Search
Total
1052 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-20156 | 1 Printer Project | 1 Printer | 2023-12-01 | N/A | 9.8 CRITICAL |
| A vulnerability was found in Exciting Printer and classified as critical. This issue affects some unknown processing of the file lib/printer/jobs/prepare_page.rb of the component Argument Handler. The manipulation of the argument URL leads to command injection. The patch is named 5f8c715d6e2cc000f621a6833f0a86a673462136. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217139. | |||||
| CVE-2023-49040 | 1 Tenda | 2 Ax1803, Ax1803 Firmware | 2023-12-01 | N/A | 9.8 CRITICAL |
| An issue in Tneda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the adslPwd parameter in the form_fast_setting_internet_set function. | |||||
| CVE-2023-49210 | 1 Node-openssl Project | 1 Node-openssl | 2023-11-30 | N/A | 9.8 CRITICAL |
| The openssl (aka node-openssl) NPM package through 2.0.0 was characterized as "a nonsense wrapper with no real purpose" by its author, and accepts an opts argument that contains a verb field (used for command execution). NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2022-37425 | 2 Linux, Opennebula | 2 Linux Kernel, Opennebula | 2023-11-30 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in OpenNebula OpenNebula core on Linux allows Remote Code Inclusion. | |||||
| CVE-2023-49213 | 1 Ironmansoftware | 1 Powershell Universal | 2023-11-30 | N/A | 8.8 HIGH |
| The API endpoints in Ironman PowerShell Universal 3.0.0 through 4.2.0 allow remote attackers to execute arbitrary commands via crafted HTTP requests if a param block is used, due to invalid sanitization of input strings. The fixed versions are 3.10.2, 4.1.10, and 4.2.1. | |||||
| CVE-2019-10095 | 1 Apache | 1 Zeppelin | 2023-11-24 | 10.0 HIGH | 9.8 CRITICAL |
| bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions. | |||||
| CVE-2023-1162 | 1 Draytek | 2 Vigor 2960, Vigor 2960 Firmware | 2023-11-22 | N/A | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in DrayTek Vigor 2960 1.5.1.4/1.5.1.5. Affected is an unknown function of the file mainfunction.cgi of the component Web Management Interface. The manipulation of the argument password leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-222258 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2023-24229 | 1 Draytek | 2 Vigor2960, Vigor2960 Firmware | 2023-11-22 | N/A | 7.8 HIGH |
| DrayTek Vigor2960 v1.5.1.4 allows an authenticated attacker with network access to the web management interface to inject operating system commands via the mainfunction.cgi 'parameter' parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2023-45625 | 2 Arubanetworks, Hp | 2 Arubaos, Instantos | 2023-11-21 | N/A | 7.2 HIGH |
| Multiple authenticated command injection vulnerabilities exist in the command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. | |||||
| CVE-2022-40752 | 3 Ibm, Linux, Microsoft | 5 Aix, Infosphere Information Server, Infosphere Information Server On Cloud and 2 more | 2023-11-18 | N/A | 9.8 CRITICAL |
| IBM InfoSphere DataStage 11.7 is vulnerable to a command injection vulnerability due to improper neutralization of special elements. IBM X-Force ID: 236687. | |||||
| CVE-2023-47253 | 1 Qualitor | 1 Qalitor | 2023-11-14 | N/A | 9.8 CRITICAL |
| Qualitor through 8.20 allows remote attackers to execute arbitrary code via PHP code in the html/ad/adpesquisasql/request/processVariavel.php gridValoresPopHidden parameter. | |||||
| CVE-2021-44051 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2023-11-14 | 6.5 MEDIUM | 8.8 HIGH |
| A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 5.0.0.1986 build 20220324 and later | |||||
| CVE-2020-2509 | 1 Qnap | 2 Qts, Quts Hero | 2023-11-14 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later | |||||
| CVE-2023-20220 | 1 Cisco | 1 Firepower Management Center | 2023-11-09 | N/A | 8.8 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. To exploit these vulnerabilities, the attacker must have valid device credentials, but does not need Administrator privileges. These vulnerabilities are due to insufficient validation of user-supplied input for certain configuration options. An attacker could exploit these vulnerabilities by using crafted input within the device configuration GUI. A successful exploit could allow the attacker to execute arbitrary commands on the device, including on the underlying operating system, which could also affect the availability of the device. | |||||
| CVE-2023-20219 | 1 Cisco | 1 Firepower Management Center | 2023-11-09 | N/A | 8.8 HIGH |
| Multiple vulnerabilities in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. The attacker would need valid device credentials but does not require administrator privileges to exploit this vulnerability. These vulnerabilities are due to insufficient validation of user-supplied input for certain configuration options. An attacker could exploit these vulnerabilities by using crafted input within the device configuration GUI. A successful exploit could allow the attacker to execute arbitrary commands on the device including the underlying operating system which could also affect the availability of the device. | |||||
| CVE-2023-39834 | 1 Pbootcms | 1 Pbootcms | 2023-08-29 | N/A | 9.8 CRITICAL |
| PbootCMS below v3.2.0 was discovered to contain a command injection vulnerability via create_function. | |||||
| CVE-2023-38027 | 1 Myspotcam | 2 Sense, Sense Firmware | 2023-08-29 | N/A | 9.8 CRITICAL |
| SpotCam Co., Ltd. SpotCam Sense’s hidden Telnet function has a vulnerability of OS command injection. An remote unauthenticated attacker can exploit this vulnerability to execute command injection attack to perform arbitrary system commands or disrupt service. | |||||
| CVE-2023-37469 | 1 Icewhale | 1 Casaos | 2023-08-29 | N/A | 8.8 HIGH |
| CasaOS is an open-source personal cloud system. Prior to version 0.4.4, if an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands. Version 0.4.4 contains a patch for the issue. | |||||
| CVE-2023-4212 | 1 Trane | 8 Pivot, Pivot Firmware, Xl1050 and 5 more | 2023-08-29 | N/A | 6.8 MEDIUM |
| ?A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick. | |||||
| CVE-2020-22570 | 1 Memcached | 1 Memcached | 2023-08-25 | N/A | 7.5 HIGH |
| Memcached 1.6.0 before 1.6.3 allows remote attackers to cause a denial of service (daemon crash) via a crafted meta command. | |||||
| CVE-2023-39618 | 1 Totolink | 2 X5000r, X5000r Firmware | 2023-08-25 | N/A | 9.8 CRITICAL |
| TOTOLINK X5000R B20210419 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg interface. | |||||
| CVE-2023-39617 | 1 Totolink | 2 X5000r, X5000r Firmware | 2023-08-25 | N/A | 9.8 CRITICAL |
| TOTOLINK X5000R_V9.1.0cu.2089_B20211224 and X5000R_V9.1.0cu.2350_B20230313 were discovered to contain a remote code execution (RCE) vulnerability via the lang parameter in the setLanguageCfg function. | |||||
| CVE-2023-23564 | 1 Geomatika | 1 Isigeo Web | 2023-08-24 | N/A | 8.8 HIGH |
| An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to execute commands. | |||||
| CVE-2023-39809 | 1 Nvki | 1 Intelligent Broadband Subscriber Gateway | 2023-08-24 | N/A | 9.8 CRITICAL |
| N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a command injection vulnerability via the system_hostname parameter at /manage/network-basic.php. | |||||
| CVE-2023-34960 | 1 Chamilo | 1 Chamilo | 2023-08-24 | N/A | 9.8 CRITICAL |
| A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name. | |||||
| CVE-2023-20209 | 1 Cisco | 1 Telepresence Video Communication Server | 2023-08-24 | N/A | 7.2 HIGH |
| A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to establish a remote shell with root privileges. | |||||
| CVE-2023-4414 | 1 Byzoro | 1 Smart S85f | 2023-08-24 | N/A | 9.8 CRITICAL |
| A vulnerability was found in Beijing Baichuo Smart S85F Management Platform up to 20230807. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /log/decodmail.php. The manipulation of the argument file leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-237517 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-20017 | 1 Cisco | 1 Intersight Private Virtual Appliance | 2023-08-23 | N/A | 9.1 CRITICAL |
| Multiple vulnerabilities in Cisco Intersight Private Virtual Appliance could allow an authenticated, remote attacker to execute arbitrary commands using root-level privileges. The attacker would need to have Administrator privileges on the affected device to exploit these vulnerabilities. These vulnerabilities are due to insufficient input validation when extracting uploaded software packages. An attacker could exploit these vulnerabilities by authenticating to an affected device and uploading a crafted software package. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges. | |||||
| CVE-2023-20013 | 1 Cisco | 1 Intersight Private Virtual Appliance | 2023-08-23 | N/A | 9.1 CRITICAL |
| Multiple vulnerabilities in Cisco Intersight Private Virtual Appliance could allow an authenticated, remote attacker to execute arbitrary commands using root-level privileges. The attacker would need to have Administrator privileges on the affected device to exploit these vulnerabilities. These vulnerabilities are due to insufficient input validation when extracting uploaded software packages. An attacker could exploit these vulnerabilities by authenticating to an affected device and uploading a crafted software package. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges. | |||||
| CVE-2023-38902 | 1 Ruijie | 192 Rg-eap101, Rg-eap101 Firmware, Rg-eap101 V2 and 189 more | 2023-08-23 | N/A | 8.8 HIGH |
| A command injection vulnerability in RG-EW series home routers and repeaters v.EW_3.0(1)B11P219, RG-NBS and RG-S1930 series switches v.SWITCH_3.0(1)B11P219, RG-EG series business VPN routers v.EG_3.0(1)B11P219, EAP and RAP series wireless access points v.AP_3.0(1)B11P219, and NBC series wireless controllers v.AC_3.0(1)B11P219 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /cgi-bin/luci/api/cmd via the remoteIp field. | |||||
| CVE-2023-34215 | 1 Moxa | 2 Tn-5900, Tn-5900 Firmware | 2023-08-23 | N/A | 9.8 CRITICAL |
| TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command-injection vulnerability. This vulnerability stems from insufficient input validation and improper authentication in the certification-generation function, which could potentially allow malicious users to execute remote code on affected devices. | |||||
| CVE-2023-2910 | 1 Asustor | 1 Data Master | 2023-08-23 | N/A | 8.8 HIGH |
| Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below. | |||||
| CVE-2023-38866 | 1 Comfast | 2 Cf-xr11, Cf-xr11 Firmware | 2023-08-22 | N/A | 9.8 CRITICAL |
| COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected at function sub_415588. Attackers can send POST request messages to /usr/bin/webmgnt and inject commands into parameter interface and display_name. | |||||
| CVE-2023-38864 | 1 Comfast | 2 Cf-xr11, Cf-xr11 Firmware | 2023-08-22 | N/A | 9.8 CRITICAL |
| An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the protal_delete_picname parameter in the sub_41171C function at bin/webmgnt. | |||||
| CVE-2023-38861 | 1 Wavlink | 2 Wl-wn575a3, Wl-wn575a3 Firmware | 2023-08-22 | N/A | 9.8 CRITICAL |
| An issue in Wavlink WL_WNJ575A3 v.R75A3_V1410_220513 allows a remote attacker to execute arbitrary code via username parameter of the set_sys_adm function in adm.cgi. | |||||
| CVE-2023-33238 | 1 Moxa | 4 Tn-4900, Tn-4900 Firmware, Tn-5900 and 1 more | 2023-08-22 | N/A | 9.8 CRITICAL |
| TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command injection vulnerability. This vulnerability stems from inadequate input validation in the certificate management function, which could potentially allow malicious users to execute remote code on affected devices. | |||||
| CVE-2023-34214 | 1 Moxa | 4 Tn-4900, Tn-4900 Firmware, Tn-5900 and 1 more | 2023-08-22 | N/A | 9.8 CRITICAL |
| TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command-injection vulnerability. This vulnerability stems from insufficient input validation in the certificate-generation function, which could potentially allow malicious users to execute remote code on affected devices. | |||||
| CVE-2023-33239 | 1 Moxa | 4 Tn-4900, Tn-4900 Firmware, Tn-5900 and 1 more | 2023-08-22 | N/A | 9.8 CRITICAL |
| TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command injection vulnerability. This vulnerability stems from insufficient input validation in the key-generation function, which could potentially allow malicious users to execute remote code on affected devices. | |||||
| CVE-2023-34213 | 1 Moxa | 2 Tn-5900, Tn-5900 Firmware | 2023-08-22 | N/A | 9.8 CRITICAL |
| TN-5900 Series firmware versions v3.3 and prior are vulnerable to command-injection vulnerability. This vulnerability stems from insufficient input validation and improper authentication in the key-generation function, which could potentially allow malicious users to execute remote code on affected devices. | |||||
| CVE-2023-38863 | 1 Comfast | 2 Cf-xr11, Cf-xr11 Firmware | 2023-08-22 | N/A | 9.8 CRITICAL |
| An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the ifname and mac parameters in the sub_410074 function at bin/webmgnt. | |||||
| CVE-2023-38862 | 1 Comfast | 2 Cf-xr11, Cf-xr11 Firmware | 2023-08-22 | N/A | 9.8 CRITICAL |
| An issue in COMFAST CF-XR11 v.2.7.2 allows an attacker to execute arbitrary code via the destination parameter of sub_431F64 function in bin/webmgnt. | |||||
| CVE-2023-38865 | 1 Comfast | 2 Cf-xr11, Cf-xr11 Firmware | 2023-08-22 | N/A | 9.8 CRITICAL |
| COMFAST CF-XR11 V2.7.2 has a command injection vulnerability detected at function sub_4143F0. Attackers can send POST request messages to /usr/bin/webmgnt and inject commands into parameter timestr. | |||||
| CVE-2023-40293 | 1 Samsung | 1 Harman Infotainment | 2023-08-21 | N/A | 6.8 MEDIUM |
| Harman Infotainment 20190525031613 and later allows command injection via unauthenticated RPC with a D-Bus connection object. | |||||
| CVE-2023-39293 | 1 Mitel | 3 Mivoice Office 400, Mivoice Office 400 Smb Controller, Mivoice Office 400 Smb Controller Firmware | 2023-08-21 | N/A | 9.8 CRITICAL |
| A Command Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to execute arbitrary commands within the context of the system. | |||||
| CVE-2023-37566 | 1 Elecom | 4 Wrc-1167febk-a, Wrc-1167febk-a Firmware, Wrc-1167ghbk3-a and 1 more | 2023-08-18 | N/A | 8.0 HIGH |
| Command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary command by sending a specially crafted request to the web management page. Affected products and versions are as follows: WRC-1167GHBK3-A v1.24 and earlier, WRC-1167FEBK-A v1.18 and earlier, WRC-F1167ACF2 all versions, WRC-600GHBK-A all versions, WRC-733FEBK2-A all versions, WRC-1467GHBK-A all versions, WRC-1900GHBK-A all versions, and LAN-W301NR all versions. | |||||
| CVE-2023-37567 | 1 Elecom | 2 Wrc-1167ghbk3-a, Wrc-1167ghbk3-a Firmware | 2023-08-18 | N/A | 9.8 CRITICAL |
| Command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows a remote unauthenticated attacker to execute an arbitrary command by sending a specially crafted request to a certain port of the web management page. Affected products and versions are as follows: WRC-1167GHBK3-A v1.24 and earlier, WRC-F1167ACF2 all versions, WRC-600GHBK-A all versions, WRC-733FEBK2-A all versions, WRC-1467GHBK-A all versions, WRC-1900GHBK-A all versions, and LAN-W301NR all versions. | |||||
| CVE-2023-38034 | 1 Ui | 47 U6-enterprise, U6-enterprise-iw, U6-extender and 44 more | 2023-08-17 | N/A | 9.8 CRITICAL |
| A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow a Remote Code Execution (RCE). Affected Products: All UniFi Access Points (Version 6.5.53 and earlier) All UniFi Switches (Version 6.5.32 and earlier) -USW Flex Mini excluded. Mitigation: Update UniFi Access Points to Version 6.5.62 or later. Update UniFi Switches to Version 6.5.59 or later. | |||||
| CVE-2023-32781 | 1 Paessler | 1 Prtg Network Monitor | 2023-08-16 | N/A | 7.2 HIGH |
| A command injection vulnerability was identified in PRTG 23.2.84.1566 and earlier versions in the HL7 sensor where an authenticated user with write permissions could abuse the debug option to write new files that could potentially get executed by the EXE/Script sensor. The severity of this vulnerability is high and received a score of 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | |||||
| CVE-2023-32782 | 1 Paessler | 1 Prtg Network Monitor | 2023-08-16 | N/A | 7.2 HIGH |
| A command injection was identified in PRTG 23.2.84.1566 and earlier versions in the Dicom C-ECHO sensor where an authenticated user with write permissions could abuse the debug option to write new files that could potentially get executed by the EXE/Script sensor. The severity of this vulnerability is high and received a score of 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | |||||
| CVE-2022-39986 | 1 Raspap | 1 Raspap | 2023-08-15 | N/A | 9.8 CRITICAL |
| A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. | |||||