Total
3852 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-13023 | 1 Mi | 2 Mi Router 3, Miwifi Os | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter. | |||||
| CVE-2018-12972 | 1 Opentsdb | 1 Opentsdb | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in OpenTSDB 2.3.0. Many parameters to the /q URI can execute commands, including o, key, style, and yrange and y2range and their JSON input. | |||||
| CVE-2018-12692 | 1 Tp-link | 2 Tl-wa850re, Tl-wa850re Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| TP-Link TL-WA850RE Wi-Fi Range Extender with hardware version 5 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the wps_setup_pin parameter to /data/wps.setup.json. | |||||
| CVE-2018-12670 | 1 Sv3c | 4 H.264 Poe Ip Camera Firmware, Sv-b01poe-1080p-l, Sv-b11vpoe-1080p-l and 1 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B devices allow OS Command Injection. | |||||
| CVE-2018-12591 | 1 Ubnt | 2 Edgeswitch, Edgeswitch Firmware | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| Ubiquiti Networks EdgeSwitch version 1.7.3 and prior suffer from an improperly neutralized element in an OS command due to lack of protection on the admin CLI, leading to code execution and privilege escalation greater than administrators themselves are allowed. An attacker with access to an admin account could escape the restricted CLI and execute arbitrary shell instructions. | |||||
| CVE-2018-12577 | 1 Tp-link | 2 Tl-wr841n, Tl-wr841n Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The Ping and Traceroute features on TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices allow authenticated blind Command Injection. | |||||
| CVE-2018-12483 | 1 Ocsinventory-ng | 1 Ocsinventory Ng | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| OCS Inventory 2.4.1 is prone to a remote command-execution vulnerability. Specifically, this issue occurs because the content of the ipdiscover_analyser rzo GET parameter is concatenated to a string used in an exec() call in the PHP code. Authentication is needed in order to exploit this vulnerability. | |||||
| CVE-2018-12465 | 1 Microfocus | 1 Secure Messaging Gateway | 2024-11-21 | 9.0 HIGH | 9.1 CRITICAL |
| An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used GWAVA product name (i.e. GWAVA 6.5). | |||||
| CVE-2018-12317 | 1 Asustor | 2 As-602t, Data Master | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| OS command injection in group.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root by modifying the "name" POST parameter. | |||||
| CVE-2018-12316 | 1 Asustor | 2 As602t, Data Master | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands by modifying the filename POST parameter. | |||||
| CVE-2018-12313 | 1 Asustor | 2 As602t, Data Master | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands without authentication via the "rocommunity" URL parameter. | |||||
| CVE-2018-12312 | 1 Asustor | 2 As602t, Data Master | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "secret_key" URL parameter. | |||||
| CVE-2018-12307 | 1 Asustor | 2 As602t, Data Master | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "name" POST parameter. | |||||
| CVE-2018-12268 | 1 Acccheck Project | 1 Acccheck.pl | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| acccheck.pl in acccheck 0.2.1 allows Command Injection via shell metacharacters in a username or password file, as demonstrated by injection into an smbclient command line. | |||||
| CVE-2018-12237 | 1 Symantec | 1 Reporter | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| The Symantec Reporter CLI 10.1 prior to 10.1.5.6 and 10.2 prior to 10.2.1.8 is susceptible to an OS command injection vulnerability. An authenticated malicious administrator with Enable mode access can execute arbitrary OS commands with elevated system privileges. | |||||
| CVE-2018-11805 | 2 Apache, Debian | 2 Spamassassin, Debian Linux | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places. | |||||
| CVE-2018-11616 | 1 Tencent | 1 Foxmail | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Tencent Foxmail 7.2.9.115. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI handlers. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5543. | |||||
| CVE-2018-11510 | 1 Asustor | 1 Adm | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the 'script' parameter. | |||||
| CVE-2018-11229 | 1 Crestron | 8 Crestron Toolbox Protocol Firmware, Dmc-str, Tsw-1060 and 5 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Crestron TSW-1060, TSW-760, TSW-560, TSW-1060-NC, TSW-760-NC, and TSW-560-NC devices before 2.001.0037.001 allow unauthenticated remote code execution via command injection in Crestron Toolbox Protocol (CTP). | |||||
| CVE-2018-11215 | 1 Cloudera | 1 Data Science Workbench | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Remote code execution is possible in Cloudera Data Science Workbench version 1.3.0 and prior releases via unspecified attack vectors. | |||||