Search
Total
472 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-1298 | 1 Cisco | 12 Sd-wan Firmware, Sd-wan Vbond Orchestrator, Sd-wan Vmanage and 9 more | 2021-01-27 | 9.0 HIGH | 8.8 HIGH |
| Multiple vulnerabilities in Cisco SD-WAN products could allow an authenticated attacker to perform command injection attacks against an affected device, which could allow the attacker to take certain actions with root privileges on the device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2020-4688 | 2 Ibm, Linux | 2 Security Guardium, Linux Kernel | 2021-01-22 | 7.2 HIGH | 7.8 HIGH |
| IBM Security Guardium 10.6 and 11.2 could allow a local attacker to execute arbitrary commands on the system as an unprivileged user, caused by command injection vulnerability. IBM X-Force ID: 186700. | |||||
| CVE-2021-1146 | 1 Cisco | 9 Application Extension Platform, Rv110w, Rv110w Firmware and 6 more | 2021-01-19 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. Cisco has not released software updates that address these vulnerabilities. | |||||
| CVE-2020-14102 | 1 Mi | 4 Ax1800, Ax1800 Firmware, Rm1800 and 1 more | 2021-01-19 | 9.0 HIGH | 7.2 HIGH |
| There is command injection when ddns processes the hostname, which causes the administrator user to obtain the root privilege of the router. This affects Xiaomi router AX1800rom version < 1.0.336 and Xiaomi route RM1800 root version < 1.0.26. | |||||
| CVE-2021-1149 | 1 Cisco | 9 Application Extension Platform, Rv110w, Rv110w Firmware and 6 more | 2021-01-15 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. Cisco has not released software updates that address these vulnerabilities. | |||||
| CVE-2021-1150 | 1 Cisco | 9 Application Extension Platform, Rv110w, Rv110w Firmware and 6 more | 2021-01-15 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. Cisco has not released software updates that address these vulnerabilities. | |||||
| CVE-2021-1148 | 1 Cisco | 9 Application Extension Platform, Rv110w, Rv110w Firmware and 6 more | 2021-01-15 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. Cisco has not released software updates that address these vulnerabilities. | |||||
| CVE-2021-1147 | 1 Cisco | 9 Application Extension Platform, Rv110w, Rv110w Firmware and 6 more | 2021-01-15 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device. Cisco has not released software updates that address these vulnerabilities. | |||||
| CVE-2020-2508 | 1 Qnap | 2 Qts, Quts Hero | 2021-01-14 | 6.5 MEDIUM | 7.2 HIGH |
| A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.1.1456 build 20201015 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later) | |||||
| CVE-2020-17503 | 1 Barco | 5 Transform N, Transform Ndn-210 Lite, Transform Ndn-210 Pro and 2 more | 2021-01-14 | 6.5 MEDIUM | 7.2 HIGH |
| The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameter "locking" is not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards. | |||||
| CVE-2020-17504 | 1 Barco | 5 Transform N, Transform Ndn-210 Lite, Transform Ndn-210 Pro and 2 more | 2021-01-14 | 6.5 MEDIUM | 7.2 HIGH |
| The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users to the administration panel to perform authenticated remote code execution. An issue exists in ngpsystemcmd.php in which the http parameters "x_modules" and "y_modules" are not properly handled. The NDN-210 is part of Barco TransForm N solution and this vulnerability is patched from TransForm N version 3.8 onwards. | |||||
| CVE-2020-17502 | 1 Barco | 5 Transform N, Transform Ndn-210 Lite, Transform Ndn-210 Pro and 2 more | 2021-01-13 | 6.5 MEDIUM | 7.2 HIGH |
| Barco TransForm N before 3.8 allows Command Injection (issue 2 of 4). The NDN-210 has a web administration panel which is made available over https. There is a command injection issue that will allow authenticated users of the administration panel to perform authenticated remote code execution. An issue exists in split_card_cmd.php in which the http parameters xmodules, ymodules and savelocking are not properly handled. The NDN-210 is part of Barco TransForm N solution and includes the patch from TransForm N version 3.8 onwards. | |||||
| CVE-2018-19418 | 2 Foxitsoftware, Microsoft | 2 Pdf Activex, Windows | 2021-01-13 | 9.3 HIGH | 7.8 HIGH |
| Foxit PDF ActiveX before 5.5.1 allows remote code execution via command injection because of the lack of a security permission control. | |||||
| CVE-2020-29299 | 1 Zyxel | 7 Atp, Nsg, Nsg Firmware and 4 more | 2021-01-05 | 9.0 HIGH | 7.2 HIGH |
| Certain Zyxel products allow command injection by an admin via an input string to chg_exp_pwd during a password-change action. This affects VPN On-premise before ZLD V4.39 week38, VPN Orchestrator before SD-OS V10.03 week32, USG before ZLD V4.39 week38, USG FLEX before ZLD V4.55 week38, ATP before ZLD V4.55 week38, and NSG before 1.33 patch 4. | |||||
| CVE-2020-35798 | 1 Netgear | 60 R6400v2, R6400v2 Firmware, R6700v3 and 57 more | 2021-01-04 | 7.2 HIGH | 7.8 HIGH |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects R6400v2 before 1.0.4.84, R6700v3 before 1.0.4.84, R6900P before 1.3.2.124, R7000 before 1.0.11.100, R7000P before 1.3.2.124, R7800 before 1.0.2.74, R7850 before 1.0.5.60, R7900 before 1.0.4.26, R7960P before 1.4.1.50, R8000 before 1.0.4.52, R7900P before 1.4.1.50, R8000P before 1.4.1.50, RAX15 before 1.0.1.64, RAX20 before 1.0.1.64, RAX200 before 1.0.1.12, RAX45 before 1.0.2.66, RAX50 before 1.0.2.66, RAX75 before 1.0.3.102, RAX80 before 1.0.3.102, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before 3.2.15.25, RBR850 before 3.2.15.25, RBS850 before 3.2.15.25, RBK842 before 3.2.15.25, RBR840 before 3.2.15.25, RBS840 before 3.2.15.25, RS400 before 1.5.0.48, and XR300 before 1.0.3.50. | |||||
| CVE-2020-35777 | 1 Netgear | 2 Dgn2200v1, Dgn2200v1 Firmware | 2020-12-30 | 7.7 HIGH | 8.4 HIGH |
| NETGEAR DGN2200v1 devices before v1.0.0.58 are affected by command injection. | |||||
| CVE-2020-25847 | 1 Qnap | 2 Qts, Quts Hero | 2020-12-30 | 6.5 MEDIUM | 8.8 HIGH |
| This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS hero. | |||||
| CVE-2020-9116 | 1 Huawei | 1 Fusioncompute | 2020-12-02 | 6.5 MEDIUM | 7.2 HIGH |
| Huawei FusionCompute versions 6.5.1 and 8.0.0 have a command injection vulnerability. An authenticated, remote attacker can craft specific request to exploit this vulnerability. Due to insufficient verification, this could be exploited to cause the attackers to obtain higher privilege. | |||||
| CVE-2020-2490 | 1 Qnap | 1 Qts | 2020-11-30 | 6.5 MEDIUM | 7.2 HIGH |
| If exploited, the command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. QTS versions prior to 4.4.3.1421 on build 20200907. | |||||
| CVE-2020-2492 | 1 Qnap | 1 Qts | 2020-11-30 | 6.5 MEDIUM | 7.2 HIGH |
| If exploited, the command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. QTS versions prior to 4.4.3.1421 on build 20200907. | |||||
| CVE-2020-4636 | 2 Ibm, Linux | 2 Resilient Security Orchestration Automation And Response, Linux Kernel | 2020-10-19 | 6.5 MEDIUM | 7.2 HIGH |
| IBM Resilient OnPrem 38.2 could allow a privileged user to inject malicious commands through Python3 scripting. IBM X-Force ID: 185503. | |||||
| CVE-2020-26902 | 1 Netgear | 12 Rbk752, Rbk752 Firmware, Rbk852 and 9 more | 2020-10-16 | 8.3 HIGH | 8.8 HIGH |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK752 before 3.2.15.25, RBR750 before 3.2.15.25, RBS750 before 3.2.15.25, RBK852 before 3.2.15.25, RBR850 before 3.2.15.25, and RBS850 before 3.2.15.25. | |||||
| CVE-2020-26920 | 1 Netgear | 6 Srk60, Srk60 Firmware, Srr60 and 3 more | 2020-10-16 | 5.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects SRK60 before 2.5.3.110, SRR60 before 2.5.3.110, and SRS60 before 2.5.3.110. | |||||
| CVE-2020-26907 | 1 Netgear | 6 Rbk852, Rbk852 Firmware, Rbr850 and 3 more | 2020-10-16 | 7.7 HIGH | 8.8 HIGH |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, and RBS850 before 3.2.16.6. | |||||
| CVE-2020-26909 | 1 Netgear | 4 D7800, D7800 Firmware, R7500v2 and 1 more | 2020-10-16 | 8.3 HIGH | 8.8 HIGH |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D7800 before 1.0.1.58 and R7500v2 before 1.0.3.48. | |||||
| CVE-2020-26914 | 1 Netgear | 28 D6200, D6200 Firmware, D7000 and 25 more | 2020-10-16 | 5.2 MEDIUM | 7.1 HIGH |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D6200 before 1.1.00.38, D7000 before 1.0.1.78, JR6150 before 1.0.1.24, R6020 before 1.0.0.42, R6050 before 1.0.1.24, R6080 before 1.0.0.42, R6120 before 1.0.0.66, R6220 before 1.1.0.100, R6260 before 1.1.0.64, R6700v2 before 1.2.0.62, R6800 before 1.2.0.62, R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, and WNR2020 before 1.1.0.62. | |||||
| CVE-2020-26929 | 1 Netgear | 4 R6220, R6220 Firmware, R6230 and 1 more | 2020-10-16 | 5.2 MEDIUM | 8.0 HIGH |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6220 before 1.1.0.100 and R6230 before 1.1.0.100. | |||||
| CVE-2019-14868 | 3 Apple, Debian, Ksh Project | 3 Mac Os X, Debian Linux, Ksh | 2020-10-09 | 7.2 HIGH | 7.8 HIGH |
| In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely. | |||||
| CVE-2019-15575 | 1 Gitlab | 1 Gitlab | 2020-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| A command injection exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed an attacker to inject commands via the API through the blobs scope. | |||||
| CVE-2019-6739 | 1 Malwarebytes | 1 Antimalware | 2020-10-06 | 6.8 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Malwarebytes Antimalware 3.6.1.2711. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page. There is an issue with the way the product handles URIs within certain schemes. The product does not warn the user that a dangerous navigation is about to take place. Because special characters in the URI are not sanitized, this could lead to the execution of arbitrary commands. An attacker can leverage this vulnerability to execute code in the context of the current user at medium integrity. Was ZDI-CAN-7162. | |||||
| CVE-2019-1646 | 1 Cisco | 12 Sd-wan, Vbond Orchestrator, Vedge 100 and 9 more | 2020-10-05 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the local CLI of the Cisco SD-WAN Solution could allow an authenticated, local attacker to escalate privileges and modify device configuration files. The vulnerability exists because user input is not properly sanitized for certain commands at the CLI. An attacker could exploit this vulnerability by sending crafted commands to the CLI of an affected device. A successful exploit could allow the attacker to establish an interactive session with elevated privileges. The attacker could then use the elevated privileges to further compromise the device or obtain additional configuration data from the device. | |||||
| CVE-2016-7076 | 1 Sudo Project | 1 Sudo | 2020-09-30 | 7.2 HIGH | 7.8 HIGH |
| sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges. | |||||
| CVE-2019-0541 | 1 Microsoft | 13 Excel Viewer, Internet Explorer, Office and 10 more | 2020-09-28 | 9.3 HIGH | 8.8 HIGH |
| A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input, aka "MSHTML Engine Remote Code Execution Vulnerability." This affects Microsoft Office, Microsoft Office Word Viewer, Internet Explorer 9, Internet Explorer 11, Microsoft Excel Viewer, Internet Explorer 10, Office 365 ProPlus. | |||||
| CVE-2019-20659 | 1 Netgear | 8 R6400, R6400 Firmware, R6700 and 5 more | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6400v2 before 1.0.4.84, R6700 before 1.0.2.8, R6700v3 before 1.0.4.84, R6900 before 1.0.2.8, and R7900 before 1.0.3.10. | |||||
| CVE-2019-18647 | 1 Untangle | 1 Ng Firewall | 2020-08-24 | 9.0 HIGH | 7.2 HIGH |
| The Untangle NG firewall 14.2.0 is vulnerable to an authenticated command injection when logged in as an admin user. | |||||
| CVE-2019-16305 | 2 Microsoft, Mobatek | 2 Windows, Mobaxterm | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to command injection. A crafted link can trigger a popup asking whether the user wants to run MobaXterm to handle the link. If accepted, another popup appears asking for further confirmation. If this is also accepted, command execution is achieved, as demonstrated by the MobaXterm://`calc` URI. | |||||
| CVE-2019-15051 | 1 Softing | 6 Uagate 840d, Uagate 840d Firmware, Uagate Mb and 3 more | 2020-08-24 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in Softing uaGate (SI, MB, 840D) firmware through 1.71.00.1225. A CGI script is vulnerable to command injection via a maliciously crafted form parameter. | |||||
| CVE-2018-19911 | 1 Freeswitch | 1 Freeswitch | 2020-08-24 | 7.6 HIGH | 7.5 HIGH |
| FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used. | |||||
| CVE-2018-19031 | 1 360 | 10 Safe Router P0, Safe Router P0 Firmware, Safe Router P1 and 7 more | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A command injection vulnerability exists when the authorized user passes crafted parameter to background process in the router. This affects 360 router series products (360 Safe Router P0,P1,P2,P3,P4), the affected version is V2.0.61.58897. | |||||
| CVE-2019-6986 | 1 Duraspace | 1 Vitro | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to execute arbitrary SPARQL via the uri parameter, leading to a regular expression denial of service (ReDoS), as demonstrated by crafted use of FILTER%20regex in a /individual?uri= request. | |||||
| CVE-2019-10640 | 1 Gitlab | 1 Gitlab | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in GitLab Community and Enterprise Edition before 11.7.10, 11.8.x before 11.8.6, and 11.9.x before 11.9.4. A regex input validation issue for the .gitlab-ci.yml refs value allows Uncontrolled Resource Consumption. | |||||
| CVE-2018-16417 | 2 Arubanetworks, Siemens | 3 Instant, W1750d, W1750d Firmware | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Aruba Instant 4.x prior to 6.4.4.8-4.2.4.12, 6.5.x prior to 6.5.4.11, 8.3.x prior to 8.3.0.6, and 8.4.x prior to 8.4.0.1 allows Command injection. | |||||
| CVE-2018-14893 | 1 Zyxel | 2 Nsa325 V2, Nsa325 V2 Firmware | 2020-08-24 | 9.0 HIGH | 8.8 HIGH |
| A system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API. | |||||
| CVE-2019-5323 | 1 Arubanetworks | 1 Airwave | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| There are command injection vulnerabilities present in the AirWave application. Certain input fields controlled by an administrative user are not properly sanitized before being parsed by AirWave. If conditions are met, an attacker can obtain command execution on the host. | |||||
| CVE-2019-3421 | 1 Ztw | 2 Zx297520v3, Zx297520v3 Firmware | 2020-08-24 | 7.7 HIGH | 8.0 HIGH |
| The 7520V3V1.0.0B09P27 version, and all earlier versions of ZTE product ZX297520V3 are impacted by a Command Injection vulnerability. Unauthorized users can exploit this vulnerability to control the user terminal system. | |||||
| CVE-2019-20655 | 1 Netgear | 4 Xr500, Xr500 Firmware, Xr700 and 1 more | 2020-08-24 | 4.6 MEDIUM | 7.8 HIGH |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects XR500 before 2.3.2.56 and XR700 before 1.0.1.20. | |||||
| CVE-2019-15010 | 1 Atlassian | 1 Bitbucket | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance. | |||||
| CVE-2017-2718 | 1 Huawei | 1 Fusionsphere Openstack | 2020-07-28 | 8.3 HIGH | 8.8 HIGH |
| FusionSphere OpenStack with software V100R006C00 and V100R006C10RC2 has two command injection vulnerabilities due to the insufficient input validation on one port. An attacker can exploit the vulnerabilities to gain root privileges by sending some messages with malicious commands. | |||||
| CVE-2017-1407 | 1 Ibm | 3 Security Identity Governance And Intelligence, Security Identity Manager, Security Privileged Identity Manager | 2020-07-20 | 9.0 HIGH | 8.8 HIGH |
| IBM Security Identity Manager Virtual Appliance 6.0 and 7.0 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 127394. | |||||
| CVE-2020-4059 | 1 Mversion Project | 1 Mversion | 2020-06-29 | 7.5 HIGH | 7.3 HIGH |
| In mversion before 2.0.0, there is a command injection vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This vulnerability is patched by version 2.0.0. Previous releases are deprecated in npm. As a workaround, make sure to escape git commit messages when using the commitMessage option for the update function. | |||||