Search
Total
898 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2253 | 1 Webhmi | 2 Webhmi, Webhmi Firmware | 2022-07-13 | 9.0 HIGH | 9.1 CRITICAL |
| A user with administrative privileges in Distributed Data Systems WebHMI 4.1.1.7662 may send OS commands to execute on the host server. | |||||
| CVE-2022-33328 | 1 Robustel | 2 R1510, R1510 Firmware | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/ajax/remove/` API is affected by a command injection vulnerability. | |||||
| CVE-2022-33327 | 1 Robustel | 2 R1510, R1510 Firmware | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/ajax/remove_sniffer_raw_log/` API is affected by a command injection vulnerability. | |||||
| CVE-2022-33326 | 1 Robustel | 2 R1510, R1510 Firmware | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/ajax/config_rollback/` API is affected by a command injection vulnerability. | |||||
| CVE-2022-33325 | 1 Robustel | 2 R1510, R1510 Firmware | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/ajax/clear_tools_log/` API is affected by command injection vulnerability. | |||||
| CVE-2022-33314 | 1 Robustel | 2 R1510, R1510 Firmware | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/action/import_sdk_file/` API is affected by command injection vulnerability. | |||||
| CVE-2022-33313 | 1 Robustel | 2 R1510, R1510 Firmware | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/action/import_https_cert_file/` API is affected by command injection vulnerability. | |||||
| CVE-2022-33312 | 1 Robustel | 2 R1510, R1510 Firmware | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/action/import_cert_file/` API is affected by command injection vulnerability. | |||||
| CVE-2022-33329 | 1 Robustel | 2 R1510, R1510 Firmware | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/ajax/set_sys_time/` API is affected by a command injection vulnerability. | |||||
| CVE-2021-28958 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. | |||||
| CVE-2021-45987 | 1 Tendacn | 4 G1, G1 Firmware, G3 and 1 more | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetNetCheckTools. This vulnerability allows attackers to execute arbitrary commands via the hostName parameter. | |||||
| CVE-2021-39065 | 2 Ibm, Linux | 2 Spectrum Copy Data Management, Linux Kernel | 2022-07-12 | 10.0 HIGH | 9.8 CRITICAL |
| IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the Spectrum Copy Data Management Admin Console login and uploadcertificate function . A remote attacker could inject arbitrary shell commands which would be executed on the affected system. IBM X-Force ID: 214958. | |||||
| CVE-2021-45966 | 1 Pascom | 1 Cloud Phone System | 2022-07-12 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Pascom Cloud Phone System before 7.20.x. In the management REST API, /services/apply in exd.pl allows remote attackers to execute arbitrary code via shell metacharacters. | |||||
| CVE-2021-22502 | 1 Microfocus | 1 Operation Bridge Reporter | 2022-07-12 | 10.0 HIGH | 9.8 CRITICAL |
| Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow Remote Code Execution on the OBR server. | |||||
| CVE-2021-46314 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| A Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetNetworkTomographySettings.php of D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin because backticks can be used for command injection when judging whether it is a reasonable domain name. | |||||
| CVE-2021-26810 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2022-07-12 | 10.0 HIGH | 9.8 CRITICAL |
| D-link DIR-816 A2 v1.10 is affected by a remote code injection vulnerability. An HTTP request parameter can be used in command string construction in the handler function of the /goform/dir_setWanWifi, which can lead to command injection via shell metacharacters in the statuscheckpppoeuser parameter. | |||||
| CVE-2021-34111 | 1 Thecus | 2 N4800eco, N4800eco Firmware | 2022-07-12 | 10.0 HIGH | 9.8 CRITICAL |
| Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php. | |||||
| CVE-2021-23399 | 1 Wincred Project | 1 Wincred | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package wincred. If attacker-controlled user input is given to the getCredential function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. | |||||
| CVE-2021-27692 | 1 Tendacn | 4 G1, G1 Firmware, G3 and 1 more | 2022-07-12 | 10.0 HIGH | 9.8 CRITICAL |
| Command Injection in Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted "action/umountUSBPartition" request. This occurs because the "formSetUSBPartitionUmount" function executes the "doSystemCmd" function with untrusted input. | |||||
| CVE-2021-42897 | 1 Feminer Wms Project | 1 Feminer Wms | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| A remote command execution (RCE) vulnerability was found in FeMiner wms V1.0 in /wms/src/system/datarec.php. The $_POST[r_name] is directly passed into the $mysqlstr and is executed by exec. | |||||
| CVE-2020-25223 | 1 Sophos | 1 Unified Threat Management | 2022-07-12 | 10.0 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11 | |||||
| CVE-2021-36260 | 1 Hikvision | 512 Ds-2cd2021g1-i\(w\), Ds-2cd2021g1-i\(w\) Firmware, Ds-2cd2023g2-i\(u\) and 509 more | 2022-07-12 | 9.3 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands. | |||||
| CVE-2021-45986 | 1 Tendacn | 4 G1, G1 Firmware, G3 and 1 more | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetUSBShareInfo. This vulnerability allows attackers to execute arbitrary commands via the usbOrdinaryUserName parameter. | |||||
| CVE-2021-21809 | 1 Moodle | 1 Moodle | 2022-07-12 | 9.0 HIGH | 9.1 CRITICAL |
| A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities. | |||||
| CVE-2021-27691 | 1 Tendacn | 6 G0, G0 Firmware, G1 and 3 more | 2022-07-12 | 10.0 HIGH | 9.8 CRITICAL |
| Command Injection in Tenda G0 routers with firmware versions v15.11.0.6(9039)_CN and v15.11.0.5(5876)_CN , and Tenda G1 and G3 routers with firmware versions v15.11.0.17(9502)_CN or v15.11.0.16(9024)_CN allows remote attackers to execute arbitrary OS commands via a crafted action/setDebugCfg request. This occurs because the "formSetDebugCfg" function executes glibc's system function with untrusted input. | |||||
| CVE-2014-0156 | 1 Manageiq | 1 Awesomespawn | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Awesome spawn contains OS command injection vulnerability, which allows execution of additional commands passed to Awesome spawn as arguments. If untrusted input was included in command arguments, attacker could use this flaw to execute arbitrary command. | |||||
| CVE-2020-21937 | 1 Motorola | 2 Cx2, Cx2 Firmware | 2022-07-10 | 10.0 HIGH | 9.8 CRITICAL |
| An command injection vulnerability in HNAP1/SetWLanApcliSettings of Motorola CX2 router CX 1.0.2 Build 20190508 Rel.97360n allows attackers to execute arbitrary system commands. | |||||
| CVE-2020-23151 | 1 Rconfig | 1 Rconfig | 2022-07-10 | 7.5 HIGH | 9.8 CRITICAL |
| rConfig 3.9.5 allows command injection by sending a crafted GET request to lib/ajaxHandlers/ajaxArchiveFiles.php since the path parameter is passed directly to the exec function without being escaped. | |||||
| CVE-2020-22724 | 1 Mercury | 4 Mer1200, Mer1200 Firmware, Mer1200g and 1 more | 2022-07-10 | 10.0 HIGH | 9.8 CRITICAL |
| A remote command execution vulnerability exists in add_server_service of PPTP_SERVER in Mercury Router MER1200 v1.0.1 and Mercury Router MER1200G v1.0.1. | |||||
| CVE-2022-31885 | 1 Marvalglobal | 1 Marval Msm | 2022-07-08 | 7.5 HIGH | 9.8 CRITICAL |
| Marval MSM v14.19.0.12476 is vulnerable to OS Command Injection due to the insecure handling of VBScripts. | |||||
| CVE-2022-31767 | 2 Ibm, Linux | 2 Cics Tx, Linux Kernel | 2022-07-05 | 10.0 HIGH | 9.8 CRITICAL |
| IBM CICS TX Standard and Advanced 11.1 could allow a remote attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 227980. | |||||
| CVE-2022-26147 | 1 Quectel | 2 Rg502q-ea, Rg502q-ea Firmware | 2022-06-29 | 10.0 HIGH | 9.8 CRITICAL |
| The Quectel RG502Q-EA modem before 2022-02-23 allow OS Command Injection. | |||||
| CVE-2022-30329 | 1 Trendnet | 2 Tew-831dr, Tew-831dr Firmware | 2022-06-27 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. An OS injection vulnerability exists within the web interface, allowing an attacker with valid credentials to execute arbitrary shell commands. | |||||
| CVE-2022-31795 | 1 Fujitsu | 2 Eternus Cs8000, Eternus Cs8000 Firmware | 2022-06-27 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the grel_finfo function in grel.php. An attacker is able to influence the username (user), password (pw), and file-name (file) parameters and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. | |||||
| CVE-2022-31794 | 1 Fujitsu | 2 Eternus Cs8000, Eternus Cs8000 Firmware | 2022-06-27 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the requestTempFile function in hw_view.php. An attacker is able to influence the unitName POST parameter and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. | |||||
| CVE-2019-5129 | 1 Youphptube | 1 Youphptube Encoder | 2022-06-27 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getSpiritsFromVideo.php is vulnerable to a command injection attack. | |||||
| CVE-2019-5127 | 1 Youphptube | 1 Youphptube Encoder | 2022-06-27 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImage.php is vulnerable to a command injection attack. | |||||
| CVE-2019-5128 | 1 Youphptube | 1 Youphptube Encoder | 2022-06-27 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection have been found in YouPHPTube Encoder. A successful attack could allow an attacker to compromise the server. Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube. The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack. | |||||
| CVE-2019-25065 | 1 Opennetadmin | 1 Opennetadmin | 2022-06-15 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability was found in OpenNetAdmin 18.1.1. It has been rated as critical. Affected by this issue is some unknown functionality. The manipulation leads to privilege escalation. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-1986 | 1 Gogs | 1 Gogs | 2022-06-15 | 7.5 HIGH | 9.8 CRITICAL |
| OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9. | |||||
| CVE-2019-5138 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2022-06-13 | 9.0 HIGH | 9.9 CRITICAL |
| An exploitable command injection vulnerability exists in encrypted diagnostic script functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file can cause arbitrary busybox commands to be executed, resulting in remote control over the device. An attacker can send diagnostic while authenticated as a low privilege user to trigger this vulnerability. | |||||
| CVE-2021-34079 | 1 Docker-tester Project | 1 Docker-tester | 2022-06-09 | 10.0 HIGH | 9.8 CRITICAL |
| OS Command injection vulnerability in Mintzo Docker-Tester through 1.2.1 allows attackers to execute arbitrary commands via shell metacharacters in the 'ports' entry of a crafted docker-compose.yml file. | |||||
| CVE-2021-34080 | 1 Ssl-utils Project | 1 Ssl-utils | 2022-06-09 | 10.0 HIGH | 9.8 CRITICAL |
| OS Command Injection vulnerability in es128 ssl-utils 1.0.0 for Node.js allows attackers to execute arbitrary commands via unsanitized shell metacharacters provided to the createCertRequest() and the createCert() functions. | |||||
| CVE-2021-34082 | 1 Proctree Project | 1 Proctree | 2022-06-09 | 10.0 HIGH | 9.8 CRITICAL |
| OS Command Injection vulnerability in allenhwkim proctree through 0.1.1 and commit 0ac10ae575459457838f14e21d5996f2fa5c7593 for Node.js, allows attackers to execute arbitrary commands via the fix function. | |||||
| CVE-2021-34084 | 1 S3-uploader Project | 1 S3-uploader | 2022-06-09 | 10.0 HIGH | 9.8 CRITICAL |
| OS command injection vulnerability in Turistforeningen node-s3-uploader through 2.0.3 for Node.js allows attackers to execute arbitrary commands via the metadata() function. | |||||
| CVE-2021-42872 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2022-06-09 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK EX1200T V4.1.2cu.5215 is affected by a command injection vulnerability that can remotely execute arbitrary code. | |||||
| CVE-2022-20797 | 1 Cisco | 1 Secure Network Analytics | 2022-06-09 | 9.0 HIGH | 9.1 CRITICAL |
| A vulnerability in the web-based management interface of Cisco Secure Network Analytics, formerly Cisco Stealthwatch Enterprise, could allow an authenticated, remote attacker to execute arbitrary commands as an administrator on the underlying operating system. This vulnerability is due to insufficient user input validation by the web-based management interface of the affected software. An attacker could exploit this vulnerability by injecting arbitrary commands in the web-based management interface. A successful exploit could allow the attacker to make configuration changes on the affected device or cause certain services to restart unexpectedly. | |||||
| CVE-2020-7645 | 1 Google | 1 Chrome-launcher | 2022-06-08 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems. | |||||
| CVE-2019-5029 | 1 Exhibitor Project | 1 Exhibitor | 2022-06-07 | 10.0 HIGH | 9.8 CRITICAL |
| An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process. | |||||
| CVE-2022-1360 | 1 Cambiumnetworks | 1 Cnmaestro | 2022-06-06 | 7.5 HIGH | 9.8 CRITICAL |
| The affected On-Premise cnMaestro is vulnerable to execution of code on the cnMaestro hosting server. This could allow a remote attacker to change server configuration settings. | |||||