#rce

Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the `sql_case` input field in `/web/generate.php`, allowing remote attackers to execute arbitrary SQL commands and potentially command injection, leading to remote code execution (RCE) under certain conditions.

A maximum-severity security flaw has been disclosed in the TP-Link Archer C5400X gaming router that could lead to remote code execution on susceptible devices by sending specially crafted requests. The vulnerability, tracked as CVE-2024-5035, carries a CVSS score of 10.0. It impacts all versions of the router firmware including and prior to 1_1.1.6. It has

ElkArte Forum version 1.1.9 suffers from a remote code execution vulnerability.

Red Hat Security Advisory 2024-3354-03 - Red Hat Fuse 7.13.0 release is now available. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Issues addressed include HTTP request smuggling, bypass, denial of service, deserialization, and traversal vulnerabilities.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: AutomationDirect Equipment: Productivity PLCs Vulnerabilities: Buffer Access with Incorrect Length Value, Out-of-bounds Write, Stack-based Buffer Overflow, Improper Access Control, Active Debug Code, Insufficient Verification of Data Authenticity 2. RISK EVALUATION Successful exploitation of these vulnerabilities could lead to remote code execution and denial of service. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS AutomationDirect reports the following versions of Productivity PLCs are affected: Productivity 3000 P3-550E CPU: FW 1.2.10.9 Productivity 3000 P3-550E CPU: SW 4.1.1.10 Productivity 3000 P3-550 CPU: FW 1.2.10.9 Productivity 3000 P3-550 CPU: SW 4.1.1.10 Productivity 3000 P3-530 CPU: FW 1.2.10.9 Productivity 3000 P3-530 CPU: SW 4.1.1.10 Productivity 2000 P2-550 CPU: FW 1.2.10.10 Productivity 2000 P2-550 CPU: SW 4.1.1.10 Productivity 1000 P1-550 CPU: FW 1.2.10.10 Productivity ...

Ivanti on Tuesday rolled out fixes to address multiple critical security flaws in Endpoint Manager (EPM) that could be exploited to achieve remote code execution under certain circumstances. Six of the 10 vulnerabilities – from CVE-2024-29822 through CVE-2024-29827 (CVSS scores: 9.6) – relate to SQL injection flaws that allow an unauthenticated attacker within the same network to

A Server-Side Request Forgery (SSRF) vulnerability in the /Upgrade/FixConfig route in Open Library Foundation VuFind 2.0 through 9.1 before 9.1.1 allows a remote attacker to overwrite local configuration files to gain access to the administrator panel and achieve Remote Code Execution. A mitigating factor is that it requires the allow_url_include PHP runtime setting to be on, which is off in default installations. It also requires the /Upgrade route to be exposed, which is exposed by default after installing VuFind, and is recommended to be disabled by setting autoConfigure to false in config.ini.

This Metasploit module exploits an unauthenticated remote code execution vulnerability in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the submitIndex.php file, where user-supplied input is passed directly to the require() function without proper sanitization. By exploiting this, an attacker can leverage the PHP filter chaining technique to execute arbitrary PHP code on the server. This allows for the execution of commands and control over the affected system. The exploit is particularly dangerous because it does not require authentication, making it possible for any remote attacker to exploit this vulnerability.

An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands.

Under certain circumstances it is possible to execute an authorized foreign code in Shopware version prior to 5.2.25.