CVE-2024-50362

A CWE-78 "Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection'" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G = 1.6.3, EKI-6333AC-2GD = v1.6.3 and EKI-6333AC-1GPO = v1.2.1. The source of the vulnerability relies on...

Code Injection in swooningfish/ffmpeg-web-gui

Description The ffmpeg-web-gui project is a simple video converter written in PHP which uses the ffmpeg command to convert videos in HTML formats. The issue arises at the following line: https://github.com/swooningfish/ffmpeg-web-gui/blob/master/upload-and-convert.phpL176. The arbitrary command...

CVE-2020-1956

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation. Recent assessments: Assessed Attacker Value: 0 Assessed Attacker...

Node.js third-party modules: [treekill] RCE via insecure command concatenation (only Windows)

I would like to report a RCE issue in the treekill module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: treekill version: 1.0.0 npm page: https://www.npmjs.com/package/treekill Module Description treekill process and it's all children and child...

Node.js third-party modules: [node-df] RCE via insecure command concatenation

I would like to report a RCE issue in the node-df module. It allows to execute arbitrary commands remotely inside the victim's PC Module module name: node-df version: 0.1.4 npm page: https://www.npmjs.com/package/node-df Module Description node-df abbreviation of disk free is a cross-platform...