QuickBox 操作系统命令注入漏洞

QuickBox is a media server application and service management system from the QuickBox team. A code injection vulnerability exists in QuickBox Pro v2.5.8 and below due to a variable in the config.php file that accepts a GET parameter value and parses it as shellexec and fails to properly clean up...

gegl: shell expansion via a crafted pathname

Due to the use of the system command in the Magick-Load op used by gegl an attacker is able to craft a command line path that is able to lead to the execution of arbitrary shell commands that impacts availability, confidentiality and integrity...

gegl: shell expansion via a crafted pathname

Due to the use of the system command in the Magick-Load op used by gegl an attacker is able to craft a command line path that is able to lead to the execution of arbitrary shell commands that impacts availability, confidentiality and integrity...

Lens 操作系统命令注入漏洞

Lens is a distribution of the OpenLens repository that contains Team Lens-specific customizations released under the legacy EULA. An operating system command injection vulnerability exists in versions of Lens prior to 5.3.4 that originates when a customized helm chart configuration creates a helm...

Croogo 3.0.2 - Unrestricted File Upload Vulnerability

Exploit Title: Croogo 3.0.2 - Unrestricted File Upload Exploit Author: Enes Özeser Vendor Homepage: https://croogo.org/ Software Link: https://downloads.croogo.org/v3.0.2.zip Version: 3.0.2 Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3 == 'setting-43' Unrestricted File Upload...

Croogo 3.0.2 Shell Upload

Exploit Title: Croogo 3.0.2 - Unrestricted File Upload Date: 06/12/2021 Exploit Author: Enes Özeser Vendor Homepage: https://croogo.org/ Software Link: https://downloads.croogo.org/v3.0.2.zip Version: 3.0.2 Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3 == 'setting-43'...

CVE-2021-36195

Multiple command injection vulnerabilities in the command line interpreter of FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, and 6.1.0 through 6.1.2 may allow an authenticated attacker to execute arbitrary commands on the underlying system shell via specially crafted...

Croogo 3.0.2 - Remote Code Execution (Authenticated) Vulnerability

Exploit Title: Croogo 3.0.2 - Remote Code Execution Authenticated Exploit Author: Deha Berkin Bir Vendor Homepage: https://croogo.org/ Software Link: https://downloads.croogo.org/v3.0.2.zip Version: 3.0.2 Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3 == Tutorial $command"; ? ...

PT-2021-23602 · Unknown +1 · Xorux Lpar2Rrd +1

Name of the Vulnerable Software and Affected Versions: XoruX LPAR2RRD and STOR2RRD versions prior to 7.30 Description: A shell command injection in the HW Events SNMP community allows authenticated remote attackers to execute arbitrary shell commands as the user running the service...

Design/Logic Flaw

In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shellexec call...

PT-2021-23280 · Misp · Misp

Name of the Vulnerable Software and Affected Versions: MISP versions prior to 2.4.148 Description: The issue arises from the mishandling of parameter data in the app/Lib/Export/OpendataExport.php file, which is used in a shell exec call. This could potentially lead to security issues...

CVE-2021-3317

KLog Server through 2.4.1 allows authenticated command injection. async.php calls shellexec on the original value of the source parameter...

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection. The injection point is located in line 13 in index.js file in export.latestVersion function. PoC: var root = require"npm-help"; var module = "& touch JHU"; root.latestVersionmodule; Remediation There is no fixed versi...

KLog Command Injection Vulnerability

KLog is ZhaoKaiQiang KLog individual developers of a logging tool for Android development . The tool's main functions are to print line numbers, function calls, Json parsing, XML parsing, click to jump, Log information saved and other functions. A command injection vulnerability exists in KLog...

Klog Server 2.4.1 - Unauthenticated Command Injection (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Klog Server Unauthenticated Command Injection Vulnerability', 'Description' = %q This module exploits an unauthenticated command injection...

CTFtools

This repository is an offensive tool for web application exploitation, specifically targeting web servers. The primary vulnerability class is code execution RCE, with various exploitation techniques and payloads. The tool is designed to automate the exploitation process, making it easier for...

OS Command Injection

limdu is vulnerable to command injection. The vulnerability exists because it allows an attacker to inject malicious code via the function trainBatch in BinaryClassifierSet.js as it relies on shell execution, such as SVM Perf, SVM Linear or Adaboos...

Command Injection in Limdu

Impact The trainBatch function has a command injection vulnerability. Clients of the Limdu library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. Patches Patched in version 0.9.5. Workarounds Do not use trainBatch with classifiers that rely o...

LinuxKI Toolset 6.01 Remote Command Execution

This module exploits a vulnerability in LinuxKI Toolset 'LinuxKI Toolset 6.01 Remote Command Execution', 'Description' = %q This module exploits a vulnerability in LinuxKI Toolset MSFLICENSE, 'Author' = 'Cody Winkler', discovery and poc 'numan türle' msf exploit , 'References' = 'EDB', '48483',...

Command Injection

Overview npm-programmatic is a library that allows you to access npm commands programmatically from javascript. Affected versions of this package are vulnerable to Command Injection. The packages and option properties are concatenated together without any validation and are used by the exec...