- OffSec Courses
- Our Offer
- About Us
- Blog
- Kariera
- Contact
Atakujący może zakończyć działanie usługi Sparx Pro Cloud Server. Poprzez wysłanie specjalnie spreparowanego zapytania SQL możliwe jest wykonanie ataku typu Denial of Service (Denial of Service (DoS)). Problem został zidentyfikowany w wersjach do 6.1 włącznie. Pozostałe wersje nie zostały przetestowane i również mogą być podatne.
CVSS v4: 7.1
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
Confidentiality (VC): None
Integrity (VI): None
Availability (VA): High
Confidentiality (SC): None
Integrity (SI): None
Sparx Pro Cloud Server jest podatny na Race Condition w końcówce /data_api/dl_internal_artifact.php. Aplikacja pobiera właściwości obiektu (param: guid), zapisuje odpowiedź lokalnie (DIR) pod nazwą i zawartością, którą kontroluje atakujący z dostępem do repozytorium. Plik jest usuwany po przetworzeniu, ale opóźnienie transmisji (duży plik / wolne połączenie) tworzy okno wyścigu. Wystarczy w tym czasie wysłać drugie żądanie wykonania złośliwego pliku PHP, co skutkuje zdalnym wykonaniem kodu. Problem został zidentyfikowany w wersjach do 6.1 włącznie. Pozostałe wersje nie zostały przetestowane i również mogą być podatne.
CVSS v4: 7.7
Attack Complexity: High
Attack Requirements: Present
Privileges Required: Low
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): High
Confidentiality (SC): Low
Integrity (SI): Low
Availability (SA): Low
Uwierzytelniony atakujący może modyfikować zachowanie klienta Sparx Enterprise Architect (np. za pomocą debugera) i zalogować się jako dowolny inny użytkownik lub administrator. Możliwe jest wtedy wprowadzenie zmian w repozytorium. Problem został zidentyfikowany w wersjach do 17.1 włącznie. Pozostałe wersje nie zostały przetestowane i również mogą być podatne.
CVSS v4: 8.7
Attack Requirements: None
Privileges Required: Low
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): High
Confidentiality (SC): None
Integrity (SI): None
Atakujący może wykonać zapytanie SQL bez uwierzytelniania w Sparx Pro Cloud Server. Umożliwia to pominięcie parametru zapytania “model” i wysłanie nazwy w binary blob w żądaniu POST. Problem został zidentyfikowany w wersjach do 6.1 włącznie. Pozostałe wersje nie zostały przetestowane i również mogą być podatne.
CVSS v4: 9.3
Attack Requirements: None
Privileges Required: None
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): Low
Confidentiality (SC): None
Integrity (SI): None
Serwer Sparx Pro Cloud jest podatny na atak Broken Access Control w komunikacji z bazą danych. Z powodu braku kontroli uprawnień, każdy użytkownik o niskich uprawnieniach może uruchamiać dowolne zapytania SQL w kontekście użytkownika bazy danych. Problem został zidentyfikowany w wersjach do 6.1 włącznie. Pozostałe wersje nie zostały przetestowane i również mogą być podatne.
CVSS v4: 8.7
Attack Requirements: None
Privileges Required: Low
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): Low
Confidentiality (SC): None
Pro3W CMS jest podatny na ataki typu SQL injection. Niewłaściwa neutralizacja danych wejściowych przekazywanych do formularza logowania umożliwia zdalnemu atakującemu obejście mechanizmu uwierzytelniania i uzyskanie uprawnień administracyjnych. Problem został zidentyfikowany w wersji 1.2.0 tego oprogramowania.
CVSS v4: 9.3
Attack Requirements: None
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): Low
Confidentiality (SC): None
The reporting functionality in Wyn Enterprise allows for code inclusion, but does not sufficiently restrict what code can be included. An attacker can use a low-privileged account to abuse this functionality and execute malicious code, load DLLs, and execute operating system commands on the host system with high-privileged applications. This issue is fixed in version 8.0.00204.0
CVSS v4: 8.7
Attack Requirements: None
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): High
Confidentiality (SC): None
A vulnerability in Ant Media Server Community Edition allows manipulation of headers in HTTP requests, enabling an unauthorized user to access all API functionalities (except for administrative ones) of the Ant Media Server Community Edition.
A directory traversal vulnerability in the file upload functionality in Gotenberg - before version 6.2.1 allows an attacker to upload and overwrite arbitrary writable files outside the intended directory.
This may lead to Denial of Service (DoS), modification of application behavior or code execution..
In affected TOTOLINK models based on Realtek SDK, the CAPTCHA text can be retrieved using a POST method {“topicurl”: “setting / getSanvas”} POST to the boafrm/formLogin URI, leading to CAPTCHA bypass.
The CAPTCHA text is also not needed when the attacker specifies valid credentials. An attacker can perform router actions via HTTP with basic authentication.
This affects A3002RU up to 2.0.0, A702R up to 2.1.3, N301RT up to 2.1.6 , N302R up to 3.4.0, N300RT up to 3.4.0, N200RE up to 4.0.0, N150RT up to 3.4.0 and N100RE up to 3.4.0.
On affected TOTOLINK routers based on Realtek SDK, an authenticated attacker can execute arbitrary operating system commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not accessible.
The vulnerability allows for complete takeover of the device.
This affects A3002RU up to 2.0.0, A702R up to 2.1.3, N301RT up to 2.1.6, N302R up to 3.4.0, N300RT up to 3.4.0, N200RE up to 4.0.0, N150RT up to 3.4.0, and N100RE up to 3.4.0.
A vulnerability has been discovered in routers based on the Realtek SDK (including Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21) that store passwords in plaintext (unencrypted).
Data stored in memory in the COMPCS format (apmib library) includes router administration passwords and other passwords in plaintext. The apmib library, upon initialization, dumps the entire contents of memory to the /web/config.dat file, which can be downloaded along with unencrypted user passwords.
A vulnerability has been discovered in Realtek SDK-based routers that utilize HTTP Basic authentication with a form-based login (including Realtek APMIB 0.11f and Boa HTTP server 0.94.14rc21), allowing remote attackers to retrieve the configuration, including sensitive data such as username and password.
The apmib library, upon initialization, dumps the entire contents of memory to the /web/config.dat file. This folder is used by the Boa HTTP server as a directory for indexing .If the router is configured for form-based authentication, access control only verifies access for certain URLs, but files with the ".dat" extension are not verified.
A vulnerability has been discovered in D-Link routers DWR-116 up to 1.06, DIR-140L up to 1.02, DIR-640L up to 1.02, DWR-512 up to 2.02, DWR-712 up to 2.02, DWR-912 up to 2.02, DWR-921 up to 2.02, and DWR-111 up to 1.01.
The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker exploiting CVE-2018-10822 can download this file without authentication using a Directory Traversal or Local File Inclusion (LFI) attack, thereby gaining full access to the device.
A directory traversal vulnerability has been discovered in the web interface of D-Link DWR-116 up to 1.06, DIR-140L up to 1.02, DIR-640L up to 1.02, DWR-512 up to 2.02, DWR-712 up to 2.02, DWR-912 up to 2.02, DWR-921 up to 2.02, and DWR-111 up to 1.01.
The vulnerability allows remote attackers to read arbitrary files by using /.. or // after "GET /uir" in a HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190.
A vulnerability has been discovered in ASUS asuswrt HTTPd server all versions <= 3.0.0.4.380.7743, where the administrator password is stored in plaintext in nvram.
By combining CVE-2017-15654 and CVE-2017-15653, an attacker can obtain the administrator password and log in to the device, only by knowing the approximate time of the administrator's login.
Multiple buffer overflow vulnerabilities exist in the ASUS HTTPd server in asuswrt version <= 3.0.0.4.376.X.
All were fixed in 3.0.0.4.378, but this one was not previously discovered. Some end-of-life routers have version 3.0.0.4.376.X are therefore currently vulnerable. This vulnerability allows for remote code execution (RCE) as admin when the admin visits selected pages on the router, after the attacker has previously caused a heap overflow on the router.
A vulnerability has been discovered in the ASUS asuswrt HTTPd server in all versions <= 3.0.0.4.380.7743, which uses highly predictable session tokens.
This vulnerability allows an attacker to gain access to the router's administrative interface if the administrator has recently logged in, bypassing the device's login IP verification (CVE-2017-15653).
Using the router's functionalities, it is possible to query the device for logged-in users without authentication, thus automating the process of obtaining the token.
A vulnerability has been discovered in the ASUS asuswrt HTTPd server in all versions <= 3.0.0.4.380.7743, which involves improper validation of the IP address from which a user can log in to the device.
By knowing the session token (obtained, for example, using CVE-2017-15654), an attacker can bypass the IP address restriction for device login by sending a specific value in the 'User-Agent' header.
ManageEngine Password Manager Pro (PMP) has a SQL Injection vulnerability in AdvanceSearch.class in AdventNetPassTrix.jar in versions older than 8.1 Build 8101.
The vulnerability we discovered allows remote, authenticated users to execute arbitrary SQL commands using the ANDOR parameter, thereby gaining access to other users' passwords stored in the system.
EN 
PL