CWE:
 

Topic
Date
Author
Med.
QNAP Qcenter Virtual Appliance 1.6.x Information Disclosure / Command Injection
13.07.2018
Core Security Technolo...


CVEMAP Search Results

CVE
Details
Description
2019-08-14
High
CVE-2019-12104

 

 
The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by several post-authentication command injection vulnerabilities.

 
High
CVE-2019-12103

 

 
The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by a pre-authentication command injection vulnerability.

 
2019-08-07
Medium
CVE-2019-14745

Vendor: Radare
Software: Radare2
 

 
In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.

 
Medium
CVE-2019-14744

Vendor: Debian
Software: Debian linux
 

 
In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.

 
2019-08-02
Medium
CVE-2017-18442

Vendor: Cpanel
Software: Cpanel
 

 
cPanel before 64.0.21 allows demo accounts to execute Cpanel::SPFUI API commands (SEC-246).

 
Medium
CVE-2017-18400

Vendor: Cpanel
Software: Cpanel
 

 
cPanel before 68.0.15 allows local root code execution via cpdavd (SEC-333).

 
2019-08-01
Low
CVE-2016-10849

Vendor: Cpanel
Software: Cpanel
 

 
cPanel before 11.54.0.4 allows certain file-chmod operations in scripts/secureit (SEC-82).

 
Medium
CVE-2016-10843

Vendor: Cpanel
Software: Cpanel
 

 
cPanel before 11.54.0.4 allows code execution in the context of shared users via JSON-API (SEC-76).

 
High
CVE-2019-14260

Vendor: Al-enterprise
Software: 8008 firmware
 

 
On the Alcatel-Lucent Enterprise (ALE) 8008 Cloud Edition Deskphone VoIP phone with firmware 1.50.13, a command injection (missing input validation) issue in the password change field for the Change Password interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request.

 
High
CVE-2019-14259

Vendor: Polycom
Software: Obihai obi10...
 

 
On the Polycom Obihai Obi1022 VoIP phone with firmware 5.1.11, a command injection (missing input validation) issue in the NTP server IP address field for the "Time Service Settings web" interface allows an authenticated remote attacker in the same network to trigger OS commands via shell commands in a POST request.

 

 


Copyright 2019, cxsecurity.com
