Input validation
A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17...
CVE-2020-25757
CVE-2020-25757 affects D-Link DSR-series VPN routers (DSR-150, DSR-250, DSR-500, DSR-1000AC) running firmware 3.14 and 3.17. The root cause is inadequate input validation and access controls in Lua CGI handlers, allowing user-supplied data to reach system command APIs (os.popen) and enabling arbi...
CVE-2020-25757
A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17...
CVE-2020-8283
An authorised user on a Windows host running Citrix Universal Print Server can perform arbitrary command execution as SYSTEM in CVAD versions before 2009, 1912 LTSR CU1 hotfixes CTX285870 and CTX286120, 7.15 LTSR CU6 hotfix CTX285344 and 7.6 LTSR CU9...
CVE-2020-5635
Aterm SA3500G firmware versions prior to Ver. 3.5.9 allow an attacker on the adjacent network to send a specially crafted request to a specific URL, which may result in arbitrary command execution...
CVE-2020-5636
Aterm SA3500G firmware versions prior to Ver. 3.5.9 allow an attacker with administrative privilege to send a specially crafted request to a specific URL, which may result in arbitrary command execution...
Command injection
Aterm SA3500G firmware versions prior to Ver. 3.5.9 allow an attacker on the adjacent network to send a specially crafted request to a specific URL, which may result in arbitrary command execution...
Command injection
Aterm SA3500G firmware versions prior to Ver. 3.5.9 allow an attacker with administrative privilege to send a specially crafted request to a specific URL, which may result in arbitrary command execution...
Liftoff GateOne input validation error vulnerability
Liftoff GateOne is a terminal emulator and SSH client based on an HTML5 implementation. An arbitrary command execution vulnerability exists in Liftoff GateOne. A remote attacker can exploit this vulnerability to execute arbitrary commands via shell metacharacters in the port field when attempting...
CVE-2020-15375
Brocade Fabric OS versions before v9.0.0, v8.2.2c, v8.2.1e, v8.1.2k, v8.2.0CBN3, v7.4.2g contain an improper input validation weakness in the command line interface when secccrypptocfg is invoked. The vulnerability could allow a local authenticated user to run arbitrary commands and perform...
Command Injection
Overview: curljs is a package that wraps the functionality of curl into an easy-to-use node module. Affected versions of this package are vulnerable to Command Injection. PoC: var a=require("curljs"); a("' & touch JHU '"). Remediation: There is no fixed version for curljs. Credit: JHU System Security Lab...
CVE-2020-7789
CVE-2020-7789 affects the package node-notifier prior to 9.0.0. The flaw allows an attacker to run arbitrary commands on Linux machines because the options params are not sanitised when passed as an array. Remediation: upgrade node-notifier to a fixed version (9.0.0 or newer). The connected docum...
NEC Platforms Aterm SAG firmware Operating System Command Injection Vulnerability
The NEC Platforms Aterm SA3500G is an appliance from Japan's NEC Platforms that provides security for corporate intranet environments. The appliance includes features such as antivirus, firewall, intrusion detection and defense, routing, and link-layer support. A security vulnerability exists in the...
iQIYI PC client suffers from DLL hijacking vulnerability
The iQIYI PC client is iQIYI's client software for video playback. A DLL hijacking vulnerability exists in the iQIYI PC client, which attackers can exploit to execute arbitrary commands...
HPE Edgeline Infrastructure Management authorization issue vulnerability
HPE Edgeline Infrastructure Management is software from Hewlett Packard Enterprise (HPE) for managing edge devices in data center environments. A security vulnerability exists in HPE Edgeline Infrastructure Manager. An attacker could exploit the vulnerability to bypass remote authentication and execute arbitra...
CVE-2019-19872
An issue was discovered in B&R Industrial Automation APROL before R4.2 V7.08. The AprolLoader could be used to inject and execute arbitrary unintended commands via an unspecified attack scenario, a different vulnerability than CVE-2019-16364...