56796 matches found
OurPHP search block stored XSS vulnerability
No description provided by source...
Google Nexus Qualcomm Crypto Engine Driver Privilege Escalation Vulnerability(CVE-2016-6738)
No description provided by source. https://github.com/jiayy/androidvulnpoc-exp/tree/master/EXP-CVE-2016-6738...
IBOS enterprise collaboration management software, latest open source version: SQL injection #2
No description provided by source...
Failed integer overflow check leads to heap overflow in driver /dev/qce (CVE-2016-3935)
No description provided by source. https://github.com/jiayy/androidvulnpoc-exp/tree/master/EXP-CVE-2016-3935...
IBOS enterprise collaboration management software, latest open source version: SQL injection
No description provided by source...
REDDOXX Appliance Remote Command Execution
RedTeam Pentesting discovered a remote command execution vulnerability in the REDDOXX appliance software, which allows unauthenticated attackers to execute arbitrary commands with root privileges. Details ======= Product: REDDOXX Appliance Affected Versions: <= Build 2032 / v2.0.625 Fixed...
VICIdial user_authorization Unauthenticated Command Execution
No description provided by source. This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule ... 'VICIdial user_authorization Unauthenticated Command Execution', 'Description' => %q{ This module exploits a...
iCMS V7 SQL injection
No description provided by source...
WebKit: JSC: Stack-Use-After-Free in ObjectPatternNode::appendEntry
Here's a snippet of ObjectPatternNode::appendEntry: void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType) { m_targetPatterns.append(Entry{ Identifier(), propertyExpression, false, pattern,...
WebKit: JSC: UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive(CVE-2017-7037)
JSObject::putInlineSlow and JSValue::putToPrimitive use getPrototypeDirect instead of getPrototype to get an object's prototype, so JSDOMWindow::getPrototype, which checks the Same Origin Policy, is not called. The PoC shows how to call a setter of another origin's object. PoC 1 -...
ZenCart 1.5.5e back-end code execution vulnerability
No description provided by source...
WebKit: use-after-free in WebCore::Node::getFlag(CVE-2017-7041)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. PoC (note that you might need to refresh the page a couple of times to trigger the bug): ================================================================= -webkit-flow-into:...
Supervisor Authenticated Remote Code Execution(CVE-2017-11610)
Vulnerability Summary The following advisory describes an authenticated remote code execution vulnerability in Supervisor version 3.1.2 and Supervisor version 3.3.2. Supervisor is a client/server system that allows its users to monitor and control a number of processes on UNIX-like operating...
WebKit: use-after-free in WebCore::AccessibilityNodeObject::textUnderElement(CVE-2017-7048)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the...
WebKit: heap-buffer-overflow in WebCore::RenderSearchField::addSearchResult(CVE-2017-7049)
There is a heap buffer overflow in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. PoC: ================================================================= function go() { i.value = "1"; i.type = "search"; f.submit(); ...
WebKit: use-after-free in WebCore::InputType::element(CVE-2017-7042)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. PoC: ================================================================= var runcount = 0; function go() { runcount++; if (runcount > 2) return; i.type = "foo"; i.select(); i.type = ...
Microsoft Windows Kernel Local Information Disclosure Vulnerability(CVE-2017-8564)
We have discovered that the handler of the 0x120007 IOCTL in nsiproxy.sys (the \\.\Nsi device) discloses portions of uninitialized pool memory to user-mode clients, likely due to alignment holes in the output structure. On our test Windows 7 32-bit workstation, an example layout of the output buffer is as...
WebKit: JSC: uninitialized memory reference in arrayProtoFuncSplice
Here's a snippet of arrayProtoFuncSplice: EncodedJSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec) { ... result = JSArray::tryCreateForInitializationPrivate(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), actualDeleteCount); if (UNLIKELY(!result)) ...
WebKit: JSC: Incorrect scope register handling in DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry)
Here's a snippet of DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry): void flush(InlineStackEntry* inlineStackEntry) { ... if (m_graph.needsScopeRegister()) flush(m_codeBlock->scopeRegister()); ... m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of...
WebKit: use-after-free in WebCore::getCachedWrapper(CVE-2017-7040)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. PoC: ================================================================= function freememory() { var a; for(var i=0;i...
WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy(CVE-2017-7064)
Here's a snippet of JSArray::appendMemcpy: bool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JSArray* otherArray) { auto scope = DECLARE_THROW_SCOPE(vm); if (!canFastCopy(vm, otherArray)) return false; IndexingType type = ...
WebKit: use-after-free in WebCore::AccessibilityRenderObject::handleAriaExpandedChanged(CVE-2017-7043)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the...
WebKit: use-after-free in WebCore::RenderObject with accessibility enabled(CVE-2017-7046)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the...
WebKit: JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform(CVE-2017-7056)
Here is a snippet of ArgumentsEliminationPhase::transform: case LoadVarargs: { ... if (candidate->op() == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) { ... if (argumentCountIncludingThis < limit) { storeArgumentCountIncludingThis(argumentCountIncludingThis); // store arguments ... node->remove(); ...
WebKit: use-after-free in WebCore::Node::nextSibling(CVE-2017-7039)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. PoC: ================================================================= function freememory() { var a; for(var i=0;i...
ManageEngine Desktop Central 10 Build 100087 RCE(CVE-2017-11346)
Description: when uploading a file, the FileUploadServlet class does not check the user-controlled fileName parameter with the hasVulnerabilityInFileName function. This allows a remote attacker to create a malicious file and place it under a directory that allows server-side scripts to run, which...
Niushop v1.05 beta 20170622 arbitrary file upload
No description provided by source...
Niushop v1.05 beta 20170622 SQL injection
No description provided by source...
FineCMS arbitrary URL redirect
No description provided by source...
Apache Kafka deserialization vulnerability
The Apache Kafka connect-api runtime contains a deserialization vulnerability via FileOffsetBackingStore which leads to remote code execution; this can be exploited reliably on JDK 1.7.0_05. Below is a unit test for it: import junit.framework.Test; import junit.framework.TestCase; import junit.framework.TestSuite...
FineCMS front-end SQL injection #2
No description provided by source...
FineCMS reflective xss
No description provided by source...
appcms 2.0.101 (latest version): improper configuration leads to command execution vulnerability
No description provided by source...
FineCMS front-end SQL injection #1
No description provided by source...
FineCMS front-end unrestricted getshell
No description provided by source...
FineCMS front-end SQL injection #3
No description provided by source...
Devil's Ivy vulnerability(CVE-2017-9765)
When we began a security analysis of remote configuration services last year, we had no idea it would lead us to uncover vulnerabilities that affect so many users. We have been studying the prevalence and nature of the vulnerabilities that arise in remote configuration services, so when we...
wstmall arbitrary user password reset
No description provided by source...
wstmall latest version V1.9.4 SQL injection #3
No description provided by source...
wstmall latest version V1.9.4 SQL injection #4
No description provided by source...
zzcms latest version /admin/linkmanage.php sql injection
No description provided by source...
wstmall latest version V1.9.4 SQL injection #2
No description provided by source...
wstmall latest version V1.9.4 SQL injection
No description provided by source...
wstmall \Apps\Home\Action\PanicsAction.class.php SQL injection
No description provided by source...
MetInfo 5.3.17 Authenticated Code Execution Vulnerability(CVE-2017-11347)
Technical Description: GPC data can be used to register variables in admin/include/common.inc.php: <?php foreach(array('_COOKIE', '_POST', '_GET') as $_request) { foreach($$_request as $_key => $_value) { $_key{0} != '_' && $$_key = daddslashes($_value,0,0,1); ...
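The loop quoted above is a register_globals-style variable registration: every cookie, POST or GET key that does not start with an underscore becomes a PHP variable of that name, so a request parameter can overwrite application state. The script below is an added example, not MetInfo's code; it reproduces that pattern stand-alone beside a whitelist-based replacement. daddslashes_demo(), read_params(), $is_admin and the request contents are assumptions made for the illustration.

```php
<?php
// Added example, not MetInfo's code: the variable-registration loop reduced to
// a stand-alone script, beside a hardened replacement. daddslashes_demo(),
// read_params(), $is_admin and the request values are assumptions.

// Stand-in for MetInfo's daddslashes(): escape quotes, recursing into arrays (assumption).
function daddslashes_demo($value) {
    return is_array($value) ? array_map('daddslashes_demo', $value) : addslashes($value);
}

// Vulnerable pattern: every cookie/POST/GET key that does not start with '_'
// becomes a global variable named after the key. At file scope $$_key writes
// the global directly; inside a function $GLOBALS makes the same write explicit.
function register_request_globals() {
    foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
        foreach ($GLOBALS[$_request] as $_key => $_value) {
            $_key[0] != '_' && $GLOBALS[$_key] = daddslashes_demo($_value);
        }
    }
}

// Hardened pattern: read only the parameters this page expects, coerced to a
// declared type. Unknown keys are never turned into variables.
function read_params(array $expected) {
    $out = array();
    foreach ($expected as $name => $type) {
        if (isset($_POST[$name])) {
            $raw = $_POST[$name];
        } elseif (isset($_GET[$name])) {
            $raw = $_GET[$name];
        } else {
            continue;
        }
        $out[$name] = ($type === 'int') ? (int) $raw : (string) $raw;
    }
    return $out;
}

// Constructed request: a visitor appends ?is_admin=1&page=home to the URL.
$_GET    = array('is_admin' => '1', 'page' => 'home');
$_POST   = array();
$_COOKIE = array();

$is_admin = 0;                  // application state never meant to come from the request
register_request_globals();
var_dump($is_admin);            // the request parameter has replaced the application value

$is_admin = 0;
$params = read_params(array('page' => 'string', 'id' => 'int'));
var_dump($is_admin, $params);   // $is_admin is untouched; only the whitelisted key is returned
```

With the constructed request, register_request_globals() replaces the integer 0 in $is_admin with the string "1" taken from the query string, while read_params() leaves $is_admin alone and returns only the page key. The same overwrite applies to any variable the application assigns before the loop runs, which is what makes the pattern exploitable for paths and configuration values, not just flags.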
ASUS wireless router Remote Command/Code Execution Vulnerability
Vulnerability Details. Affected vendor: ASUS. Affected models: RT-AC5300, RTAC1900P, RT-AC68U, RT-AC68P, RT-AC88U, RT-AC66U, RT-AC66UB1, RT-AC58U, RT-AC56U, RT-AC55U, RT-AC52U, RT-AC51U, RT-N18U, RT-N66U, RT-N56U, RT-AC3200, RT-AC3100, RTAC1200GU, RTAC1200G, RT-AC1200, RT-AC53, RT-N12HP, RT-N12HPB1, RT-N12D1, RT-N12+, RTN12+PRO, RT-N16, RT-N300...
Google Chrome: OOB access in RegExp Stubs
There is an out-of-bounds access in RegExp.prototype.exec and RegExp.prototype.test. The code defined in BranchIfFastRegExp checks whether a regular expression object has the default map, however, it is possible to alter the map after this check has been performed. This can cause inline fields,...
Nginx Remote Integer Overflow Vulnerability(CVE-2017-7529)
A security issue was identified in the nginx range filter. A specially crafted request might result in an integer overflow and incorrect processing of ranges, potentially resulting in a sensitive information leak (CVE-2017-7529). When using nginx with standard modules this allows an attacker to obtain a...
FineCMS multiple vulnerabilities
Reflected XSS in getimage.php. Technical Description: in /application/lib/ajax/getimage.php, $_POST['id'], $_POST['name'] and $_GET['folder'] are used without any validation, sanitisation or output encoding. Proof of Concept (PoC): http://yourfinecms/application/lib/ajax/getimage.php?folder=1 POST: id=1"alert(1)&name=...
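The advisory's point is that three request fields reach the HTML response with no validation or encoding, so a double quote in the id parameter closes the attribute it lands in. The script below is an added example, not FineCMS code: it shows that shape beside a version that validates the one field with a known format and encodes the rest for the attribute context. The <img> markup, the rule that folder is a numeric id, and the constructed request are assumptions for the illustration.

```php
<?php
// Added example, not FineCMS code: the reflected-XSS shape described for
// getimage.php beside an escaped version. The <img> markup and the
// numeric-folder rule are assumptions made for the illustration.

// Vulnerable: id, name and folder are concatenated into attributes unencoded.
function render_vulnerable($id, $name, $folder) {
    return '<img id="' . $id . '" alt="' . $name . '" src="/upload/' . $folder . '/thumb.jpg">';
}

// Hardened: validate the field with a known shape, encode the rest for the
// HTML attribute context (ENT_QUOTES covers both quote characters).
function render_safe($id, $name, $folder) {
    if (!ctype_digit((string) $folder)) {
        throw new InvalidArgumentException('folder must be a numeric id');
    }
    $h = function ($s) {
        return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };
    return '<img id="' . $h($id) . '" alt="' . $h($name) . '" src="/upload/' . (int) $folder . '/thumb.jpg">';
}

// Constructed request in the shape of the advisory's PoC: a double quote
// closes the id attribute and an event handler is injected after it.
$id     = '1" onerror="alert(1)';
$name   = 'photo';
$folder = '1';

echo render_vulnerable($id, $name, $folder), "\n";   // quote breaks out; the handler is live markup
echo render_safe($id, $name, $folder), "\n";         // quote is encoded; the payload stays inert text

// A folder value outside the expected format is rejected rather than encoded,
// since a path-like value has no legitimate meaning in this parameter.
try {
    render_safe($id, $name, '../../etc');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Encoding alone would also have been enough to stop the XSS in folder, but where a parameter has a fixed format, rejecting anything else is the stronger check: it closes path traversal and similar misuse of the same input at the same time.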
Apache Struts 2 remote command execution vulnerability(S2-048)
Vulnerability overview: Struts is an open source project sponsored by the Apache Software Foundation (ASF). Built on Java Servlet/JSP technology, it is a Java EE web application framework implementing the MVC design pattern; MVC is a classic design pattern found in many classic products. But in...