349 matches found
PT-2024-30098 · Unknown · Parisneo/Lollms-Webui
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui version 9.5. Description: A remote code execution vulnerability exists in parisneo/lollms-webui, specifically within the open file module. The vulnerability arises due to improper neutralization of special elements us...
CVE-2024-3126
A command injection vulnerability exists in the 'runxttsapiserver' function of the parisneo/lollms-webui application, specifically within the 'lollmsxtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utiliz...
Zope 5.9 Command Injection Vulnerability
Vulnerability Report. Title: Command Argument Injection Vulnerability in Zope WSGI Instance Creation Script Leading to RCE. Description: A command argument injection vulnerability has been identified in the Zope WSGI instance creation script used by the Zope web application server framework, which ...
GLSA-202405-01 : Python, PyPy3: Multiple Vulnerabilities
The remote host is affected by the vulnerability described in GLSA-202405-01 Python, PyPy3: Multiple Vulnerabilities - An issue was found in CPython 3.12.0 subprocess module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the...
OS Command Injection
ansys-geometry-core is vulnerable to OS Command Injection. The vulnerability is due to calling a subprocess with shell=True within the startprogram function. This allows attackers to perform malicious operations on the current machine where the script is run...
GHSA-38JR-29FH-W9VM ansys-geometry-core OS Command Injection vulnerability
subprocess call with shell=True identified, security issue. Code: On file src/ansys/geometry/core/connection/productinstance.py: 403 def startprogram(args: List[str], localenv: Dict[str, str]) -> subprocess.Popen: 404 """ 405 Start the program where the path is the first item of the args array argument...
ansys-geometry-core OS Command Injection vulnerability
subprocess call with shell=True identified, security issue. Code: On file src/ansys/geometry/core/connection/productinstance.py: 403 def startprogram(args: List[str], localenv: Dict[str, str]) -> subprocess.Popen: 404 """ 405 Start the program where the path is the first item of the args array argument...
PT-2024-22792
Name of the Vulnerable Software and Affected Versions: PyAnsys Geometry versions prior to 0.3.3; PyAnsys Geometry versions prior to 0.4.12. Description: The issue concerns a Python client library for the Ansys Geometry service and other CAD Ansys products. Upon calling the start program method...
GHSA-X4X5-JV3X-9C7M `qiskit_ibm_runtime.RuntimeDecoder` can execute arbitrary code
Summary: Deserializing JSON data using qiskit_ibm_runtime.RuntimeDecoder can be made to execute arbitrary code given a correctly formatted input string. Details: RuntimeDecoder is supposed to be able to deserialize JSON strings containing various special types encoded via RuntimeEncoder. However, one...
`qiskit_ibm_runtime.RuntimeDecoder` can execute arbitrary code
Summary: Deserializing JSON data using qiskit_ibm_runtime.RuntimeDecoder can be made to execute arbitrary code given a correctly formatted input string. Details: RuntimeDecoder is supposed to be able to deserialize JSON strings containing various special types encoded via RuntimeEncoder. However, one...
SUSE CVE-2023-41334
Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the TranformGraph.to_dot_graph function. A malicious user can provide a...
RCE in TranformGraph().to_dot_graph function
Summary: RCE due to improper input validation in the TranformGraph.to_dot_graph function. Details: Due to improper input validation, a malicious user can provide a command or a script file as a value to the savelayout argument, which will be placed as the first value in a list of arguments passed to...
GHSA-H2X6-5JX5-46HF RCE in TranformGraph().to_dot_graph function
Summary: RCE due to improper input validation in the TranformGraph.to_dot_graph function. Details: Due to improper input validation, a malicious user can provide a command or a script file as a value to the savelayout argument, which will be placed as the first value in a list of arguments passed to...
UBUNTU-CVE-2023-41334
Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the TranformGraph.to_dot_graph function. A malicious user can provide a...
CVE-2023-41334 astropy vulnerable to RCE in TranformGraph().to_dot_graph function
Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the TranformGraph.to_dot_graph function. A malicious user can provide a...
CVE-2023-41334
Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the TranformGraph.to_dot_graph function. A malicious user can provide a...
Command Injection
paddlepaddle is vulnerable to Command Injection. The vulnerability is caused by the lack of proper input validation of the user-supplied savepath and name parameters, which are directly incorporated into the subprocess call. This can lead to command injection...
Code execution in metagpt
MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.runscript passes shell metacharacters to subprocess.Popen...
PYSEC-2024-9
MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.runscript passes shell metacharacters to subprocess.Popen...
CVE-2024-23750
MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.runscript passes shell metacharacters to subprocess.Popen...