ESXi contains a command injection vulnerability due to the use of vulnerable version of busybox that does not sanitize filenames which may result into executing any escape sequence in the shell.
Tag: Command Injection
ASA-2019-00551 – PuTTY: Malicious clipboard content injection in bracketed paste mode
In the PuTTY terminal, bracketed paste mode was broken in 0.72, in a way that made the pasted data look like manual keyboard input. So any application relying on the bracketing sequences to protect against malicious clipboard contents would have been misled.
ASA-2019-00543 – radare2: Command injection in bin_symbols()
In radare2 before 3.9.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to an insufficient fix for CVE-2019-14745 and improper handling of symbol names embedded in executables.
ASA-2019-00542 – radare2: Command injection in bin_symbols()
In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.
ASA-2019-00523 – Rexical, Nokogiri: Command Injection Vulnerability
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries.
ASA-2019-00511 – Webmin: Unauthenticated Remote Code Execution
Webmin releases contain a vulnerability that allows remote command execution. The parameter old in password_change.cgi contains a command injection vulnerability.
ASA-2019-00385 – London Trust Media Private Internet Access: Command Injection
A vulnerability in the London Trust Media Private Internet Access (PIA)VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges.
ASA-2019-00129 – Sourcetree: Command Injection via URI handling
Sourcetree for Windows before version 3.0.10 was vulnerable to CVE-2018-20236. A remote attacker able to send a URI to a Sourcetree for Windows user is able to exploit this issue to gain code execution on the system.