1765 matches found
Command injection
On the Alcatel-Lucent Enterprise ALE 8008 Cloud Edition Deskphone VoIP phone with firmware 1.50.13, a command injection missing input validation issue in the password change field for the Change Password interface allows an authenticated remote attacker in the same network to trigger OS commands...
CVE-2019-14260
On the Alcatel-Lucent Enterprise ALE 8008 Cloud Edition Deskphone VoIP phone with firmware 1.50.13, a command injection missing input validation issue in the password change field for the Change Password interface allows an authenticated remote attacker in the same network to trigger OS commands...
Command injection
On the Polycom Obihai Obi1022 VoIP phone with firmware 5.1.11, a command injection missing input validation issue in the NTP server IP address field for the "Time Service Settings web" interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands ...
CVE-2019-14259
On the Polycom Obihai Obi1022 VoIP phone with firmware 5.1.11, a command injection missing input validation issue in the NTP server IP address field for the "Time Service Settings web" interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands ...
CVE-2019-14259
CVE-2019-14259 affects the Polycom Obihai Obi1022 VoIP phone (firmware 5.1.11). The issue is a command injection due to missing input validation in the NTP server IP address field of the "Time Service Settings web" interface. An authenticated remote attacker on the same network can trigger OS com...
CVE-2019-10173
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON...
Deserialization of untrusted data
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON...
CVE-2019-10173
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON...
CVE-2019-10173
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON...
CVE-2019-10173
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON...
CVE-2019-10173
It was found that xstream API version 1.4.10 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. This a regression of...
Ke3chang APT Linked to Previously Undocumented Backdoor
The Ke3chang cyberespionage group, a.k.a. APT15, Mirage, Playful Dragon or Vixen Panda, has been tied to a backdoor called Okrum that has been used to target diplomatic missions throughout Europe and Latin America. The attribution widens the scope of known Ke3chang activity, an APT believed to be...
CVE-2019-1911
A vulnerability in the CLI of Cisco Unified Communications Domain Manager Cisco Unified CDM Software could allow an authenticated, local attacker to escape the restricted shell. The vulnerability is due to insufficient input validation of shell commands. An attacker could exploit this vulnerabili...
Input validation
A vulnerability in the CLI of Cisco Unified Communications Domain Manager Cisco Unified CDM Software could allow an authenticated, local attacker to escape the restricted shell. The vulnerability is due to insufficient input validation of shell commands. An attacker could exploit this vulnerabili...
dotCMS 5.1.5: Exploiting H2 SQL injection to RCE
Impact The SQL injection vulnerability can be exploited as an unauthenticated attacker via CSRF or as a user of the role Publisher. An attacker is able to execute stacked SQL queries which means it is possible to manipulate arbitrary database entries and even execute shell commands when the H2...
TP-Link Wi-Fi Extender Remote Code Execution Vulnerability
TP-LINK is a brand of P&L Technology Co., Ltd. and is a mainstream manufacturer engaged in the research and development, manufacturing and marketing of network and communication terminal equipment. A remote code execution vulnerability exists in TP-Link Wi-Fi extenders. It allows an attacker to...
CVE-2019-1878
A vulnerability in the Cisco Discovery Protocol CDP implementation for the Cisco TelePresence Codec TC and Collaboration Endpoint CE Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to...
CVE-2019-1878
A vulnerability in the Cisco Discovery Protocol CDP implementation for the Cisco TelePresence Codec TC and Collaboration Endpoint CE Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to...
Input validation
A vulnerability in the Cisco Discovery Protocol CDP implementation for the Cisco TelePresence Codec TC and Collaboration Endpoint CE Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to...
CVE-2019-1878
CVE-2019-1878 describes a shell-injection vulnerability in the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) software via the Cisco Discovery Protocol (CDP). The root cause is insufficient input validation of CDP packets, enabling an unauthenticated, adjacent attacker to craft CDP...