Total
207 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-11751 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2020-08-24 | 8.8 High |
| Logging-related command line parameters are not properly sanitized when Firefox is launched by another program, such as when a user clicks on malicious links in a chat application. This can be used to write a log file to an arbitrary location such as the Windows 'Startup' folder. <br>*Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox < 69 and Firefox ESR < 68.1. | ||||
| CVE-2018-17456 | 4 Canonical, Debian, Git-scm and 1 more | 11 Ubuntu Linux, Debian Linux, Git and 8 more | 2020-08-24 | N/A |
| Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character. | ||||
| CVE-2019-6453 | 1 Mirc | 1 Mirc | 2020-08-24 | N/A |
| mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on browser-specific URI handling (Chrome is not exploitable). | ||||
| CVE-2018-10992 | 1 Lilypond | 1 Lilypond | 2020-08-24 | N/A |
| lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523. | ||||
| CVE-2019-15498 | 1 Getvera | 2 Vera Edge, Vera Edge Firmware | 2020-08-24 | N/A |
| cgi-bin/cmh/webcam.sh in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via --output argument injection in the username parameter to /cgi-bin/cmh/webcam.sh. | ||||
| CVE-2018-13386 | 1 Atlassian | 1 Sourcetree | 2020-08-24 | N/A |
| There was an argument injection vulnerability in Sourcetree for Windows via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for Windows before version 2.6.9 are affected by this vulnerability. | ||||
| CVE-2019-12578 | 2 Linux, Londontrustmedia | 2 Linux Kernel, Private Internet Access Vpn Client | 2020-08-24 | N/A |
| A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The openvpn_launcher.64 binary is setuid root. This binary executes /opt/pia/openvpn-64/openvpn, passing the parameters provided from the command line. Care was taken to programmatically disable potentially dangerous openvpn parameters; however, the --route-pre-down parameter can be used. This parameter accepts an arbitrary path to a script/program to be executed when OpenVPN exits. The --script-security parameter also needs to be passed to allow for this action to be taken, and --script-security is not currently in the disabled parameter list. A local unprivileged user can pass a malicious script/binary to the --route-pre-down option, which will be executed as root when openvpn is stopped. | ||||
| CVE-2019-12148 | 1 Sangoma | 2 Session Border Controller, Session Border Controller Firmware | 2020-08-24 | 9.8 Critical |
| The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to an authentication bypass via an argument injection vulnerability involving special characters in the username field. Upon successful exploitation, a remote unauthenticated user can login into the device's admin web portal without providing any credentials. This affects /var/webconfig/gui/Webconfig.inc.php. | ||||
| CVE-2019-12147 | 1 Sangoma | 2 Session Border Controller, Session Border Controller Firmware | 2020-08-24 | 9.8 Critical |
| The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to Argument Injection via special characters in the username field. Upon successful exploitation, a remote unauthenticated user can create a local system user with sudo privileges, and use that user to login to the system (either via the web interface or via SSH) to achieve complete compromise of the device. This affects /var/webconfig/gui/Webconfig.inc.php and /usr/local/sng/bin/sng-user-mgmt. | ||||
| CVE-2019-8321 | 3 Debian, Opensuse, Rubygems | 3 Debian Linux, Leap, Rubygems | 2020-08-19 | 7.5 High |
| An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible. | ||||
| CVE-2020-3380 | 1 Cisco | 1 Data Center Network Manager | 2020-07-22 | 7.8 High |
| A vulnerability in the CLI of Cisco Data Center Network Manager (DCNM) could allow an authenticated, local attacker to elevate privileges to root and execute arbitrary commands on the underlying operating system. The vulnerability is due to insufficient restrictions during the execution of an affected CLI command. An attacker could exploit this vulnerability by authenticating as the fmserver user and submitting malicious input to a specific command. A successful exploit could allow the attacker to elevate privileges to root and execute arbitrary commands on the underlying operating system. | ||||
| CVE-2020-7496 | 1 Se | 1 Ecostruxure Operator Terminal Expert | 2020-06-18 | 7.8 High |
| A CWE-88: Argument Injection or Modification vulnerability exists in EcoStruxure Operator Terminal Expert 3.1 Service Pack 1 and prior (formerly known as Vijeo XD)which could cause unauthorized write access when opening the project file. | ||||
| CVE-2018-20234 | 1 Atlassian | 1 Sourcetree | 2020-05-11 | N/A |
| There was an argument injection vulnerability in Atlassian Sourcetree for macOS from version 1.2 before version 3.1.1 via filenames in Mercurial repositories. A remote attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. | ||||
| CVE-2018-13385 | 1 Atlassian | 1 Sourcetree | 2020-05-11 | N/A |
| There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system. Versions of Sourcetree for macOS from 1.0b2 before 2.7.6 are affected by this vulnerability. | ||||
| CVE-2020-5546 | 1 Mitsubishielectric | 2 Iu1-1m20-d, Iu1-1m20-d Firmware | 2020-03-19 | 8.8 High |
| Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows an attacker on the same network segment to stop the network functions or execute malware via a specially crafted packet. | ||||
| CVE-2019-15541 | 1 Rustls Project | 1 Rustls | 2019-09-03 | N/A |
| rustls-mio/examples/tlsserver.rs in the rustls crate before 0.16.0 for Rust allows attackers to cause a denial of service (loop of conn_event and ready) by arranging for a client to never be writable. | ||||
| CVE-2019-13475 | 1 Mobatek | 1 Mobaxterm | 2019-07-16 | N/A |
| In MobaXterm 11.1, the mobaxterm: URI handler has an argument injection vulnerability that allows remote attackers to execute arbitrary commands when the user visits a specially crafted URL. Based on the available command-line arguments of the software, one can simply inject -exec to execute arbitrary commands. The additional arguments -hideterm and -exitwhendone in the payload make the attack less visible. | ||||
| CVE-2016-1000222 | 1 Elastic | 1 Logstash | 2019-06-17 | N/A |
| Logstash prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data. | ||||
| CVE-2019-11582 | 1 Atlassian | 1 Sourcetree | 2019-06-17 | N/A |
| An argument injection vulnerability in Atlassian Sourcetree for Windows's URI handlers, in all versions prior to 3.1.3, allows remote attackers to gain remote code execution through the use of a crafted URI. | ||||
| CVE-2018-11020 | 1 Amazon | 2 Fire Os, Kindle Fire Hd | 2019-01-17 | N/A |
| kernel/omap/drivers/rpmsg/rpmsg_omx.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device file /dev/rpmsg-omx1 with the command 3221772291, and cause a kernel crash. | ||||