W Shadow
Products (2)
- 9 CVEs
- 1 CVE
Recent CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-12424 | | Cri | 0.64 | 9.8 | 0.03 | | Aug 4, 2017 | In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege… |
| CVE-2020-20982 | | Cri | 0.63 | 9.6 | 0.06 | | Nov 3, 2021 | Cross Site Scripting (XSS) vulnerability in shadoweb wdja v1.5.1, allows attackers to execute arbitrary code and gain escalated privileges, via the backurl parameter to /php/passport/index.php. |
| CVE-2016-6252 | | Hig | 0.51 | 7.8 | 0.00 | | Feb 17, 2017 | Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. |
| CVE-2005-4890 | | Hig | 0.44 | 7.8 | 0.01 | | Nov 4, 2019 | There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process. |
| CVE-2020-21658 | | Med | 0.42 | 6.5 | 0.00 | | Oct 6, 2021 | A Cross-Site Request Forgery (CSRF) in WDJA CMS v1.5.2 allows attackers to arbitrarily add administrator accounts via a crafted URL. |
| CVE-2020-23631 | | Med | 0.40 | 6.1 | 0.00 | | Jan 11, 2021 | Cross-site request forgery (CSRF) in admin/global/manage.php in WDJA CMS 1.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via the tongji parameter. |
| CVE-2013-4235 | | Med | 0.31 | 4.7 | 0.00 | | Dec 3, 2019 | shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees |
| CVE-2024-24876 | | Med | 0.28 | 4.3 | 0.00 | | Feb 21, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor. This issue affects Admin Menu Editor: from n/a through 1.12. |
| CVE-2023-29383 | | Low | 0.00 | 3.3 | 0.00 | | Apr 14, 2023 | In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the… |
| CVE-2011-0721 | | | 0.00 | — | 0.02 | | Feb 19, 2011 | Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in shadow 1:4.1.4 allow local users to add new users or groups to /etc/passwd via the GECOS field. |