KDE Frameworks < 5.61.0 is vulnerable to a command injection vulnerability in the KDesktopFile class. When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function. Using a specially crafted .desktop file, a remote user could be compromised simply by downloading and viewing the file in their file manager, or by dragging and dropping a link to it onto their documents folder or desktop.
- https://github.com/zeropwn/vulnerability-reports-and-pocs/blob/master/kde-kdesktopfile-command-injection.txt
- https://kde.org/info/security/advisory-20190807-1.txt
Axway SecureTransport versions 5.3 through 5.0 (and potentially others) are vulnerable to an unauthenticated blind XML injection (and XXE) vulnerability in the resetPassword functionality via the REST API. If executed properly, this vulnerability can lead to local file disclosure, DoS or URI invocation attacks (e.g. SSRF leading to RCE). It is worth noting that in version 5.4 the v1 API was deprecated but not removed entirely, meaning the vulnerability can still be triggered on updated installations that still have v1.0, v1.1, v1.2 or v1.3 present in the /api/ directory.
- https://github.com/zeropwn/vulnerability-reports-and-pocs/blob/master/Axway-secure-transport-5-xml-injection.txt
- https://zero.lol/2019-07-21-axway-securetransport-xml-injection/
An issue was discovered in Electronic Arts Origin before 10.5.39. Due to improper sanitization of the origin:// and origin2:// URI schemes, it is possible to inject additional arguments into the Origin process and ultimately leverage code execution by loading a backdoored Qt plugin remotely via the platformpluginpath argument supplied with a Windows network share.
- https://github.com/zeropwn/vulnerability-reports-and-pocs/blob/master/EA-Origin-RCE-CVE-2019-12828.md
- https://zero.lol/2019-05-22-fun-with-uri-handlers/
The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices communication.
- https://github.com/zeropwn/vulnerability-reports-and-pocs/blob/master/EA-Origin-RCE-CVE-2019-11354.md
- https://zero.lol/2019-05-13-xss-to-rce/
On Saturday, August 19, Dominik Penner and Manny Mand, two security researchers with Project Insecurity, revealed that TRS systems developed by Soleo Communications were impacted by a local file disclosure vulnerability.
The two explained that this vulnerability, caused by improper input sanitization, allows an attacker to determine what files are stored on a TRS system, and then access the files via its web interface.
Penner and Mand believe an attacker would be able to use this vulnerability to retrieve source code files present on the TRS system or the underlying web server.
"Within the source code lies passwords which allow the servlet to communicate with other services, such as SQL/LDAP," the two said in a report published over the weekend. "An attacker could extract these passwords from within the source files, and further escalate their privileges on the server, or even use said information in a social engineering attack."
- SQL Injection (x9)
- Remote Code Execution (x4)
- Information Disclosure (x3)
- Arbitrary Read/Write
- Unrestricted File Upload
- Cross-Site Request Forgery to RCE
- Authentication Bypass
Exploits an information disclosure vulnerability commonly found in many Linksys routers.
- https://github.com/zeropwn/vulnerability-reports-and-pocs/blob/master/Linksys-Smart-WiFi-Information-Disclosure.py
- https://badpackets.net/over-25000-linksys-smart-wi-fi-routers-vulnerable-to-sensitive-information-disclosure-flaw/