Total
3851 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-48632 | 2024-10-18 | N/A | 8.0 HIGH | ||
| D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the LocalIPAddress, TCPPorts, and UDPPorts parameters in the SetPortForwardingSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request. | |||||
| CVE-2024-48635 | 2024-10-18 | N/A | 8.0 HIGH | ||
| D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:2/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request. | |||||
| CVE-2024-48630 | 2024-10-18 | N/A | 8.0 HIGH | ||
| D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the MacAddress parameter in the SetMACFilters2 function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request. | |||||
| CVE-2024-10118 | 2024-10-18 | N/A | 9.8 CRITICAL | ||
| SECOM WRTR-304GN-304TW-UPSC does not properly filter user input in the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. | |||||
| CVE-2024-48637 | 2024-10-18 | N/A | 8.0 HIGH | ||
| D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:1/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request. | |||||
| CVE-2024-48636 | 2024-10-18 | N/A | 8.0 HIGH | ||
| D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:0/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request. | |||||
| CVE-2024-48629 | 2024-10-18 | N/A | 8.0 HIGH | ||
| D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the IPAddress parameter in the SetGuestZoneRouterSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request. | |||||
| CVE-2024-48634 | 2024-10-18 | N/A | 8.0 HIGH | ||
| D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the key parameter in the SetWLanRadioSecurity function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request. | |||||
| CVE-2024-48631 | 2024-10-18 | N/A | 8.0 HIGH | ||
| D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the SSID parameter in the SetWLanRadioSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request. | |||||
| CVE-2024-9054 | 1 Microchip | 2 Timeprovider 4100, Timeprovider 4100 Firmware | 2024-10-17 | N/A | 8.8 HIGH |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7. | |||||
| CVE-2024-9464 | 1 Paloaltonetworks | 1 Expedition | 2024-10-17 | N/A | 6.5 MEDIUM |
| An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. | |||||
| CVE-2024-9916 | 1 Usualtool | 1 Usualtoolcms | 2024-10-16 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, has been found in HuangDou UTCMS V9. Affected by this issue is some unknown functionality of the file app/modules/ut-cac/admin/cli.php. The manipulation of the argument o leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-8926 | 1 Php-fpm | 1 Php-fpm | 2024-10-16 | N/A | 8.8 HIGH |
| In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. | |||||
| CVE-2024-9977 | 2024-10-16 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A vulnerability, which was classified as critical, was found in MitraStar GPT-2541GNAC BR_g5.6_1.11(WVK.0)b26. Affected is an unknown function of the file /cgi-bin/settings-firewall.cgi of the component Firewall Settings Page. The manipulation of the argument SrcInterface leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. We tried to contact the vendor early about the disclosure but the official mail address was not working properly. | |||||
| CVE-2024-22033 | 2024-10-16 | N/A | 6.3 MEDIUM | ||
| The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps | |||||
| CVE-2024-7591 | 1 Kemptechnologies | 2 Loadmaster, Multi-tenant Hypervisor Firmware | 2024-10-16 | N/A | 7.2 HIGH |
| Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMaster: 7.2.40.0 and above * ECS: All versions * Multi-Tenancy: 7.1.35.4 and above | |||||
| CVE-2024-9139 | 2024-10-15 | N/A | 7.2 HIGH | ||
| The affected product permits OS command injection through improperly restricted commands, potentially allowing attackers to execute arbitrary code. | |||||
| CVE-2024-45698 | 1 Dlink | 2 Dir-x4860, Dir-x4860 Firmware | 2024-10-15 | N/A | 9.8 CRITICAL |
| Certain models of D-Link wireless routers do not properly validate user input in the telnet service, allowing unauthenticated remote attackers to use hard-coded credentials to log into telnet and inject arbitrary OS commands, which can then be executed on the device. | |||||
| CVE-2024-9380 | 1 Ivanti | 1 Endpoint Manager Cloud Services Appliance | 2024-10-10 | N/A | 7.2 HIGH |
| An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution. | |||||
| CVE-2024-21532 | 2024-10-10 | N/A | 7.3 HIGH | ||
| All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API. | |||||