Total: 1813 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-29895 | | | 2024-11-21 | N/A | 10.0 CRITICAL | Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary commands on the server when the `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when the `register_argc_argv` option of PHP is `On`. This option is `On` by default in many environments, such as the main PHP Docker image. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc.
CVE-2024-29864 | | | 2024-11-21 | N/A | 9.8 CRITICAL | Distrobox before 1.7.0.1 allows attackers to execute arbitrary code via command injection into exported executables.
CVE-2024-29737 | 1 Apache | 1 Streampark | 2024-11-21 | N/A | 4.7 MEDIUM | In StreamPark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the StreamPark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Mitigation: all users should upgrade to 2.1.4. Background info: Log in to StreamPark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the "Build Argument". Note that there is no verification and interception of the special character "`". As a result, this injected command is executed when the build runs. In the latest version, the special symbol ` is intercepted.
CVE-2024-29435 | | | 2024-11-21 | N/A | 4.1 MEDIUM | An issue discovered in Alldata v0.4.6 allows an attacker to run arbitrary commands via the processId parameter.
CVE-2024-29385 | | | 2024-11-21 | N/A | 9.0 CRITICAL | DIR-845L router <= v1.01KRb03 has an unauthenticated remote code execution vulnerability in the cgibin binary via the soapcgi_main function.
CVE-2024-29366 | | | 2024-11-21 | N/A | 8.8 HIGH | A command injection vulnerability exists in the cgibin binary in DIR-845L router firmware <= v1.01KRb03.
CVE-2024-29269 | | | 2024-11-21 | N/A | 8.8 HIGH | An issue discovered in Telesquare TLR-2005Ksh 1.0.0 and 1.1.4 allows attackers to run arbitrary system commands via the Cmd parameter.
CVE-2024-28545 | | | 2024-11-21 | N/A | 9.8 CRITICAL | Tenda AC18 V15.03.05.05 contains a command injection vulnerability in the deviceName parameter of the formsetUsbUnload function.
CVE-2024-28354 | | | 2024-11-21 | N/A | 10.0 CRITICAL | There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the POST request parameter usapps.@smb[%d].username in the apply.cgi interface, thereby gaining root shell privileges.
CVE-2024-28353 | | | 2024-11-21 | N/A | 8.8 HIGH | There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the POST request parameter usapps.config.smb_admin_name in the apply.cgi interface, thereby gaining root shell privileges.
CVE-2024-28328 | | | 2024-11-21 | N/A | 5.4 MEDIUM | CSV Injection vulnerability in the Asus RT-N12+ router allows administrator users to inject arbitrary commands or formulas in the client name parameter, which can be triggered and executed in a different user's session upon exporting to CSV format.
CVE-2024-28125 | | | 2024-11-21 | N/A | 9.8 CRITICAL | FitNesse (all releases) allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification, and this is currently under further investigation.
CVE-2024-28041 | | | 2024-11-21 | N/A | 8.8 HIGH | HGW BL1500HM Ver 002.001.013 and earlier allows a network-adjacent unauthenticated attacker to execute an arbitrary command.
CVE-2024-27972 | | | 2024-11-21 | N/A | 9.9 CRITICAL | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Very Good Plugins WP Fusion Lite allows Command Injection. This issue affects WP Fusion Lite: from n/a through 3.41.24.
CVE-2024-26298 | | | 2024-11-21 | N/A | 7.2 HIGH | Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system, leading to complete system compromise.
CVE-2024-26297 | | | 2024-11-21 | N/A | 7.2 HIGH | Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system, leading to complete system compromise.
CVE-2024-26296 | | | 2024-11-21 | N/A | 7.2 HIGH | Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system, leading to complete system compromise.
CVE-2024-26295 | | | 2024-11-21 | N/A | 7.2 HIGH | Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system, leading to complete system compromise.
CVE-2024-26294 | | | 2024-11-21 | N/A | 7.2 HIGH | Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system, leading to complete system compromise.
CVE-2024-26204 | | | 2024-11-21 | N/A | 7.5 HIGH | Outlook for Android Information Disclosure Vulnerability