CVE-2024-7700

The CVE-2024-7700 entry concerns Foreman where the vulnerability is a command-injection flaw in the Host Init Config template via the Install Packages field on the Register Host page. The root cause is the injection into the configuration, enabling potentially arbitrary command execution during h...

CVE-2024-7700 Foreman: command injection in "host init config" template via "install packages" field on foreman

A command injection flaw was found in the "Host Init Config" template in the Foreman application via the "Install Packages" field on the "Register Host" page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing...

CVE-2024-7700 Foreman: command injection in "host init config" template via "install packages" field on foreman

A command injection flaw was found in the "Host Init Config" template in the Foreman application via the "Install Packages" field on the "Register Host" page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing...

Incorrect Authorization

reddiscordbot is vulnerable to Incorrect Authorization. The vulnerability is due to the absence of a permission check in the commands.canmanagechannel command permission, allowing unauthorized users to execute commands intended for those with channel management permissions. Attackers can exploit...

CVE-2024-39905

The CVE-2024-39905 issue affects Red-DiscordBot caused by a bug in Red’s Core API: 3rd-party cogs using the can_manage_channel permission check may allow a user to run a command without channel management rights. Core commands/cogs are not affected. The vulnerability was patched in version 3.5.10...

CVE-2024-39905 Red-DiscordBot vulnerable to Incorrect Authorization in commands API

Red is a fully modular Discord bot. Due to a bug in Red's Core API, 3rd-party cogs using the @commands.canmanagechannel command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of t...

Kernel: bluetooth: Unauthorized management command execution

A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hcisock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth...

CVE-2024-4639

OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to a lack of neutralized inputs in IPSec configuration. An attacker could modify the intended commands sent to target functions, which could cause malicious users to execute unauthorized commands...

PT-2024-4413 · Moxa · Oncell G3470A-Lte Series

Name of the Vulnerable Software and Affected Versions: OnCell G3470A-LTE Series firmware versions v1.7.7 and prior Description: The issue is related to a lack of neutralized inputs in the IPSec configuration, allowing an attacker to modify intended commands sent to target functions. This could...

Netis MW5360 Remote Command Execution Exploit

The Netis MW5360 router has a command injection vulnerability via the password parameter on the login page. The vulnerability stems from improper handling of the "password" parameter within the router's web interface. The router's login page authorization can be bypassed by simply deleting the...

Command Injection

github.com/1panel-dev/1panel is vulnerable to Command injection. The vulnerability arises from insufficient input sanitization, that allowing attackers to write arbitrary files by exploiting the log retrieval API. This can lead to unauthorized command execution or arbitrary file write...

RHEL 7 : kernel-rt (RHSA-2024:2003)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2003 advisory. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirement...

Kernel: bluetooth: Unauthorized management command execution

A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hcisock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth...

CVE-2024-1520

The CVE-2024-1520 entry concerns an OS command injection in parisneo/lollms-webui, via improper validation of the discussion_id parameter on the /open_code_folder endpoint. Affected component is the web UI’s input handling, allowing an attacker to inject OS commands and achieve remote code execut...

Adobe Substance 3D Painter Buffer Overflow Vulnerability (CNVD-2024-15724)

Adobe Substance 3D Painter is a 3D texturing application from the American company Audobee Adobe. A buffer overflow vulnerability previously existed in Adobe Substance3D Painter version 9.1.1, which originated from the presence of an out-of-bounds read vulnerability that could lead to a sensitive...

Vulnerability fixed in Progress Kemp LoadMaster

Progress Kemp has fixed a vulnerability in LoadMaster. The vulnerability allows a malicious party to use specially API calls to issue system commands without being authorized. being authorized to do so. For successful exploitation, the malicious party must have access to the management interface...

Command injection

An OS command injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following version: Video Station 5.7.2 2023/11/23 and later...

CVE-2023-51022

TOTOlink EX1800T v9.1.0cu.2112B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘langFlag’ parameter of the setLanguageCfg interface of the cstecgi .cgi...

CVE-2023-51020

TOTOlink EX1800T v9.1.0cu.2112B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘langType’ parameter of the setLanguageCfg interface of the cstecgi .cgi...

CVE-2023-51019

TOTOlink EX1800T v9.1.0cu.2112B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘key5g’ parameter of the setWiFiExtenderConfig interface of the cstecgi .cgi...