Search
Total
1052 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-9862 | 1 Apple | 7 Icloud, Ipad Os, Iphone Os and 4 more | 2021-07-21 | 6.8 MEDIUM | 7.8 HIGH |
| A command injection issue existed in Web Inspector. This issue was addressed with improved escaping. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Copying a URL from Web Inspector may lead to command injection. | |||||
| CVE-2020-35136 | 1 Dolibarr | 1 Dolibarr | 2021-07-21 | 9.0 HIGH | 7.2 HIGH |
| Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php. | |||||
| CVE-2020-24899 | 1 Nagios | 1 Nagios Xi | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerability. An authenticated user can inject additional commands into normal webapp query. | |||||
| CVE-2020-28494 | 1 Totaljs | 1 Total.js | 2021-07-21 | 7.5 HIGH | 8.6 HIGH |
| This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized. | |||||
| CVE-2020-28426 | 1 Kill-process-on-port Project | 1 Kill-process-on-port | 2021-07-21 | 7.5 HIGH | 7.3 HIGH |
| All versions of package kill-process-on-port are vulnerable to Command Injection via a.getProcessPortId. | |||||
| CVE-2020-29664 | 1 Dji | 2 Mavic 2, Mavic 2 Firmware | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| A command injection issue in dji_sys in DJI Mavic 2 Remote Controller before firmware version 01.00.0510 allows for code execution via a malicious firmware upgrade packet. | |||||
| CVE-2020-36199 | 1 Kaspersky | 1 Tinycheck | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| TinyCheck before commits 9fd360d and ea53de8 was vulnerable to command injection due to insufficient checks of input parameters in several places. | |||||
| CVE-2020-27542 | 1 Company | 2 Cs-c2shw, Cs-c2shw Firmware | 2021-07-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| Rostelecom CS-C2SHW 5.0.082.1 is affected by: Bash command injection. The camera reads configuration from QR code (including network settings). The static IP configuration from QR code is copied to the file /config/ip-static and after reboot data from this file is inserted into bash command (without any escaping). So bash injection is possible. Camera doesn't parse QR codes if it's already successfully configured. Camera is always rebooted after successful configuration via QR code. | |||||
| CVE-2020-7794 | 1 Buns Project | 1 Buns | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package buns. The injection point is located in line 678 in index file lib/index.js in the exported function install(requestedModule). | |||||
| CVE-2020-7784 | 1 Ts-process-promises Project | 1 Ts-process-promises | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package ts-process-promises. The injection point is located in line 45 in main entry of package in lib/process-promises.js. The vulnerability is demonstrated with the following PoC: | |||||
| CVE-2020-35797 | 1 Netgear | 2 Nms300, Nms300 Firmware | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an unauthenticated attacker. | |||||
| CVE-2020-35789 | 1 Netgear | 2 Nms300, Nms300 Firmware | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| NETGEAR NMS300 devices before 1.6.0.27 are affected by command injection by an authenticated user. | |||||
| CVE-2020-10209 | 1 Amino | 12 Ak45x, Ak45x Firmware, Ak5xx and 9 more | 2021-07-21 | 9.3 HIGH | 8.1 HIGH |
| Command Injection in the CPE WAN Management Protocol (CWMP) registration in Amino Communications AK45x series, AK5xx series, AK65x series, Aria6xx series, Aria7/AK7Xx series and Kami7B allows man-in-the-middle attackers to execute arbitrary commands with root level privileges. | |||||
| CVE-2020-35714 | 1 Linksys | 2 Re6500, Re6500 Firmware | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Belkin LINKSYS RE6500 devices before 1.0.11.001 allow remote authenticated users to execute arbitrary commands via goform/systemCommand?command= in conjunction with the goform/pingstart program. | |||||
| CVE-2020-8466 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2, with the improved password hashing method enabled, could allow an unauthenticated attacker to execute certain commands by providing a manipulated password. | |||||
| CVE-2020-28440 | 1 Corenlp-js-interface Project | 1 Corenlp-js-interface | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function. | |||||
| CVE-2020-29311 | 1 Ubilling | 1 Ubilling | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| Ubilling v1.0.9 allows Remote Command Execution as Root user by executing a malicious command that is injected inside the config file and being triggered by another part of the software. | |||||
| CVE-2020-15929 | 1 Ortussolutions | 1 Testbox | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Ortus TestBox 2.4.0 through 4.1.0, unvalidated query string parameters passed to system/runners/HTMLRunner.cfm allow an attacker to write an arbitrary CFM file (within the application's context) containing attacker-defined CFML tags, leading to Remote Code Execution. | |||||
| CVE-2020-4006 | 3 Linux, Microsoft, Vmware | 7 Linux Kernel, Windows, Cloud Foundation and 4 more | 2021-07-21 | 9.0 HIGH | 9.1 CRITICAL |
| VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability. | |||||
| CVE-2020-29381 | 1 Vsolcn | 10 V1600d, V1600d-mini, V1600d-mini Firmware and 7 more | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configuration" in the CLI via a crafted filename. | |||||
| CVE-2020-25557 | 1 Cmsuno Project | 1 Cmsuno | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username & password. After that, when attacker logs in to the application, attacker's code will be run. As a result of this vulnerability, authenticated user can run command on the server. | |||||
| CVE-2020-28347 | 1 Tp-link | 2 Ac1750, Ac1750 Firmware | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled. | |||||
| CVE-2020-7129 | 1 Arubanetworks | 1 Airwave Glass | 2021-07-21 | 9.0 HIGH | 7.2 HIGH |
| A remote execution of arbitrary commands vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2. | |||||
| CVE-2020-7373 | 1 Vbulletin | 1 Vbulletin | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is the preferred CVE ID to track this vulnerability. | |||||
| CVE-2020-24632 | 1 Arubanetworks | 1 Airwave Glass | 2021-07-21 | 9.0 HIGH | 7.2 HIGH |
| A remote execution of arbitrary commandss vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2. | |||||
| CVE-2020-25483 | 1 Ucms Project | 1 Ucms | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server. | |||||
| CVE-2020-11496 | 1 Sprecher-automation | 1 Sprecon-e | 2021-07-21 | 7.2 HIGH | 6.7 MEDIUM |
| Sprecher SPRECON-E firmware prior to 8.64b might allow local attackers with access to engineering data to insert arbitrary code. This firmware lacks the validation of the input values on the device side, which is provided by the engineering software during parameterization. Attackers with access to local configuration files can therefore insert malicious commands that are executed after compiling them to valid parameter files (“PDLs”), transferring them to the device, and restarting the device. | |||||
| CVE-2020-26582 | 1 Dlink | 2 Dap-1360u, Dap-1360u Firmware | 2021-07-21 | 9.0 HIGH | 8.8 HIGH |
| D-Link DAP-1360U before 3.0.1 devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the IP JSON value for ping (aka res_config_action=3&res_config_id=18). | |||||
| CVE-2020-7730 | 1 Bestzip Project | 1 Bestzip | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The package bestzip before 2.1.7 are vulnerable to Command Injection via the options param. | |||||
| CVE-2021-34612 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-07-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-34615 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-07-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-34613 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-07-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-34616 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-07-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-34611 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-07-12 | 9.0 HIGH | 7.2 HIGH |
| A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-34614 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-07-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-34610 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2021-07-12 | 9.0 HIGH | 7.2 HIGH |
| A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-31838 | 1 Mcafee | 1 Mvision Edr | 2021-07-02 | 9.0 HIGH | 9.1 CRITICAL |
| A command injection vulnerability in MVISION EDR (MVEDR) prior to 3.4.0 allows an authenticated MVEDR administrator to trigger the EDR client to execute arbitrary commands through PowerShell using the EDR functionality 'execute reaction'. | |||||
| CVE-2020-17759 | 2 Evernote, Microsoft | 4 Evernote, Windows 10, Windows 7 and 1 more | 2021-07-01 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was found in the Evernote client for Windows 10, 7, and 2008 in the protocol handler. This enables attackers for arbitrary command execution if the user clicks on a specially crafted URL. AKA: WINNOTE-19941. | |||||
| CVE-2020-21785 | 1 Ibos | 1 Ibos | 2021-07-01 | 6.5 MEDIUM | 8.8 HIGH |
| In IBOS 4.5.4 Open, the database backup has Command Injection Vulnerability. | |||||
| CVE-2014-9114 | 3 Fedoraproject, Kernel, Opensuse | 3 Fedora, Util-linux, Opensuse | 2021-06-29 | 7.2 HIGH | 7.8 HIGH |
| Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code. | |||||
| CVE-2021-34809 | 1 Synology | 1 Download Station | 2021-06-24 | 6.5 MEDIUM | 8.8 HIGH |
| Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors. | |||||
| CVE-2017-18377 | 1 Goahead | 2 Wireless Ip Camera Wificam, Wireless Ip Camera Wificam Firmware | 2021-06-22 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Wireless IP Camera (P2P) WIFICAM cameras. There is Command Injection in the set_ftp.cgi script via shell metacharacters in the pwd variable, as demonstrated by a set_ftp.cgi?svr=192.168.1.1&port=21&user=ftp URI. | |||||
| CVE-2019-7198 | 1 Qnap | 2 Qts, Quts Hero | 2021-06-21 | 7.5 HIGH | 9.8 CRITICAL |
| This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later | |||||
| CVE-2021-28811 | 1 Roonlabs | 1 Roon Server | 2021-06-21 | 6.5 MEDIUM | 7.2 HIGH |
| If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. Roon Labs has already fixed this vulnerability in the following versions: Roon Server 2021-05-18 and later | |||||
| CVE-2021-32090 | 1 Localstack | 1 Localstack | 2021-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| The dashboard component of StackLift LocalStack 0.12.6 allows attackers to inject arbitrary shell commands via the functionName parameter. | |||||
| CVE-2021-3515 | 1 2ndquadrant | 1 Pglogical | 2021-06-14 | 7.2 HIGH | 6.7 MEDIUM |
| A shell injection flaw was found in pglogical in versions before 2.3.4 and before 3.6.26. An attacker with CREATEDB privileges on a PostgreSQL server can craft a database name that allows execution of shell commands as the postgresql user when calling pglogical.create_subscription(). | |||||
| CVE-2015-1877 | 2 Debian, Freedesktop | 2 Debian Linux, Xdg-utils | 2021-06-14 | 6.8 MEDIUM | 8.8 HIGH |
| The open_generic_xdg_mime function in xdg-open in xdg-utils 1.1.0 rc1 in Debian, when using dash, does not properly handle local variables, which allows remote attackers to execute arbitrary commands via a crafted file. | |||||
| CVE-2021-28812 | 1 Qnap | 4 Qts, Quts Hero, Qutscloud and 1 more | 2021-06-11 | 6.5 MEDIUM | 8.8 HIGH |
| A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Video Station versions prior to 5.5.4 on QTS 4.5.2; versions prior to 5.5.4 on QuTS hero h4.5.2; versions prior to 5.5.4 on QuTScloud c4.5.4. This issue does not affect: QNAP Systems Inc. Video Station on QTS 4.3.6; on QTS 4.3.3. | |||||
| CVE-2019-25029 | 1 Versa-networks | 1 Versa Director | 2021-06-07 | 10.0 HIGH | 9.8 CRITICAL |
| In Versa Director, the command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. | |||||
| CVE-2021-22899 | 1 Pulsesecure | 1 Pulse Connect Secure | 2021-06-04 | 6.5 MEDIUM | 8.8 HIGH |
| A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature | |||||