#rce

A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow a Remote Code Execution (RCE). Affected Products: All UniFi Access Points (Version 6.5.53 and earlier) All UniFi Switches (Version 6.5.32 and earlier) -USW Flex Mini excluded. Mitigation: Update UniFi Access Points to Version 6.5.62 or later. Update UniFi Switches to Version 6.5.59 or later.

1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Parasolid and Teamcenter Visualization Vulnerabilities: NULL Pointer Dereference, Out-of-bounds Read, Out-of-bounds Write, Allocation of Resources without Limits or Throttling 2. RISK EVALUATION An attacker could successfully exploit these vulnerabilities by tricking a user into opening a malicious file, allowing the attacker to cause a denial of service or perform remote code execution in the context of the current process. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Parasolid V34.1: versions prior to V34.1.258 Parasolid V35.0: versions prior to V35.0.254 Parasolid V35.1: versions prior to V35.1.171 Parasolid V35.1: versions prior to V35.1.197 Parasolid V35.1: versions prior to V35.1.184 Teamcenter Visualization V14.1: all versions Teamcenter Visualization V14.2: versions prior to V14.2.0.6 Teamcenter Visualization V14.3: all versions 3....

A remote code execution vulnerability in the webview component of OPPO Store app.

A remote code execution vulnerability in the webview component of OnePlus Mall app.

Categories: Exploits and vulnerabilities Categories: News Microsoft has announced patches for 87 vulnerabilities this month, including two that are being actively exploited. (Read more...) The post August Patch Tuesday stops actively exploited attack chain and more appeared first on Malwarebytes Labs.

## Impact The `import-in-the-middle` loader used by `@opentelemetry/instrumentation` works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. It allows for remote code execution in cases where an application passes user-supplied input directly to an `import()` function. ## Patches This vulnerability has been patched in `@opentelemetry/instrumentation` version `0.41.2` ## Workarounds - Do not pass any user-supplied input to `import()`. Instead, verify it against a set of allowed values. - If using `@opentelemetry/instrumentation` with support for EcmaScript Modules is not needed, ensure that none of the following options are set (either via command-line or the `NODE_OPTIONS` environment variable): ``` --experimental-loader=@opentelemetry/instrumentation/hook.mjs --experimental-loader @opentelemetry/instrumentation/hook.mjs --loader=import-in-the-middle/hook.mjs --loader import-in-the-middle/hook.m...

A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense before 23.7 allows attackers to execute arbitrary system commands.

Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created with a TRIGGER that allows for code execution. We use a sample database for our connection string to prevent corrupting real databases. Successfully tested against Metabase 0.46.6.

Ubuntu Security Notice 6278-1 - It was discovered that .NET did not properly handle the execution of certain commands. An attacker could possibly use this issue to achieve remote code execution. Benoit Foucher discovered that .NET did not properly implement the QUIC stream limit in HTTP/3. An attacker could possibly use this issue to cause a denial of service. It was discovered that .NET did not properly handle the disconnection of potentially malicious clients interfacing with a Kestrel server. An attacker could possibly use this issue to cause a denial of service.

Emagic Data Center Management Suite version 6.0 suffers from a remote command execution vulnerability.