Command Injection

github.com/1panel-dev/1panel is vulnerable to Command injection. The vulnerability arises from insufficient input sanitization, that allowing attackers to write arbitrary files by exploiting the log retrieval API. This can lead to unauthorized command execution or arbitrary file write...

GHSA-WPCV-5JGP-69F3 Genie Path Traversal vulnerability via File Uploads

Overview Path Traversal Vulnerability via File Uploads in Genie Impact Any Genie OSS users running their own instance and relying on the filesystem to store file attachments submitted to the Genie application may be impacted. Using this technique, it is possible to write a file with any...

1Panel arbitrary file write vulnerability

Summary There are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. We can use the following mirror configuration write symbol to achieve arbitrary file writing PoC Dockerfile FROM bash:latest COPY...

CVE-2024-34352 Arbitrary file write vulnerability in 1Panel

1Panel is an open source Linux server operation and maintenance management panel. Prior to v1.10.3-lts, there are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The mirror configuration write symbol...

CVE-2024-34352

CVE-2024-34352 affects the 1Panel project (open source Linux server O&M panel). Prior to v1.10.3-lts, command injection vulnerabilities allow arbitrary file writes and can lead to remote code execution. The root cause involves inadequate input filtering and an exploit path using the mirror config...

1Panel arbitrary file write vulnerability

There are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. We can use the following mirror configuration write symbol to achieve arbitrary file writing...

PT-2024-25809 · 1Panel · 1Panel

Name of the Vulnerable Software and Affected Versions: 1Panel versions prior to 1.10.3-lts Description: The issue is related to command injections in the project that are not well filtered, leading to arbitrary file writes and ultimately to remote code executions RCEs. The mirror configuration...

CVE-2024-25533

Error messages in RuvarOA v6.01 and v12.01 were discovered to leak the physical path of the website /WorkFlow/OfficeFileUpdate.aspx. This vulnerability can allow attackers to write files to the server or execute arbitrary commands via crafted SQL statements...

CVE-2024-25533

Error messages in RuvarOA v6.01 and v12.01 were discovered to leak the physical path of the website /WorkFlow/OfficeFileUpdate.aspx. This vulnerability can allow attackers to write files to the server or execute arbitrary commands via crafted SQL statements...

CVE-2024-25533

Error messages in RuvarOA v6.01 and v12.01 were discovered to leak the physical path of the website /WorkFlow/OfficeFileUpdate.aspx. This vulnerability can allow attackers to write files to the server or execute arbitrary commands via crafted SQL statements...

CVE-2024-25533

Error messages in RuvarOA v6.01 and v12.01 were discovered to leak the physical path of the website /WorkFlow/OfficeFileUpdate.aspx. This vulnerability can allow attackers to write files to the server or execute arbitrary commands via crafted SQL statements...

PT-2024-20995 · Ruvaroa · Ruvaroa

Name of the Vulnerable Software and Affected Versions: RuvarOA versions 6.01 through 12.01 Description: Error messages in RuvarOA were discovered to leak the physical path of the website, specifically at the /WorkFlow/OfficeFileUpdate.aspx endpoint. This issue can allow attackers to write files t...

CVE-2024-25533

CVE-2024-25533 affects RuvarOA v6.01–v12.01. Error messages disclose the server path at /WorkFlow/OfficeFileUpdate.aspx and, per multiple sources, allow writing files or executing arbitrary SQL via crafted statements due to insufficient input validation. Affected versions: 6.01–12.01. Root cause ...

PT-2024-18781 · Samsung · Galaxy Store

Name of the Vulnerable Software and Affected Versions: Galaxy Store versions prior to 4.5.71.8 Description: The issue is related to improper verification of intent by a broadcast receiver in Galaxy Store, allowing local attackers to write arbitrary files with the privilege of Galaxy Store...

Pterodactyl Wings vulnerable to Arbitrary File Write/Read

Impact If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to. Workarounds Enabling the ignorepanelconfigupdates option or updating to th...

CVE-2024-34066 Arbitrary File Write/Read in Pterodactyl wings

Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to. This issue h...

CVE-2024-34066 Arbitrary File Write/Read in Pterodactyl wings

Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to. This issue h...

CVE-2023-39493

PDF-XChange Editor exportAsText Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must...

CVE-2023-39463

Triangle MicroWorks SCADA Data Gateway Trusted Certification Unrestricted Upload of File Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Triangle MicroWorks SCADA Data Gateway. Although authentication is requir...

CVE-2023-39463

Triangle MicroWorks SCADA Data Gateway Trusted Certification Unrestricted Upload of File Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Triangle MicroWorks SCADA Data Gateway. Although authentication is requir...