738 matches found
Command injection
An issue was discovered in Softing uaGate SI, MB, 840D firmware through 1.71.00.1225. A CGI script is vulnerable to command injection via a maliciously crafted form parameter...
CVE-2019-11527
CVE-2019-11527 involves Softing uaGate SI 1.60.01, where a CGI script is vulnerable to command injection via a maliciously crafted URL parameter. The vulnerability is documented across multiple sources (NVD, Red Hat, CNVD, CVE lists). CVSSv3.1 vectors indicate an attack vector of NETWORK with low...
CVE-2019-11527
An issue was discovered in Softing uaGate SI 1.60.01. A CGI script is vulnerable to command injection with a maliciously crafted URL parameter...
CVE-2019-13273
In Xymon through 4.3.28, a buffer overflow vulnerability exists in the csvinfo CGI script. The overflow may be exploited by sending a crafted GET request that triggers an sprintf of the srcdb parameter...
Buffer overflow
In Xymon through 4.3.28, a buffer overflow vulnerability exists in the csvinfo CGI script. The overflow may be exploited by sending a crafted GET request that triggers an sprintf of the srcdb parameter...
CVE-2019-13273
CVE-2019-13273 affects Xymon up to version 4.3.28, where the csvinfo CGI script contains a buffer overflow caused by a crafted GET request that triggers an sprintf on the srcdb parameter. This is a server-side vulnerability in the web interface (csvinfo.c) that can lead to memory corruption. The ...
CVE-2019-13274
In CVE-2019-13274, the affected software is Xymon up to version 4.3.28, where the csvinfo CGI script is vulnerable due to insufficient filtering of the db parameter, enabling a cross-site scripting (XSS) issue. The connected sources consistently describe the vulnerability and its presence in Xymo...
CVE-2019-7617
When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing...
PYSEC-2019-178
When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing...
Mitel 6869i Voip Deskphone 4.2.2032 Command Injection
BlueBox Security http://www.bluebox-security.de/ securityatbluebox-security.de bbs-2019.001.txt 08-August-2019 Vendor: Mitel Affected Products: Mitel 6869i Voip Deskphone Version 4.2.2032 - SIP Not Affected: unknown Vulnerability: Mitel 6869i SIP Deskphone 4.2.2032: Unauthenticated Bash Command...
CVE-2019-13398
Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrlsaveprofile.cgi save parameter and cgi-bin/ddns.cgi...
SQL injection
Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrlsaveprofile.cgi save parameter and cgi-bin/ddns.cgi...
CVE-2019-13398
CVE-2019-13398 affects Dynacolor FCM-MB40 v1.2.0.0 devices. The vulnerability is a command-injection flaw in CGI scripts (cgi-bin/camctrl_save_profile.cgi and cgi-bin/ddns.cgi) that allows a remote attacker to execute arbitrary commands by supplying crafted parameters. This stems from unsafe inpu...
Citrix SD-WAN Appliance < 10.2.3 Unauthenticated Blind SQL Injection
The remote Citrix SD-WAN Appliance is affected by an SQL injection vulnerability due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this issue to inject or manipulate SQL queries in the back-end database, resulting in the manipulation of arbitrary...
Command injection
An issue was discovered on ASMAX AR-804gu 66.34.1 devices. There is Command Injection via the cgi-bin/script query string...
devolo dLAN 550 duo+ 3.1.0-1 Starter Kit Remote Code Execution
devolo dLAN 550 duo+ Starter Kit Remote Code Execution Vendor: devolo AG Product web page: https://www.devolo.com Affected version: dLAN 500 AV Wireless+ 3.1.0-1 i386 Summary: Devolo dLAN® 550 duo+ Starter Kit is a Powerline adapter which is a cost-effective and helpful networking alternative for a...
FutureNet NXR-G240 Series ShellShock Command Injection
Title: FutureNet NXR-G240 Series - "ShellShock" Remote Command Injection Date: 2018-06-12 Author: Nassim Asrir You have a Q? Contact me at: https://www.linkedin.com/in/nassim-asrir-b73a57122/ Vendor: http://www.centurysys.co.jp/ CVE: CVE-2014-6271 Greetz to: Nadia BENCHIKHA...
[SECURITY] Fedora 28 Update: mod_perl-2.0.10-11.fc28
mod_perl incorporates a Perl interpreter into the Apache web server, so that the Apache web server can directly execute Perl code. mod_perl links the Perl run-time library into the Apache web server and provides an object-oriented Perl interface for Apache's C language API. The end result is a...