CWE-78

CVE-2021-3342

February 23, 2023 by

EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted LaTeX input to a cgi/latex2png?latex= URI.

CVE-2021-3317

February 23, 2023 by

KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.

From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an “agent-update” command which was designed to patch the application binary. This “patching” command defaults to calling a trusted binary, but might be modified to an arbitrary value through a “c2-update” command. Said command is then executed using the same privileges as the application binary. This was addressed in version 0.10.0

CVE-2021-33032

February 23, 2023 by

A Remote Code Execution (RCE) vulnerability in the WebUI component of the eQ-3 HomeMatic CCU2 firmware up to and including version 2.57.5 and CCU3 firmware up to and including version 3.57.5 allows remote unauthenticated attackers to execute system commands as root via a simple HTTP request.

CVE-2021-33055

February 23, 2023 by

Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.

CVE-2021-3291

February 23, 2023 by

Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.