Total
3666 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-1602 | 1 Juniper | 1 Junos | 2024-02-28 | 8.3 HIGH | 8.8 HIGH |
| When a device using Juniper Network's Dynamic Host Configuration Protocol Daemon (JDHCPD) process on Junos OS or Junos OS Evolved which is configured in relay mode it vulnerable to an attacker sending crafted IPv4 packets who may remotely take over the code execution of the JDHDCP process. This issue affect IPv4 JDHCPD services. This issue affects: Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S6; 15.1X49 versions prior to 15.1X49-D200; 15.1X53 versions prior to 15.1X53-D592; 16.1 versions prior to 16.1R7-S6; 16.2 versions prior to 16.2R2-S11; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R2-S8, 17.2R3-S3; 17.3 versions prior to 17.3R3-S6; 17.4 versions prior to 17.4R2-S7, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R3-S2; 18.2X75 versions prior to 18.2X75-D60; 18.3 versions prior to 18.3R1-S6, 18.3R2-S2, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3; 19.1 versions prior to 19.1R1-S3, 19.1R2; 19.2 versions prior to 19.2R1-S3, 19.2R2*. and All versions prior to 19.3R1 on Junos OS Evolved. This issue do not affect versions of Junos OS prior to 15.1, or JDHCPD operating as a local server in non-relay mode. | |||||
| CVE-2019-18183 | 2 Fedoraproject, Pacman Project | 2 Fedora, Pacman | 2024-02-28 | 6.8 MEDIUM | 9.8 CRITICAL |
| pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file. | |||||
| CVE-2017-12945 | 1 Mersive | 2 Solstice, Solstice Firmware | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| Insufficient validation of user-supplied input for the Solstice Pod before 2.8.4 networking configuration enables authenticated attackers to execute arbitrary commands as root. | |||||
| CVE-2020-6842 | 1 Dlink | 2 Dch-m225, Dch-m225 Firmware | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| D-Link DCH-M225 1.05b01 and earlier devices allow remote authenticated admins to execute arbitrary OS commands via shell metacharacters in the media renderer name. | |||||
| CVE-2019-20215 | 1 Dlink | 2 Dir-859, Dir-859 Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP_ST is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters. | |||||
| CVE-2020-4210 | 2 Ibm, Linux | 2 Spectrum Protect, Linux Kernel | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. IBM X-Force ID: 175020. | |||||
| CVE-2019-19838 | 1 Ruckuswireless | 17 C110, E510, H320 and 14 more | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote attackers to execute OS commands via a POST request with the attribute xcmd=get-platform-depends to admin/_cmdstat.jsp via the uploadFile attribute. | |||||
| CVE-2020-8949 | 1 Gocloud | 10 Isp3000, Isp3000 Firmware, S2a and 7 more | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| Gocloud S2A_WL 4.2.7.16471, S2A 4.2.7.17278, S2A 4.3.0.15815, S2A 4.3.0.17193, S3A K2P MTK 4.2.7.16528, S3A 4.3.0.16572, and ISP3000 4.3.0.17190 devices allows remote attackers to execute arbitrary OS commands via shell metacharacters in a ping operation, as demonstrated by the cgi-bin/webui/admin/tools/app_ping/diag_ping/; substring. | |||||
| CVE-2019-13051 | 1 Pi-hole | 1 Pi-hole | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| Pi-Hole 4.3 allows Command Injection. | |||||
| CVE-2019-20500 | 1 Dlink | 2 Dwl-2600ap, Dwl-2600ap Firmware | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
| D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter. | |||||
| CVE-2019-15997 | 1 Cisco | 1 Dna Spaces\ | 2024-02-28 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in Cisco DNA Spaces: Connector could allow an authenticated, local attacker to perform a command injection attack and execute arbitrary commands on the underlying operating system as root. The vulnerability is due to insufficient validation of arguments passed to a specific CLI command. An attacker could exploit this vulnerability by including malicious input during the execution of the affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system as root. | |||||
| CVE-2019-12811 | 2 Activesoft, Microsoft | 2 Mybuilder, Windows | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| ActiveX Control in MyBuilder before 6.2.2019.814 allow an attacker to execute arbitrary command via the ShellOpen method. This can be leveraged for code execution | |||||
| CVE-2019-20216 | 1 Dlink | 2 Dir-859, Dir-859 Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because REMOTE_PORT is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters. | |||||
| CVE-2018-11805 | 2 Apache, Debian | 2 Spamassassin, Debian Linux | 2024-02-28 | 7.2 HIGH | 6.7 MEDIUM |
| In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. | |||||
| CVE-2020-1930 | 1 Apache | 1 Spamassassin | 2024-02-28 | 9.3 HIGH | 8.1 HIGH |
| A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. With this bug unpatched, exploits can be injected in a number of scenarios including the same privileges as spamd is run which may be elevated though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. If you cannot upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run spamd as an account with elevated privileges. | |||||
| CVE-2013-2060 | 1 Redhat | 1 Openshift | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| The download_from_url function in OpenShift Origin allows remote attackers to execute arbitrary commands via shell metacharacters in the URL of a request to download a cart. | |||||
| CVE-2019-17269 | 1 Intelliantech | 1 Remote Access | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| Intellian Remote Access 3.18 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the Ping Test field. | |||||
| CVE-2019-17095 | 1 Bitdefender | 2 Box 2, Box 2 Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate a infrastructure server to trigger this vulnerability. | |||||
| CVE-2019-10803 | 1 Push-dir Project | 1 Push-dir | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| push-dir through 0.4.1 allows execution of arbritary commands. Arguments provided as part of the variable "opt.branch" is not validated before being provided to the "git" command within "index.js#L139". This could be abused by an attacker to inject arbitrary commands. | |||||
| CVE-2019-18910 | 1 Hp | 1 Thinpro | 2024-02-28 | 4.6 MEDIUM | 6.8 MEDIUM |
| The Citrix Receiver wrapper function does not safely handle user supplied input, which may be leveraged by an attacker to inject commands that will execute with local user privileges. | |||||