CVE-2023-39517

Joplin is a free, open source note taking and to-do application. A Cross site scripting XSS vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer packages/renderer/htmlUtils.ts::sanitizeHtml preserves links. However,...

CVE-2023-39517 Cross site scripting (XSS) when clicking on an untrusted `<map>` link in Joplin

Joplin is a free, open source note taking and to-do application. A Cross site scripting XSS vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer packages/renderer/htmlUtils.ts::sanitizeHtml preserves links. However,...

CVE-2023-39517

Joplin (note-taking app) has a documented XSS vulnerability (CVE-2023-39517) in affected versions where clicking an untrusted image link can execute shell commands. The HTML sanitizer in packages/renderer/htmlUtils.ts::sanitizeHtml preserves and links, but does not remove target or href attribu...

CVE-2023-39517 Cross site scripting (XSS) when clicking on an untrusted `<map>` link in Joplin

Joplin is a free, open source note taking and to-do application. A Cross site scripting XSS vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer packages/renderer/htmlUtils.ts::sanitizeHtml preserves links. However,...

Joplin Security Vulnerabilities

Joplin is an open source notes and to-do list application. A security vulnerability exists in Joplin versions prior to 2.12.8. An attacker can exploit the vulnerability to execute arbitrary shell commands...

Joplin Security Vulnerabilities

Joplin is an open source notes and to-do list application. A security vulnerability exists in Joplin versions prior to 2.13.3. An attacker can exploit the vulnerability to execute arbitrary shell commands...

CVE-2024-1880

CVE-2024-1880 concerns the significant-gravitas/autogpt project, where the MacOSTTS component (MacOS Text-To-Speech) in the _speech method uses os.system to run the say command with user-supplied text. This allows OS command injection and potential arbitrary code execution when AutoGPT is run wit...

Auto-GPT Operating System Command Injection Vulnerability

Auto-GPT is an artificial intelligence software agent program open-sourced by Significant Gravitas. An operating system command injection vulnerability exists in Auto-GPT version 0.5.0 up to and including version 5.1.0, which stems from an improper neutralization of special elements used in...

Command Injection

swiftmailer/swiftmailer is vulnerable to Command Injection. The vulnerability is due to improper handling of the "From" header when it comes from a non-trusted source and when no "Return-Path" is configured, which allows an attacker to execute arbitrary shell commands...

Facebook Tacacs+ 安全漏洞

Facebook Tacacs+ is a daemon library from Facebook Inc. in the United States. A security vulnerability exists in Facebook Tacacs+ version F4.0.4.28 and earlier, which originates from allowing users to configure authorization checks as shell commands via the tacplus.cfg configuration file...

CVE-2024-33344

D-Link DIR-822+ V1.0.5 was found to contain a command injection in ftext function of uploadfirmware.cgi, which allows remote attackers to execute arbitrary commands via shell...

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution Exploit

This Metasploit module exploits two vulnerabilities in Palo Alto Networks PAN-OS that allow an unauthenticated attacker to create arbitrarily named files and execute shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or GlobalProtect Portal enabled and telemetry...

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution', 'Description' = %q This module exploits two vulnerabilities in Palo Alto Networ...

CVE-2023-38290

Certain software builds for the BLU View 2 and Sharp Rouvo V Android devices contain a vulnerable pre-installed app with a package name of com.evenwell.fqc versionCode='9020801', versionName='9.0208.01' ; versionCode='9020913', versionName='9.0209.13' ; versionCode='9021203',...

CVE-2023-38294

Certain software builds for the Itel Vision 3 Turbo Android device contain a vulnerable pre-installed app with a package name of com.transsion.autotest.factory versionCode='7', versionName='1.8.02203101027' that allows local third-party apps to execute arbitrary shell commands in its context syst...

PT-2024-12699 · Itel +1 · Itel Vision 3 Turbo +1

Name of the Vulnerable Software and Affected Versions: Itel Vision 3 Turbo Android device with pre-installed app com.transsion.autotest.factory version 1.8.0220310 1027 Description: The vulnerability in the com.transsion.autotest.factory app allows local third-party apps to execute arbitrary shel...

CVE-2023-38294

The CVE-2023-38294 issue affects Itel Vision 3 Turbo devices with a pre-installed vulnerable app com.transsion.autotest.factory (versionCode 7, versionName 1.8.0(220310_1027)). The root cause is inadequate access control in this component, enabling local third‑party apps to execute arbitrary shel...

CVE-2023-38290

CVE-2023-38290 affects BLU View 2 and Sharp Rouvo V Android devices due to a vulnerable pre-installed com.evenwell.fqc app. The issue: inadequate access control lets local third-party apps execute arbitrary shell commands in the app’s system context without special permissions, enabling actions s...

PT-2024-12695 · Unknown · Com.Evenwell.Fqc

Name of the Vulnerable Software and Affected Versions: com.evenwell.fqc version 9.0208.01 com.evenwell.fqc version 9.0209.13 com.evenwell.fqc version 9.0212.03 Description: The vulnerability in the com.evenwell.fqc app allows local third-party apps to execute arbitrary shell commands in its conte...

CVE-2023-38294

Certain software builds for the Itel Vision 3 Turbo Android device contain a vulnerable pre-installed app with a package name of com.transsion.autotest.factory versionCode='7', versionName='1.8.02203101027' that allows local third-party apps to execute arbitrary shell commands in its context syst...