JVN#38784555: Multiple vulnerabilities in UNIVERGE SV9500/SV8500 series
The remote system maintenance feature of the UNIVERGE SV9500/SV8500 series' web-based remote maintenance console contains the multiple vulnerabilities listed below. OS Command Injection (CWE-78) - CVE-2020-5685. CVSS v3 vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, Base Score...
CVE-2020-35851
HGiga MailSherlock does not validate specific parameters properly. Attackers can use the vulnerability to launch command injection attacks remotely and execute arbitrary system commands...
FasterXML jackson-databind suffers from a command execution vulnerability (CNVD-2021-01853)
FasterXML Jackson is a set of Java data processing tools from the U.S. company FasterXML. jackson-databind is one of its components, providing data binding capabilities. A command execution vulnerability exists in FasterXML jackson-databind. An attacker can exploit this vulnerability to execute arbitrary command...
Zoom Meeting Connector Post-Auth Remote Root
zoomer.py: Zoom Meeting Connector Post-auth Remote Root Exploit. Jeremy Brown [jbrown3264/gmail], Dec 2020. The Meeting Connector Web Console listens on port 5480. On the dashboard under Network - Proxy, one can enable a proxy server. All of the fields are sanitized...
MailSherlock OS Command Injection Vulnerability
HGiga MailSherlock is an email archiving and auditing system that provides a complete email security solution. A command injection vulnerability exists in HGiga MailSherlock. The vulnerability stems from MailSherlock failing to properly validate specific parameters. An attacker can exploit this...
Command execution vulnerability exists in FasterXML jackson-databind (CNVD-2021-00629)
FasterXML Jackson is a set of Java data processing tools from the U.S. company FasterXML. jackson-databind is one of its components, providing data binding capabilities. A command execution vulnerability exists in FasterXML jackson-databind, which can be exploited by an attacker to execute arbitrary commands...
Webmin Arbitrary Command Execution Vulnerability (CNVD-2021-07125)
Webmin is a Web-based system configuration tool for Unix-like systems, and the latest version can also be installed and run on Windows. An arbitrary command execution vulnerability exists in Webmin 1.962 and earlier versions. An attacker can exploit this vulnerability to execute arbitrary command...
Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)
This module requires Metasploit: https://metasploit.com/download. Current source: https://github.com/rapid7/metasploit-framework. Name: 'Webmin 1.962 - Package Update Escape Bypass RCE Metasploit'. Description: This module exploits an arbitrary command execution vulnerability...
A vulnerability in the Rake::FileList class implementation in Rake, a tool for automating the compilation of software code, allows an attacker to execute arbitrary commands.
A vulnerability in the Rake::FileList class implementation in Rake, a tool for automating the compilation of software code, stems from the lack of measures to neutralize special elements used in operating system commands. Exploiting this vulnerability allows an attacker to execute...
CVE-2020-35606
Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840...
Command injection
Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840...
CVE-2020-35606
CVE-2020-35606 affects Webmin 1.962 and earlier. An authenticated user in the Package Updates module can trigger arbitrary commands with root privileges via vectors involving %0A and %0C, due to an incomplete fix for CVE-2019-12840. Public references describe this as a remote command execution vu...
CVE-2020-25494
Xinuos (formerly SCO) Openserver v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in the outputform or toclevels parameter to cgi-bin/printbook...
CVE-2020-25494
CVE-2020-25494 affects Xinuos OpenServer v5/v6. The vulnerability is in the CGI component cgi-bin/printbook (parameters outputform and toclevels), enabling shell metacharacter input and arbitrary command execution. Exploitation details in public sources confirm OS command injection with remote, u...
Xinuos Openserver Parameter Injection Vulnerability
Xinuos Openserver is a FreeBSD-based operating system from the US company Xinuos. A security vulnerability exists in Xinuos (formerly SCO) Openserver versions v5 and v6 that allows an attacker to execute arbitrary commands through cgi-bin/printbook via shell metacharacters in outputform or toclevels...
Vulnerabilities fixed in Brocade Fabric OS
Broadcom has released updates to fix vulnerabilities in Brocade Fabric OS. An authenticated malicious person without the proper LDAP group memberships could log into a switch as a regular user. The switch is only vulnerable to this when it is active in "Virtual Fabric" mode. Also, a local...
D-Link DSR-250 Command Injection Vulnerability
The D-Link DSR-250 is an 8-port Gigabit VPN router with dynamic Web content filtering. A command injection vulnerability exists in the Unified Services Router web interface of the D-Link DSR-250 3.17. The vulnerability stems from a lack of authentication of input provided in a multipart HTTP POST...
CVE-2020-25757
A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17...