CWE-78

CVE-2020-28426

February 26, 2023 by

All versions of package kill-process-on-port are vulnerable to Command Injection via a.getProcessPortId.

CVE-2020-28429

February 26, 2023 by

All versions of package geojson2kml are vulnerable to Command Injection via the index.js file. PoC: var a =require(“geojson2kml”); a(“./”,”& touch JHU”,function(){})

CVE-2020-28431

February 26, 2023 by

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

CVE-2020-28432

February 26, 2023 by

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.

CVE-2020-28188

February 26, 2023 by

Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter.