CVE-2019-11444
Affected software: Liferay Portal CE 7.1.2 GA3. Issue: Groovy script console allows OS command execution via a command.execute() call (def cmd = ...) in ServerAdminPortlet_script. Exploitation requires valid application administrator credentials. Impact: remote command execution with high severit...
PT-2019-12309 · Liferay · Liferay Portal
Name of the Vulnerable Software and Affected Versions: Liferay Portal CE version 7.1.2 GA3 Description: An issue in Liferay Portal CE allows an attacker to execute OS commands using the Groovy script console. This can be achieved via a command.execute call. The attacker needs valid credentials fo...
Apache Tomcat OS Command Injection vulnerability
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by...
CVE-2019-10880
Within multiple XEROX products a vulnerability allows remote command execution on the Linux system, as the "nobody" user through a crafted "HTTP" request (OS Command Injection vulnerability in the HTTP interface). Depending upon configuration authentication may not be necessary...
CVE-2019-10880
CVE-2019-10880 affects Xerox ColorQube/XEROX products; vulnerability is a remote command execution via the HTTP interface. Root cause: OS Command Injection in the HTTP interface, exploitable by sending a crafted HTTP request, with the affected environment allowing the attacker to run commands as ...
ICSA-19-099-02 Siemens Spectrum Power 4.7
1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Siemens Equipment: Spectrum Power 4.7 Vulnerability: Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability in versions of Spectrum Power 4 using the user-specific...
CVE-2019-11001
CVE-2019-11001 affects Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W through version 1.0.227. An authenticated admin can use the TestEmail functionality to inject and execute OS commands as root (shell metacharacters in addr1). This is documented in multiple feeds (NVD and Red Hat) and...
CVE-2019-11001
On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices through 1.0.227, an authenticated admin can use the "TestEmail" functionality to inject and run OS commands as root, as demonstrated by shell metacharacters in the addr1 field...
Command injection
An issue was discovered on D-Link DSL-3782 devices with firmware 1.01. An OS command injection vulnerability in Acl.asp allows a remote authenticated attacker to execute arbitrary OS commands via the ScrIPaddrEndTXT parameter...
CVE-2018-17990
CVE-2018-17990 affects D-Link DSL-3782 devices running firmware 1.01. The vulnerability is an OS command injection in Acl.asp that allows a remote authenticated attacker to execute arbitrary OS commands via the ScrIPaddrEndTXT parameter. No exploitation details are provided in the connected docum...
CVE-2018-5757
An issue was discovered on AudioCodes 450HD IP Phone devices with firmware 3.0.0.535.106. The traceroute and ping functionality, which uses a parameter in a request to command.cgi from the Monitoring page in the web UI, unsafely puts user-alterable data directly into an OS command, leading to...
CVE-2018-5757
AudioCodes 450HD IP Phone devices running firmware 3.0.0.535.106 are affected by CVE-2018-5757. The traceroute and ping functions on the Monitoring page’s web UI pass a user-controllable parameter from a request to command.cgi into an OS command, enabling remote code execution via shell metachara...
CVE-2019-5414
If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in a third-party module kill-port 1.3.2...
Design/Logic Flaw
If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in a third-party module kill-port 1.3.2...
CVE-2018-20323
www/soap/application/MCSoap/Logs.php in MailCleaner Community Edition 2018.08 allows remote attackers to execute arbitrary OS commands...
CVE-2018-20323
CVE-2018-20323 affects MailCleaner Community Edition 2018.08. The vulnerability is a command-injection in www/soap/application/MCSoap/Logs.php that allows an authenticated user to execute arbitrary OS commands on the web server when accessing the /admin/managetracing/search/search endpoint. Publi...
Starbucks: Webshell via File Upload on ecjobs.starbucks.com.cn
Summary: OS Command Injection which can let the attacker get more important information of the server, such as disclosure of internal source code of the webapp and database data, and invade the internal network. Description: I found that users can upload asp/aspx and other dynamic files via the avata...
Motorola C1 and Motorola M2 OS Command Injection Vulnerability (CNVD-2019-34638)
The Motorola C1 and Motorola M2 are both routers from Motorola USA. An operating system command injection vulnerability exists in the Motorola C1 and Motorola M2. The vulnerability can be exploited to execute arbitrary operating system commands with the help of a specially crafted request...
OS Command Injection
studio-42/elfinder is vulnerable to OS command injection. Improper processing of the image upload function in the PHP connector allows a remote attacker to inject and execute arbitrary OS commands on the host system...