Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-36381: Remote Code Execution(RCE) via insecure command formatting · Issue #2 · shenzhim/aaptjs

An issue was discovered in the singleCrunch function in shenzhim aaptjs 1.3.1, allows attackers to execute arbitrary code via the filePath parameters.

CVE
#js

Related news

CVE-2020-36380: Remote Code Execution(RCE) via insecure command formatting · Issue #2 · shenzhim/aaptjs

An issue was discovered in the crunch function in shenzhim aaptjs 1.3.1, allows attackers to execute arbitrary code via the filePath parameters.

CVE-2020-36379: Remote Code Execution(RCE) via insecure command formatting · Issue #2 · shenzhim/aaptjs

An issue was discovered in the remove function in shenzhim aaptjs 1.3.1, allows attackers to execute arbitrary code via the filePath parameters.

CVE-2020-26707: Remote Code Execution(RCE) via insecure command formatting · Issue #2 · shenzhim/aaptjs

An issue was discovered in the add function in Shenzhim AAPTJS 1.3.1 which allows attackers to execute arbitrary code via the filePath parameter.

CVE-2020-36376: Remote Code Execution(RCE) via insecure command formatting · Issue #2 · shenzhim/aaptjs

An issue was discovered in the list function in shenzhim aaptjs 1.3.1, allows attackers to execute arbitrary code via the filePath parameters.

CVE-2020-36377: Remote Code Execution(RCE) via insecure command formatting · Issue #2 · shenzhim/aaptjs

An issue was discovered in the dump function in shenzhim aaptjs 1.3.1, allows attackers to execute arbitrary code via the filePath parameters.

CVE-2020-36378: Remote Code Execution(RCE) via insecure command formatting · Issue #2 · shenzhim/aaptjs

An issue was discovered in the packageCmd function in shenzhim aaptjs 1.3.1, allows attackers to execute arbitrary code via the filePath parameters.

CVE-2021-33259

Several web interfaces in D-Link DIR-868LW 1.12b have no authentication requirements for access, allowing for attackers to obtain users' DNS query history.

CVE-2021-36547: Remote Code Execution via File in Mara version 7.5 · Issue #1 · r0ck3t1973/RCE

A remote code execution (RCE) vulnerability in the component /codebase/dir.php?type=filenew of Mara v7.5 allows attackers to execute arbitrary commands via a crafted PHP file.

CVE-2021-36548: RCE (Remote Code Execution via Theme Blog Monstra version 3.0.4) · Issue #470 · monstra-cms/monstra

A remote code execution (RCE) vulnerability in the component /admin/index.php?id=themes&action=edit_template&filename=blog of Monstra v3.0.4 allows attackers to execute arbitrary commands via a crafted PHP file.

CVE-2021-26610: KrCERT/CC - KISA 인터넷 보호나라&KrCERT

The move_uploaded_file function in godomall5 does not perform an integrity check of extension or authority when user upload file. This vulnerability allows an attacker to execute an remote arbitrary code.

CVE-2021-37933: CVE-2021-37933

An LDAP injection vulnerability in /account/login in Huntflow Enterprise before 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication. The vulnerability is due to insufficient server-side validation of the email parameter before using it to construct LDAP queries. An attacker could bypass authentication exploiting this vulnerability by sending login attempts in which there is a valid password but a wildcard character in email parameter.

CVE-2021-41568: TWCERT/CC台灣電腦網路危機處理暨協調中心-Tad Web - Improper Authorization

Tad Web is vulnerable to authorization bypass, thus remote attackers can exploit the vulnerability to use the original function of viewing bulletin boards and uploading files in the system.

FatPipe Networks WARP 10.2.2 Authorization Bypass

Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages.

ECOA Building Automation System Authorization Bypass / IDOR

The BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access the hidden resources in the system and execute privileged functionalities.

CVE-2020-7832: KrCERT/CC - KISA 인터넷 보호나라&KrCERT

A vulnerability (improper input validation) in the DEXT5 Upload solution allows an unauthenticated attacker to download and execute an arbitrary file via AddUploadFile, SetSelectItem, DoOpenFile function.(CVE-2020-7832)

CVE-2019-17322: KrCERT/CC - KISA 인터넷 보호나라&KrCERT

ClipSoft REXPERT 1.0.0.527 and earlier version allows arbitrary file creation via a POST request with the parameter set to the file path to be written. This can be an executable file that is written to in the arbitrary directory. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.

CVE-2019-17326: KrCERT/CC - KISA 인터넷 보호나라&KrCERT

ClipSoft REXPERT 1.0.0.527 and earlier version allows remote attacker to arbitrary file deletion by issuing a HTTP GET request with a specially crafted parameter. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907