PT-2023-20494 · Sketchsvg · Sketchsvg
Name of the Vulnerable Software and Affected Versions: sketchsvg versions all. Description: The issue is related to Arbitrary Code Injection when invoking shell.exec without proper sanitization or parametrization, specifically while concatenating the current directory as part of the command string...
Arbitrary Code Injection
Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection such that an attacker using a specially crafted payload may execute OS commands by using command chaining because during object initialization, there is no validation performed and the user-provided path is used...
SUSE CVE-2021-23358
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized...
QNAP addresses a vulnerability in NAS devices
Summary: QNAP has released updates to address a security flaw in its network-attached storage (NAS) devices that allows arbitrary code injection. This vulnerability enables a remote attacker to run any SQL...
QNAP Fixes Critical Vulnerability in NAS Devices with Latest Security Updates
Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage (NAS) devices that could lead to arbitrary code injection. Tracked as CVE-2022-27596, the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale. It affects...
Arbitrary Code Injection
Tomcat Catalina is vulnerable to Arbitrary Code Injection. The vulnerability exists in the report function of JsonErrorReportValve.java due to improper escaping of inputs from JsonErrorReportValve which allows an attacker to inject invalid input values...
CVE-2022-32763
A cross-site scripting (XSS) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary JavaScript code injection. An attacker can send an HTTP request to trigger this vulnerability...
Arbitrary Code Injection
akeneo/pim-community-dev is vulnerable to arbitrary code injection. The vulnerability exists in the Location parameter in httpd.conf because user inputs are not properly validated, which allows an attacker to inject and execute malicious code into the system...
Arbitrary Code Injection
Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via the System.Drawing.Common function. Remediation: Upgrade Akka to version 1.5.0-alpha3, 1.4.46 or higher. References: GitHub Issue...
Tenable Nessus < 10.1.0 Arbitrary Code Injection Vulnerability (TNS-2022-04)
Tenable Nessus is prone to an arbitrary code injection vulnerability...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that enable the assisted mapping capability may be vulnerable to arbitrary code injection due to CVE-2022-21797
Summary: Python module Joblib is used by IBM App Connect Enterprise Certified Container for mapping assistance in flow development. IBM App Connect Enterprise Certified Container DesignerAuthoring operands that enable mapping assistance may be vulnerable to arbitrary code injection. This bulletin...
Arbitrary Code Injection
azurecli is vulnerable to arbitrary code injection. The vulnerability exists in azurecli only when running on Windows, due to incorrect input validation during the submission of values containing & or | symbols, which allows an attacker to inject and execute malicious code into the system...
PT-2022-26221
Name of the Vulnerable Software and Affected Versions: Zemana AntiMalware version 3.2.28; Watchdog Anti-Malware version 4.1.422. Description: The issue allows for arbitrary code injection, which can be exploited to execute code in kernel mode. This can lead to disabling mandatory driver signature...
Cross Site Scripting (XSS)
ruoyi is vulnerable to cross-site scripting. The vulnerability exists in the updateAvatar function in SysProfileController.java due to the lack of sanitization of user input, which allows an attacker to inject and execute arbitrary code via a crafted HTML file...
Arbitrary Code Injection
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the user name field at login could be used to enumerate LDAP data. This is only the case for LDAP search configuration. This issue has been fixed ...
Mobile web: upgrade Underscore.js to 1.13.1 or higher
Issue Summary: The mobile web view in Confluence is currently using underscore.js 1.3.3. However, it is being affected due to CVE-2021-23358: The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template functio...
UPM: upgrade Underscore.js to 1.13.1 or higher
Issue Summary: UPM is currently using underscore.js 1.4.4. However, it is being affected due to CVE-2021-23358: The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variabl...
Remote Code Execution (RCE)
concrete5/core is vulnerable to remote code execution. The vulnerability exists due to insecure HTTP requests which allow an attacker to inject and execute arbitrary code into the system...
CVE-2022-23057
In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile...
CVE-2022-24127
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/editprojectsettings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (apptitle) field when editing an existing project. The payload i...