631 matches found
Webmin Package Updates RCE
This module exploits an arbitrary command injection in Webmin versions prior to 1.997. Webmin uses the OS package manager (apt, yum, etc.) to perform package updates and installation. Due to a lack of input sanitization, it is possible to inject an arbitrary command that will be concatenated to the...
CVE-2022-35555
A command injection vulnerability exists in /goform/exeCommand in Tenda W6 V1.0.0.94122, which allows attackers to construct cmdinput parameters for arbitrary command execution...
Webmin Package Updates Command Injection
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Webmin Package Updates RCE', 'Description' = %q This module exploits an arbitrary command injection in Webmin versions prior to 1.997. Webmin use...
PT-2022-23703 · Veritas · Netbackup
Name of the Vulnerable Software and Affected Versions: Veritas NetBackup versions 9.0.0.1 through 9.1.0.1 Description: The issue allows arbitrary command execution from any remote host that has access to a valid host-id NetBackup certificate/private key from the same domain. Recommendations: For...
SQL injection
Digiwin BPM’s function has insufficient validation for user input. An unauthenticated remote attacker can inject arbitrary SQL commands to access, modify, or delete the database or disrupt service...
OS Command Injection in awesome spawn
Awesome spawn prior to version 1.2.0 contains an OS command injection vulnerability, which allows execution of additional commands passed to Awesome spawn as arguments. If untrusted input was included in command arguments, an attacker could use this flaw to execute arbitrary commands...
GHSA-QPQW-MC85-QVM9 OS Command Injection in awesome spawn
Awesome spawn prior to version 1.2.0 contains an OS command injection vulnerability, which allows execution of additional commands passed to Awesome spawn as arguments. If untrusted input was included in command arguments, an attacker could use this flaw to execute arbitrary commands...
Command injection
Awesome spawn contains an OS command injection vulnerability, which allows execution of additional commands passed to Awesome spawn as arguments. If untrusted input was included in command arguments, an attacker could use this flaw to execute arbitrary commands...
CVE-2022-31794
An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 Control Center devices before 8.1A SP02 P04. The vulnerability resides in the requestTempFile function in hwview.php. An attacker is able to influence the unitName POST parameter and inject special characters such as semicolons,...
System command execution vulnerability in Selection tasks Jenkins Plugin
Jenkins Selection tasks Plugin 1.0 and earlier executes a user-specified program on the Jenkins controller, allowing attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as...
OS command injection in CryptoMove Plugin
CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration. This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing users with Job/Configure permission to execute an arbitrary OS...
InHand Networks InRouter302 Command Execution Vulnerability
InHand Networks InRouter Series is a series of routers from InHand Networks, U.S.A. A command execution vulnerability exists in InHand Networks InRouter302 version V3.5.4, which can be exploited by attackers to cause arbitrary command execution...
SQL injection
A SQL injection vulnerability exists in ChurchCRM version 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized ENtyid, theID and EID fields used when an Edit action on an existing record is being performed...
CVE-2022-25995
A command execution vulnerability exists in the console inhand functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability...
TOTOLINK A7100RU Operating System Command Injection Vulnerability
The TOTOLINK A7100RU is a wireless router from TOTOLINK China. A command injection vulnerability exists in the TOTOLINK A7100RU v7.4cu.2313b20191024 firmware version, which stems from a command injection attack on the setL2tpServerCfg interface. An attacker can exploit this vulnerability to execu...
OS Command Injection in git-pull-or-clone
The package git-pull-or-clone before 2.0.2 is vulnerable to Command Injection due to the use of the --upload-pack feature of git which is also supported for git clone. The source includes the use of the secure child process API spawn. However, the outpath parameter passed to it may be a...
D-Link DIR-825 G1 Operating System Command Injection Vulnerability
The DIR-825 G1 is a router from D-Link in Taiwan, China. A command injection vulnerability exists in the D-Link DIR-825 G1 firmware version, which stems from a lack of parameter validation in the "webupg" binary file. The vulnerability can be exploited to execute arbitrary system commands with th...
Design/Logic Flaw
Netcommunity OG410X and OG810X series (Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier) allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file...
Input validation
Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command...
CVE-2022-24299
Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command...