Total
3666 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15430 | 1 Control-webpanel | 1 Webpanel | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_list_accounts.php. When parsing the username parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9736. | |||||
| CVE-2020-11941 | 1 Opmantek | 1 Open-audit | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Open-AudIT 3.2.2. There is OS Command injection in Discovery. | |||||
| CVE-2020-11852 | 1 Microfocus | 1 Secure Messaging Gateway | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| DKIM key management page vulnerability on Micro Focus Secure Messaging Gateway (SMG). Affecting all SMG Appliance running releases prior to July 2020. The vulnerability could allow a logged in user with rights to generate DKIM key information to inject system commands into the call to the DKIM system command. | |||||
| CVE-2018-21104 | 1 Netgear | 2 R7800, R7800 Firmware | 2024-02-28 | 5.2 MEDIUM | 6.8 MEDIUM |
| NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user. | |||||
| CVE-2020-17384 | 1 Cellopoint | 1 Cellos | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| Cellopoint Cellos v4.1.10 Build 20190922 does not validate URL inputted properly. With the cookie of the system administrator, attackers can inject and remotely execute arbitrary command to manipulate the system. | |||||
| CVE-2020-3336 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| A vulnerability in the software upgrade process of Cisco TelePresence Collaboration Endpoint Software and Cisco RoomOS Software could allow an authenticated, remote attacker to modify the filesystem to cause a denial of service (DoS) or gain privileged access to the root filesystem. The vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by sending requests with malformed parameters to the system using the console, Secure Shell (SSH), or web API. A successful exploit could allow the attacker to modify the device configuration or cause a DoS. | |||||
| CVE-2020-11490 | 1 Zevenet | 1 Zen Load Balancer | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| Manage::Certificates in Zen Load Balancer 3.10.1 allows remote authenticated admins to execute arbitrary OS commands via shell metacharacters in the index.cgi cert_issuer, cert_division, cert_organization, cert_locality, cert_state, cert_country, or cert_email parameter. | |||||
| CVE-2016-11022 | 1 Netgear | 6 Prosafe Wc7520, Prosafe Wc7520 Firmware, Prosafe Wc7600 and 3 more | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| NETGEAR Prosafe WC9500 5.1.0.17, WC7600 5.1.0.17, and WC7520 2.5.0.35 devices allow a remote attacker to execute code with root privileges via shell metacharacters in the reqMethod parameter to login_handler.php. | |||||
| CVE-2020-13151 | 1 Aerospike | 1 Aerospike Server | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service. | |||||
| CVE-2020-15428 | 1 Control-webpanel | 1 Webpanel | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_crons.php. When parsing the line parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9714. | |||||
| CVE-2020-13619 | 1 Locutus | 1 Locutus Php | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution. | |||||
| CVE-2020-15422 | 1 Control-webpanel | 1 Webpanel | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_mod_security.php. When parsing the archivo parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9731. | |||||
| CVE-2020-7619 | 1 Get-git-data Project | 1 Get-git-data | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data. | |||||
| CVE-2020-7635 | 1 Compass-compile Project | 1 Compass-compile | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| compass-compile through 0.0.1 is vulnerable to Command Injection.It allows execution of arbitrary commands via tha options argument. | |||||
| CVE-2019-15708 | 1 Fortinet | 4 Fortiap, Fortiap-s, Fortiap-u and 1 more | 2024-02-28 | 7.2 HIGH | 6.7 MEDIUM |
| A system command injection vulnerability in the FortiAP-S/W2 6.2.1, 6.2.0, 6.0.5 and below, FortiAP 6.0.5 and below and FortiAP-U below 6.0.0 under CLI admin console may allow unauthorized administrators to run arbitrary system level commands via specially crafted ifconfig commands. | |||||
| CVE-2020-5352 | 1 Dell | 1 Emc Data Protection Advisor | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| Dell EMC Data Protection Advisor 6.4, 6.5 and 18.1 contain an OS command injection vulnerability. A remote authenticated malicious user may exploit this vulnerability to execute arbitrary commands on the affected system. | |||||
| CVE-2020-12393 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2024-02-28 | 4.6 MEDIUM | 7.8 HIGH |
| The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. *Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. | |||||
| CVE-2020-12242 | 1 Valvesoftware | 1 Source | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
| Valve Source allows local users to gain privileges by writing to the /tmp/hl2_relaunch file, which is later executed in the context of a different user account. | |||||
| CVE-2019-11689 | 1 Asustor | 1 Exfat Driver | 2024-02-28 | 9.3 HIGH | 8.1 HIGH |
| An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. When conducting license validation, exfat.cgi and exfatctl fail to properly validate server responses and pass unsanitized text to the system shell, resulting in code execution as root. | |||||
| CVE-2018-21109 | 1 Netgear | 2 R7800, R7800 Firmware | 2024-02-28 | 5.2 MEDIUM | 6.8 MEDIUM |
| NETGEAR R7800 devices before 1.0.2.60 are affected by command injection by an authenticated user. | |||||