GHSA-HCWQ-X9FW-8CFQ @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

Summary The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host...

Command Injection

Overview @apostrophecms/cli is a Commandline generator and configurator for Apostrophe CMS Affected versions of this package are vulnerable to Command Injection via the apos create command when user-supplied input from the password prompt is embedded directly into a shell command without proper...

PT-2026-41135

Summary The @apostrophecms/cli package contains a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host...

MiracleLinux 7 : gvfs-1.36.2-3.el7 (AXSA:2019-4036:01)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2019-4036:01 advisory. gvfs: Incorrect authorization in admin backend allows privileged users to read and modify arbitrary files without prompting for password CVE-2019-3827 Tenabl...

Apple iOS和Apple iPadOS 安全漏洞

Apple iOS and Apple iPadOS are products of Apple Inc. Apple iOS is an operating system developed for mobile devices, and Apple iPadOS is an operating system for iPad tablets. A security vulnerability exists in Apple iOS version 26.2 and Apple iPadOS version 26.2, which stems from a logic issue th...

Siemens Ruggedcom ROX Incorrect Implementation of Authentication Algorithm (CVE-2023-4641)

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from...

EUVD-2017-1426

Malware in sbrugna...

EUVD-2021-9077

Malicious code in bioql PyPI...

Liferay Portal和Liferay DXP 安全漏洞

Liferay Portal and Liferay DXP are both products of Liferay, Inc.Liferay Portal is a J2EE based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...

Linux Distros Unpatched Vulnerability : CVE-2024-39894

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry e.g., for su and Sudo because of an ObscureKeystrokeTiming...

Ubuntu 14.04 LTS / 16.04 LTS : cifs-utils vulnerabilities (USN-7688-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-7688-1 advisory. Aurlien Aptel discovered that cifs-utils invoked a shell when requesting a password. In certain environments, a local attacker could possibly...

CLSA-2025-1748945064 Fix CVE(s): CVE-2019-10206, CVE-2019-14856

SECURITY UPDATE: password prompt vulnerability from template expansion - debian/patches/CVE-2019-10206.patch: prevent templating of passwords from prompt to avoid special characters triggering it incorrectly - CVE-2019-10206 - debian/patches/CVE-2019-14856.patch: fix incomplete CVE-2019-10206 pat...

CVE-2023-23493

A logic issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.2, macOS Monterey 12.6.3. An encrypted volume may be unmounted and remounted by a different user without prompting for the password...

CVE-2019-8522

A logic issue was addressed with improved state management. This issue is fixed in macOS Mojave 10.14.4. An encrypted volume may be unmounted and remounted by a different user without prompting for the password...

CVE-2019-15929

In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them...

CVE-2025-31124

CVE-2025-31124 (Zitadel) describes a user enumeration flaw in the login flow caused by normalization of the username when the “Ignoring unknown usernames” setting is enabled. Although the UI prompts for a password and returns “Username or Password invalid” for non-existent users, the normalizatio...

CVE-2025-26793

The Web GUI configuration panel of Hirsch formerly Identiv and Viscount Enterphone MESH through 2024 ships with default credentials username freedom, password viscount. The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires ma...

CVE-2024-54466

An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. An encrypted volume may be accessed by a different user without prompting for the password...

PT-2024-36343 · Apple · Apple Macos

Name of the Vulnerable Software and Affected Versions: macOS versions prior to 13.7.2 macOS versions prior to 14.7.2 macOS versions prior to 15.2 Description: An authorization issue was addressed with improved state management. This issue allows a different user to access an encrypted volume...

CVE-2024-53992 unzip-bot Allows Remote Code Execution (RCE) via archive extraction, password prompt, or video upload

unzip-bot is a Telegram bot to extract various types of archives. Users could exploit unsanitized inputs to inject malicious commands that are executed through subprocess.Popen with shell=True. Attackers can exploit this vulnerability using a crafted archive name, password, or video name. This...