Total
3666 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15423 | 1 Control-webpanel | 1 Webpanel | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mod_security.php. When parsing the dominio parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9732. | |||||
| CVE-2020-10674 | 1 Perlspeak Project | 1 Perlspeak | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| PerlSpeak through 2.01 allows attackers to execute arbitrary OS commands, as demonstrated by use of system and 2-argument open. | |||||
| CVE-2020-15893 | 1 Dlink | 2 Dir-816l, Dir-816l Firmware | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. Universal Plug and Play (UPnP) is enabled by default on port 1900. An attacker can perform command injection by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover packet. | |||||
| CVE-2020-11981 | 1 Apache | 1 Airflow | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands. | |||||
| CVE-2020-13124 | 1 Sabnzbd | 1 Sabnzbd | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| SABnzbd 2.3.9 and 3.0.0Alpha2 has a command injection vulnerability in the web configuration interface that permits an authenticated user to execute arbitrary Python commands on the underlying operating system. | |||||
| CVE-2020-13694 | 1 Quickbox | 1 Quickbox | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the mysql -e option. | |||||
| CVE-2020-11766 | 2 Avantfax, Ifax | 2 Avantfax, Hylafax | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| sendfax.php in iFAX AvantFAX before 3.3.6 and HylaFAX Enterprise Web Interface before 0.2.5 allows authenticated Command Injection. | |||||
| CVE-2020-3279 | 1 Cisco | 12 Rv016, Rv016 Firmware, Rv042 and 9 more | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers could allow an authenticated, remote attacker with administrative privileges to execute arbitrary commands on an affected device. The vulnerabilities exist because the web-based management interface does not properly validate user-supplied input to scripts. An attacker with administrative privileges that are sufficient to log in to the web-based management interface could exploit each vulnerability by sending malicious requests to an affected device. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system. | |||||
| CVE-2019-12132 | 1 Onap | 1 Open Network Automation Platform | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in ONAP SDNC before Dublin. By executing sla/dgUpload with a crafted filename parameter, an unauthenticated attacker can execute an arbitrary command. All SDC setups that include admportal are affected. | |||||
| CVE-2020-4180 | 1 Ibm | 1 Security Guardium | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| IBM Security Guardium 11.1 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 174735. | |||||
| CVE-2018-21152 | 1 Netgear | 14 D7800, D7800 Firmware, R7500 and 11 more | 2024-02-28 | 5.2 MEDIUM | 6.8 MEDIUM |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.34, R7500v2 before 1.0.3.26, R7800 before 1.0.2.42, R8900 before 1.0.3.10, R9000 before 1.0.3.10, WNDR4300v2 before 1.0.0.54, and WNDR4500v3 before 1.0.0.54. | |||||
| CVE-2020-5332 | 1 Rsa | 1 Archer | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain a command injection vulnerability. AN authenticated malicious user with administrator privileges could potentially exploit this vulnerability to execute arbitrary commands on the system where the vulnerable application is deployed. | |||||
| CVE-2018-21130 | 1 Netgear | 4 Wac505, Wac505 Firmware, Wac510 and 1 more | 2024-02-28 | 5.8 MEDIUM | 8.8 HIGH |
| Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects WAC505 before 5.0.0.17 and WAC510 before 5.0.0.17. | |||||
| CVE-2019-19940 | 1 Swisscom | 2 Centro Grande, Centro Grande Firmware | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| Incorrect input sanitation in text-oriented user interfaces (telnet, ssh) in Swisscom Centro Grande before 6.16.12 allows remote authenticated users to execute arbitrary commands via command injection. | |||||
| CVE-2020-14947 | 1 Factorfx | 1 Open Computer Software Inventory Next Generation | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php because mib_file in plugins/main_sections/ms_config/ms_snmp_config.php is mishandled in get_mib_oid. | |||||
| CVE-2018-21100 | 1 Netgear | 2 R7800, R7800 Firmware | 2024-02-28 | 5.2 MEDIUM | 8.0 HIGH |
| NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user. | |||||
| CVE-2020-8958 | 1 Gpononu | 4 1ge\+3fe\+wifi Onu V2804rgw, 1ge\+3fe\+wifi Onu V2804rgw Firmware, 1ge Router Wifi Onu V2801rw and 1 more | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field. | |||||
| CVE-2020-15922 | 1 Midasolutions | 1 Eframework | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| There is an OS Command Injection in Mida eFramework 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. Authentication is required. | |||||
| CVE-2020-15610 | 1 Control-webpanel | 1 Webpanel | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_php_pecl.php. When parsing the modulo parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9728. | |||||
| CVE-2020-11016 | 1 Intelmq Manager Project | 1 Intelmq Manager | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| IntelMQ Manager from version 1.1.0 and before version 2.1.1 has a vulnerability where the backend incorrectly handled messages given by user-input in the "send" functionality of the Inspect-tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver. Version 2.1.1 fixes the vulnerability. | |||||