59255 results (0.068 seconds)

CVSS: 9.8EPSS: %CPEs: 1EXPL: 0

16 Jul 2025 — A command injection vulnerability exists in LILIN LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 due to insufficient sanitization of the FTP and NTP Server fields in the service configuration. An attacker with access to the configuration interface can upload a malicious XML file with injected shell commands in these fields. Upon subsequent configuration syncs, these commands are executed with elevated privileges. This vulnerability was exploited in the wild by the Moobo... • https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 9.0EPSS: %CPEs: 1EXPL: 3

16 Jul 2025 — An attacker can exploit this vulnerability by supplying crafted input to cause memory corruption and execute arbitrary code within the context of the current process. • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/x360_video_player_set_text_bof.rb • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVSS: 9.8EPSS: %CPEs: 1EXPL: 2

16 Jul 2025 — By sending a specially crafted message to the UDP port 9256, an attacker can overwrite the structured exception handler (SEH) due to insufficient bounds checking on user-supplied input leading to remote code execution. • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/misc/achat_bof.rb • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-121: Stack-based Buffer Overflow •

CVSS: 9.8EPSS: %CPEs: 1EXPL: 3

16 Jul 2025 — An unauthenticated arbitrary file upload vulnerability exists in Idera Up.Time Monitoring Station versions up to and including 7.2. The `wizards/post2file.php` script accepts arbitrary POST parameters, allowing attackers to upload crafted PHP files to the webroot. Successful exploitation results in remote code execution as the web server user. • https://www.vulncheck.com/advisories/idera-uptime-arbitrary-file-upload-rce • CWE-306: Missing Authentication for Critical Function CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 10.0EPSS: %CPEs: -EXPL: 3

16 Jul 2025 — A remote code execution vulnerability exists in multiple Netcore and Netis routers models with firmware released prior to August 2014 due to the presence of an undocumented backdoor listener on UDP port 53413. ... An unauthenticated remote attacker can send specially crafted UDP packets to execute arbitrary commands on the affected device. • https://www.vulncheck.com/advisories/netcore-netis-routers-backdoor-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-306: Missing Authentication for Critical Function CWE-912: Hidden Functionality •

CVSS: 7.5EPSS: %CPEs: 1EXPL: 0

16 Jul 2025 — An hsqldb-related remote code execution vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18. • https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04877en_us •

CVSS: 10.0EPSS: %CPEs: 6EXPL: 0

16 Jul 2025 — A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 7.7EPSS: %CPEs: 2EXPL: 0

16 Jul 2025 — A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as root. ... A successful exploit could allow the attacker to execute commands as the root user. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-3VpsXOxO • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 7.7EPSS: %CPEs: 2EXPL: 0

16 Jul 2025 — A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as root. ... A successful exploit could allow the attacker to execute commands as the root user. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-3VpsXOxO • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 9.8EPSS: %CPEs: 1EXPL: 0

16 Jul 2025 — A SQL Injection vulnerability was identified in the `/controle/control.php` endpoint, specifically in the `cargo` parameter, of WeGIA prior to version 3.4.5. A SQL Injection vulnerability was identified in the `/controle/control.php` endpoint, specifically in the `cargo` parameter, of WeGIA prior to version 3.4.5. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability... • https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-j3qv-v3m7-73pj • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •