656 matches found
CVE-2024-39565
CVE-2024-39565 : J-Web XPath Injection in Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target device. Affected Junos OS versions include all before 21.2R3-S8; 21.4 before 21.4R3-S7; 22.2 before 22.2R3-S4; 22.3 before 22.3R3-S3; 22.4 before 22.4R3-S2...
Malicious code in twentytwentyone (npm)
Source: ghsa-malware 022aaabc9c3c5a59caaeef5248c72ca2e27ebb9f2cf1dfd54cf1fe144fd43b77. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
PT-2024-4285 · Moxa · OnCell G3470A-LTE Series
Name of the Vulnerable Software and Affected Versions: OnCell G3470A-LTE Series firmware versions v1.7.7 and prior Description: The issue is related to a lack of neutralized inputs in the web key upload function, allowing an attacker to modify intended commands sent to target functions. This coul...
PT-2024-4398 · WordPress · Seopress
Name of the Vulnerable Software and Affected Versions: SEOPress versions prior to 7.9 Description: The issue is related to insufficient protection of some REST API routes in the SEOPress WordPress plugin, which can be combined with an Object Injection vulnerability to allow unauthenticated...
CVE-2023-46694
Vtenext 21.02 allows an authenticated attacker to upload arbitrary files, potentially enabling them to execute remote commands. This flaw exists because the application fails to enforce proper authentication controls when accessing the CKEditor file manager functionality...
A vulnerability in the development package for integrating cloud services and communication functions in IoT devices. The Kalay SDK, firmware used in video surveillance cameras such as the Owlet Cam v1 and Owlet Cam v2, has a flaw related to the failure to neutralize special elements used in operating system commands. This allows attackers to execute arbitrary commands and escalate their privileges.
A vulnerability in the development package for integrating cloud services and communication functions in IoT devices is related to the failure to neutralize special elements used in operating system commands when executing system calls such as IOCTL during the unpacking of updates. Exploiting...
Aruba Networks ArubaOS and InstantOS Security Vulnerability
Aruba Networks ArubaOS and Aruba Networks InstantOS are both products of Aruba Networks, Inc. Aruba Networks ArubaOS is an operating system for Aruba Mobility-Defined Networks, including Mobility Controllers and Mobility Access Switches. Aruba Networks InstantOS is an Arch Linux-based distribution...
A vulnerability in the Avalanche mobile device management web component allows an attacker to execute arbitrary commands with SYSTEM privileges.
The vulnerability in the Avalanche mobile device management web component is related to an improper restriction of a pathname to a restricted directory. Exploiting this vulnerability allows a malicious actor to execute arbitrary commands with SYSTEM privileges remotely...
OESA-2024-1437 pcp security update
PCP provides a range of services that may be used to monitor and manage system performance. These services are distributed and scalable to accommodate the most complex system configurations and performance problems. Security Fixes: A flaw was found in PCP. The default pmproxy configuration expose...
OESA-2024-1436 pcp security update
PCP provides a range of services that may be used to monitor and manage system performance. These services are distributed and scalable to accommodate the most complex system configurations and performance problems. Security Fixes: A flaw was found in PCP. The default pmproxy configuration expose...
CVE-2024-2243
A vulnerability was found in csmock where a regular user of the OSH service (anyone with a valid Kerberos ticket) can use the flaw to disclose the confidential Snyk authentication token and to run arbitrary commands on OSH workers...
Malicious code in soundcloud-scrape (npm)
Source: ghsa-malware 49aa7d872acd9b91dd62d1aec545292c8d638126b53eadcc46435726c1c4215a. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Rancher API Server Cross-site Scripting Vulnerability
Impact: A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in the API Server's public API endpoint can be exploited. This can lead to an attacker exploiting the vulnerability to trigger JavaScript code and execute commands remotely. The attack vector was identifi...
CVE-2023-47566
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645...
A vulnerability in Websoft HCM's HR process automation software lies in the lack of measures to neutralize instructions in dynamically executed code, allowing attackers to execute arbitrary commands within the system.
The vulnerability in Websoft HCM's HR process automation software stems from the failure to implement measures to neutralize instructions within dynamically executed code. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands within the system...
SE-elektronic GmbH E-DDC Code Injection Vulnerability
The SE-elektronic GmbH E-DDC is a freely configurable building controller from SE-elektronic GmbH, Germany. A code injection vulnerability exists in SE-elektronic GmbH E-DDC version 3.3 03.07.03 and earlier, which originates from allowing an attacker to send different commands to the system from...
PT-2024-18975
Name of the Vulnerable Software and Affected Versions: OTClient versions prior to commit db560de0b56476c87a2f967466407939196dd254 Description: The issue concerns an expression injection vulnerability in the /mehah/otclient "Analysis - SonarCloud" workflow, allowing an attacker to run commands...
CVE-2023-41166
An issue was discovered in Stormshield Network Security SNS 3.7.0 through 3.7.39, 3.11.0 through 3.11.27, 4.3.0 through 4.3.22, 4.6.0 through 4.6.9, and 4.7.0 through 4.7.1. It's possible to know if a specific user account exists on the SNS firewall by using remote access commands...