24 matches found
CVE-2026-23920 Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection
Host and event action script input is validated with a regex set by the administrator, but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands...
CVE-2025-70146
Missing authentication in multiple administrative action scripts under /admin/ in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to perform unauthorized administrative operations (e.g., adding records, deleting records) via direct HTTP requests to affected endpoints without a...
CVE-2025-70146
CVE-2025-70146 affects ProjectWorlds Online Time Table Generator 1.0. Multiple administrative action scripts under /admin/ lack authentication, enabling remote attackers to perform unauthorized admin operations (e.g., add/delete records) via direct HTTP requests without a valid session. The vulne...
VulnCheck KEV: CVE-2022-28054
Improper sanitization of trigger action scripts in VanDyke Software VShell for Windows v4.6.2 allows attackers to execute arbitrary code via a crafted value...
EUVD-2022-32540
Malicious code in bioql PyPI...
CVE-2022-28054
Improper sanitization of trigger action scripts in VanDyke Software VShell for Windows v4.6.2 allows attackers to execute arbitrary code via a crafted value...
SUSE CVE-2014-3686
wpa_supplicant and hostapd 0.7.2 through 2.2, when running with certain configurations and using wpa_cli or hostapd_cli with action scripts, allows remote attackers to execute arbitrary commands via a crafted frame...
CVE-2022-28054
The CVE-2022-28054 entry affects VanDyke Software VShell for Windows 4.6.2. The root cause is improper sanitization/cleanup of trigger action scripts, which enables an attacker to execute arbitrary code by supplying a crafted value. Impact is high: remote code execution with network access and no...
PT-2022-18781 · Vandyke · Vshell For Windows
Name of the Vulnerable Software and Affected Versions: VanDyke Software VShell for Windows version 4.6.2 Description: The issue is related to improper sanitization of trigger action scripts, allowing attackers to execute arbitrary code via a crafted value. Recommendations: For VanDyke Software...
VanDyke Software VShell for Windows Security Vulnerability
VanDyke Software VShell for Windows is multi-protocol secure file transfer software from the U.S. company VanDyke Software. A security vulnerability exists in VanDyke Software VShell for Windows version 4.6.2, which originates from improper cleanup of trigger action scripts. An attacker could exploit the...
Microsoft Windows Server Elevation of Privilege Vulnerability (CNVD-2015-04664)
Microsoft Windows Server is a series of servers based on the Windows operating system, launched by the U.S. company Microsoft. A security vulnerability exists in the Windows Installer service for Microsoft Windows. A local attacker can exploit the vulnerability to gain privileges via custom acti...
Debian DLA-147-1 : wpasupplicant security update
It was discovered that wpasupplicant could be tricked into executing arbitrary commands when calling action scripts. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as...
[SECURITY] [DLA 147-1] wpasupplicant security update
Package : wpasupplicant Version : 0.6.10-2.1+deb6u1 CVE ID : CVE-2014-3686 It was discovered that wpasupplicant could be tricked into executing arbitrary commands when calling action scripts...
hostapd: wpa_cli and hostapd_cli remote command execution issue
A command injection flaw was found in the way the wpa_cli utility executed action scripts. If wpa_cli was run in daemon mode to execute an action script specified using the -a command line option, and wpa_supplicant was configured to connect to a P2P group, malicious P2P group parameters could cause...
Mandriva Linux Security Advisory : wpa_supplicant (MDVSA-2014:211)
Updated wpa_supplicant packages fix security vulnerability: A vulnerability was found in the mechanism wpa_cli and hostapd_cli use for executing action scripts. An unsanitized string received from a remote device can be passed to a system call resulting in arbitrary command execution under the...
openSUSE Security Update : wpa_supplicant (openSUSE-SU-2014:1313-1)
add 0001-Add-os_exec-helper-to-run-external-programs.patch - add 0002-wpa_cli-Use-os_exec-for-action-script-execution.patch - fixing CVE-2014-3686 bnc#900611 trying to abuse the action scripts in wpa_cli. (C) Tenable Network Security, Inc. The descriptive text and package checks in...