
CVSS: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

This strike exploits a file upload vulnerability in Apache Struts2. When an attacker sends an HTTP request with a crafted parameter to the server, a denial of service condition on the file upload functionality will occur.

CVSS: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

This strike exploits an infinite loop vulnerability in the WebSocket module of Apache Tomcat. The vulnerability is caused by improper validations of the extended payload length. A remote, unauthenticated attacker can send crafted WebSocket requests to the server resulting in each of the worker nodes entering an infinite loop; multiple such requests could lead to a denial of service. Note: The strike...

CVSS: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

This strike simulates a malspam phishing email that has been seen in the wild and is associated with the AZORult and Neutrino malware. This specific phishing attempt is related to the AZORult Neutrino Sept 2018 malware campaign.

CVSS: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

An information disclosure vulnerability exists in Oracle iPlanet Web Server versions 7.x and prior. By accessing specific paths related to the admin panel, a remote unauthenticated attacker may obtain sensitive information regarding the server's configuration.

CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

A use-after-free vulnerability exists in Adobe Reader and Acrobat due to incorrect manipulation of objects in memory. The vulnerability exists in the AcroForm.api dynamic library and may be triggered by a Field object that begins with a UTF-16 BE BOM sequence. An attacker may execute arbitrary code on a victim's system by enticing the victim to open a crafted PDF file.

CVSS: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

An information disclosure vulnerability has been reported in the Windows Media Foundation component of Microsoft Windows. The vulnerability is due to improper handling of objects in memory. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted QuickTime media file. Successful exploitation could result in the execution of arbitrary code within the context of...

CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

This strike exploits a vulnerability in SpiderMonkey, the JavaScript engine of Mozilla Firefox. An attacker can craft JavaScript promise resolutions in such a way that makes it possible to cause an out-of-bounds read off the end of an array resized during script execution. This can lead to a denial of service or potentially allow for remote code execution to occur.

CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via a crafted HTTP request. A remote attacker can use this vulnerability to either execute shell commands under root privileges on versions before 1.0.19.20 or inject HTML in password recovery emails on versions before 1.0.20.17.

CVSS: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

An image injection vulnerability exists in Oracle iPlanet Web Server versions 7.0.x, due to poor sanitization of the productNameSrc HTTP parameter. By tricking an admin into following a crafted URL, a remote attacker may perform phishing attacks by injecting a custom image in the admin panel.

CVSS: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

A remote command injection vulnerability exists in multiple TP-Link Cloud Camera NC2XX devices due to lack of user input sanitization. By sending a crafted sysname POST parameter to the /setsysname.fcgi path, a remote authenticated attacker may execute arbitrary commands on the target system.

CVSS: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

A denial of service vulnerability exists in BIND DNS Server versions 9.0.0-9.11.18, 9.12.0-9.12.4-P2, 9.14.0-9.14.11, 9.16.0-9.16.2, and 9.17.0-9.17.1 due to a missing size check on the MAC field when parsing TSIG records. A remote attacker may conduct a denial of service attack by sending a crafted DNS packet, which leads to abnormal process termination due to a failed assertion.

CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

A memory corruption vulnerability has been reported in the Adobe Type Manager component of Microsoft Windows. The vulnerability is due to improper handling of a specially crafted BlendDesignPositions array in multiple master Type 1 fonts. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted font file. Successful exploitation could result either in the execution of...

CVSS: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

This strike exploits a vulnerability in the TerraMaster NAS device. This device allows for the option to pass command line arguments to the system during the creation of a user but does not properly validate the arguments passed via the groupname parameter. It is possible to execute system commands as a root user on a vulnerable device.

CVSS: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

This strike exploits a command injection vulnerability in Centreon 19.10. The vulnerability is due to improper validation of the server IP parameter in an HTTP request. An authenticated attacker could exploit this by sending a maliciously crafted request to the server. A successful attack may result in arbitrary command execution in the context of the server process.

CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

This strike exploits a vulnerability in the TerraMaster NAS device. This device allows an attacker to execute a cross-site scripting attack against the system by performing HTML injection via the sysname parameter. It is then possible to hijack the user session on the vulnerable system.

CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

A memory corruption vulnerability has been reported in the Windows Media Foundation component of Microsoft Windows. The vulnerability is due to improper handling of objects in memory. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted ASF media file. Successful exploitation could result in the execution of arbitrary code within the context of the user running...

CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

This strike exploits a vulnerability in the TerraMaster NAS device. This device allows for the option to pass command line arguments to the system during the creation of a user but does not properly validate the arguments passed. It is possible to execute system commands as a root user on a vulnerable device.

CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

A command injection vulnerability exists in ASUSWRT firmware version 3.0.0.4.382.50624 and earlier. The flaw results from lack of user input validation for HTTP parameters on the appGet.cgi path. By sending a crafted hook parameter, a remote attacker may execute arbitrary OS commands as the root user.

CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

This strike exploits a vulnerability in the TerraMaster NAS device. This device allows for the option to pass command line arguments to the system during the creation of a user but does not properly validate the arguments passed via the password parameter. It is possible to execute system commands as a root user on a vulnerable device.

CVSS: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

This strike simulates a phishing email that has been seen in the wild during the COVID-19 pandemic. This specific phishing attempt is related to the Hancitor April 2020 malware campaign and tries to trick the user into clicking a malicious link by using COVID-19 insurance as a lure. From the headers we can see the email was originally sent from a Russian TLD, which has been associated with other...
