20 matches found

NVD
added 2026/04/08 7:25 p.m.; views: 1

CVE-2026-27806

Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command("expect", "-c", script). Because the...

CVSS 7.8 | EPSS 0.00008
Exploits 0 | References 1

Github Security Blog
added 2026/04/08 6:3 p.m.; views: 3

Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit

Summary: The Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command("expect", "-c", script). Because the password is inserted into Tcl brace-quoted send %s, a...

CVSS 7.8 | AI score 6.1 | EPSS 0.00008
Exploits 0 | References 2 | Affected Software 1

Positive Technologies
added 2026/04/08 12:0 a.m.; views: 2

PT-2026-31406

Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command("expect", "-c", script). Because the...

CVSS 7.8 | AI score 6 | EPSS 0.00008
Exploits 0 | References 1

EUVD
added 2025/10/07 12:30 a.m.; views: 2

EUVD-2004-0015

Malware in sbrugna...

CVSS 7.2 | AI score 6.2 | EPSS 0.0005
Exploits 0 | References 5

F5 Networks
added 2023/02/21 6:53 p.m.; views: 53

K15650046: Tcl code injection security exposure

Security Advisory Description: Certain coding practices may allow an attacker to inject arbitrary Tool Command Language (Tcl) commands, which can be executed in the security context of the target Tcl script by the running Tcl interpreter. Note: This issue affects any user-supplied Tcl code executed ...

AI score 8.1
Exploits 0 | Affected Software 18

NVD
added 2019/11/14 7:15 p.m.; views: 9

CVE-2019-18937

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the Script Parser AddOn through 1.8 installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi script, which executes TCL script content from an HTTP POST request...

CVSS 9.8 | AI score 9.8 | EPSS 0.30108
Exploits 1 | References 1

OSV
added 2019/11/14 7:15 p.m.; views: 13

CVE-2019-18939

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the HM-Print AddOn through 1.2a installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi and exec1.cgi scripts, which execute TCL script content from an HTTP POST request...

CVSS 9.8 | AI score 7.9 | EPSS 0.30108
Exploits 1 | References 1

Prion
added 2019/11/14 7:15 p.m.; views: 14

Design/Logic Flaw

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the Script Parser AddOn through 1.8 installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi script, which executes TCL script content from an HTTP POST request...

CVSS 7.5 | AI score 9.7 | EPSS 0.30108
Exploits 1 | References 1 | Affected Software 3

Prion
added 2019/11/14 7:15 p.m.; views: 14

Remote code execution

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the HM-Print AddOn through 1.2a installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi and exec1.cgi scripts, which execute TCL script content from an HTTP POST request...

CVSS 7.5 | AI score 9.8 | EPSS 0.30108
Exploits 1 | References 1 | Affected Software 3

Cvelist
added 2019/11/14 6:53 p.m.; views: 12

CVE-2019-18939

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the HM-Print AddOn through 1.2a installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi and exec1.cgi scripts, which execute TCL script content from an HTTP POST request...

AI score 9.9 | EPSS 0.30108
Exploits 1 | References 1

NVD
added 2018/02/22 7:29 p.m.; views: 12

CVE-2018-7297

Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be exploited by unauthenticated attackers with access to the web interface...

CVSS 10 | AI score 9.9 | EPSS 0.59303
Exploits 2 | References 2

Prion
added 2018/02/22 7:29 p.m.; views: 16

Design/Logic Flaw

Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be exploited by unauthenticated attackers with access to the web interface...

CVSS 10 | AI score 9.7 | EPSS 0.59303
Exploits 2 | References 2 | Affected Software 1

Cvelist
added 2018/02/22 7:0 p.m.; views: 14

CVE-2018-7297

Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be exploited by unauthenticated attackers with access to the web interface...

AI score 9.9 | EPSS 0.59303
Exploits 2 | References 2

CVE
added 2018/02/22 7:0 p.m.; views: 35

CVE-2018-7297

CVE-2018-7297 affects eQ-3 Homematic CCU2 (firmware 2.29.2 and earlier). The vulnerability exists in the TCL script interpreter, enabling remote code execution via unauthenticated access to the device’s web interface, allowing read/write access and command execution on the host. Reported via mult...

CVSS 10 | AI score 9.8 | EPSS 0.59303
Exploits 2 | References 2 | Affected Software 1

seebug.org
added 2014/07/01 12:0 a.m.; views: 26

Oracle <= 8 8.1.5 Intelligent Agent Vulnerability (2)

No description provided by source. source: http://www.securityfocus.com/bid/585/info A vulnerability in the Oracle Intelligent Agent allows local malicious users to execute arbitrary commands and to create world writable files as the root user. The problem lies in the dbsnmp program located in...

AI score 7.1
Exploits 0

Cvelist
added 2005/08/20 4:0 a.m.; views: 12

CVE-2004-2471

SQL injection vulnerability in the sloth TCL script in QuoteEngine before 1.2.0 allows remote attackers to execute arbitrary SQL commands via unknown vectors...

AI score 8.3 | EPSS 0.00502
Exploits 0 | References 4

CVE
added 2005/08/20 4:0 a.m.; views: 39

CVE-2004-2471

The CVE-2004-2471 entry describes an SQL injection in the sloth TCL script of QuoteEngine prior to 1.2.0, enabling remote attackers to execute arbitrary SQL via unknown vectors. The vulnerability affects the QuoteEngine component and is documented with a high impact score (base 7.5; Confidentiali...

CVSS 7.5 | AI score 8.8 | EPSS 0.00502
Exploits 0 | References 4 | Affected Software 1

CVE
added 2004/09/01 4:0 a.m.; views: 59

CVE-2004-0015

The CVE concerns vbox3:0.1.8 and earlier where root privileges were not properly relinquished before executing a user-supplied TCL script, enabling a local user to gain privileges. Affected: vbox3 (ISDN4Linux vocal system); root privilege leak via privilege drop failure. Debian DSAs confirm fixes...

CVSS 7.2 | AI score 6.4 | EPSS 0.0005
Exploits 0 | References 3 | Affected Software 1

NVD
added 2004/02/03 5:0 a.m.; views: 9

CVE-2004-0015

vbox3 0.1.8 and earlier does not properly drop privileges before executing a user-provided TCL script, which allows local users to gain privileges...

CVSS 7.2 | AI score 6.4 | EPSS 0.0005
Exploits 0 | References 3

OSV
added 2004/01/07 12:0 a.m.; views: 18

DSA-418 vbox3 - privilege leak

Bulletin has no description...

CVSS 7.2 | AI score 6.2 | EPSS 0.0005
Exploits 0