

This vulnerability allows attackers to execute arbitrary commands via a crafted payload. Command injection vulnerability in the Linksys MR8300 router during registration to the DDNS service. TOTOLink A700RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the lang parameter in the function cstesystem. TOTOLINK A810R V5.9c.4050_B20190424 was discovered to contain a command injection vulnerability via the component downloadFile.cgi.

TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to command injection via cstecgi.cgi.

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. An admin user exporting contacts in a CSV file may end up executing the malicious system commands on his system.

arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool.

NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM's Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java's ProcessBuilder isn't vulnerable because of a check in ProcessBuilder.start. This vulnerability can only be exploited to inject command line arguments on Linux. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.

In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occur. This vulnerability allows unauthenticated users to execute commands on the operating system.

This allows authenticated users to execute commands on the operating system. Tenda i9 v1.0.0.8(3828) was discovered to contain a command injection vulnerability via the FormexeCommand function. TOTOLINK A860R V4.1.2cu.5182_B20201027 was discovered to contain a command injection via the component /cgi-bin/downloadFile.cgi. TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a command injection vulnerability via the UploadFirmwareFile function at /cgi-bin/cstecgi.cgi. TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a command injection vulnerability via the OpModeCfg function at /cgi-bin/cstecgi.cgi. AP Manager in Innovaphone before 13r2 Service Release 17 allows command injection via a modified service ID during app upload.
