Security News

Fortinet warns of critical command injection bug in FortiSIEM
2023-11-16 15:20

Fortinet is alerting customers of a critical OS command injection vulnerability in FortiSIEM report server that could be exploited by remote, unauthenticated attackers to execute commands through specially crafted API requests. "An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests." - Fortinet.

QNAP warns of critical command injection flaws in QTS OS, apps
2023-11-06 12:47

QNAP Systems published security advisories for two critical command injection vulnerabilities that impact multiple versions of the QTS operating system and applications on its network-attached storage devices. Both are command injection vulnerabilities that a remote attacker can exploit to execute commands over the network.

D-Link WiFi range extender vulnerable to command injection attacks
2023-10-09 21:53

The popular D-Link DAP-X1860 WiFi 6 range extender is susceptible to a vulnerability allowing DoS attacks and remote command injection. An attacker within the extender's range can set up a WiFi network and deceptively name it similar to something the target is familiar with but include a tick in the name, like 'Olaf's Network,' for example.

New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection
2023-07-24 09:10

Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions. "This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent," Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.

Zyxel warns of critical command injection flaw in NAS devices
2023-06-20 14:26

Zyxel is warning its NAS device users to update their firmware to fix a critical severity command injection vulnerability. Zyxel has provided no workarounds or mitigations for CVE-2023-27992 in its latest advisory, so users of the impacted NAS devices are recommended to apply the available security updates as soon as possible.

Critical Flaw in Cisco IP Phone Series Exposes Users to Command Injection Attack
2023-03-02 04:17

Cisco on Wednesday rolled out security updates to address a critical flaw impacting its IP Phone 6800, 7800, 7900, and 8800 Series products. The vulnerability, tracked as CVE-2023-20078, is rated 9.8 out of 10 on the CVSS scoring system and is described as a command injection bug in the web-based management interface arising due to insufficient validation of user-supplied input.

Atlassian fixes critical command injection bug in Bitbucket Server
2022-11-18 11:59

Atlassian has released updates to address critical-severity vulnerabilities in its centralized identity management platform, Crowd Server and Data Center, and in Bitbucket Server and Data Center, the company's solution for Git repository management. Rated critical, the issue in Crowd Server and Data Center is tracked as CVE-2022-43782 and is a misconfiguration that allows an attacker to bypass password checks when authenticating as the Crowd app and to call privileged API endpoints.

Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability
2022-05-13 01:16

Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution. "A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device," the company said in an advisory published Thursday.

VMware fixes command injection, file upload flaws in Carbon Black security tool
2022-03-23 23:30

VMware has patched two security flaws, an OS command injection vulnerability and a file upload hole, in its Carbon Black App Control security product running on Windows. According to VMware, it could allow authenticated attackers with high privileges and network access to the VMware App Control administration interface to remotely execute commands on the server.

Researchers find high-severity command injection vuln in Fortinet's web app firewall
2021-08-18 16:38

A command injection vulnerability exists in Fortinet's management interface for its FortiWeb web app firewall, according to infosec firm Rapid7. An authenticated attacker can use the vuln to execute commands as root on the FortiWeb device, Rapid7 said in a blog post.