary A crafted JSON request can be used to perform a DoS attack when using the Struts REST plugin

| | |
| :------------ | :------------ |
| Who should read this | All Struts 2 developers and users which are using the REST plugin |
| Impact of vulnerability | A DoS attack is possible when using...
WordPress Plugin WooCommerce 2.0/3.0 - Directory Traversal(CVE-2017-17058)
$woo = "www/wp-content/plugins/woocommerce/templates/emails/plain/"; function file_get_contents_utf8($fn) { $opts = array('http' => array('method' => "GET", 'header' => "Content-Type: text/html; charset=utf-8")); $wp = stream_context_create($opts); $result = @file_get_contents($fn, false, $wp); return $result; } / $head=...
macOS High Sierra - Root Privilege Escalation (CVE-2017-13872)
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Mac OS X Root Privilege Escalation', 'Description' = %q This module exploits a serious flaw in MacOSX High Sierra. Any user can login with user...
Apache Struts2 S2-055(CVE-2017-7525)
Summary Vulnerability in the Jackson JSON library

| | |
| :------------ | :------------ |
| Who should read this | All Struts 2 developers and users which are using the REST plugin |
| Impact of vulnerability | Not clear, please read the linked issue for more details...
"Huge Dirty COW" (CVE-2017–1000405)
The “Dirty COW” vulnerability CVE-2016–5195 is one of the most hyped and branded vulnerabilities published. Every Linux version from the last decade, including Android, desktops and servers was vulnerable. The impact was vast — millions of users could be compromised easily and reliably, bypassing...
libxls xls_addCell Formula Code Execution Vulnerability(CVE-2017-12111)
Summary An exploitable out-of-bounds vulnerability exists in the xls_addCell function of libxls 1.4. A specially crafted XLS file with a formula record can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability. Tested...
libxls xls_mergedCells Code Execution Vulnerability(CVE-2017-2896)
Summary An exploitable out-of-bounds write vulnerability exists in the xls_mergedCells function of libxls 1.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability. Tested Versions libxl...
libxls xls_appendSST Code Execution Vulnerability(CVE-2017-12110)
Summary An exploitable integer overflow vulnerability exists in the xls_appendSST function of libxls 1.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability. Tested Versions libxls 1.4...
libxls read_MSAT Code Execution Vulnerability(CVE-2017-2897)
Summary An exploitable out-of-bounds write vulnerability exists in the read_MSAT function of libxls 1.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability. Tested Versions libxls 1.4...
ZTE ZXDSL Configuration Reset
Vulnerability Summary The following advisory describes a configuration reset vulnerability found in ZTE ZXDSL 831CII version 6.2. ZXDSL 831CII is “an ADSL access device to support multiple line modes. It supports ADSL2/ADSL2+ and is backward compatible to ADSL, even offers auto-negotiation...
Exim 4.89 - 'BDAT' Denial of Service(CVE-2017-16944)
On 23 November, 2017, we reported two vulnerabilities to Exim. These bugs exist in the SMTP daemon and attackers do not need to be authenticated, including CVE-2017-16943 for a use-after-free (UAF) vulnerability, which leads to Remote Code Execution (RCE); and CVE-2017-16944 for a Denial-of-Service D...
Synology StorageManager smart.cgi Remote Command Execution
Vulnerability Summary The following advisory describes a remote command execution vulnerability found in Synology StorageManager. Storage Manager is “a management application that helps you organize and monitor the storage capacity on your Synology NAS. Depending on the model and number of...
libxls xls_preparseWorkSheet MULRK Code Execution Vulnerability(CVE-2017-12109)
Summary An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULRK record. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this...
libxls xls_preparseWorkSheet MULBLANK Code Execution Vulnerability(CVE-2017-12108)
Summary An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULBLANK record. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this...
Tinysvcmdns Multi-label DNS Heap Overflow Vulnerability(CVE-2017-12087)
Summary An exploitable heap overflow vulnerability exists in the tinysvcmdns library version 2016-07-18. A specially crafted packet can make the library overwrite an arbitrary amount of data on the heap with attacker-controlled values. An attacker needs to send a DNS packet to trigger this...
libxls xls_getfcell Code Execution Vulnerability(CVE-2017-2919)
Summary An exploitable stack-based buffer overflow vulnerability exists in the xls_getfcell function of libxls 1.3.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability. Tested Version...
Exim Use-After-Free(CVE-2017-16943)
On 23 November, 2017, we reported two vulnerabilities to Exim. These bugs exist in the SMTP daemon and attackers do not need to be authenticated, including CVE-2017-16943 for a use-after-free (UAF) vulnerability, which leads to Remote Code Execution (RCE); and CVE-2017-16944 for a Denial-of-Service D...
Linux Kernel XFRM Privilege Escalation
Vulnerability Summary The following advisory describes a use-after-free vulnerability found in the Linux kernel that can lead to privilege escalation. The vulnerability was found in the Netlink socket subsystem (XFRM). Netlink is used to transfer information between the kernel and user-space processes. It...
WebKit: use-after-free in WebCore::FormSubmission::create(CVE-2017-13791)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==934==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000b9810 at pc 0x000114b6f4...
WebKit: out-of-bounds read in WebCore::SVGPatternElement::collectPatternAttributes(CVE-2017-13783)
There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==30453==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200007e474 at pc...
WebKit: use-after-free in WebCore::RenderObject::previousSibling(CVE-2017-13798)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==732==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000089218 at pc 0x00010e8a4e...
WebKit: use-after-free in WebCore::PositionIterator::decrement(CVE-2017-13797)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==29700==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000149b24 at pc...
JBOSSAS 4.x deserialization command execution vulnerability (CVE-2017-7504)
The MITRE CVE dictionary describes this issue as: HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows...
WebKit: out-of-bounds read in WebCore::SimpleLineLayout::RunResolver::runForPoint(CVE-2017-13784)
There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==30436==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000560c48 at pc...
WebKit: use-after-free in WebCore::TreeScope::documentScope(CVE-2017-13796)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==29647==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e00005d0d8 at pc...
WebKit: use-after-free in WebCore::Style::TreeResolver::styleForElement(CVE-2017-13802)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==30588==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000077ec8 at pc...