Total
3666 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-16072 | 1 Netsas | 1 Enigma Network Management Solution | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
An OS command injection vulnerability in the discover_and_manage CGI script in NETSAS Enigma NMS 65.0.0 and prior allows an attacker to execute arbitrary code because of improper neutralization of shell metacharacters in the ip_address variable within an snmp_browser action. | |||||
CVE-2020-15631 | 1 Dlink | 2 Dap-1860, Dap-1860 Firmware | 2024-02-28 | 5.8 MEDIUM | 8.0 HIGH |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1860 1.04B03_HOTFIX WiFi extenders. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the HNAP service, which listens on TCP port 80 by default. When parsing the SOAPAction header, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-10084. | |||||
CVE-2020-12107 | 1 Stengg | 2 Vpncrypt M10, Vpncrypt M10 Firmware | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows command injection via a text field, which allow full control over this module's Operating System. | |||||
CVE-2018-21098 | 1 Netgear | 2 R7800, R7800 Firmware | 2024-02-28 | 5.2 MEDIUM | 6.8 MEDIUM |
NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user. | |||||
CVE-2020-15611 | 1 Control-webpanel | 1 Webpanel | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_dashboard.php. When parsing the service_restart parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9734. | |||||
CVE-2020-11953 | 1 Rittal | 9 Cmc Iii Pu 7030.000, Cmc Iii Pu 7030.000 Firmware, Cmciii-pu-9333e0fb and 6 more | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
An issue was discovered on Rittal PDU-3C002DEC through 5.15.40 and CMCIII-PU-9333E0FB through 3.15.70_4 devices. Attackers can execute code. | |||||
CVE-2020-10882 | 1 Tp-link | 2 Ac1750, Ac1750 Firmware | 2024-02-28 | 8.3 HIGH | 8.8 HIGH |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9650. | |||||
CVE-2020-5556 | 1 Shihonkanri Plus Goout Project | 1 Shihonkanri Plus Goout | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
Shihonkanri Plus GOOUT Ver1.5.8 and Ver2.2.10 allows remote attackers to execute arbitrary OS commands via unspecified vectors. | |||||
CVE-2020-13252 | 1 Centreon | 1 Centreon | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page. | |||||
CVE-2019-19220 | 1 Bmcsoftware | 1 Control-m\/agent | 2024-02-28 | 8.5 HIGH | 8.8 HIGH |
BMC Control-M/Agent 7.0.00.000 allows OS Command Injection (issue 2 of 2). | |||||
CVE-2020-7623 | 1 Jscover Project | 1 Jscover | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
jscover through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary command via the source argument. | |||||
CVE-2020-15426 | 1 Control-webpanel | 1 Webpanel | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_migration_cpanel.php. When parsing the serverip parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9709. | |||||
CVE-2020-24572 | 1 Raspap | 1 Raspap | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
An issue was discovered in includes/webconsole.php in RaspAP 2.5. With authenticated access, an attacker can use a misconfigured (and virtually unrestricted) web console to attack the underlying OS (Raspberry Pi) running this software, and execute commands on the system (including ones for uploading of files and execution of code). | |||||
CVE-2020-15612 | 1 Control-webpanel | 1 Webpanel | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_ftp_manager.php. When parsing the userLogin parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9737. | |||||
CVE-2020-10603 | 1 Advantech | 1 Webaccess\/nms | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
WebAccess/NMS (versions prior to 3.0.2) does not properly sanitize user input and may allow an attacker to inject system commands remotely. | |||||
CVE-2020-7351 | 1 Netfortris | 1 Trixbox | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
An OS Command Injection vulnerability in the endpoint_devicemap.php component of Fonality Trixbox Community Edition allows an attacker to execute commands on the underlying operating system as the "asterisk" user. Note that Trixbox Community Edition has been unsupported by the vendor since 2012. This issue affects: Fonality Trixbox Community Edition, versions 1.2.0 through 2.8.0.4. Versions 1.0 and 1.1 are unaffected. | |||||
CVE-2019-15310 | 1 Linkplay | 1 Linkplay | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered on various devices via the Linkplay firmware. There is WAN remote code execution without user interaction. An attacker could retrieve the AWS key from the firmware and obtain full control over Linkplay's AWS estate, including S3 buckets containing device firmware. When combined with an OS command injection vulnerability within the XML Parsing logic of the firmware update process, an attacker would be able to gain code execution on any device that attempted to update. Note that by default all devices tested had automatic updates enabled. | |||||
CVE-2020-15606 | 1 Control-webpanel | 1 Webpanel | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_admin_apis.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9720. | |||||
CVE-2020-15432 | 1 Control-webpanel | 1 Webpanel | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_migration_cpanel.php. When parsing the filespace parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9743. | |||||
CVE-2020-12111 | 1 Tp-link | 4 Nc260, Nc260 Firmware, Nc450 and 1 more | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
Certain TP-Link devices allow Command Injection. This affects NC260 1.5.2 build 200304 and NC450 1.5.3 build 200304. |