CVE-2023-29006 Order GLPI plugin vulnerable to remote code execution from authenticated user
The Order GLPI plugin adds order management to GLPI. Starting with version 1.8.0 and prior to versions 2.7.7 and 2.10.1, an authenticated user with access to the standard interface can craft a URL that executes a system command. Versions 2.7.7 and 2.10.1 conta...
CVE-2022-43999
CVE-2022-43999 affects BACKCLICK Professional 5.9.63. The issue arises from exposed CORBA management services, allowing arbitrary system commands to be executed on the server. Public documents assign a CRITICAL impact (CVSS v3.1: 9.8, network attack vector, no privileges or user interaction requi...
CM Download Manager < 2.8.6 - Admin+ Arbitrary File Upload
The plugin allows high-privilege users such as admins to upload arbitrary files by permitting any extension via the plugin's settings, which admins of a multisite blog could use to upload PHP files, for example. Activate PHP extension: - Log in and go to "CM Downloads" "Settings" "General". -...
CVE-2021-37289
Insecure permissions in the administration interface of Planex MZK-DP150N 1.42 and 1.43 allow attackers to execute system commands as root via etcro/web/syscmd.asp...
Zeroshell Operating System Command Injection Vulnerability
Zeroshell is a Linux distribution for servers and embedded systems. Zeroshell version 3.9.5 suffers from an operating system command injection vulnerability that stems from a command injection issue in the /cgi-bin/kerbynet IP parameter. An authenticated attacker can use this vulnerability to...
Grav CMS Cross-Site Request Forgery (CSRF)
The Scheduler in Grav CMS through 1.7.0-rc.17 allows an attacker to execute a system command by tricking an admin into visiting a malicious website (CSRF)...
Delta Electronics DIAEnergie SQL Injection Vulnerability (CNVD-2022-36026)
Delta Electronics DIAEnergie is an industrial energy management system for monitoring and analyzing energy consumption in real time, calculating energy consumption and load characteristics, optimizing equipment performance, improving production processes and maximizing energy efficiency. Delta...
CVE-2022-1375
Delta Electronics DIAEnergie, all versions prior to 1.8.02.004, has a blind SQL injection vulnerability in DIAEslogHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands...
CVE-2022-1366
Delta Electronics DIAEnergie, all versions prior to 1.8.02.004, has a blind SQL injection vulnerability in HandlerChart.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands...
CVE-2022-1377
Delta Electronics DIAEnergie, all versions prior to 1.8.02.004, has a blind SQL injection vulnerability in DIAErltHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands...
Delta Electronics DIAEnergie SQL Injection Vulnerability
Delta Electronics DIAEnergie is an industrial energy management system for monitoring and analyzing energy consumption in real time, calculating energy consumption and load characteristics, optimizing equipment performance, improving production processes and maximizing energy efficiency. Delta...
ManageEngine ADSelfService Plus Custom Script Execution
This module exploits the "custom script" feature of ADSelfService Plus. The feature was removed in build 6122 as part of the patch for CVE-2022-28810. For purposes of this module, a "custom script" is arbitrary operating system command execution. This module uses an attacker provided "admin"...
CVE-2021-42324
The CVE-2021-42324 issue affects DCN S4600-10P-SI switches (pre-R0241.0470). Root cause: improper parameter validation in the console interface. An authenticated, low-privilege attacker can escape the sandbox and execute system commands as root via shell metacharacters in the capture command para...
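The Zeroshell kerbynet entry and the DCN S4600 entry above both describe the same bug class: a request parameter (an IP address, a capture argument) reaching a shell with metacharacters intact. The following Ruby example is added here to show that pattern beside its fix; it is not code from either product, and the handler names, the use of `echo` as a stand-in for the real diagnostic tool, and the sample inputs are assumptions made for illustration.

```ruby
require "ipaddr"

# Hypothetical diagnostic handler, like a router "ping" or "capture" page, that
# takes an address from the request and hands it to a shell. Illustrative only;
# `echo` stands in for the real tool so the example runs offline.
def diag_vulnerable(target)
  # String interpolation into a shell command: any metacharacter in `target`
  # becomes shell syntax, so "1.1.1.1; echo pwned" runs a second command.
  `echo #{target}`
end

# Validation step: accept only a single IP literal (v4 or v6), no CIDR suffix.
def valid_ip?(s)
  return false if s.include?("/")       # IPAddr accepts "10.0.0.0/8"; we do not
  IPAddr.new(s)
  true
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

# Argv form alone: the process is exec'd with a discrete argument vector, so no
# shell ever parses `target` and "; echo pwned" is just part of one argument.
def diag_argv_only(target)
  IO.popen(["echo", target]) { |io| io.read }
end

# Hardened handler: validate first, then use the argv form. Both layers matter:
# validation keeps garbage out of the tool, argv keeps the shell out of the path.
def diag_safe(target)
  raise ArgumentError, "not an IP address: #{target.inspect}" unless valid_ip?(target)
  diag_argv_only(target)
end
```

Run `diag_vulnerable("1.1.1.1; echo pwned")` and the second command executes; the same input through `diag_argv_only` is echoed back verbatim, and `diag_safe` refuses it before any process is spawned.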
CVE-2022-24803
CVE-2022-24803 concerns the Asciidoctor-include-ext extension (pre-0.4.0) that processes user-supplied input in AsciiDoc. The root cause is a command-injection risk in the include extension, allowing arbitrary system commands on the host OS, even when allow-uri-read is disabled. The issue is miti...
CVE-2022-24796
RaspberryMatic is a free and open-source operating system for running a cloud-free smart home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerability exists in the file upload facility of the WebUI interface of RaspberryMatic. Missing input...
Asciidoctor Operating System Command Injection Vulnerability
Asciidoctor is a text processor written in Ruby by the Asciidoctor organization. The product supports converting AsciiDoc content to HTML5, DocBook, and other formats. An operating system command injection vulnerability exists in versions prior to Asciidoctor-include-ext 0.4.0 that could allow an...
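The two Asciidoctor-include-ext entries above (CVE-2022-24803 and the entry just above) say only that the include extension lets an attacker-controlled include target reach an OS command, even with `allow-uri-read` off. The page does not state the mechanism. The Ruby example below is added here to show one common way a Ruby include resolver acquires exactly that behaviour, the `Kernel#open` pipe form, next to a hardened resolver; it is not the extension's code, and the function names, the base-directory policy, and the `|echo pwned` sample target are assumptions made for illustration.

```ruby
require "tmpdir"

# Illustrative include resolver (not asciidoctor-include-ext's code). `target`
# is the path the document author wrote in an include:: directive. Kernel#open
# treats a target beginning with "|" as a command to run and returns its
# stdout, so a document-controlled target becomes OS command execution whether
# or not remote (URI) includes are enabled.
def include_vulnerable(target)
  open(target) { |io| io.read }   # Kernel#open: "|cmd" spawns cmd
end

# Hardened resolver: refuse pipe targets outright, resolve against a base
# directory, check the result stays inside it, and read with File.open, which
# never spawns a process. (Symlinks inside base_dir still need File.realpath
# if the policy must hold on the resolved path as well.)
def include_safe(target, base_dir)
  raise ArgumentError, "pipe include rejected: #{target.inspect}" if target.start_with?("|")
  base = File.expand_path(base_dir)
  resolved = File.expand_path(target, base)
  unless resolved.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "include escapes base directory: #{target.inspect}"
  end
  File.open(resolved, "r") { |f| f.read }
end
```

`include_vulnerable("|echo pwned")` returns the command's output rather than a file's contents; `include_safe` raises on the same target, on a `../` escape, and reads ordinary files under the base directory normally.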
CVE-2022-26836
Delta Electronics DIAEnergie, all versions prior to 1.8.02.004, has a blind SQL injection vulnerability in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands...
SQL injection
Delta Electronics DIAEnergie, all versions prior to 1.8.02.004, has a blind SQL injection vulnerability in HandlerTagKID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands...
SQL injection
Delta Electronics DIAEnergie, all versions prior to 1.8.02.004, has a blind SQL injection vulnerability in DIAEdmdsetHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands...