Search
Total
472 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25217 | 1 Grandstream | 14 Grp2612, Grp2612 Firmware, Grp2612p and 11 more | 2022-07-10 | 9.0 HIGH | 7.2 HIGH |
| Grandstream GRP261x VoIP phone running firmware version 1.0.3.6 (Base) allows Command Injection as root in its administrative web interface. | |||||
| CVE-2020-10580 | 1 Invigo | 1 Automatic Device Management | 2022-07-10 | 6.5 MEDIUM | 8.8 HIGH |
| A command injection on the /admin/broadcast.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote authenticated attackers to execute arbitrary PHP code on the server as the user running the application. | |||||
| CVE-2020-18885 | 1 Phpmywind | 1 Phpmywind | 2022-07-10 | 6.5 MEDIUM | 7.2 HIGH |
| Command Injection in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the "text color" field of the component '/admin/web_config.php'. | |||||
| CVE-2022-32154 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2022-06-24 | 4.0 MEDIUM | 8.1 HIGH |
| Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will. | |||||
| CVE-2020-36529 | 1 Ibm | 1 Sevone Network Performance Management | 2022-06-14 | 8.5 HIGH | 8.8 HIGH |
| A vulnerability classified as critical has been found in SevOne Network Management System up to 5.7.2.22. This affects the file traceroute.php of the Traceroute Handler. The manipulation leads to privilege escalation with a command injection. It is possible to initiate the attack remotely. | |||||
| CVE-2021-23727 | 2 Celeryproject, Fedoraproject | 3 Celery, Extra Packages For Enterprise Linux, Fedora | 2022-06-14 | 6.0 MEDIUM | 7.5 HIGH |
| This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system. | |||||
| CVE-2019-9972 | 2 3cx, Debian | 3 Phone System, Phone System Firmware, Debian Linux | 2022-06-14 | 9.0 HIGH | 8.8 HIGH |
| PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an authenticated attacker to run arbitrary commands with the phonesystem user privileges because of "<space><space> followed by <shift><enter>" mishandling. | |||||
| CVE-2017-2832 | 1 Foscam | 2 C1, C1 Firmware | 2022-06-07 | 9.0 HIGH | 7.2 HIGH |
| An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during a password change resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability. | |||||
| CVE-2017-2833 | 1 Foscam | 2 C1, C1 Firmware | 2022-06-07 | 8.5 HIGH | 7.5 HIGH |
| An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters resulting in command injection during the boot process. To trigger this vulnerability, an attacker needs to send an HTTP request and reboot the device. | |||||
| CVE-2022-29184 | 1 Thoughtworks | 1 Gocd | 2022-06-06 | 6.5 MEDIUM | 8.8 HIGH |
| GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where "pipelines-as-code" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image. | |||||
| CVE-2021-25150 | 2 Arubanetworks, Siemens | 3 Instant, Scalance W1750d, Scalance W1750d Firmware | 2022-06-04 | 9.0 HIGH | 8.8 HIGH |
| A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.4 and below. Aruba has released patches for Aruba Instant that address this security vulnerability. | |||||
| CVE-2021-25146 | 2 Arubanetworks, Siemens | 3 Instant, Scalance W1750d, Scalance W1750d Firmware | 2022-06-04 | 9.0 HIGH | 7.2 HIGH |
| A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability. | |||||
| CVE-2021-23326 | 1 The-guild | 1 Graphql-tools | 2022-05-27 | 7.5 HIGH | 8.8 HIGH |
| This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection. | |||||
| CVE-2021-28927 | 2 Libretro, Microsoft | 2 Retroarch, Windows | 2022-05-27 | 4.6 MEDIUM | 7.8 HIGH |
| The text-to-speech engine in libretro RetroArch for Windows 1.9.0 passes unsanitized input to PowerShell through platform_win32.c via the accessibility_speak_windows function, which allows attackers who have write access on filesystems that are used by RetroArch to execute code via command injection using specially a crafted file and directory names. | |||||
| CVE-2022-24394 | 1 Fidelissecurity | 2 Deception, Network | 2022-05-26 | 9.0 HIGH | 8.8 HIGH |
| Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “update_checkfile” value for the “filename” parameter. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response via an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability. | |||||
| CVE-2022-24393 | 1 Fidelissecurity | 2 Deception, Network | 2022-05-26 | 9.0 HIGH | 8.8 HIGH |
| Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “check_vertica_upgrade” value for the “cpIp” parameter. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response via an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability. | |||||
| CVE-2022-24392 | 1 Fidelissecurity | 2 Deception, Network | 2022-05-26 | 9.0 HIGH | 8.8 HIGH |
| Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “feed_comm_test” value for the “feed” parameter. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response via an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability. | |||||
| CVE-2022-24390 | 1 Fidelissecurity | 2 Deception, Network | 2022-05-26 | 6.5 MEDIUM | 8.8 HIGH |
| Vulnerability in rconfig “remote_text_file” enables an attacker with user level access to the CLI to inject user level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability. | |||||
| CVE-2022-24389 | 1 Fidelissecurity | 2 Deception, Network | 2022-05-26 | 9.0 HIGH | 8.8 HIGH |
| Vulnerability in rconfig “cert_utils” enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability. | |||||
| CVE-2022-24388 | 1 Fidelissecurity | 2 Deception, Network | 2022-05-26 | 9.0 HIGH | 8.8 HIGH |
| Vulnerability in rconfig “date” enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability. | |||||
| CVE-2022-27224 | 1 Galsys | 2 Nts-6002-gps, Nts-6002-gps Firmware | 2022-05-23 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in Galleon NTS-6002-GPS 4.14.103-Galleon-NTS-6002.V12 4. An authenticated attacker can perform command injection as root via shell metacharacters within the Network Tools section of the web-management interface. All three networking tools are affected (Ping, Traceroute, and DNS Lookup) and their respective input fields (ping_address, trace_address, nslookup_address). | |||||
| CVE-2022-27806 | 1 F5 | 4 Big-ip Access Policy Manager, Big-ip Advanced Web Application Firewall, Big-ip Application Security Manager and 1 more | 2022-05-13 | 6.0 MEDIUM | 7.2 HIGH |
| On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing command injection vulnerabilities in undisclosed URIs in F5 BIG-IP Guided Configuration. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2021-43160 | 1 Ruijienetworks | 6 Reyeeos, Rg-ew1200, Rg-ew1200g Pro and 3 more | 2022-05-12 | 6.5 MEDIUM | 8.8 HIGH |
| A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the switchFastDhcp function in /cgi-bin/luci/api/diagnose. | |||||
| CVE-2021-43161 | 1 Ruijienetworks | 6 Reyeeos, Rg-ew1200, Rg-ew1200g Pro and 3 more | 2022-05-12 | 6.5 MEDIUM | 8.8 HIGH |
| A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the doSwitchApi function in /cgi-bin/luci/api/switch. | |||||
| CVE-2021-43162 | 1 Ruijienetworks | 6 Reyeeos, Rg-ew1200, Rg-ew1200g Pro and 3 more | 2022-05-12 | 6.5 MEDIUM | 8.8 HIGH |
| A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the runPackDiagnose function in /cgi-bin/luci/api/diagnose. | |||||
| CVE-2021-43159 | 1 Ruijienetworks | 6 Reyeeos, Rg-ew1200, Rg-ew1200g Pro and 3 more | 2022-05-12 | 6.5 MEDIUM | 8.8 HIGH |
| A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the setSessionTime function in /cgi-bin/luci/api/common.. | |||||
| CVE-2021-0253 | 1 Juniper | 4 Junos, Nfx150, Nfx250 and 1 more | 2022-05-12 | 4.6 MEDIUM | 7.8 HIGH |
| NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby allowing an attacker to elevate their privileges via the Junos Device Management Daemon (JDMD) process. This issue affects Juniper Networks Junos OS on NFX Series 17.2 version 17.2R1 and later versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R2-S5, 18.4R3-S5; 19.1 versions prior to 19.1R1-S3; 19.2 version 19.1R2 and later versions prior to 19.2R3; 19.3 versions prior to 19.3R3; 19.4 versions prior to 19.4R2-S2. 19.4 versions 19.4R3 and above. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R1. This issue does not affect the JDMD as used by Junos Node Slicing such as External Servers use in conjunction with Junos Node Slicing and In-Chassis Junos Node Slicing on MX480, MX960, MX2008, MX2010, MX2020. | |||||
| CVE-2021-0252 | 1 Juniper | 4 Junos, Nfx150, Nfx250 and 1 more | 2022-05-12 | 4.6 MEDIUM | 7.8 HIGH |
| NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allowing an attacker to elevate their privileges via the Junos Device Management Daemon (JDMD) process. This issue affects Juniper Networks Junos OS on NFX Series: 18.1 version 18.1R1 and later versions prior to 18.2R3-S5; 18.3 versions prior to 18.3R2-S4, 18.3R3-S3; 18.4 versions prior to 18.4R2-S5, 18.4R3-S4; 19.1 versions prior to 19.1R1-S3, 19.1R2; 19.2 versions prior to 19.2R1-S5, 19.2R2. This issue does not affect: Juniper Networks Junos OS versions prior to 18.1R1. This issue does not affect the JDMD as used by Junos Node Slicing such as External Servers use in conjunction with Junos Node Slicing and In-Chassis Junos Node Slicing on MX480, MX960, MX2008, MX2010, MX2020. | |||||
| CVE-2021-34592 | 1 Bender | 4 Cc612, Cc612 Firmware, Cc613 and 1 more | 2022-05-12 | 6.5 MEDIUM | 8.8 HIGH |
| In Bender/ebee Charge Controllers in multiple versions are prone to Command injection via Web interface. An authenticated attacker could enter shell commands into some input fields. | |||||
| CVE-2022-20799 | 1 Cisco | 8 Rv340, Rv340 Firmware, Rv340w and 5 more | 2022-05-11 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system of the affected device. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device. | |||||
| CVE-2022-20801 | 1 Cisco | 8 Rv340, Rv340 Firmware, Rv340w and 5 more | 2022-05-11 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system of the affected device. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device. | |||||
| CVE-2021-31854 | 1 Mcafee | 1 Agent | 2022-05-10 | 9.3 HIGH | 7.8 HIGH |
| A command Injection Vulnerability in McAfee Agent (MA) for Windows prior to 5.7.5 allows local users to inject arbitrary shell code into the file cleanup.exe. The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges. | |||||
| CVE-2021-37106 | 1 Huawei | 1 Fusioncompute | 2022-05-03 | 9.0 HIGH | 7.2 HIGH |
| There is a command injection vulnerability in CMA service module of FusionCompute 6.3.0, 6.3.1, 6.5.0 and 8.0.0 when processing the default certificate file. The software constructs part of a command using external special input from users, but the software does not sufficiently validate the user input. Successful exploit could allow the attacker to inject certain commands to the system. | |||||
| CVE-2020-10514 | 1 Icatchinc | 1 Dvr Firmware | 2022-05-03 | 6.5 MEDIUM | 8.8 HIGH |
| iCatch DVR firmware before 20200103 do not validate function parameter properly, resulting attackers executing arbitrary command. | |||||
| CVE-2021-1560 | 1 Cisco | 1 Dna Spaces\ | 2022-04-26 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, remote attacker to perform a command injection attack on an affected device. These vulnerabilities are due to insufficient input sanitization when executing affected commands. A high-privileged attacker could exploit these vulnerabilities on a Cisco DNA Spaces Connector by injecting crafted input during command execution. A successful exploit could allow the attacker to execute arbitrary commands as root within the Connector docker container. | |||||
| CVE-2021-20991 | 1 Fibaro | 4 Home Center 2, Home Center 2 Firmware, Home Center Lite and 1 more | 2022-04-26 | 9.0 HIGH | 8.8 HIGH |
| In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older an authenticated user can run commands as root user using a command injection vulnerability. | |||||
| CVE-2021-1580 | 1 Cisco | 2 Application Policy Infrastructure Controller, Cloud Application Policy Infrastructure Controller | 2022-04-26 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the web UI and API endpoints of Cisco Application Policy Infrastructure Controller (APIC) or Cisco Cloud APIC could allow a remote attacker to perform a command injection or file upload attack on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2022-21668 | 2 Fedoraproject, Pypa | 2 Fedora, Pipenv | 2022-04-25 | 9.3 HIGH | 8.6 HIGH |
| pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability. | |||||
| CVE-2021-34362 | 1 Qnap | 3 Media Streaming Add-on, Qts, Quts Hero | 2022-04-25 | 6.5 MEDIUM | 7.2 HIGH |
| A command injection vulnerability has been reported to affect QNAP device running Media Streaming add-on. If exploited, this vulnerability allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of Media Streaming add-on: QTS 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later QTS 4.5.4: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later QTS 4.3.6: Media Streaming add-on 430.1.8.12 ( 2021/08/20 ) and later QTS 4.3.3: Media Streaming add-on 430.1.8.12 ( 2021/09/29 ) and later QuTS-Hero 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later | |||||
| CVE-2021-36024 | 1 Adobe | 2 Adobe Commerce, Magento Open Source | 2022-04-25 | 6.5 MEDIUM | 7.2 HIGH |
| Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution. | |||||
| CVE-2021-25162 | 2 Arubanetworks, Siemens | 3 Instant, Scalance W1750d, Scalance W1750d Firmware | 2022-04-22 | 9.3 HIGH | 8.1 HIGH |
| A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below. Aruba has released patches for Aruba Instant that address this security vulnerability. | |||||
| CVE-2021-41552 | 1 Commscope | 10 Arris Surfboard Sbg10, Arris Surfboard Sbg10 Firmware, Arris Surfboard Sbg6950ac2 and 7 more | 2022-02-23 | 5.8 MEDIUM | 8.8 HIGH |
| CommScope SURFboard SBG6950AC2 9.1.103AA23 devices allow Command Injection. | |||||
| CVE-2019-16864 | 2 Enterprisedt, Microsoft | 2 Completeftp Server, Windows | 2022-02-23 | 8.5 HIGH | 8.8 HIGH |
| CompleteFTPService.exe in the server in EnterpriseDT CompleteFTP before 12.1.4 allows Remote Code Execution by leveraging a Windows user account that has SSH access. The exec command is always run as SYSTEM. | |||||
| CVE-2021-37723 | 2 Arubanetworks, Siemens | 3 Arubaos, Scalance W1750d, Scalance W1750d Firmware | 2022-02-11 | 9.0 HIGH | 7.2 HIGH |
| A remote arbitrary command execution vulnerability was discovered in Aruba Operating System Software version(s): Prior to 8.7.1.2, 8.6.0.8, 8.5.0.12, 8.3.0.16. Aruba has released patches for ArubaOS that address this security vulnerability. | |||||
| CVE-2021-37724 | 2 Arubanetworks, Siemens | 3 Arubaos, Scalance W1750d, Scalance W1750d Firmware | 2022-02-11 | 9.0 HIGH | 7.2 HIGH |
| A remote arbitrary command execution vulnerability was discovered in Aruba Operating System Software version(s): Prior to 8.7.1.2, 8.6.0.8, 8.5.0.12, 8.3.0.16. Aruba has released patches for ArubaOS that address this security vulnerability. | |||||
| CVE-2019-11853 | 1 Sierrawireless | 9 Airlink Es450, Airlink Gx450, Airlink Lx40 and 6 more | 2022-02-09 | 6.5 MEDIUM | 7.2 HIGH |
| Several potential command injections vulnerabilities exist in the AT command interface of ALEOS before 4.11.0, and 4.9.4. | |||||
| CVE-2021-32849 | 1 Gerapy | 1 Gerapy | 2022-02-02 | 9.0 HIGH | 8.8 HIGH |
| Gerapy is a distributed crawler management framework. Prior to version 0.9.9, an authenticated user could execute arbitrary commands. This issue is fixed in version 0.9.9. There are no known workarounds. | |||||
| CVE-2021-42638 | 3 Apple, Linux, Printerlogic | 3 Macos, Linux Kernel, Web Stack | 2022-02-02 | 9.3 HIGH | 8.1 HIGH |
| PrinterLogic Web Stack versions 19.1.1.13 SP9 and below do not sanitize user input resulting in pre-auth remote code execution. | |||||
| CVE-2021-33964 | 1 Chinamobile | 2 An Lianbao Wf-1, An Lianbao Wf-1 Firmware | 2022-01-24 | 6.5 MEDIUM | 8.8 HIGH |
| China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRRuleFilter/set_firewall_level which receives parameters by POST request, and the parameter firewall_level has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands. | |||||
| CVE-2021-33965 | 1 Chinamobile | 2 An Lianbao Wf-1, An Lianbao Wf-1 Firmware | 2022-01-24 | 6.5 MEDIUM | 8.8 HIGH |
| China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRMesh/set_ZRMesh which receives parameters by POST request, and the parameter mesh_enable and mesh_device have a command injection vulnerability. An attacker can use the vulnerability to execute remote commands. | |||||