Vulnerabilities (CVE)

Filtered by CWE-78
Total 3851 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-23789 2024-11-21 N/A 9.8 CRITICAL
Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a network-adjacent unauthenticated attacker to execute an arbitrary OS command on the affected product.
CVE-2024-23109 1 Fortinet 1 Fortisiem 2024-11-21 N/A 10.0 CRITICAL
An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via via crafted API requests.
CVE-2024-23108 1 Fortinet 1 Fortisiem 2024-11-21 N/A 10.0 CRITICAL
An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.1.0 through 7.1.1 and 7.0.0 through 7.0.2 and 6.7.0 through 6.7.8 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.2 and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via via crafted API requests.
CVE-2024-23061 1 Totolink 2 A3300r, A3300r Firmware 2024-11-21 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the minute parameter in the setScheduleCfg function.
CVE-2024-23060 1 Totolink 2 A3300r, A3300r Firmware 2024-11-21 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the ip parameter in the setDmzCfg function.
CVE-2024-23059 1 Totolink 2 A3300r, A3300r Firmware 2024-11-21 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the username parameter in the setDdnsCfg function.
CVE-2024-23058 1 Totolink 2 A3300r, A3300r Firmware 2024-11-21 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the pass parameter in the setTr069Cfg function.
CVE-2024-23057 1 Totolink 2 A3300r, A3300r Firmware 2024-11-21 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the tz parameter in the setNtpCfg function.
CVE-2024-22942 1 Totolink 2 A3300r, A3300r Firmware 2024-11-21 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the hostName parameter in the setWanCfg function.
CVE-2024-22836 1 Akaunting 1 Akaunting 2024-11-21 N/A 9.8 CRITICAL
An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server.
CVE-2024-22445 1 Dell 1 Powerprotect Data Manager 2024-11-21 N/A 7.2 HIGH
Dell PowerProtect Data Manager, version 19.15 and prior versions, contain an OS command injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
CVE-2024-22423 2024-11-21 N/A 8.3 HIGH
yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2024.04.09 fixes this issue by properly escaping `%`. It replaces them with `%%cd:~,%`, a variable that expands to nothing, leaving only the leading percent. It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using `--exec`, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade, avoid using any output template expansion in `--exec` other than `{}` (filepath); if expansion in `--exec` is needed, verify the fields you are using do not contain `"`, `|` or `&`; and/or instead of using `--exec`, write the info json and load the fields from it instead.
CVE-2024-22372 1 Elecom 10 Wrc-x1800gs-b, Wrc-x1800gs-b Firmware, Wrc-x1800gsa-b and 7 more 2024-11-21 N/A 6.8 MEDIUM
OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product.
CVE-2024-22366 1 Yamaha 10 Wlx202, Wlx202 Firmware, Wlx212 and 7 more 2024-11-21 N/A 6.8 MEDIUM
Active debug code exists in Yamaha wireless LAN access point devices. If a logged-in user who knows how to use the debug function accesses the device's management page, this function can be enabled by performing specific operations. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered. Affected products and versions are as follows: WLX222 firmware Rev.24.00.03 and earlier, WLX413 firmware Rev.22.00.05 and earlier, WLX212 firmware Rev.21.00.12 and earlier, WLX313 firmware Rev.18.00.12 and earlier, and WLX202 firmware Rev.16.00.18 and earlier.
CVE-2024-22228 1 Dell 1 Unity Operating Environment 2024-11-21 N/A 7.8 HIGH
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_cifssupport utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges.
CVE-2024-22227 1 Dell 1 Unity Operating Environment 2024-11-21 N/A 7.8 HIGH
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_dc utility. An authenticated attacker could potentially exploit this vulnerability, leading to the ability execute commands with root privileges.
CVE-2024-22225 1 Dell 1 Unity Operating Environment 2024-11-21 N/A 7.8 HIGH
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_supportassist utility. An authenticated attacker could potentially exploit this vulnerability, leading to execution of arbitrary operating system commands with root privileges.
CVE-2024-22224 1 Dell 1 Unity Operating Environment 2024-11-21 N/A 7.8 HIGH
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_nas utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges.
CVE-2024-22223 1 Dell 1 Unity Operating Environment 2024-11-21 N/A 7.8 HIGH
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability within its svc_cbr utility. An authenticated malicious user with local access could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application.
CVE-2024-22222 1 Dell 1 Unity Operating Environment 2024-11-21 N/A 7.8 HIGH
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability within its svc_udoctor utility. An authenticated malicious user with local access could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application.