The MOBOTIX VMS application interface allows users to perform certain actions via HTTP requests without any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
Apple Quicktime FPX / PSD File Parsing Memory Corruption
Apple Quicktime versions prior to 7.7.79.80.95 suffer from .fpx and .psd file parsing memory corruption vulnerabilities. Multiple proofs of concept are included.
Metaphor Stagefright Implementation
Included in this archive is a whitepaper called Metaphor – A (real) real-life Stagefright exploit. It presents thorough research on libstagefright and new techniques used to bypass ASLR. This archive also includes the Metaphor exploit that leverages CVE-2015-3864.
Apache Jetspeed Arbitrary File Upload
This Metasploit module exploits the unsecured User Manager REST API and a ZIP file path traversal in Apache Jetspeed-2, versions 2.3.0 and unknown earlier versions, to upload and execute a shell. Note: this exploit will create, use, and then delete a new admin user. Warning: in testing, exploiting the file upload clobbered the web interface […]
[dos] – Wireshark – dissect_pktc_rekey Heap-based Out-of-Bounds Read
[webapps] – MOBOTIX Video Security Cameras – CSRF Add Admin Exploit
[remote] – Apache Jetspeed Arbitrary File Upload
[webapps] – Apache OpenMeetings 1.9.x – 3.1.0 – ZIP File path Traversal
PayPal Bug Bounty #121 – Bypass & Persistent Vulnerability
The Vulnerability Laboratory Core Research Team discovered an application-side mail encoding web vulnerability and filter bypass issue in the official PayPal Inc online-service web-application.
Cades (2016Q1) – (id) Multiple SQL Injection Vulnerabilities
An independent vulnerability laboratory researcher discovered multiple SQL injection vulnerabilities in the Cades online service web-application (2016-Q1).