Search
Total
1052 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-38372 | 1 Kde | 1 Trojita | 2021-08-20 | 4.3 MEDIUM | 3.7 LOW |
| In KDE Trojita 0.7, man-in-the-middle attackers can create new folders because untagged responses from an IMAP server are accepted before STARTTLS. | |||||
| CVE-2021-38527 | 1 Netgear | 68 Cbr40, Cbr40 Firmware, Ex6100 and 65 more | 2021-08-19 | 10.0 HIGH | 9.8 CRITICAL |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR40 before 2.5.0.14, EX6100v2 before 1.0.1.98, EX6150v2 before 1.0.1.98, EX6250 before 1.0.0.132, EX6400 before 1.0.2.158, EX6400v2 before 1.0.0.132, EX6410 before 1.0.0.132, EX6420 before 1.0.0.132, EX7300 before 1.0.2.158, EX7300v2 before 1.0.0.132, EX7320 before 1.0.0.132, EX7700 before 1.0.0.216, EX8000 before 1.0.1.232, R7800 before 1.0.2.78, RBK12 before 2.6.1.44, RBR10 before 2.6.1.44, RBS10 before 2.6.1.44, RBK20 before 2.6.1.38, RBR20 before 2.6.1.36, RBS20 before 2.6.1.38, RBK40 before 2.6.1.38, RBR40 before 2.6.1.36, RBS40 before 2.6.1.38, RBK50 before 2.6.1.40, RBR50 before 2.6.1.40, RBS50 before 2.6.1.40, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, RBS850 before 3.2.16.6, RBS40V before 2.6.2.4, RBS50Y before 2.6.1.40, RBW30 before 2.6.2.2, and XR500 before 2.3.2.114. | |||||
| CVE-2021-38530 | 1 Netgear | 20 Rbk20, Rbk20 Firmware, Rbk40 and 17 more | 2021-08-19 | 10.0 HIGH | 9.8 CRITICAL |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK40 before 2.5.1.16, RBR40 before 2.5.1.16, RBS40 before 2.5.1.16, RBK20 before 2.5.1.16, RBR20 before 2.5.1.16, RBS20 before 2.5.1.16, RBK50 before 2.5.1.16, RBR50 before 2.5.1.16, RBS50 before 2.5.1.16, and RBS50Y before 2.6.1.40. | |||||
| CVE-2021-38519 | 1 Netgear | 27 R6250, R6250 Firmware, R6300 and 24 more | 2021-08-19 | 6.5 MEDIUM | 7.2 HIGH |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6250 before 1.0.4.36, R6300v2 before 1.0.4.36, R6400 before 1.0.1.50, R6400v2 before 1.0.2.66, R6700v3 before 1.0.2.66, R6700 before 1.0.2.8, R6900 before 1.0.2.8, R7000 before 1.0.9.88, R6900P before 1.3.2.132, R7100LG before 1.0.0.52, R7900 before 1.0.3.10, R8000 before 1.0.4.46, R7900P before 1.4.1.50, R8000P before 1.4.1.50, and RAX80 before 1.0.1.40. | |||||
| CVE-2021-38529 | 1 Netgear | 8 D7800, D7800 Firmware, R7800 and 5 more | 2021-08-18 | 7.5 HIGH | 9.8 CRITICAL |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D7800 before 1.0.1.56, R7800 before 1.0.2.68, R8900 before 1.0.4.26, and R9000 before 1.0.4.26. | |||||
| CVE-2021-38528 | 1 Netgear | 12 D8500, D8500 Firmware, R6900p and 9 more | 2021-08-18 | 10.0 HIGH | 9.8 CRITICAL |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D8500 before 1.0.3.58, R6900P before 1.3.2.132, R7000P before 1.3.2.132, R7100LG before 1.0.0.64, WNDR3400v3 before 1.0.1.38, and XR300 before 1.0.3.56. | |||||
| CVE-2021-38520 | 1 Netgear | 8 R6400, R6400 Firmware, R6700 and 5 more | 2021-08-18 | 6.5 MEDIUM | 7.2 HIGH |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6400 before 1.0.1.52, R6400v2 before 1.0.4.84, R6700v3 before 1.0.4.84, R6700v2 before 1.2.0.62, R6900v2 before 1.2.0.62, and R7000P before 1.3.2.124. | |||||
| CVE-2021-38521 | 1 Netgear | 10 R6400, R6400 Firmware, R7900p and 7 more | 2021-08-18 | 6.5 MEDIUM | 7.2 HIGH |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6400 before 1.0.1.50, R7900P before 1.4.1.50, R8000P before 1.4.1.50, RAX75 before 1.0.1.62, and RAX80 before 1.0.1.62. | |||||
| CVE-2021-38518 | 1 Netgear | 12 Rax200, Rax200 Firmware, Rax75 and 9 more | 2021-08-18 | 6.5 MEDIUM | 7.2 HIGH |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects RAX200 before 1.0.4.120, RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12. | |||||
| CVE-2020-36463 | 1 Multiqueue Project | 1 Multiqueue | 2021-08-17 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in the multiqueue crate through 2020-12-25 for Rust. There are unconditional implementations of Send for InnerSend<RW, T>, InnerRecv<RW, T>, FutInnerSend<RW, T>, and FutInnerRecv<RW, T>. | |||||
| CVE-2020-36462 | 1 Syncpool Project | 1 Syncpool | 2021-08-17 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in the syncpool crate before 0.1.6 for Rust. There is an unconditional implementation of Send for Bucket2. | |||||
| CVE-2020-36459 | 1 Dces Project | 1 Dces | 2021-08-17 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in the dces crate through 2020-12-09 for Rust. The World type is marked as Send but lacks bounds on its EntityStore and ComponentStore. | |||||
| CVE-2020-36457 | 1 Lever Project | 1 Level | 2021-08-16 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox<T> implements the Send and Sync traits for all types T. | |||||
| CVE-2021-38189 | 1 Lettre | 1 Lettre | 2021-08-16 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the lettre crate before 0.9.6 for Rust. In an e-mail message body, an attacker can place a . character after two <CR><LF> sequences and then inject arbitrary SMTP commands. | |||||
| CVE-2020-36456 | 1 Toolshed Project | 1 Toolshed | 2021-08-16 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in the toolshed crate through 2020-11-15 for Rust. In CopyCell<T>, the Send trait lacks bounds on the contained type. | |||||
| CVE-2020-36455 | 1 Brokenlamp | 1 Slock | 2021-08-16 | 5.1 MEDIUM | 8.1 HIGH |
| An issue was discovered in the slock crate through 2020-11-17 for Rust. Slock<T> unconditionally implements Send and Sync. | |||||
| CVE-2020-36461 | 1 Noise Search Project | 1 Noise Search | 2021-08-16 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in the noise_search crate through 2020-12-10 for Rust. There are unconditional implementations of Send and Sync for MvccRwLock. | |||||
| CVE-2020-36451 | 1 Rcu Cell Project | 1 Rcu Cell | 2021-08-16 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in the rcu_cell crate through 2020-11-14 for Rust. There are unconditional implementations of Send and Sync for RcuCell<T>. | |||||
| CVE-2020-36450 | 1 Bunch Project | 1 Bunch | 2021-08-16 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in the bunch crate through 2020-11-12 for Rust. There are unconditional implementations of Send and Sync for Bunch<T>. | |||||
| CVE-2020-36449 | 1 Kekbit Project | 1 Kekbit | 2021-08-16 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in the kekbit crate before 0.3.4 for Rust. For ShmWriter<H>, Send is implemented without requiring H: Send. | |||||
| CVE-2020-36448 | 1 Cache Project | 1 Cache | 2021-08-16 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in the cache crate through 2020-11-24 for Rust. There are unconditional implementations of Send and Sync for Cache<K>. | |||||
| CVE-2021-38169 | 1 Roxy-wi | 1 Roxy-wi | 2021-08-13 | 6.5 MEDIUM | 8.8 HIGH |
| Roxy-WI through 5.2.2.0 allows command injection via /app/funct.py and /api/api_funct.py. | |||||
| CVE-2021-36705 | 1 Prolink | 2 Prc2402m, Prc2402m Firmware | 2021-08-12 | 7.5 HIGH | 9.8 CRITICAL |
| In ProLink PRC2402M V1.0.18 and older, the set_TR069 function in the adm.cgi binary, accessible with a page parameter value of TR069 contains a trivial command injection where the value of the TR069_local_port parameter is passed directly to system. | |||||
| CVE-2021-36706 | 1 Prolink | 2 Prc2402m, Prc2402m Firmware | 2021-08-12 | 7.5 HIGH | 9.8 CRITICAL |
| In ProLink PRC2402M V1.0.18 and older, the set_sys_cmd function in the adm.cgi binary, accessible with a page parameter value of sysCMD contains a trivial command injection where the value of the command parameter is passed directly to system. | |||||
| CVE-2021-36707 | 1 Prolink | 2 Prc2402m, Prc2402m Firmware | 2021-08-12 | 7.5 HIGH | 9.8 CRITICAL |
| In ProLink PRC2402M V1.0.18 and older, the set_ledonoff function in the adm.cgi binary, accessible with a page parameter value of ledonoff contains a trivial command injection where the value of the led_cmd parameter is passed directly to do_system. | |||||
| CVE-2018-20523 | 1 Mi | 37 Redmi 4a, Redmi 4a Firmware, Redmi 5 Plus and 34 more | 2021-08-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones allows content provider injection. In other words, a third-party application can read the user's cleartext browser history via an app.provider.query content://com.android.browser.searchhistory/searchhistory request. | |||||
| CVE-2015-5349 | 1 Apache | 2 Directory Studio, Ldap Studio | 2021-08-09 | 9.3 HIGH | 7.8 HIGH |
| The CSV export in Apache LDAP Studio and Apache Directory Studio before 2.0.0-M10 does not properly escape field values, which might allow attackers to execute arbitrary commands by leveraging a crafted LDAP entry that is interpreted as a formula when imported into a spreadsheet. | |||||
| CVE-2021-29143 | 1 Arubanetworks | 8 Aos-cx Firmware, Cx 6200f, Cx 6300 and 5 more | 2021-08-06 | 9.0 HIGH | 7.2 HIGH |
| A remote execution of arbitrary commands vulnerability was discovered in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): Aruba AOS-CX firmware: 10.04.xxxx - versions prior to 10.04.3070, 10.05.xxxx - versions prior to 10.05.0070, 10.06.xxxx - versions prior to 10.06.0110, 10.07.xxxx - versions prior to 10.07.0001. Aruba has released upgrades for Aruba AOS-CX devices that address this security vulnerability. | |||||
| CVE-2021-30124 | 1 Vscode-phpmd Project | 1 Vscode-phpmd | 2021-08-06 | 7.5 HIGH | 9.8 CRITICAL |
| The unofficial vscode-phpmd (aka PHP Mess Detector) extension before 1.3.0 for Visual Studio Code allows remote attackers to execute arbitrary code via a crafted phpmd.command value in a workspace folder. | |||||
| CVE-2021-23412 | 1 Gitlogplus Project | 1 Gitlogplus | 2021-08-02 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package gitlogplus are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization. | |||||
| CVE-2021-21406 | 1 Combodo | 1 Itop | 2021-07-30 | 6.5 MEDIUM | 8.8 HIGH |
| Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vulnerability in the Setup Wizard when providing Graphviz executable path. The vulnerability is patched in version 2.7.4 and 3.0.0. | |||||
| CVE-2020-27575 | 1 Maxum | 1 Rumpus | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability. The web administration contains functionality in which administrators are able to manage users. The edit users form contains a parameter vulnerable to command injection due to insufficient validation. | |||||
| CVE-2020-10208 | 1 Amino | 12 Ak45x, Ak45x Firmware, Ak5xx and 9 more | 2021-07-21 | 9.0 HIGH | 9.9 CRITICAL |
| Command Injection in EntoneWebEngine in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows authenticated remote attackers to execute arbitrary commands with root user privileges. | |||||
| CVE-2020-13347 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 9.0 HIGH | 9.1 CRITICAL |
| A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, which allows the attacker to run arbitrary commands on Windows host, via DOCKER_AUTH_CONFIG build variable. | |||||
| CVE-2020-16257 | 1 Winstonprivacy | 2 Winston, Winston Firmware | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| Winston 1.5.4 devices are vulnerable to command injection via the API. | |||||
| CVE-2020-18568 | 1 Dlink | 4 Dsr-1000n, Dsr-1000n Firmware, Dsr-250 and 1 more | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The D-Link DSR-250 (3.14) DSR-1000N (2.11B201) UPnP service contains a command injection vulnerability, which can cause remote command execution. | |||||
| CVE-2020-24631 | 1 Arubanetworks | 1 Airwave Glass | 2021-07-21 | 9.0 HIGH | 7.2 HIGH |
| A remote execution of arbitrary commands vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2. | |||||
| CVE-2020-25506 | 1 Dlink | 2 Dns-320, Dns-320 Firmware | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution. | |||||
| CVE-2020-25499 | 1 Totolink | 26 A3002r, A3002r Firmware, A3002ru-v1 and 23 more | 2021-07-21 | 9.0 HIGH | 8.8 HIGH |
| TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run Command'. An attacker can use this functionality to execute arbitrary OS commands on the router. | |||||
| CVE-2020-25538 | 1 Cmsuno Project | 1 Cmsuno | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An authenticated attacker can inject malicious code into "lang" parameter in /uno/central.php file in CMSuno 1.6.2 and run this PHP code in the web page. In this way, attacker can takeover the control of the server. | |||||
| CVE-2020-28429 | 1 Geojson2kml Project | 1 Geojson2kml | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package geojson2kml are vulnerable to Command Injection via the index.js file. PoC: var a =require("geojson2kml"); a("./","& touch JHU",function(){}) | |||||
| CVE-2020-28439 | 1 Corenlp-js-prefab Project | 1 Corenlp-js-prefab | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package corenlp-js-prefab. The injection point is located in line 10 in 'index.js.' It depends on a vulnerable package 'corenlp-js-interface.' Vulnerability can be exploited with the following PoC: | |||||
| CVE-2020-28464 | 1 Djv Project | 1 Djv | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| This affects the package djv before 2.1.4. By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine. | |||||
| CVE-2020-29056 | 2 Cdata, Cdatatec | 57 Fd1104 Firmware, 72408a, 72408a Firmware and 54 more | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on CDATA 72408A, 9008A, 9016A, 92408A, 92416A, 9288, 97016, 97024P, 97028P, 97042P, 97084P, 97168P, FD1002S, FD1104, FD1104B, FD1104S, FD1104SN, FD1108S, FD1204S-R2, FD1204SN, FD1204SN-R2, FD1208S-R2, FD1216S-R1, FD1608GS, FD1608SN, FD1616GS, FD1616SN, and FD8000 devices. One can escape from a shell and acquire root privileges by leveraging the TFTP download configuration. | |||||
| CVE-2020-35476 | 1 Opentsdb | 1 Opentsdb | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.) | |||||
| CVE-2020-4983 | 1 Ibm | 2 Spectrum Lsf, Spectrum Lsf Suite | 2021-07-21 | 4.6 MEDIUM | 7.8 HIGH |
| IBM Spectrum LSF 10.1 and IBM Spectrum LSF Suite 10.2 could allow a user on the local network who has privileges to submit LSF jobs to execute arbitrary commands. IBM X-Force ID: 192586. | |||||
| CVE-2020-7128 | 1 Arubanetworks | 1 Airwave Glass | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| A remote unauthenticated arbitrary code execution vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2. | |||||
| CVE-2020-7752 | 1 Systeminformation | 1 Systeminformation | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands. | |||||
| CVE-2020-7781 | 1 Connection-tester Project | 1 Connection-tester | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package connection-tester before 0.2.1. The injection point is located in line 15 in index.js. The following PoC demonstrates the vulnerability: | |||||
| CVE-2020-9127 | 1 Huawei | 12 Nip6300, Nip6300 Firmware, Nip6600 and 9 more | 2021-07-21 | 4.6 MEDIUM | 6.7 MEDIUM |
| Some Huawei products have a command injection vulnerability. Due to insufficient input validation, an attacker with high privilege may inject some malicious codes in some files of the affected products. Successful exploit may cause command injection.Affected product versions include:NIP6300 versions V500R001C30,V500R001C60;NIP6600 versions V500R001C30,V500R001C60;Secospace USG6300 versions V500R001C30,V500R001C60;Secospace USG6500 versions V500R001C30,V500R001C60;Secospace USG6600 versions V500R001C30,V500R001C60;USG9500 versions V500R001C30,V500R001C60. | |||||