
56796 matches found

seebug.org, added 2017/11/23 12:0 a.m., 47 views

WebKit: use-after-free in WebCore::RenderObject::previousSibling(CVE-2017-13798)

There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==732==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000089218 at pc 0x00010e8a4e...

CVSS 6.8 | AI score 7.1 | EPSS 0.06252 | Exploits 5

seebug.org, added 2017/11/23 12:0 a.m., 34 views

Cambium Multiple Vulnerabilities

Vulnerabilities Summary: The following advisory describes three (3) vulnerabilities found in Cambium Network Updater Tool and Networks Services Server. The Network Updater Tool is “a free-of-charge tool that applies packages to upgrade the device types that the release notes for the release that you...

AI score 7.3 | Exploits 0

seebug.org, added 2017/11/23 12:0 a.m., 39 views

WebKit: use-after-free in WebCore::InputType::element(CVE-2017-13792)

There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==29682==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800005dca8 at pc...

CVSS 6.8 | AI score 7.1 | EPSS 0.05787 | Exploits 4

seebug.org, added 2017/11/23 12:0 a.m., 36 views

WebKit: out-of-bounds read in WebCore::RenderText::localCaretRect(CVE-2017-13785)

There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==30388==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000f5de6 at pc...

CVSS 6.8 | AI score 7 | EPSS 0.05787 | Exploits 4

seebug.org, added 2017/11/23 12:0 a.m., 41 views

WebKit: use-after-free in WebCore::AXObjectCache::performDeferredCacheUpdate(CVE-2017-13795)

There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector simply opening the...

CVSS 6.8 | AI score 0.2 | EPSS 0.05787 | Exploits 3

seebug.org, added 2017/11/23 12:0 a.m., 41 views

WebKit: use-after-free in WebCore::DocumentLoader::frameLoader(CVE-2017-13794)

There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. ASan log: ================================================================= ==689==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000889c8 at pc 0x000114c94a...

CVSS 6.8 | AI score 0.3 | EPSS 0.06712 | Exploits 4

seebug.org, added 2017/11/22 12:0 a.m., 98 views

JBOSSAS 5.x/6.x Deserialization Command Execution Vulnerability (CVE-2017-12149)

CVE-2017-12149 It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization. This allows an attacker to execute arbitrary code via crafted serialized data. Find out more about CVE-2017-12149 from the MITRE CV...

CVSS 7.5 | AI score 9.6 | EPSS 0.90713 | Exploits 14

seebug.org, added 2017/11/22 12:0 a.m., 56 views

DblTek Multiple Vulnerabilities

Vulnerabilities summary: The following advisory describes 2 (two) vulnerabilities found in DblTek webserver. DBL is “specialized in VoIP products, especially GoIPs. We design, develop, manufacture, and sell our products directly and via distributors to customers. Our GoIP models now cover 1, 4, 8, 1...

AI score 7.9 | Exploits 0

seebug.org, added 2017/11/21 12:0 a.m., 37 views

UCMS v1.4.3: a SQL injection

...

AI score 1.2 | Exploits 0

seebug.org, added 2017/11/20 12:0 a.m., 150 views

AppCMS: an SSRF vulnerability

No description provided by source...

AI score 7.1 | Exploits 0

seebug.org, added 2017/11/20 12:0 a.m., 115 views

AppCMS 1.3.855 SQL injection

No description provided by source...

AI score 7.1 | Exploits 0

seebug.org, added 2017/11/16 12:0 a.m., 31 views

Vivotek IP Cameras - Remote Stack Overflow

Subject: Vivotek IP Cameras - Remote Stack Overflow Researcher: bashis September-October 2017 PoC: https://github.com/mcw0/PoC Release date: November 13, 2017 Full Disclosure: 43 days Attack Vector: Remote Authentication: Anonymous no credentials needed Firmware Vulnerable: Only 2017 versions...

AI score 7.2 | Exploits 0

seebug.org, added 2017/11/16 12:0 a.m., 411 views

Remote Code Execution in CouchDB(CVE-2017-12635)

There was a vulnerability in CouchDB caused by a discrepancy between the database’s native JSON parser and the Javascript JSON parser used during document validation. Because CouchDB databases are meant to be exposed directly to the internet, this enabled privilege escalation, and ultimately remo...

AI score 9.8 | EPSS 0.99924 | Exploits 21

seebug.org, added 2017/11/16 12:0 a.m., 54 views

Microsoft IE11: use-after-free in jscript!JsErrorToString(CVE-2017-11810)

There is a use-after-free in jscript.dll library that can be exploited in IE11. jscript.dll is an old JavaScript library that was used in IE 8 and back. However, IE11 can still load it if put into IE8 compatibility mode and if there is a script tag that can only be understood by the older library...

CVSS 7.6 | AI score 7.9 | EPSS 0.5389 | Exploits 4

seebug.org, added 2017/11/16 12:0 a.m., 39 views

Microsoft Edge: Chakra: JIT: Bailouts must be generated for OP_Memset(CVE-2017-11873)

function opta, b, v if b.length b0 = ; return 0; ; printb0; main;...

AI score 7.4 | EPSS 0.69802 | Exploits 4

seebug.org, added 2017/11/16 12:0 a.m., 31 views

Microsoft Edge: Memory corruption with Object.setPrototypeOf(CVE-2017-8751)

I accidentally found this while trying to reproduce another bug in Edge. Failed to reproduce on Microsoft Edge 38.14393.1066.0, Microsoft EdgeHTML 14.14393. Tested on Microsoft Edge 40.15063.0.0, Microsoft EdgeHTML 15.15063 Insider Preview. Crash Log: First chance exceptions are reported before a...

CVSS 7.6 | AI score 7.6 | EPSS 0.50373 | Exploits 4

seebug.org, added 2017/11/16 12:0 a.m., 114 views

Xen: unbounded recursion in pagetable de-typing(CVE-2017-15595)

Xen allows pagetables of the same level to map each other as readonly in PV domains. This is useful if a guest wants to use the self-referential pagetable trick for easy access to pagetables by mapped virtual address. When cleaning up a pagetable after the last typed reference to it has been...

CVSS 7.2 | AI score 8.4 | EPSS 0.01547 | Exploits 1

seebug.org, added 2017/11/16 12:0 a.m., 50 views

Microsoft Edge: Chakra: JIT: Incorrect integer overflow check in Lowerer::LowerBoundCheck(CVE-2017-11861)

Here's a snippet of the method. void Lowerer::LowerBoundCheckIR::Instr const instr ... ifrightOpnd-IsIntConstOpnd IntConstType newOffset; if!IntConstMath::Addoffset, rightOpnd-AsIntConstOpnd-GetValue, &newOffset --- a offset = newOffset; rightOpnd = nullptr; offsetOpnd = nullptr; ... if!rightOpnd...

AI score 7.6 | EPSS 0.64194 | Exploits 3

seebug.org, added 2017/11/16 12:0 a.m., 38 views

Microsoft Edge: Chakra: JIT: Type confusion with switch statements(CVE-2017-11811)

Let's start with a switch statement and its IR code for JIT. JS: for let i = 0; i ; 100; i++ switch i case 2: case 4: case 6: case 8: case 10: case 12: case 14: case 16: case 18: case 20: case 22: case 24: case 26: case 28: case 30: case 32: case 34: case 36: case 38: break; IRs before Type...

CVSS 7.6 | AI score 7.7 | EPSS 0.6546 | Exploits 4

seebug.org, added 2017/11/16 12:0 a.m., 2289 views

BlueBorne RCE on Android 6.0.1 (CVE-2017-0781)

A few days ago, the company Armis published a proof of concept (PoC) of a remote code execution vulnerability in Android via Bluetooth (CVE-2017-0781), known as BlueBorne. Although BlueBorne refers to a set of 8 vulnerabilities, this PoC uses only 2 of them to achieve its goal. The exploitation proce...

CVSS 8.3 | AI score 7.8 | EPSS 0.2399 | Exploits 19

seebug.org, added 2017/11/16 12:0 a.m., 101 views

Chrome < 62 UXSS(CVE-2017-5124)

No description provided by source. PoC.mht ------------------------- MIME-Version: 1.0 Content-Type: multipart/related; type="text/html"; boundary="----MultipartBoundary--" CVE-2017-5124 ------MultipartBoundary-- Content-Type: application/xml; ------MultipartBoundary-- Content-Type: text/html...

AI score 7.6 | EPSS 0.05245 | Exploits 5

seebug.org, added 2017/11/15 12:0 a.m., 11 views

AppCMS a SQL injection

No description provided by source...

AI score 7.1 | Exploits 0

seebug.org, added 2017/11/15 12:0 a.m., 129 views

Xplico Unauthenticated Remote Code Execution(CVE-2017-16666)

The goal of Xplico is to extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is ...

AI score 9.9 | EPSS 0.80098 | Exploits 7

seebug.org, added 2017/11/14 12:0 a.m., 47 views

Foscam IP Video Camera devMng Multi-Camera Port 10001 Command 0x0064 Empty AuthResetKey Vulnerability(CVE-2017-2877)

Summary A missing error check exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 could allow an attacker to reset the user accounts to factory defaults, without authentication. Tested Versio...

AI score 9.6 | EPSS 0.01902 | Exploits 2

seebug.org, added 2017/11/14 12:0 a.m., 50 views

Foscam IP Video Camera webService oray.com DDNS Client Code Execution Vulnerability(CVE-2017-2854)

Summary An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating...

AI score 8.5 | EPSS 0.0166 | Exploits 2

seebug.org, added 2017/11/14 12:0 a.m., 84 views

Foscam IP Video Camera webService 3322.net DDNS Client Code Execution Vulnerability(CVE-2017-2855)

Summary An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating...

AI score 8.5 | EPSS 0.0166 | Exploits 2

seebug.org, added 2017/11/14 12:0 a.m., 67 views

Foscam IP Video Camera webService 9299.org DDNS Client Code Execution Vulnerability(CVE-2017-2857)

Summary An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating...

AI score 8.5 | EPSS 0.0166 | Exploits 2

seebug.org, added 2017/11/14 12:0 a.m., 34 views

Foscam IP Video Camera CGIProxy.fcgi SoftAP Configuration Command Injection Vulnerability(CVE-2017-2873)

Summary An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during the SoftAP configuration...

AI score 7.6 | EPSS 0.0504 | Exploits 2

seebug.org, added 2017/11/14 12:0 a.m., 43 views

Foscam IP Video Camera CGIProxy.fcgi Firmware Upgrade Code Execution Vulnerability(CVE-2017-2872)

Summary Insufficient security checks exist in the recovery procedure used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A HTTP request can allow for a user to perform a firmware upgrade using a crafted image. Before any firmware upgrades in this image are flashed to th...

AI score 7.2 | EPSS 0.01634 | Exploits 2

seebug.org, added 2017/11/14 12:0 a.m., 38 views

Foscam IP Video Camera devMng Multi-Camera Port 10000 Command 0x0002 Password Field Code Execution Vulnerability

Summary An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data. Tested Versions...

AI score 7.9 | Exploits 0

seebug.org, added 2017/11/14 12:0 a.m., 59 views

Foscam IP Video Camera webService dyndns.com DDNS Client Code Execution Vulnerability(CVE-2017-2856)

Summary An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating...

AI score 8.5 | EPSS 0.0166 | Exploits 2

seebug.org, added 2017/11/14 12:0 a.m., 60 views

Wordpress SQLi — PoC

In order to understand the writing here, you need to read the previous explanation https://medium.com/websec/wordpress-sqli-bbb2afcc8e94. If you got it, then we can jump to the part and solve the question e.g. how to update / insert our sql payload into thumbnailid post meta. PoC start - Login to...

AI score 7.9 | Exploits 0

seebug.org, added 2017/11/14 12:0 a.m., 48 views

Foscam IP Video Camera UPnP Discovery Code Execution Vulnerability(CVE-2017-2879)

Summary An exploitable buffer overflow vulnerability exists in the UPnP implementation used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted UPnP discovery response can cause a buffer overflow resulting in overwriting arbitrary data. An attacker needs ...

AI score 6.3 | EPSS 0.00818 | Exploits 3

seebug.org, added 2017/11/14 12:0 a.m., 49 views

Foscam IP Video Camera devMng Multi-Camera Port 10000 Command 0x0000 Information Disclosure Vulnerability(CVE-2017-2874)

Summary An information disclosure vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10001 can allow for a user to retrieve sensitive information without authentication. Tested...

AI score 7.4 | EPSS 0.01778 | Exploits 2

seebug.org, added 2017/11/14 12:0 a.m., 69 views

Wordpress <= 4.8.2 SQL Injection POC

Author: Ambulong@vulspy I found this vulnerability after reading slavco’s post, and reported it to Wordpress Team via Hackerone on Sep. 2nd, 2017. But, unfortunately, WordPress team didn’t pay attention to this report too. SQL Injection Details Wordpress SQLi by slavco Wordpress SQLi — PoC by...

AI score 7.9 | Exploits 0

seebug.org, added 2017/11/14 12:0 a.m., 41 views

Foscam IP Video Camera CGIProxy.fcgi logOut Code Execution Vulnerability(CVE-2017-2878)

Summary An exploitable buffer overflow vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted HTTP request can cause a buffer overflow resulting in overwriting arbitrary data. An attacker can simply...

AI score 8.2 | EPSS 0.02077 | Exploits 2

seebug.org, added 2017/11/14 12:0 a.m., 28 views

Foscam IP Video Camera devMng Multi-Camera Port 10000 Command 0x0002 Username Field Code Execution Vulnerability(CVE-2017-2875)

Summary An exploitable buffer overflow vulnerability exists in the Multi-Camera interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. A specially crafted request on port 10000 can cause a buffer overflow resulting in overwriting arbitrary data. Tested Versions...

AI score 9.8 | EPSS 0.01428 | Exploits 2

seebug.org, added 2017/11/13 12:0 a.m., 24 views

DALIM SOFTWARE ES Core 5.0 build 7184.1 - Server-Side Request Forgery

Description: A server-side request forgery (SSRF) vulnerability exists in the DALIM Web Service management interface within the XUI servlet functionality. The DALIM web services are a set of tools used by the different DALIM SOFTWARE applications: TWIST, MISTRAL and ES. It provides file sharing...

AI score 7.1 | Exploits 0

seebug.org, added 2017/11/13 12:0 a.m., 56 views

wget HTTP integer overflow(CVE-2017-13089)

That’s an interesting vulnerability in GNU wget. According to the wget project, this was reported by Antti Levomäki, Christian Jalio, Joonas Pihlaja of Forcepoint as well as Juhani Eronen of the Finnish National Cyber Security Centre. The vulnerability is in src/http.c source code file and more...

CVSS 9.3 | AI score 8.9 | EPSS 0.79855 | Exploits 3

seebug.org, added 2017/11/13 12:0 a.m., 32 views

Mikogo 5.4.1.160608 Local Credentials Disclosure

Description Mikogo is vulnerable to local credentials disclosure, the supplied password is stored as a MD5 hash format in memory process. A potential attacker could reveal the supplied password hash and re-use it or store it via the configuration file in order to gain access to the account...

AI score 6.8 | Exploits 0

seebug.org, added 2017/11/13 12:0 a.m., 39 views

NethServer 7.3.1611 (create.json) CSRF Create User And Enable SSH Access

Description The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Vendor...

AI score 6.9 | Exploits 0

seebug.org, added 2017/11/13 12:0 a.m., 21 views

NethServer 7.3.1611 (Upload.json) CSRF Script Insertion Vulnerability

Description NethServer suffers from an authenticated stored XSS vulnerability. Input passed to the 'BackupConfigUploadDescription' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser sessio...

AI score 6.8 | Exploits 0

seebug.org, added 2017/11/13 12:0 a.m., 39 views

Automated Logic WebCTRL 6.5 Insecure File Permissions Privilege Escalation

Description WebCTRL server/service suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'M' flag Modify or 'C' flag Chan...

AI score 7.3 | Exploits 0

seebug.org, added 2017/11/13 12:0 a.m., 81 views

Automated Logic WebCTRL 6.5 Unrestricted File Upload Remote Code Execution

Description WebCTRL suffers from an authenticated arbitrary code execution vulnerability. The issue is caused due to the improper verification when uploading Add-on .addons or .war files using the uploadwarfile servlet. This can be exploited to execute arbitrary code by uploading a malicious web...

CVSS 4.6 | AI score 8.1 | EPSS 0.02368 | Exploits 6

seebug.org, added 2017/11/13 12:0 a.m., 71 views

Automated Logic WebCTRL 6.1 Path Traversal Arbitrary File Write

Description The vulnerability is triggered by an authenticated user that can use the manualcommand console in the management panel of the affected application. The ManualCommand function in ManualCommand.js allows users to perform additional diagnostics and settings overview by using pre-defined...

AI score 6.8 | Exploits 0

seebug.org, added 2017/11/13 12:0 a.m., 36 views

DALIM SOFTWARE ES Core 5.0 build 7184.1 User Enumeration Weakness

Description The weakness is caused due to the 'Login.jsp' script enumerating the list of valid usernames when some characters are provided via the 'login' parameter. Vendor Dalim Software GmbH - https://www.dalim.com Affected Version ES/ESPRiT 5.0 build 7184.1 build 7163.2 build 7163.0 build 7135...

AI score 6.8 | Exploits 0

seebug.org, added 2017/11/13 12:0 a.m., 36 views

DALIM SOFTWARE ES Core 5.0 build 7184.1 - Directory Traversal

Description Input passed thru several parameters is not properly verified before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files from local resources with directory traversal attacks. Vendor Dalim Software GmbH - https://www.dalim.com Affecte...

AI score 7.1 | Exploits 0

seebug.org, added 2017/11/13 12:0 a.m., 42 views

DALIM SOFTWARE ES Core 5.0 build 7184.1 Multiple Stored XSS And CSRF Vulnerabilities

Description The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. XSS issues were als...

AI score 7 | Exploits 0

seebug.org, added 2017/11/09 12:0 a.m., 47 views

Shopware 5.3.3: PHP Object Instantiation to Blind XXE

Shopware is a popular e-commerce software. It is based on PHP using technologies like Symfony 2, Doctrine and the Zend Framework. The code base of its open source community edition encompasses over 690,000 lines of code which we scanned for security vulnerabilities with our RIPS static code...

AI score 8.4 | Exploits 0

seebug.org, added 2017/11/09 12:0 a.m., 33 views

Circle with Disney configure.xml Notifications Command Injection Vulnerability(CVE-2017-2917)

Summary An exploitable vulnerability exists in the notifications functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request trigger this vulnerability. Tested Versions Circle with Disney 2.0...

AI score 9.1 | EPSS 0.03245 | Exploits 2

Total number of security vulnerabilities: 56796