
ICS | added 2021/09/09 12:00 a.m. | 70 views

Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Europe B.V. Equipment: smartRTU and INEA ME-RTU Vulnerabilities: OS Command Injection, Improper Access Control, Cross-site Scripting, Use of Hard-coded Credentials, Unprotected...

CVSS 10 | AI score 9.9 | EPSS 0.5766 | Exploits 11 | References 5
Ivan 'd0znpp' Novikov | added 2021/09/08 5:24 a.m. | 55 views

A1:Injection — Top 10 OWASP 2017

💉 Introduction: Injection is an issue that arises quite often and in several forms. SQL databases, for example, might contain issues such as SQL injection, and the same might go for LDAP, XML, OS commands, and so on. In other words, there is a range of...

CVSS 9 | AI score 10.5 | EPSS 0.01655 | Exploits 0
Redos | added 2021/09/08 12:00 a.m. | 13 views

ROS-2-1430

2.1430 Vulnerability in SpamAssassin spam filtering tool (CVE-2020-1946). 1. Vulnerability Description: CVE-2020-1946 is a vulnerability in the SpamAssassin spam filtering tool related to improper input validation when processing rule configuration .cf files. Exploitation of the vulnerability could...

CVSS 9.8 | AI score 7.9 | EPSS 0.06132 | Exploits 0
Redos | added 2021/09/08 12:00 a.m. | 20 views

ROS-2-1009

2.1009 Vulnerability in SpamAssassin spam filtering tool (CVE-2020-1946). 1. Vulnerability Description: CVE-2020-1946 is a vulnerability in the SpamAssassin spam filtering tool related to improper input validation when processing rule configuration .cf files. Exploitation of the vulnerability could...

CVSS 9.8 | AI score 7.8 | EPSS 0.06132 | Exploits 0
Redos | added 2021/09/08 12:00 a.m. | 13 views

ROS-2-1307

2.1307 Vulnerability in SpamAssassin spam filtering tool (CVE-2020-1946). 1. Vulnerability Description: CVE-2020-1946 is a vulnerability in the SpamAssassin spam filtering tool related to improper input validation when processing rule configuration .cf files. Exploitation of the vulnerability could...

CVSS 9.8 | AI score 9.9 | EPSS 0.06132 | Exploits 0
OSV | added 2021/09/07 11:07 p.m. | 13 views

GHSA-2C83-WFV3-Q25F Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ZMarkdown

Impact A Remote Command Execution vulnerability was found in the rebber module, which allowed execution of arbitrary commands. The reported problem came from CodeBlocks, which could be escaped to insert malicious LaTeX. Anyone using rebber without sanitation of code content or a custom macro is...

AI score 7.5 | Exploits 0 | References 2
Veracode | added 2021/09/03 2:34 a.m. | 21 views

OS Command Injection

zeppelin-zengine is vulnerable to OS command injection. An attacker is able to inject bash commands into Spark interpreter settings...

CVSS 9.8 | AI score 2.9 | EPSS 0.05747 | Exploits 0 | References 9 | Affected Software 1
Github Security Blog | added 2021/08/30 4:25 p.m. | 34 views

OS Command Injection in bikeshed

This affects the package bikeshed before 3.0.0. This can occur when an untrusted source file containing Inline Tag Command metadata is processed. When an arbitrary OS command is executed, the command output would be included in the HTML output...

CVSS 7.8 | AI score 2.1 | EPSS 0.00789 | Exploits 0 | References 5 | Affected Software 1
GithubExploit | added 2021/08/30 3:05 a.m. | 77 views

Exploit for OS Command Injection in Strapi

CVE-2019-19609 Strap...

CVSS 9 | AI score 3.4 | EPSS 0.54081 | Exploits 11
NVD | added 2021/08/26 12:15 p.m. | 11 views

CVE-2021-27944

Several high privileged APIs on the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs do not enforce access controls, allowing an unauthenticated threat actor to access privileged functionality, leading to OS command execution. The specific attack methodology is a file upload...

CVSS 10 | EPSS 0.03536 | Exploits 1 | References 2
Prion | added 2021/08/26 12:15 p.m. | 12 views

Design/Logic Flaw

Several high privileged APIs on the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs do not enforce access controls, allowing an unauthenticated threat actor to access privileged functionality, leading to OS command execution. The specific attack methodology is a file upload...

CVSS 10 | AI score 9.3 | EPSS 0.03536 | Exploits 1 | References 2 | Affected Software 2
CVE | added 2021/08/26 11:23 a.m. | 55 views

CVE-2021-27944

CVE-2021-27944 affects Vizio P65-F1 (firmware 6.0.31.4-2) and E50x-E1 (firmware 10.0.31.4-2). Unauthenticated access to multiple high‑privilege APIs allows privileged functionality use via a file upload, resulting in OS command execution. Root cause: lack of access controls on these APIs. Public ...

CVSS 10 | AI score 9.3 | EPSS 0.03536 | Exploits 1 | References 2 | Affected Software 1
Cvelist | added 2021/08/26 11:23 a.m. | 13 views

CVE-2021-27944

Several high privileged APIs on the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs do not enforce access controls, allowing an unauthenticated threat actor to access privileged functionality, leading to OS command execution. The specific attack methodology is a file upload...

AI score 9.6 | EPSS 0.03536 | Exploits 1 | References 2
CNNVD | added 2021/08/25 12:00 a.m. | 3 views

BinderHub OS Command Injection Vulnerability

BinderHub is a kubernetes-based cloud service that allows users to share replicable interactive computing environments from a codebase. BinderHub suffers from an operating system command injection vulnerability. An attacker can exploit this vulnerability to execute code in the BinderHub context a...

CVSS 9.8 | AI score 8.7 | EPSS 0.01928 | Exploits 0 | References 4
Prion | added 2021/08/24 1:15 p.m. | 9 views

Command injection

Network Attached Storage on LG N1T1 10124 devices allows an unauthenticated attacker to gain root access via OS command injection in the en/ajp/plugins/access.ssh/checkInstall.php destServer parameter...

CVSS 10 | AI score 9.9 | EPSS 0.08955 | Exploits 1 | References 3
Cvelist | added 2021/08/24 12:33 p.m. | 18 views

CVE-2021-38306

Network Attached Storage on LG N1T1 10124 devices allows an unauthenticated attacker to gain root access via OS command injection in the en/ajp/plugins/access.ssh/checkInstall.php destServer parameter...

AI score 10 | EPSS 0.08955 | Exploits 1 | References 3
CVE | added 2021/08/24 12:33 p.m. | 48 views

CVE-2021-38306

The CVE-2021-38306 entry concerns LG N1T1*** Network Attached Storage. Affected component: the en/ajp/plugins/access.ssh/checkInstall.php endpoint (destServer parameter). Root cause: OS command injection leading to unauthenticated remote code execution. Impact: attacker could gain root access on ...

CVSS 10 | AI score 9.9 | EPSS 0.08955 | Exploits 1 | References 3 | Affected Software 1
Ivan 'd0znpp' Novikov | added 2021/08/24 10:06 a.m. | 54 views

API8: Injection☝️ — What you need to know

Introduction: API8:2019 Injection. What is Injection? APIs with the following properties are open to injection flaws: when we don't sanitize the input from the front-end, we are opening ourselves to a world of problems; this would allow the user to input...

AI score 8.4 | Exploits 0
CNVD | added 2021/08/24 12:00 a.m. | 110 views

Adobe Illustrator 2021 OS Command Injection Vulnerability

Adobe Illustrator 2021 is a vector graphics software. Adobe Illustrator 2021 version 25.2.3 and earlier is vulnerable to a security flaw. An attacker can exploit this vulnerability to achieve arbitrary code execution in the context of the current user...

CVSS 9.3 | AI score 5.3 | EPSS 0.01917 | Exploits 0 | References 1
NVD | added 2021/08/20 7:15 p.m. | 15 views

CVE-2021-28634

Acrobat Reader DC versions 2021.005.20054 and earlier, 2020.004.30005 and earlier and 2017.011.30197 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command. An authenticated attacker could leverage this vulnerability to achieve arbitrary code execution on...

CVSS 8.5 | EPSS 0.02214 | Exploits 0 | References 1