Ubiquiti Networks Community online service web application allows for malicious script code to be inserted in the filename.
002d12b4f423b45de91babce8e586c124de4cd418c0f8a59c5ba722de1cf4597Input passed to the 'file_name' parameter in 'get2post.php' script is not properly sanitised before being used to get the contents of a resource and delete files. This can be exploited to read and delete arbitrary data from local resources with the permissions of the web server using a proxy tool.
b34289732116b4bcb2f1cc6baf7009b19a2cf9b4141f05c2872a8413c0e3056eup.time suffers from a privilege escalation issue. A normal user can elevate his/her privileges by sending a POST request setting the parameter 'userroleid' to 1. Cross site request forgery can be used to exploit this attack.
7d8991bd1c8571696c4d5bc0528881855899add84755aee81553925cb1fb5cd5up.time suffers from arbitrary command execution. Attackers can exploit this issue using the monitor service feature and adding a command with respected arguments to given binary for execution. In combination with the CSRF, privilege escalation, arbitrary text file creation, and renaming that file to php you can execute system commands with SYSTEM privileges.
949580b449c0517f641c161c6b8c3484aee9aca17ee184db120e309739d67e3fup.time version 7.5.0 allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Multiple cross site scripting vulnerabilities were also discovered. The issue is triggered when input passed via the multiple parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
90f994cc5cd98108a1348a7bdc9bb5646926787ce5ab51d82604ccd07d720675SiteFactory CMS version 5.5.9 suffers from a directory traversal vulnerability.
e4ab1c3da31d5df71707d83aff72277e904feb00d2b2303509770774c51338d3Microsoft HTA (HTML Application) suffers from a remote code execution vulnerability.
bbdb1ff7a0240544683ac43328710d675b6ca6730cc5f656f38cbceae8da9dd3Vifi Radio version 1 suffers from a cross site request forgery vulnerability. Exploit to add administrator included.
11d68726482c4931dd8bc7f9412e5b40a7a7002254633c42a4116b2ca2be56fbVifi Radio version 1 suffers from a cross site request forgery vulnerability. Exploit to upload a shell included.
6e4d34f2dea11cbb4c459268cca16e9324f4452dfcc3d0ee46d37ee3d7f0c2d1PDF Shaper version 3.5 suffers from a buffer overflow vulnerability.
1a862bd6f348439cf319bf9e523b76685ab407b894d14f0f8869b6561ddf0418WebSolutions India Design CMS suffers from a remote SQL injection vulnerability.
c061545b9e430bd03eedcdc7c87c3bb0051c3de84e39af7ff0c47318939c2ae9Multiple ChiefPDF software such as PDF to Image Converter and PDF to Tiff Converter suffer from a buffer overflow vulnerability.
ffed99b419802af6605e6b28fb1865cc96f61850767f2496d2612b3364bc82e0Ubiquiti Networks suffers from a cross site scripting vulnerability.
a50cae4abbdd6321e36ece3542888a733c6cff6b46e247e0ef2451a3ed1e3697Flash suffers from a use-after-free vulnerability in SurfaceFilterList::CreateFromScriptAtom.
f25272c8a1f372c28e643e729835debc9a97b7068e8da8e97a5a220acf1e5a89Flash version 18.0.0.209 contains new mitigations to defend against corruptions of Vector.<uint> (and other) lengths. One of these mitigations, at Vector access time, compares the Vector's in-memory length with a representation of the same length XOR'ed with a secret cookie. The bypass comes about because the secret cookie value is stored inside a structure, and a pointer to that structure is stored alongside the Vector length.
fcdf12cd364c0ea733d2eac6b27e7d2f9f878fe5206bb8c75cbfc449ce599745There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
45e43f90ddcb052986798b06cfd1f46ebd1983e9b8561f2e5e9f429141da9e39If an mp3 file contains compressed ID3 data that is larger than 0x2aaaaaaa bytes, an integer overflow will occur in allocating the buffer to contain its converted string data, leading to a large copy into a small buffer. A sample fla, swf and mp3 are attached. Put id34.swf and tag.mp3 in the same folder to reproduce the issue. This issue only works on 64 bit platforms.
35155caf981a1919c824478ec4353bf7b0386be80fed9f35592dd6d487b2c05cThe Shared Object constructor does not check that the object it is provided is of type Object before setting it to be of type SharedObject. This can cause problems if another method (such as Sound.loadSound) calls into script between checking the input object type, and casting its native object.
19f7464f744154d2d6dd211423377f3e324df119f1b2817fad6a0f7b4e6ae5f4A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86.
6730e4bcb74ff3ada116f87db7b421bf1d013003c83ef00b178f449904c4d335The maintenance service creates a log file in a user writable location. It's possible to change the log file to a hardlink to another file to cause file corruption or elevation of privilege.
9a1d92cce93d1ad86dd9eac6ec55a2b6aedcc3249f5d93fb13aea55da6b68ba6Flash suffers from a heap-based buffer overflow due to an indexing error when loading FLV files.
4673942893163cde81ade110d85287f3016da128ff399dfaf5a45be550ea11c7Flash suffers from a heap-based buffer overflow vulnerability.
6dc90c34eaf395d7b5fc097c96fc3bbf1b826f568a8b16ab718447c06a8884a7A crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86. The crash is caused by a 1 bit delta from the original file at offset 0x31B.
03f7aa286c6f7a41a1b151784a5669dfb726e0a84605f216c88584600f74d02fA crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86.
a0cd6e10f73a59037ae74f44a92933339dbaf1a11fe054b8edf070270dd6a4c0There is a type confusion issue in the TextFormat constructor that is reachable because the FileReference constructor does not verify that the incoming object is of type Object (it only checks that the object is not native backed). The TextFormat constructor first sets a new object to type TextFormat, and then calls into script several times before setting the native backing object. If one of these script calls then calls into the FileReference constructor, the object can be set to type FileReference, and then the native object will be set to the TextFormat, leading to type confusion.
913b0be9845adb6b994362bb787074269b6c1eeb7980d5b0f158933108a65e1a
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed