Monthly Archive: September 2017

TeamWork TicketPlus allows Arbitrary File Upload in updateProfile. Date published : 2017-09-27 https://www.exploit-db.com/exploits/42796/

TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and changeCover. Date published : 2017-09-27 https://www.exploit-db.com/exploits/42797/

TeamWork Job Links allows Arbitrary File Upload in profileChange and coverChange. Date published : 2017-09-27 https://www.exploit-db.com/exploits/42795/

IBM Security Identity Manager Adapters 6.0 and 7.0 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM X-Force ID: 128621. Date published :...

The hevc_write_frame function in libbpg.c in libbpg 0.9.7 allows remote attackers to cause a denial of service (integer underflow and application crash) or possibly have unspecified other impact via a crafted BPG file, related...

The hevc_write_frame function in libbpg.c in libbpg 0.9.7 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a crafted BPG file, related...

Laravel before 5.5.10 mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison. Date published : 2017-09-27 https://github.com/laravel/framework/pull/21320 https://github.com/laravel/framework/releases/tag/v5.5.10

The sdp_parse_fmtp_config_h264 function in libavformat/rtpdec_h264.c in FFmpeg before 3.3.4 mishandles empty sprop-parameter-sets values, which allows remote attackers to cause a denial of service (heap buffer overflow) or possibly have unspecified other impact via a...

The Simple Student Result plugin before 1.6.4 for WordPress has an Authentication Bypass vulnerability because the fn_ssr_add_st_submit() function and fn_ssr_del_st_submit() function in functions.php only require knowing the student id number. Date published : 2017-09-27...

In GeniXCMS 1.1.4, gxadmin/index.php has XSS via the Menu ID field in a page=menus request. Date published : 2017-09-27 http://ph0rse.me/2017/09/21/GeniXCMS-1-1-4%E6%9C%80%E6%96%B0%E7%89%88%E6%9C%AC-getshell/

In the Upload Modules page in GeniXCMS 1.1.4, remote authenticated users can execute arbitrary PHP code via a .php file in a ZIP archive of a module. Date published : 2017-09-27 http://ph0rse.me/2017/09/21/GeniXCMS-1-1-4%E6%9C%80%E6%96%B0%E7%89%88%E6%9C%AC-getshell/

In the Install Themes page in GeniXCMS 1.1.4, remote authenticated users can execute arbitrary PHP code via a .php file in a ZIP archive of a theme. Date published : 2017-09-27 http://ph0rse.me/2017/09/21/GeniXCMS-1-1-4%E6%9C%80%E6%96%B0%E7%89%88%E6%9C%AC-getshell/

In GeniXCMS 1.1.4, /inc/lib/Control/Backend/menus.control.php has XSS via the id parameter. Date published : 2017-09-27 http://ph0rse.me/2017/09/21/GeniXCMS-1-1-4%E6%9C%80%E6%96%B0%E7%89%88%E6%9C%AC-getshell/

In GeniXCMS 1.1.4, /inc/lib/backend/menus.control.php has XSS via the id parameter. Date published : 2017-09-27 http://ph0rse.me/2017/09/21/GeniXCMS-1-1-4%E6%9C%80%E6%96%B0%E7%89%88%E6%9C%AC-getshell/