Total
1813 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-19950 | 1 Qnap | 2 Music Station, Qts | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| If exploited, this command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11. | |||||
| CVE-2018-19949 | 1 Qnap | 1 Qts | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109. | |||||
| CVE-2018-19911 | 1 Freeswitch | 1 Freeswitch | 2024-11-21 | 7.6 HIGH | 7.5 HIGH |
| FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used. | |||||
| CVE-2018-19451 | 2 Foxitsoftware, Microsoft | 2 Foxit Pdf Sdk Activex, Windows | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when using the Open File action on a Field. An attacker can leverage this to gain remote code execution. | |||||
| CVE-2018-19450 | 2 Foxitsoftware, Microsoft | 2 Foxit Pdf Sdk Activex, Windows | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) 5.4.0.1031 when parsing a launch action. An attacker can leverage this to gain remote code execution. | |||||
| CVE-2018-19445 | 2 Foxitsoftware, Microsoft | 2 Foxit Pdf Sdk Activex, Windows | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| A command injection can occur for specially crafted PDF files in Foxit Reader SDK (ActiveX) Professional 5.4.0.1031 when the JavaScript API app.launchURL is used. An attacker can leverage this to gain remote code execution. | |||||
| CVE-2018-19418 | 2 Foxitsoftware, Microsoft | 2 Pdf Activex, Windows | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
| Foxit PDF ActiveX before 5.5.1 allows remote code execution via command injection because of the lack of a security permission control. | |||||
| CVE-2018-19031 | 1 360 | 10 Safe Router P0, Safe Router P0 Firmware, Safe Router P1 and 7 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A command injection vulnerability exists when the authorized user passes crafted parameter to background process in the router. This affects 360 router series products (360 Safe Router P0,P1,P2,P3,P4), the affected version is V2.0.61.58897. | |||||
| CVE-2018-19013 | 1 Omron | 1 Cx-supervisor | 2024-11-21 | 4.9 MEDIUM | 5.0 MEDIUM |
| An attacker could inject commands to delete files and/or delete the contents of a file on CX-Supervisor (Versions 3.42 and prior) through a specially crafted project file. | |||||
| CVE-2018-17445 | 1 Citrix | 2 Netscaler Sd-wan, Sd-wan | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Command Injection issue was discovered in Citrix SD-WAN 10.1.0 and NetScaler SD-WAN 9.3.x before 9.3.6 and 10.0.x before 10.0.4. | |||||
| CVE-2018-17172 | 1 Xerox | 20 Altalink B8045, Altalink B8045 Firmware, Altalink B8055 and 17 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The web application on Xerox AltaLink B80xx before 100.008.028.05200, C8030/C8035 before 100.001.028.05200, C8045/C8055 before 100.002.028.05200, and C8070 before 100.003.028.05200 allows unauthenticated command injection. | |||||
| CVE-2018-16417 | 2 Arubanetworks, Siemens | 3 Instant, W1750d, W1750d Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Aruba Instant 4.x prior to 6.4.4.8-4.2.4.12, 6.5.x prior to 6.5.4.11, 8.3.x prior to 8.3.0.6, and 8.4.x prior to 8.4.0.1 allows Command injection. | |||||
| CVE-2018-15356 | 1 Eltex | 2 Esp-200, Esp-200 Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An authenticated attacker can execute arbitrary code using command ejection in Eltex ESP-200 firmware version 1.2.0. | |||||
| CVE-2018-14893 | 1 Zyxel | 2 Nsa325 V2, Nsa325 V2 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API. | |||||
| CVE-2018-14746 | 1 Qnap | 1 Qts | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Command Injection vulnerability in QTS 4.3.5 build 20181013, QTS 4.3.4 build 20181008, QTS 4.3.3 build 20180829, QTS 4.2.6 build 20180829 and earlier versions could allow remote attackers to run arbitrary commands on the NAS. | |||||
| CVE-2018-14649 | 1 Redhat | 5 Ceph-iscsi-cli, Ceph Storage, Enterprise Linux Desktop and 2 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| It was found that ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode. This is done by setting debug=True in file /usr/bin/rbd-target-api provided by ceph-isci-cli package. This allows unauthenticated attackers to access this debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell they will be able to execute arbitrary commands remotely. These commands will run with the same privileges as of user executing the application which is using python-werkzeug with debug shell mode enabled. In - Red Hat Ceph Storage 2 and 3, ceph-isci-cli package runs python-werkzeug library with root level permissions. | |||||
| CVE-2018-14067 | 1 Greenpacket | 2 Dv-360, Dv-360 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Green Packet WiMax DV-360 2.10.14-g1.0.6.1 devices allow Command Injection, with unauthenticated remote command execution, via a crafted payload to the HTTPS port, because lighttpd listens on all network interfaces (including the external Internet) by default. NOTE: this may overlap CVE-2017-9980. | |||||
| CVE-2018-11106 | 1 Netgear | 10 Wc7500, Wc7500 Firmware, Wc7520 and 7 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| NETGEAR has released fixes for a pre-authentication command injection in request_handler.php security vulnerability on the following product models: WC7500, running firmware versions prior to 6.5.3.5; WC7520, running firmware versions prior to 2.5.0.46; WC7600v1, running firmware versions prior to 6.5.3.5; WC7600v2, running firmware versions prior to 6.5.3.5; and WC9500, running firmware versions prior to 6.5.3.5. | |||||
| CVE-2018-1000802 | 4 Canonical, Debian, Opensuse and 1 more | 4 Ubuntu Linux, Debian Linux, Leap and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace. | |||||
| CVE-2018-0730 | 1 Qnap | 1 Qts | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| This command injection vulnerability in File Station allows attackers to execute commands on the affected device. To fix the vulnerability, QNAP recommend updating QTS to their latest versions. | |||||