Total: 3665 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-18728 | 1 Tenda | 6 Ac15, Ac15 Firmware, Ac18 and 3 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered on Tenda AC9 V15.03.05.19(6318)_CN, AC15 V15.03.05.19_CN, and AC18 V15.03.05.19(6318)_CN devices. They allow remote code execution via shell metacharacters in the usbName field to the __fastcall function with a POST request. | |||||
CVE-2018-19908 | 1 Misp | 1 Misp | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import. | |||||
CVE-2018-14699 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter. | |||||
CVE-2018-0625 | 1 Nec | 2 Aterm Wg1200hp, Aterm Wg1200hp Firmware | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
Aterm WG1200HP firmware Ver1.0.31 and earlier allows an attacker with administrator rights to execute arbitrary OS commands via the formSysCmd parameter. | |||||
CVE-2018-16232 | 1 Ipfire | 1 Ipfire | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
An authenticated command injection vulnerability exists in IPFire Firewall before 2.21 Core Update 124 in backup.cgi. This allows an authenticated user with privileges for the affected page to execute arbitrary commands. | |||||
CVE-2018-3786 | 1 Eggjs | 1 Egg-scripts | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument. | |||||
CVE-2018-18856 | 1 Liquidvpn | 1 Liquidvpn | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the system function to execute the "openvpncmd" parameter as a shell command. | |||||
CVE-2018-3785 | 1 Git-dummy-commit Project | 1 Git-dummy-commit | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
A command injection in git-dummy-commit v1.3.0 allows OS-level commands to be executed due to an unescaped parameter. | |||||
CVE-2019-8312 | 1 Dlink | 2 Dir-878, Dir-878 Firmware | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a command injection allowing a remote attacker to execute arbitrary code and get a root shell. A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetSysLogSettings API function, as demonstrated by shell metacharacters in the IPAddress field. | |||||
CVE-2018-10587 | 1 Netgain-systems | 1 Enterprise Manager | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
NetGain Enterprise Manager (EM) is affected by OS Command Injection vulnerabilities in versions before 10.0.57. These vulnerabilities could allow remote authenticated attackers to inject arbitrary code, resulting in remote code execution. | |||||
CVE-2018-16744 | 1 Mgetty Project | 1 Mgetty | 2024-02-28 | 4.6 MEDIUM | 7.8 HIGH |
An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() in faxrec.c, the mail_to parameter is not sanitized. It could allow for command injection if untrusted input can reach it, because popen is used. | |||||
CVE-2018-19073 | 2 Foscam, Opticam | 6 C2, C2 Application Firmware, C2 System Firmware and 3 more | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
An issue was discovered on Foscam C2 devices with System Firmware 1.11.1.8 and Application Firmware 2.72.1.32, and Opticam i5 devices with System Firmware 1.5.2.11 and Application Firmware 2.21.1.128. They allow attackers to execute arbitrary OS commands via shell metacharacters in the modelName, by leveraging /mnt/mtd/app/config/ProductConfig.xml write access. | |||||
CVE-2018-0643 | 2 Canonical, Orcamo | 2 Ubuntu Linux, Online Receipt Computer Advantage | 2024-02-28 | 7.4 HIGH | 6.6 MEDIUM |
Ubuntu 14.04 ORCA (Online Receipt Computer Advantage) 4.8.0 (panda-server) 1:1.4.9+p41-u4jma1 and earlier allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors. | |||||
CVE-2018-6444 | 2 Brocade, Netapp | 2 Network Advisor, Brocade Network Advisor | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
A vulnerability in Brocade Network Advisor versions before 14.1.0 could allow a remote unauthenticated attacker to execute arbitrary code. The vulnerability could also be exploited to execute arbitrary OS commands. | |||||
CVE-2018-1000666 | 2 Gig, Openvcloud Project | 2 Jumpscale, Openvcloud | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
GIG Technology NV JumpScale Portal 7 version before commit 15443122ed2b1cbfd7bdefc048bf106f075becdb contains a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the method notifySpaceModification, where improper validation of parameters can result in command execution. This attack appears to be exploitable via network connectivity and requires minimal auth privileges (everyone can register an account). This vulnerability appears to have been fixed after commit 15443122ed2b1cbfd7bdefc048bf106f075becdb. | |||||
CVE-2018-0348 | 1 Cisco | 19 Vbond Orchestrator, Vedge-100, Vedge-1000 and 16 more | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
A vulnerability in the CLI of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting malicious input to the load command within the VPN subsystem. The attacker must be authenticated to access the affected CLI parameter. A successful exploit could allow an attacker to execute commands with root privileges. This vulnerability affects the following Cisco products if they are running a release of the Cisco SD-WAN Solution prior to Release 18.3.0: vBond Orchestrator Software, vEdge 100 Series Routers, vEdge 1000 Series Routers, vEdge 2000 Series Routers, vEdge 5000 Series Routers, vEdge Cloud Router Platform, vManage Network Management Software, vSmart Controller Software. Cisco Bug IDs: CSCvi69866. | |||||
CVE-2018-13353 | 1 Terra-master | 1 Terramaster Operating System | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter. | |||||
CVE-2018-15481 | 1 Ucopia | 2 Wireless Appliance, Wireless Appliance Firmware | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Improper input sanitization within the restricted administration shell on UCOPIA Wireless Appliance devices using firmware version 5.1.x before 5.1.13 allows authenticated remote attackers to escape the shell and escalate their privileges by adding a LocalCommand to the SSH configuration file in the user home folder. | |||||
CVE-2018-14893 | 1 Zyxel | 2 Nsa325 V2, Nsa325 V2 Firmware | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
A system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API. | |||||
CVE-2018-0424 | 1 Cisco | 6 Rv110w Firmware, Rv110w Wireless-n Vpn Firewall, Rv130w and 3 more | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an authenticated, remote attacker to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input to scripts by the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the root user. |