Tag
#rce
**How could an attacker exploit this vulnerability?** An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.
**How could an attacker exploit this vulnerability?** An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.
Numbas versions prior to 7.3 suffer from a remote code execution vulnerability.
Sitecore version 8.2 suffers from a remote code execution vulnerability.
Akaunting versions 3.1.3 and below suffer from a remote command execution vulnerability.
pgAdmin 4 uses a file-based session management approach. The session files are saved on disk as pickle objects. When a user performs a request, the value of the session cookie 'pga4_session' is used to retrieve the file, then its content is deserialised, and finally its signature verified. The cookie value is split in 2 parts at the first '!' character. The first part is the session ID (sid), while the second is the session digest. The vulnerability lies in versions of pgAdmin prior to 8.4 where a method loads session files by concatenating the sessions folder - located inside the pgAdmin 4 DATA_DIR - with the session ID. Precisely, the two values are concatenated using the ['os.path.join'] function. It does not set a trusted base-path which should not be escaped
remote code execution in paddlepaddle/paddle 2.6.0
Red Hat Security Advisory 2024-1188-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include code execution, denial of service, memory leak, out of bounds read, out of bounds write, and use-after-free vulnerabilities.
An issue in Open Source: RPyC v.4.00 thru v.5.3.1 allows a remote attacker to execute arbitrary code via a crafted script to the `__array__` attribute component. This vulnerability was introduced in [9f45f826](https://github.com/tomerfiliba-org/rpyc/commit/9f45f8269d4106905db61d82cd529cacdb178911). ### Attack Vector RPyC services that rely on the `__array__` attribute used by numpy are impacted. When the server-side exposes a method that calls the attribute named `__array__` for a a client provided netref (e.g., `np.array(client_netref)`), a remote attacker can craft a class which results in remote code execution ### Impact Assuming the system exposes a method that calls the attribute `__array__`, an attacker can execute code using the vulnerable component. ### Patches The fix is available in RPyC 6.0.0. The major version change is because some users may need to set `allow_pickle` to `True` when migrating to RPyC 6. ### Workarounds While the recommend fix is to upgrade to RPyC 6.0...
### Summary - Due to insufficient permission verification, user who can write a page use frontmatter feature. - Inadequate File Name Validation ### Details 1. Insufficient Permission Verification In Grav CMS, "[Frontmatter](https://learn.getgrav.org/17/content/headers)" refers to the metadata block located at the top of a Markdown file. Frontmatter serves the purpose of providing additional information about a specific page or post. In this feature, only administrators are granted access, while regular users who can create pages are not. However, if a regular user adds the data[_json][header][form] parameter to the POST Body while creating a page, they can use Frontmatter. The demonstration of this vulnerability is provided in video format. [Video Link](https://www.youtube.com/watch?v=EU1QA0idoWE) 2. Inadequate File Name Validation To create a Contact Form, Frontmatter and markdown can be written as follows: [Contact Form Example](https://learn.getgrav.org/17/forms/forms/example-fo...