TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) are vulnerable to an authenticated command injection vulnerability. In all devices except NC210, despite a check on the name length in swSystemSetProductAliasCheck, no other checks are in place in order to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root. NC210 devices cannot be exploited directly via /setsysname.cgi due to proper input validation. NC210 devices are still vulnerable since swBonjourStartHTTP did not perform any validation when reading the alias name from the configuration file. The configuration file can be written, and code execution can be achieved by combining this issue with CVE-2020-12110.
65581bfcfd69f6bd2c8b8917eda921c4The Navy Federal site at navyfederal.org suffered from a cross site scripting vulnerability.
455aedc855366fcbd0be7206169b22fcMantis Bug Tracker version 2.3.0 suffers from a remote code execution vulnerability.
b8224e074922b7417247b27948ca6d30SpamTitan version 7.07 suffers from an authenticated remote code execution vulnerability.
ca2b9bc9d086483e304d942fc84321d8D-Link DGS-1210-28 suffers from a denial of service vulnerability.
280f38f62e0191ec43d18f200e5f7ae7This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor.
dfa46dafd7f5bbc3e8f526a18d5976b2Microsoft SQL Server Reporting Services 2016 suffers from a remote code execution vulnerability.
ce6d37b9f76993c4ef670912502b7095This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exchange Server. Authentication is required to exploit this vulnerability. Additionally, the target user must have the "Data Loss Prevention" role assigned and an active mailbox. If the user is in the "Compliance Management" or greater "Organization Management" role groups, then they have the "Data Loss Prevention" role. Since the user who installed Exchange is in the "Organization Management" role group, they transitively have the "Data Loss Prevention" role. The specific flaw exists within the processing of the New-DlpPolicy cmdlet. The issue results from the lack of proper validation of user-supplied template data when creating a DLP policy. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Tested against Exchange Server 2016 CU14 on Windows Server 2016.
4817f312503fe0d215155d229b4a3b48This Metasploit module exploits a command injection vulnerability in Mida Solutions eFramework version 2.9.0 and prior. The ajaxreq.php file allows unauthenticated users to inject arbitrary commands in the PARAM parameter to be executed as the apache user. The sudo configuration permits the apache user to execute any command as root without providing a password, resulting in privileged command execution as root. This module has been successfully tested on Mida Solutions eFramework-C7-2.9.0 virtual appliance.
1b7215ff6d3355202c2e796fb94a2cac1CRM versions 8.6.7 and below suffer from an insecure direct object reference vulnerability.
664d037a79e2d8723d7d5d4b3092e00bAcronis Cyber Backup version 12.5 Build 16341 suffers from a server-side request forgery vulnerability.
91fb344eebf7d5d7a6562e49e011ffc4Piwigo version 2.10.1 suffers from a cross site scripting vulnerability.
90f9620f90a6434b4de66b7345b64f84Proof of concept exploit for the Windows Zerologon vulnerability as noted in CVE-2020-1472. By default, it changes the password of the domain controller account.
1d075193b9c51dbeb9ca38bebe03fe52ThinkAdmin version 6 suffers from an arbitrary file read vulnerability.
32b0ce662805c15820a8b2d9289a212cTailor MS version 1.0 suffers from a cross site scripting vulnerability.
8b140ec9d3e79e50039c0fd163119144Joomla! paGO Commerce component 2.5.9.0 suffers from an authenticated remote SQL injection vulnerability.
b263454605d8c97245dabcd00bf58c76The installer in Pearson Vue VTS version 2.3.1911 suffers from an unquoted service path vulnerability.
c5bf08275d53520a31d70d779914ae2aRAD SecFlow-1v version SF_0290_2.3.01.26 suffers from a cross site request forgery vulnerability.
726c088a7cfd8991d27d84005f12a9d7Rapid7 Nexpose Installer version 6.6.39 suffers from an unquoted service path vulnerability.
779582d9267975b0b34cb162ca6cededRAD SecFlow-1v version SF_0290_2.3.01.26 suffers from a persistent cross site scripting vulnerability.
db0937fcd3284d7891614e99c1b9a8a9A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.
af84b28deac71be6c5fa63ed3e242c89Microsoft Windows TCPIP Finger Command finger.exe that ships with the OS, can be used as a file downloader and makeshift C2 channel. Legitimate use of Windows Finger Command is to send Finger Protocol queries to remote Finger daemons to retrieve user information. However, the finger client can also save the remote server response to disk using the command line redirection operator.
cf1c7a658300820f34037e5d7395ac66This Metasploit module exploits a feature in the DNS service of Windows Server. Users of the DnsAdmins group can set the ServerLevelPluginDll value using dnscmd.exe to create a registry key at HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ named ServerLevelPluginDll that can be made to point to an arbitrary DLL.
a9fb3457e349592a8a89e98cdf5e1403VTENEXT 19 CE suffers from a remote code execution vulnerability.
7e1925aab1a49335535c175d97fc5fbaTea LaTex version 1.0 suffers from an unauthenticated remote code execution vulnerability.
eacc96ce287373be9a31e4ae72cf492b
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed