This vulnerability allows remote attackers to execute arbitrary code on affected installations of BEC Technologies Multiple Routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2025-2773.
Posted by Andrey Stoykov on Mar 24
# Exploit Title: SQL Injection in Admin Functionality – dolphin.prov7.4.2
# Date: 03/2025
# Exploit Author: Andrey Stoykov
# Version: 7.4.2
# Date: 03/2025
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2025/03/friday-fun-pentest-series-21-sql.html
SQL Injection in Admin Functionality:
Steps to Reproduce:
1. Login as admin user and visit the page of “
http://192.168.58.170/dolphinCMS/administration/index.php?cat="
2….
Posted by Andrey Stoykov on Mar 24
# Exploit Title: Stored XSS via Send Message Functionality –
dolphin.prov7.4.2
# Date: 03/2025
# Exploit Author: Andrey Stoykov
# Version: 7.4.2
# Date: 03/2025
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2025/03/friday-fun-pentest-series-20-stored-xss.html
Stored XSS via Send Message Functionality:
Steps to Reproduce:
1. Login and visit “http://192.168.58.170/dolphinCMS/mail.php?mode=compose"
2. Add…
It was discovered that SmartDNS did not correctly align certain objects in
memory, leading to undefined behaviour. An attacker could possibly use this
issue to cause a denial of service or execute arbitrary code. This issue
only affected Ubuntu 22.04 LTS. (CVE-2024-24198, CVE-2024-24199)
It was discovered that SmartDNS did not correctly handle certain inputs,
which could lead to an integer overflow. A remote attacker could possibly
use this issue to cause a denial of service. This issue only affected
Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-42643)
Multiple security issues were found in Rack, an interface for developing
web applications in Ruby, which could result in log injection or
information disclosure.
