Total: 3665 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-12307 | 1 Asustor | 2 As602t, Data Master | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "name" POST parameter. | |||||
CVE-2018-16130 | 1 Mi | 2 Mi Router 3, Miwifi Os | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
System command injection in request_mitv in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary system commands via the "payload" URL parameter. | |||||
CVE-2018-0628 | 1 Nec | 2 Aterm Wg1200hp, Aterm Wg1200hp Firmware | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
Aterm WG1200HP firmware Ver1.0.31 and earlier allows an attacker with administrator rights to execute arbitrary OS commands via HTTP request and response. | |||||
CVE-2019-7301 | 1 Zevenet | 1 Zen Load Balancer | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
Zen Load Balancer 3.10.1 allows remote authenticated admin users to execute arbitrary commands as root via shell metacharacters in the index.cgi?action=View_Cert certname parameter. | |||||
CVE-2018-20727 | 1 Nedi | 1 Nedi | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php. | |||||
CVE-2018-0635 | 1 Nec | 2 Aterm Hc100rc, Aterm Hc100rc Firmware | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
Aterm HC100RC Ver1.0.1 and earlier allows an attacker with administrator rights to execute arbitrary OS commands via the filename parameter. | |||||
CVE-2018-0629 | 1 Nec | 2 Aterm W300p, Aterm W300p Firmware | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
Aterm W300P Ver1.0.13 and earlier allows an attacker with administrator rights to execute arbitrary OS commands via HTTP request and response. | |||||
CVE-2018-19290 | 1 Budabot | 1 Budabot | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation allows remote attackers to perform a command injection attack against the PHP daemon with a crafted command, resulting in a denial of service or possibly unspecified other impact, as demonstrated by the "!calc 5 x 5" command. In versions before 3.0, modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above, modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code. | |||||
CVE-2019-1652 | 1 Cisco | 4 Rv320, Rv320 Firmware, Rv325 and 1 more | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability. | |||||
CVE-2018-0708 | 1 Qnap | 1 Q'center | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
Command injection vulnerability in networking of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands. | |||||
CVE-2018-11077 | 2 Dell, Vmware | 3 Emc Avamar, Emc Integrated Data Protection Appliance, Vsphere Data Protection | 2024-02-28 | 7.2 HIGH | 6.7 MEDIUM |
'getlogs' utility in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1 and 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 is affected by an OS command injection vulnerability. A malicious Avamar admin user may potentially be able to execute arbitrary commands under root privilege. | |||||
CVE-2018-16184 | 1 Ricoh | 16 D2200, D2200 Firmware, D5500 and 13 more | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
RICOH Interactive Whiteboard D2200 V1.6 to V2.2, D5500 V1.6 to V2.2, D5510 V1.6 to V2.2, and the display versions with RICOH Interactive Whiteboard Controller Type1 V1.6 to V2.2 attached (D5520, D6500, D6510, D7500, D8400) allow remote attackers to execute arbitrary commands via unspecified vectors. | |||||
CVE-2019-6487 | 1 Tp-link | 10 Tl-wdr3500, Tl-wdr3500 Firmware, Tl-wdr3600 and 7 more | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field. | |||||
CVE-2018-12313 | 1 Asustor | 2 As602t, Data Master | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands without authentication via the "rocommunity" URL parameter. | |||||
CVE-2018-0477 | 1 Cisco | 1 Ios Xe | 2024-02-28 | 7.2 HIGH | 6.7 MEDIUM |
A vulnerability in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability exists because the affected software improperly sanitizes command arguments, failing to prevent access to certain internal data structures on an affected device. An attacker who has privileged EXEC mode (privilege level 15) access to an affected device could exploit these vulnerabilities on the device by executing CLI commands that contain custom arguments. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the affected device. | |||||
CVE-2018-0709 | 1 Qnap | 1 Q'center | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
Command injection vulnerability in date of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands. | |||||
CVE-2018-16090 | 1 Lenovo | 8 System Management Module Firmware, Thinkagile Hx Enclosure 7x81, Thinkagile Hx Enclosure 7y87 and 5 more | 2024-02-28 | 6.0 MEDIUM | 7.5 HIGH |
In System Management Module (SMM) versions prior to 1.06, the SMM certificate creation and parsing logic is vulnerable to post-authentication command injection. | |||||
CVE-2019-8318 | 1 Dlink | 2 Dir-878, Dir-878 Firmware | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a command injection allowing a remote attacker to execute arbitrary code and get a root shell. A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetSysEmailSettings API function, as demonstrated by shell metacharacters in the SMTPServerPort field. | |||||
CVE-2019-7298 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2024-02-28 | 9.3 HIGH | 8.1 HIGH |
An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body, such as a body of ' /bin/telnetd' for the GetDeviceSettingsset API function. Consequently, an attacker can execute any command remotely when they control this input. | |||||
CVE-2018-17064 | 1 Dlink | 2 Dir-816 A2, Dir-816 A2 Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/sylogapply route. This could lead to command injection via the syslogIp parameter after /goform/clearlog is invoked. | |||||