Total: 1052 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-6649 | 1 Emc | 2 Recoverpoint, Recoverpoint For Virtual Machines | 2017-03-08 | 7.2 HIGH | 6.7 MEDIUM |
| EMC RecoverPoint versions before 4.4.1.1 and EMC RecoverPoint for Virtual Machines versions before 5.0 are affected by multiple command injection vulnerabilities where a malicious administrator with configuration privileges may bypass the user interface and escalate his privileges to root. | |||||
| CVE-2016-10098 | 1 Sendquick | 4 Avera Sms Gateway, Avera Sms Gateway Firmware, Entera Sms Gateway and 1 more | 2017-02-10 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on SendQuick Entera and Avera devices before 2HF16. Multiple Command Injection vulnerabilities allow attackers to execute arbitrary system commands. | |||||
| CVE-2016-0396 | 1 Ibm | 1 Bigfix Platform | 2017-02-07 | 6.8 MEDIUM | 8.1 HIGH |
| IBM Tivoli Endpoint Manager could allow a user under special circumstances to inject commands that would be executed with unnecessary higher privileges than expected. | |||||
| CVE-2015-3441 | 1 Genexia | 1 Drgos | 2017-01-18 | 9.0 HIGH | 8.8 HIGH |
| The Parental Control panel in Genexis devices with DRGOS before 1.14.1 allows remote authenticated users to execute arbitrary CLI commands via the (1) start_hour, (2) start_minute, (3) end_hour, (4) end_minute, or (5) hostname parameter. | |||||
| CVE-2016-10107 | 1 Western Digital | 1 Mycloud Nas | 2017-01-05 | 10.0 HIGH | 9.8 CRITICAL |
| Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 index.php page via a modified Cookie header. | |||||
| CVE-2014-8630 | 2 Fedoraproject, Mozilla | 2 Fedora, Bugzilla | 2017-01-03 | 6.5 MEDIUM | N/A |
| Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name. | |||||
| CVE-2014-7285 | 1 Symantec | 1 Web Gateway | 2017-01-03 | 6.5 MEDIUM | N/A |
| The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts. | |||||
| CVE-2015-2051 | 1 D-link | 2 Dir-645, Dir-645 Firmware | 2016-12-31 | 10.0 HIGH | N/A |
| The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface. | |||||
| CVE-2015-1815 | 2 Fedoraproject, Selinux | 2 Fedora, Setroubleshoot | 2016-12-31 | 10.0 HIGH | N/A |
| The get_rpm_nvr_by_file_path_temporary function in util.py in setroubleshoot before 3.2.22 allows remote attackers to execute arbitrary commands via shell metacharacters in a file name. | |||||
| CVE-2015-1986 | 1 Ibm | 1 Tivoli Storage Manager Fastback | 2016-12-30 | 10.0 HIGH | N/A |
| The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to execute arbitrary commands via unspecified vectors, a different vulnerability than CVE-2015-1938. | |||||
| CVE-2015-2265 | 2 Canonical, Linuxfoundation | 2 Ubuntu Linux, Cups-filters | 2016-12-28 | 7.5 HIGH | N/A |
| The remove_bad_chars function in utils/cups-browsed.c in cups-filters before 1.0.66 allows remote IPP printers to execute arbitrary commands via consecutive shell metacharacters in the (1) model or (2) PDL. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707. | |||||
| CVE-2015-1949 | 1 Ibm | 1 Tivoli Storage Manager Fastback | 2016-12-28 | 10.0 HIGH | N/A |
| The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to execute arbitrary commands with SYSTEM privileges via unspecified vectors. | |||||
| CVE-2015-1938 | 1 Ibm | 1 Tivoli Storage Manager Fastback | 2016-12-28 | 10.0 HIGH | N/A |
| The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to execute arbitrary commands via unspecified vectors, a different vulnerability than CVE-2015-1986. | |||||
| CVE-2016-9835 | 1 Zikula | 1 Zikula Application Framework | 2016-12-27 | 7.5 HIGH | 9.8 CRITICAL |
| Directory traversal vulnerability in file "jcss.php" in Zikula 1.3.x before 1.3.11 and 1.4.x before 1.4.4 on Windows allows a remote attacker to launch a PHP object injection by uploading a serialized file. | |||||
| CVE-2016-6656 | 1 Pivotal Software | 1 Greenplum | 2016-12-22 | 6.5 MEDIUM | 7.2 HIGH |
| An issue was discovered in Pivotal Greenplum before 4.3.10.0. Creation of external tables using GPHDFS protocol has a vulnerability whereby arbitrary commands can be injected into the system. In order to exploit this vulnerability the user must have superuser 'gpadmin' access to the system or have been granted GPHDFS protocol permissions in order to create a GPHDFS external table. | |||||
| CVE-2015-6547 | 1 Symantec | 1 Web Gateway | 2016-12-22 | 8.3 HIGH | N/A |
| The management console on Symantec Web Gateway (SWG) appliances with software before 5.2.2 DB 5.0.0.1277 allows remote authenticated users to execute arbitrary commands at boot time via unspecified vectors. | |||||
| CVE-2016-1000156 | 1 Mailcwp Project | 1 Mailcwp | 2016-12-15 | 7.5 HIGH | 9.8 CRITICAL |
| Mailcwp remote file upload vulnerability incomplete fix v1.100 | |||||
| CVE-2015-5082 | 1 Endian Firewall | 1 Endian Firewall | 2016-12-08 | 10.0 HIGH | N/A |
| Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi. | |||||
| CVE-2015-5080 | 1 Citrix | 2 Netscaler Application Delivery Controller Firmware, Netscaler Gateway Firmware | 2016-12-07 | 9.0 HIGH | N/A |
| The Management Interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.1 before 10.1.132.8, 10.5 before Build 56.15, and 10.5.e before Build 56.1505.e allows remote authenticated users to execute arbitrary shell commands via shell metacharacters in the filter parameter to rapi/ipsec_logs. | |||||
| CVE-2015-4974 | 1 Ibm | 2 General Parallel File System, Spectrum Scale | 2016-12-06 | 7.2 HIGH | N/A |
| IBM General Parallel File System (GPFS) 3.5.x before 3.5.0.27 and 4.1.x before 4.1.1.2 and Spectrum Scale 4.1.1.x before 4.1.1.2 allow local users to obtain root privileges for command execution via unspecified vectors. | |||||
| CVE-2015-5003 | 1 Ibm | 1 Tivoli Monitoring | 2016-12-06 | 8.5 HIGH | 8.5 HIGH |
| The portal in IBM Tivoli Monitoring (ITM) 6.2.2 through FP9, 6.2.3 through FP5, and 6.3.0 before FP7 allows remote authenticated users to execute arbitrary commands by leveraging Take Action view authority and providing crafted input. | |||||
| CVE-2015-2846 | 1 Bittorrent | 1 Sync | 2016-12-03 | 9.3 HIGH | N/A |
| BitTorrent Sync allows remote attackers to execute arbitrary commands via a crafted btsync: link. | |||||
| CVE-2016-1388 | 1 Cisco | 3 Network Analysis Module, Prime Network Analysis Module Software, Prime Virtual Network Analysis Module Software | 2016-11-30 | 7.5 HIGH | 9.8 CRITICAL |
| Cisco Prime Network Analysis Module (NAM) before 6.1(1) patch.6.1-2-final and 6.2.x before 6.2(1) and Prime Virtual Network Analysis Module (vNAM) before 6.1(1) patch.6.1-2-final and 6.2.x before 6.2(1) allow remote attackers to execute arbitrary OS commands via a crafted HTTP request, aka Bug ID CSCuy21882. | |||||
| CVE-2016-2875 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2016-11-28 | 9.0 HIGH | 8.8 HIGH |
| IBM Security QRadar SIEM 7.1.x and 7.2.x before 7.2.7 allows remote authenticated users to execute arbitrary OS commands as root via unspecified vectors. | |||||
| CVE-2016-0328 | 1 Ibm | 1 Security Guardium Database Activity Monitor | 2016-11-28 | 7.2 HIGH | 7.8 HIGH |
| IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 allows local users to obtain administrator privileges for command execution via unspecified vectors. | |||||
| CVE-2016-0326 | 1 Ibm | 2 Rational Collaborative Lifecycle Management, Rational Quality Manager | 2016-11-28 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Rational Quality Manager (RQM) and Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.x before 4.0.7 iFix11, 5.x before 5.0.2 iFix17, and 6.x before 6.0.1 ifix3 allow remote authenticated users to execute arbitrary OS commands via a crafted "HTML request." | |||||
| CVE-2016-0236 | 1 Ibm | 1 Security Guardium Database Activity Monitor | 2016-11-28 | 9.0 HIGH | 8.8 HIGH |
| IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 allows remote authenticated users to execute arbitrary commands with root privileges via the search field. | |||||
| CVE-2015-5453 | 1 Watchguard | 1 Xcs | 2016-11-28 | 6.5 MEDIUM | N/A |
| Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the id parameter to ADMIN/mailqueue.spl. | |||||
| CVE-2015-4930 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2016-11-28 | 9.0 HIGH | N/A |
| IBM QRadar SIEM 7.1 MR2 before Patch 11 IF02 and 7.2.x before 7.2.5 Patch 4 allows remote authenticated users to execute arbitrary commands with root privileges by leveraging admin access. | |||||
| CVE-2016-5640 | 1 Crestron | 2 Airmedia Am-100, Airmedia Am-100 Firmware | 2016-08-15 | 10.0 HIGH | 9.8 CRITICAL |
| Directory traversal vulnerability in cgi-bin/rftest.cgi on Crestron AirMedia AM-100 devices with firmware before 1.4.0.13 allows remote attackers to execute arbitrary commands via a .. (dot dot) in the ATE_COMMAND parameter. | |||||
| CVE-2016-4822 | 1 Corega | 2 Cg-wlbargnl, Cg-wlbargnl Firmware | 2016-06-28 | 5.2 MEDIUM | 8.0 HIGH |
| Corega CG-WLBARGL devices allow remote authenticated users to execute arbitrary commands via unspecified vectors. | |||||
| CVE-2015-0857 | 2 Debian, Tardiff Project | 2 Debian Linux, Tardiff | 2016-05-09 | 10.0 HIGH | 9.8 CRITICAL |
| Cool Projects TarDiff allows remote attackers to execute arbitrary commands via shell metacharacters in the name of a (1) tar file or (2) file within a tar file. | |||||
| CVE-2016-2332 | 1 Systech | 2 Syslink Sl-1000 Modular Gateway, Syslink Sl-1000 Modular Gateway Firmware | 2016-05-04 | 9.0 HIGH | 8.8 HIGH |
| flu.cgi in the web interface on SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with firmware before 01A.8 allows remote authenticated users to execute arbitrary commands via the 5066 (aka dnsmasq) parameter. | |||||
| CVE-2015-0538 | 1 Emc | 1 Autostart | 2016-04-01 | 9.3 HIGH | N/A |
| ftagent.exe in EMC AutoStart 5.4.x and 5.5.x before 5.5.0.508 HF4 allows remote attackers to execute arbitrary commands via crafted packets. | |||||
| CVE-2014-6260 | 1 Zenoss | 1 Zenoss Core | 2016-03-21 | 6.8 MEDIUM | N/A |
| Zenoss Core through 5 Beta 3 does not require a password for modifying the pager command string, which allows remote attackers to execute arbitrary commands or cause a denial of service (paging outage) by leveraging an unattended workstation, aka ZEN-15412. | |||||
| CVE-2015-7541 | 1 Colorscore Project | 1 Colorscore | 2016-01-18 | 10.0 HIGH | 10.0 CRITICAL |
| The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metacharacters in the (1) image_path, (2) colors, or (3) depth variable. | |||||
| CVE-2015-5011 | 1 Ibm | 2 Integration Bus, Websphere Message Broker | 2015-10-27 | 3.2 LOW | N/A |
| IBM WebSphere Message Broker 8 before 8.0.0.6 and Integration Bus 9 before 9.0.0.4 do not check authorization for MQSISTARTMSGFLOW and MQSISTOPMSGFLOW commands, which allows local users to bypass intended access restrictions, and start or stop a service, by issuing a command. | |||||
| CVE-2015-7839 | 1 Solarwinds | 1 Log And Event Manager | 2015-10-16 | 7.5 HIGH | N/A |
| SolarWinds Log and Event Manager (LEM) allows remote attackers to execute arbitrary commands on managed computers via a request to services/messagebroker/nonsecurestreamingamf involving the traceroute functionality. | |||||
| CVE-2015-2011 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2015-10-05 | 9.0 HIGH | N/A |
| The xmlrpc.cgi Webmin script in IBM QRadar SIEM 7.1 MR2 before Patch 11 IF02 and 7.2.x before 7.2.5 Patch 4 allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors. | |||||
| CVE-2015-5274 | 1 Redhat | 1 Openshift | 2015-09-22 | 6.5 MEDIUM | N/A |
| rubygem-openshift-origin-console in Red Hat OpenShift 2.2 allows remote authenticated users to execute arbitrary commands via a crafted request to the Broker. | |||||
| CVE-2015-5190 | 1 Pacemaker/corosync Configuration System Project | 1 Pacemaker/corosync Configuration System | 2015-09-04 | 8.5 HIGH | N/A |
| The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via "escape characters" in a URL. | |||||
| CVE-2015-5474 | 2 Bittorrent, Utorrent | 2 Bittorrent, Utorrent | 2015-08-13 | 9.3 HIGH | N/A |
| BitTorrent and uTorrent allow remote attackers to inject command line parameters and execute arbitrary commands via a crafted URL using the (1) bittorrent or (2) magnet protocol. | |||||
| CVE-2015-4525 | 1 Emc | 1 Isilon Onefs | 2015-07-08 | 9.0 HIGH | N/A |
| The log-gather implementation in the web administration interface in EMC Isilon OneFS 6.5.x.x through 7.1.1.x before 7.1.1.5 and 7.2.0.x before 7.2.0.2 allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors. | |||||
| CVE-2015-4336 | 1 Xcloner | 1 Xcloner | 2015-06-18 | 6.5 MEDIUM | N/A |
| cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as demonstrated by using the backup comments feature to create the file. | |||||
| CVE-2015-2208 | 1 Avinu | 1 Phpmoadmin | 2015-03-12 | 7.5 HIGH | N/A |
| The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the object parameter. | |||||
| CVE-2015-0934 | 1 Sharelatex | 1 Sharelatex | 2015-03-04 | 6.5 MEDIUM | N/A |
| Common LaTeX Service Interface (CLSI) before 0.1.3, as used in ShareLaTeX before 0.1.3, allows remote authenticated users to execute arbitrary code via ` (backtick) characters in a filename. | |||||
| CVE-2014-9682 | 1 Dns-sync Project | 1 Dns-sync | 2015-03-02 | 10.0 HIGH | N/A |
| The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function. | |||||
| CVE-2014-9277 | 1 Mediawiki | 1 Mediawiki | 2015-01-06 | 7.5 HIGH | N/A |
| The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-domain-policy> in a PHP format request, which causes the string length to change when converting the request to <NOT-cross-domain-policy>. | |||||
| CVE-2013-7418 | 1 Ipcop | 1 Ipcop | 2015-01-05 | 6.5 MEDIUM | N/A |
| cgi-bin/iptablesgui.cgi in IPCop (aka IPCop Firewall) before 2.1.5 allows remote authenticated users to execute arbitrary code via shell metacharacters in the TABLE parameter. NOTE: this can be exploited remotely by leveraging a separate cross-site scripting (XSS) vulnerability. | |||||
| CVE-2014-1905 | 1 Videowhisper | 1 Videowhisper Live Streaming Integration | 2014-12-30 | 10.0 HIGH | N/A |
| Unrestricted file upload vulnerability in ls/vw_snapshots.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, and then accessing the file via a direct request to a wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/ pathname, as demonstrated by a .php.jpg filename. | |||||
