308 matches found

The Hacker News
added 2024/04/26 10:18 a.m. · 53 views

Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation. The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution o...

CVSS 10 · AI score 9.9 · EPSS 0.94323
Exploits 43
Positive Technologies
added 2024/04/22 12:00 a.m. · 1 view

PT-2024-24747 · Jadx · Jadx

Name of the Vulnerable Software and Affected Versions: jadx versions prior to 1.5.0 Description: The issue concerns a Dex to Java decompiler where the package name is not filtered before concatenation, allowing an attacker to inject arbitrary code into the package name. This can be exploited to...

CVSS 6.1 · AI score 8 · EPSS 0.0006
Exploits 0 · References 7
Github Security Blog
added 2024/03/27 6:30 a.m. · 16 views

Lektor does not sanitize database path traversal

Lektor before 3.3.11 does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates directory, if the victim's web browser accesses an untrusted website that uses JavaScript to send requests to localhost port 5000, and the web browser is...

CVSS 9.1 · AI score 7.2 · EPSS 0.00389
Exploits 0 · References 10 · Affected Software 1
OSV
added 2024/03/27 6:15 a.m. · 3 views

CVE-2024-28335

Lektor before 3.3.11 does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates directory, if the victim's web browser accesses an untrusted website that uses JavaScript to send requests to localhost port 5000, and the web browser is...

CVSS 9.1 · AI score 9.2
Exploits 0 · References 6
OSV
added 2024/03/06 11:05 a.m. · 15 views

BIT-SPARK-2023-32007 Apache Spark: Shell command injection via Spark UI

UNSUPPORTED WHEN ASSIGNED The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in...

CVSS 8.8 · AI score 8.9 · EPSS 0.93513
Exploits 12 · References 5
Positive Technologies
added 2024/01/30 12:00 a.m. · 3 views

PT-2024-14064 · Ros2 · Ros2

Name of the Vulnerable Software and Affected Versions: ROS2 Robot Operating System 2 Foxy Fitzroy Description: An issue was discovered in shell command execution in ROS2, allowing an attacker to run arbitrary commands and cause other impacts. The issue is related to the ROS VERSION=2 and ROS PYTH...

AI score 7.5
Exploits 0 · References 7
Prion
added 2024/01/09 9:15 a.m. · 10 views

Input validation

An issue was discovered in libremotedbg.so on TRENDnet TV-IP1314PI 5.5.3 200714 devices. Filtering of debug information is mishandled during use of popen. Consequently, an attacker can bypass validation and execute a shell command...

CVSS 7.5 · AI score 7.2 · EPSS 0.00086
Exploits 1 · References 2 · Affected Software 1
CVE
added 2024/01/09 12:00 a.m. · 34 views

CVE-2023-49235

The CVE-2023-49235 entry affects TRENDnet TV-IP1314PI devices (firmware 5.5.3 200714) via libremote_dbg.so. The root cause is mishandled filtering of debug information during use of popen, which can allow an attacker to bypass validation and execute a shell command. Red Hat/NVD entries corroborat...

CVSS 9.8 · AI score 9.3 · EPSS 0.00086
Exploits 1 · References 2 · Affected Software 1
CNNVD
added 2024/01/09 12:00 a.m. · 3 views

TRENDnet TV-IP1314PI Security Vulnerability

The TRENDnet TV-IP1314PI is a wireless network camera from TRENDnet. A security vulnerability exists in TRENDnet TV-IP1314PI version 5.5.3 200714, which stems from a security issue in libremotedbg.so, which incorrectly filters debugging information during popen use, and can be exploited by an...

CVSS 9.8 · AI score 6.9 · EPSS 0.00086
Exploits 1 · References 3
Positive Technologies
added 2024/01/09 12:00 a.m. · 1 view

PT-2024-13704 · Trendnet · Trendnet Tv-Ip1314Pi

Name of the Vulnerable Software and Affected Versions: TRENDnet TV-IP1314PI version 5.5.3 200714 Description: An issue was discovered in libremote_dbg.so where filtering of debug information is mishandled during use of popen. Consequently, an attacker can bypass validation and execute a shell...

CVSS 9.8 · AI score 9.4 · EPSS 0.00086
Exploits 1 · References 7
Vulnrichment
added 2024/01/09 12:00 a.m. · 1 view

CVE-2023-49235

An issue was discovered in libremotedbg.so on TRENDnet TV-IP1314PI 5.5.3 200714 devices. Filtering of debug information is mishandled during use of popen. Consequently, an attacker can bypass validation and execute a shell command...

AI score 9.7 · EPSS 0.00086
Exploits 1 · References 2
NVD
added 2023/11/21 12:15 a.m. · 8 views

CVE-2023-40151

When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP t...

CVSS 10 · EPSS 0.00368
Exploits 0 · References 2
OSV
added 2023/11/20 9:01 p.m. · 27 views

GHSA-8JPR-FF92-HPF9 Run Shell Command allows Cross-Site Request Forgery

Impact A cross site request forgery vulnerability in the admin tool for executing shell commands on the server allows an attacker to execute arbitrary shell commands by tricking an admin into loading the URL with the shell command. A very simple possibility for an attack are comments. When the...

CVSS 9.6 · AI score 9.5 · EPSS 0.00772
Exploits 2 · References 5
OSV
added 2023/11/20 6:02 p.m. · 17 views

CVE-2023-48292 XWiki Admin Tools Application Run Shell Command allows CSRF RCE attacks

The XWiki Admin Tools Application provides tools to help the administration of XWiki. Starting in version 4.4 and prior to version 4.5.1, a cross site request forgery vulnerability in the admin tool for executing shell commands on the server allows an attacker to execute arbitrary shell commands ...

CVSS 9.6 · AI score 9.3 · EPSS 0.00772
Exploits 2 · References 5
CNNVD
added 2023/09/15 12:00 a.m. · 1 view

Freewill Solutions iFIS Operating System Command Injection Vulnerability

Freewill Solutions iFIS Freewill Solutions SMART Trade is a multi-modal order management system for stock markets such as the Stock Exchange (SET), Ho Chi Minh Stock Exchange (HSX), and other stock markets from Freewill Solutions. A security vulnerability exists in Freewill Solutions iFIS version...

CVSS 9.8 · AI score 7.6 · EPSS 0.03157
Exploits 0 · References 5
OpenVAS
added 2023/05/23 12:00 a.m. · 10 views

Debian: Security Advisory (DLA-3427-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 8.8 · AI score 7.9 · EPSS 0.00253
Exploits 0 · References 4
Tenable Nessus
added 2023/05/23 12:00 a.m. · 26 views

Debian dla-3427 : libkpathsea-dev - security update

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3427 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-3427-2 [email protected]...

CVSS 9.8 · AI score 7.2 · EPSS 0.00253
Exploits 0 · References 6
Prion
added 2023/05/20 6:15 p.m. · 13 views

Design/Logic Flaw

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5...

CVSS 4.4 · AI score 7.6 · EPSS 0.00253
Exploits 0 · References 6 · Affected Software 3
UbuntuCve
added 2023/05/20 6:15 p.m. · 29 views

CVE-2023-32700

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5...

CVSS 8.8 · AI score 7.3 · EPSS 0.00253
Exploits 0 · References 6
Vulnrichment
added 2023/05/20 12:00 a.m. · 10 views

CVE-2023-32700

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5...

AI score 7.8 · EPSS 0.00253
Exploits 0 · References 6