| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php (lines 107-108) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). This is identical in pattern to the Juniper plugin vulnerability. The $msg variable contains unsanitized attack data from command-line arguments. An attacker who can influence argv[] values can inject arbitrary shell commands. The fix is to replace exec() with file_put_contents() or use escapeshellarg(). |
| In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an authenticated DVRIP protocol (TCP port 34567) request to the NetWork.NetCommon configuration handler, because system() is used. |
| DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Contributor PHP Object Injection in Fusion Builder <= 3.15.4 versions. |
| Unauthenticated Local File Inclusion in Nexio <= 1.10.0 versions. |
| Unauthenticated Local File Inclusion in MaxiNet <= 1.2.10 versions. |
| Unauthenticated Local File Inclusion in Iona <= 1.0.8 versions. |
| Unauthenticated Local File Inclusion in CopyPress <= 1.4.5 versions. |
| Unauthenticated Local File Inclusion in Especio <= 1.0 versions. |
| Unauthenticated Arbitrary File Deletion in Car Zone <= 3.7 versions. |
| Unauthenticated Local File Inclusion in Abelle <= 1.22 versions. |
| Unauthenticated Local File Inclusion in Mission <= 1.22 versions. |
| Unauthenticated Local File Inclusion in Dom <= 1.24 versions. |
| Unauthenticated Local File Inclusion in Putter <= 1.17 versions. |
| Unauthenticated Local File Inclusion in Medeus <= 1.14 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Grand Car Rental <= 3.7 versions. |
| The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL. |
| Unauthenticated Local File Inclusion in Printo <= 1.11 versions. |
| Unauthenticated Local File Inclusion in Gita <= 1.11 versions. |
| Unauthenticated Local File Inclusion in Grecko <= 5.17 versions. |
