11233 matches found
GHSA-MG5H-F3Q8-C96G Apache OpenMeetings vulnerable to remote code execution via null-byte injection
An attacker who has gained access to an admin account can perform RCE via null-byte injection Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0...
CVE-2023-29246 Apache OpenMeetings: allows null-byte Injection
An attacker who has gained access to an admin account can perform RCE via null-byte injection Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0...
CVE-2023-29246
CVE-2023-29246 affects Apache OpenMeetings 2.0.0–7.1.0. A code execution vulnerability arises from improper input validation, enabling RCE via null-byte injection once an admin account is compromised. Several sources corroborate the affected product/version range and the RCE impact. Mitigation in...
CVE-2022-47879
A Remote Code Execution (RCE) vulnerability in /be/rpc.php in Jedox 2020.2.5 allows remote authenticated users to load arbitrary PHP classes from the 'rtn' directory and execute their methods. NOTE: The vendor states that the vulnerability affects installations running version 22.5 or earlier. The...
Multiple Ruckus Wireless Products CSRF and RCE Vulnerability
Ruckus Wireless Access Point AP software contains an unspecified vulnerability in the web services component. If the web services component is enabled on the AP, an attacker can perform cross-site request forgery CSRF or remote code execution RCE. This vulnerability impacts Ruckus ZoneDirector,...
CVE-2022-47879
Summary: CVE-2022-47879 affects Jedox. A remote authenticated RCE exists in /be/rpc.php (and /be/erpc.php per exploit sources) where an attacker can load arbitrary PHP classes from the rtn directory and execute methods. Affected version: Jedox 2020.2.5 and earlier; vendor notes the issue affects ...
CVE-2023-31502
Altenergy Power Control Software C1.2.5 was discovered to contain a remote code execution RCE vulnerability via the component /models/managementmodel.php...
Privilege escalation (PR)/RCE from account through class sheet
Impact It's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. Steps to Reproduce: 1. Edit your user profile with the object editor and add an object of type DocumentSheetBinding with value Default Class Sheet 1. Edit your user profile with the...
Pentaho Business Server Auth Bypass and Server Side Template Injection RCE
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is vulnerable to an authentication bypass CVE-2022-43939 and a Server Side Template Injection SSTI vulnerability CVE-2022-43769 that can be chained together to achieve unauthenticated code...
CVE-2022-47129
PHPOK v6.3 is identified as affected by a remote code execution (RCE) vulnerability. The provided sources confirm an RCE impact but do not include concrete technical details about the root cause, vectors, or a verified fix. CVSS data from the initial entry indicates a high-severity, network-based...
CVE-2023-31502
CVE-2023-31502 affects Altenergy Power Control Software C1.2.5, where a remote code execution (RCE) vulnerability is exposed via the component /models/management_model.php. The root cause is not detailed in the provided documents beyond the RCE path, but CVSS v3.1 metrics indicate network access,...
Pentaho Business Server Authentication Bypass / SSTI / Code Execution
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Pentaho Business Server Auth Bypass and Server Side Template Injection RCE', 'Description' = %q Hitachi Vantara Pentaho Business Analytics Server...
ManageEngine ADManager Plus <= Build 7005 RCE (deprecated)
This plugin has been deprecated. Use manageengineadauditpluscve-2021-42847.nbin plugin ID 155716 instead. %NASLMINLEVEL 80900 C Tenable, Inc. @DEPRECATED@ Disabled on 2023/05/12. Deprecated by manageengineadauditpluscve-2021-42847.nbin include'compat.inc'; if description scriptid175389;...
Zyxel chained RCE using LFI and weak password derivation algorithm
This module exploits multiple vulnerabilities in the zhttpd binary /bin/zhttpd and zcmd binary /bin/zcmd. It is present on more than 40 Zyxel routers and CPE devices. The remote code execution vulnerability can be exploited by chaining the local file disclosure vulnerability in the zhttpd binary...
Update now! May 2023 Patch Tuesday tackles three zero-days
It's that time of the month again: We're looking at May's Patch Tuesday roundup. Microsoft has released its monthly update, and while the total number of patched vulnerabilities is relatively low at 38, among them are three zero-day vulnerabilities. Microsoft classifies a vulnerability as a zero-d...
Microsoft Message Queuing RCE (CVE-2023-21554, QueueJumper)
Binary data msmq2023-04.nbin...