This strike exploits an insecure deserialization vulnerability in Apache OFBiz. The vulnerability is a result of insufficient validation of XML-RPC requests in the SerializableParser class. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to a vulnerable server. Successful exploitation can lead to remote code execution, in the context of the user running...
CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
This strike exploits the vulnerability known as 'Zerologon'. This privilege escalation vulnerability is due to the insecure usage of AES-CFB8 encryption for Netlogon sessions in Microsoft Netlogon Remote Protocol (MS-NRPC). A remote (same LAN) unauthenticated attacker can exploit this vulnerability to impersonate the identity of any machine on a network when attempting to authenticate to...
CVSS: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
A remote code execution vulnerability exists in Wing FTP Server due to lack of user input sanitization for the Lua Console feature. By sending a crafted 'command' POST parameter, an authenticated user could execute arbitrary commands as the superuser.
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
This strike exploits a command injection vulnerability in IBM Spectrum Protect Plus. The vulnerability is due to a combination of missing authentication of the hostname URI and a lack of input sanitization for injection or invalid characters in the hostname parameter. When an attacker sends an HTTP POST request to "/emi/api/hostname", command execution can occur.
CVSS: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
This strike exploits a file upload vulnerability in Apache Struts2. When an attacker sends an HTTP request with a crafted parameter to the server, a denial of service condition occurs in the file upload functionality.
CVSS: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
This strike exploits a vulnerability in the TerraMaster NAS device. This device allows for the option to pass command line arguments to the system during the creation of a user but does not properly validate the arguments passed via the checkName parameter. It is possible to execute system commands as a root user on a vulnerable device.
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
A remote command injection vulnerability exists in Intellian Aptus Web due to lack of user authentication when handling HTTP CGI requests. By sending a crafted JSON file with a POST request, a remote unauthenticated attacker may execute arbitrary system commands as the system's superuser.
CVSS: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
This strike exploits a vulnerability in Apple WebKit. Specifically, an attacker can craft JavaScript in such a way that when the WebCore SVGAnimateElementBase:resetAnimatedType method is invoked, a use-after-free condition can occur. This can potentially lead to a denial of service or allow for remote code execution in the context of the current running process.
CVSS: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
This strike exploits an infinite loop vulnerability in the WebSocket module of Apache Tomcat. The vulnerability is caused by improper validations of the extended payload length. A remote, unauthenticated attacker can send crafted WebSocket requests to the server resulting in each of the worker nodes entering an infinite loop; multiple such requests could lead to a denial of service. Note: The strike...
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
A SQL injection vulnerability exists in D-Link Central WiFi Manager CWM(100) due to lack of user request authorization. The vulnerable code resides in '/web/Public/Conn.php' source and uses the HTTP 'dbSQL' parameter value to perform database lookups. By sending a crafted HTTP POST request, a remote unauthenticated attacker may gain access to the platform by adding user accounts...
CVSS: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
This strike exploits an out-of-bounds read vulnerability in Adobe Acrobat and Acrobat Reader. The vulnerability is due to the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure when handling PDF files. An attacker can exploit this vulnerability by creating a specially crafted PDF file and enticing a user to open it. Successful...
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
A remote code execution vulnerability exists in D-Link Central WiFi Manager CWM(100) due to lack of user-supplied data sanitization. The vulnerable code resides in '/web/Lib/Action/IndexAction.class.php' source and uses the HTTP 'Cookie' header value to construct a string which is later evaluated as PHP code. By sending a crafted HTTP POST request, a remote unauthenticated attacker...
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
A server-side template injection vulnerability that leads to remote code execution exists in vBulletin due to a logic bug in the patch for CVE-2019-16759. By exploiting it, a remote unauthenticated attacker may execute arbitrary code using the server's PHP engine.