Total
3873 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26301 | 2 Microsoft, Ssh2 Project | 2 Windows, Ssh2 | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
| ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0. | |||||
| CVE-2020-26300 | 1 Systeminformation | 1 Systeminformation | 2024-11-21 | 7.5 HIGH | 5.9 MEDIUM |
| systeminformation is an npm package that provides system and OS information library for node.js. In systeminformation before version 4.26.2 there is a command injection vulnerability. Problem was fixed in version 4.26.2 with a shell string sanitation fix. | |||||
| CVE-2020-26294 | 1 Target | 1 Compiler | 2024-11-21 | 5.0 MEDIUM | 7.4 HIGH |
| Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets. | |||||
| CVE-2020-26284 | 1 Gohugo | 1 Hugo | 2024-11-21 | 8.5 HIGH | 7.7 HIGH |
| Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround. | |||||
| CVE-2020-26274 | 1 Systeminformation | 1 Systeminformation | 2024-11-21 | 7.5 HIGH | 6.4 MEDIUM |
| In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix. | |||||
| CVE-2020-26259 | 3 Debian, Fedoraproject, Xstream Project | 3 Debian Linux, Fedora, Xstream | 2024-11-21 | 6.4 MEDIUM | 6.8 MEDIUM |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories. | |||||
| CVE-2020-26245 | 1 Systeminformation | 1 Systeminformation | 2024-11-21 | 7.5 HIGH | 8.1 HIGH |
| npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite(). | |||||
| CVE-2020-26217 | 5 Apache, Debian, Netapp and 2 more | 15 Activemq, Debian Linux, Snapmanager and 12 more | 2024-11-21 | 9.3 HIGH | 8.0 HIGH |
| XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14. | |||||
| CVE-2020-26193 | 1 Dell | 1 Emc Powerscale Onefs | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Dell EMC PowerScale OneFS versions 8.1.0 - 9.1.0 contain an improper input validation vulnerability. A user with the ISI_PRIV_CLUSTER privilege may exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. | |||||
| CVE-2020-26085 | 1 Cisco | 1 Jabber | 2024-11-21 | 9.0 HIGH | 9.9 CRITICAL |
| Multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2020-25859 | 1 Qualcomm | 1 Qcmap | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| The QCMAP_CLI utility in the Qualcomm QCMAP software suite prior to versions released in October 2020 uses a system() call without validating the input, while handling a SetGatewayUrl() request. A local attacker with shell access can pass shell metacharacters and run arbitrary commands. If QCMAP_CLI can be run via sudo or setuid, this also allows elevating privileges to root. This version of QCMAP is used in many kinds of networking devices, primarily mobile hotspots and LTE routers. | |||||
| CVE-2020-25849 | 1 Openfind | 2 Mailaudit, Mailgates | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| MailGates and MailAudit products contain Command Injection flaw, which can be used to inject and execute system commands from the cgi parameter after attackers obtain the user’s access token. | |||||
| CVE-2020-25765 | 1 Westerndigital | 6 My Cloud Ex4100, My Cloud Expert Series Ex2, My Cloud Firmware and 3 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Addressed remote code execution vulnerability in reg_device.php due to insufficient validation of user input.in Western Digital My Cloud Devices prior to 5.4.1140. | |||||
| CVE-2020-25759 | 1 Dlink | 20 Dsr-1000, Dsr-1000 Firmware, Dsr-1000ac and 17 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered on D-Link DSR-250 3.17 devices. Certain functionality in the Unified Services Router web interface could allow an authenticated attacker to execute arbitrary commands, due to a lack of validation of inputs provided in multipart HTTP POST requests. | |||||
| CVE-2020-25757 | 1 Dlink | 20 Dsr-1000, Dsr-1000 Firmware, Dsr-1000ac and 17 more | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17. | |||||
| CVE-2020-25755 | 1 Enphase | 2 Envoy, Envoy Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered on Enphase Envoy R3.x and D4.x (and other current) devices. The upgrade_start function in /installer/upgrade_start allows remote authenticated users to execute arbitrary commands via the force parameter. | |||||
| CVE-2020-25618 | 1 Solarwinds | 1 N-central | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in SolarWinds N-Central 12.3.0.670. The sudo configuration has incorrect access control because the nable web user account is effectively able to run arbitrary OS commands as root (i.e., the use of root privileges is not limited to specific programs listed in the sudoers file). | |||||
| CVE-2020-25506 | 1 Dlink | 2 Dns-320, Dns-320 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution. | |||||
| CVE-2020-25499 | 1 Totolink | 26 A3002r, A3002r Firmware, A3002ru-v1 and 23 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote users to modify the system's 'Run Command'. An attacker can use this functionality to execute arbitrary OS commands on the router. | |||||
| CVE-2020-25494 | 1 Xinuos | 1 Openserver | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Xinuos (formerly SCO) Openserver v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in outputform or toclevels parameter to cgi-bin/printbook. | |||||