Total
3665 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-47616 | 1 Hitrontech | 2 Coda-5310, Coda-5310 Firmware | 2024-02-28 | N/A | 7.2 HIGH |
| Hitron CODA-5310 has insufficient filtering for specific parameters in the connection test function. A remote attacker authenticated as an administrator, can use the management page to perform command injection attacks, to execute arbitrary system command, manipulate system or disrupt service. | |||||
| CVE-2023-28627 | 1 Pymedusa | 1 Medusa | 2024-02-28 | N/A | 8.8 HIGH |
| pymedusa is an automatic video library manager for TV Shows. In versions prior 1.0.12 an attacker with access to the web interface can update the git executable path in /config/general/ > advanced settings with arbitrary OS commands. An attacker may exploit this vulnerability to take execute arbitrary OS commands as the user running the pymedusa program. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-20163 | 1 Cisco | 1 Identity Services Engine | 2024-02-28 | N/A | 7.2 HIGH |
| Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit these vulnerabilities, an attacker must have valid credentials on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2023-25507 | 1 Nvidia | 2 Bmc, Dgx-1 | 2024-02-28 | N/A | 8.8 HIGH |
| NVIDIA DGX-1 BMC contains a vulnerability in the SPX REST API, where an attacker with the appropriate level of authorization can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, and data tampering. | |||||
| CVE-2023-24841 | 1 Hgiga | 1 Oaklouds Mailsherlock | 2024-02-28 | N/A | 7.2 HIGH |
| HGiga MailSherlock query function for connection log has a vulnerability of insufficient filtering for user input. An authenticated remote attacker with administrator privilege can exploit this vulnerability to inject and execute arbitrary system commands to perform arbitrary system operation or disrupt service. | |||||
| CVE-2021-42081 | 1 Osnexus | 1 Quantastor | 2024-02-28 | N/A | 7.2 HIGH |
| An authenticated administrator is allowed to remotely execute arbitrary shell commands via the API. | |||||
| CVE-2023-24837 | 1 Hgiga | 2 Powerstation, Powerstation Firmware | 2024-02-28 | N/A | 8.8 HIGH |
| HGiga PowerStation remote management function has insufficient filtering for user input. An authenticated remote attacker with general user privilege can exploit this vulnerability to inject and execute arbitrary system commands to perform arbitrary system operation or disrupt service. | |||||
| CVE-2023-29169 | 1 Myscada | 1 Mypro | 2024-02-28 | N/A | 8.8 HIGH |
| mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands. | |||||
| CVE-2022-29841 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2024-02-28 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. This command could be triggered by an attacker remotely to cause code execution and gain a reverse shell in Western Digital My Cloud OS 5 devices.This issue affects My Cloud OS 5: before 5.26.119. | |||||
| CVE-2023-33869 | 1 Enphase | 2 Envoy, Envoy Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
| Enphase Envoy versions D7.0.88 is vulnerable to a command injection exploit that may allow an attacker to execute root commands. | |||||
| CVE-2023-22659 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-02-28 | N/A | 7.2 HIGH |
| An os command injection vulnerability exists in the libzebra.so change_hostname functionality of Milesight UR32L v32.3.0.5. A specially-crafted network packets can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
| CVE-2023-28617 | 1 Gnu | 1 Org Mode | 2024-02-28 | N/A | 7.8 HIGH |
| org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters. | |||||
| CVE-2023-28771 | 1 Zyxel | 38 Atp100, Atp100 Firmware, Atp100w and 35 more | 2024-02-28 | N/A | 9.8 CRITICAL |
| Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device. | |||||
| CVE-2023-26921 | 1 Quectel | 2 Ag550qcn, Ag550qcn Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
| OS Command Injection vulnerability in quectel AG550QCN allows attackers to execute arbitrary commands via ql_atfwd. | |||||
| CVE-2023-34800 | 1 Dlink | 2 Go-rt-ac750, Go-rt-ac750 Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
| D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at genacgi_main. | |||||
| CVE-2022-43631 | 1 Dlink | 2 Dir-1935, Dir-1935 Firmware | 2024-02-28 | N/A | 6.8 MEDIUM |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetVirtualServerSettings requests to the web management portal. When parsing subelements within the VirtualServerInfo element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16151. | |||||
| CVE-2023-27826 | 1 Seowonintech | 2 Swc-5100w, Swc-5100w Firmware | 2024-02-28 | N/A | 8.8 HIGH |
| SeowonIntech SWC 5100W WIMAX Bootloader 1.18.19.0, HW 0.0.7.0, and FW 1.11.0.1, 1.9.9.4 are vulnerable to OS Command Injection. which allows attackers to take over the system with root privilege by abusing doSystem() function. | |||||
| CVE-2022-43647 | 1 Dlink | 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more | 2024-02-28 | N/A | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19464. | |||||
| CVE-2023-22299 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-02-28 | N/A | 8.8 HIGH |
| An OS command injection vulnerability exists in the vtysh_ubus _get_fw_logs functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability. | |||||
| CVE-2023-30261 | 1 Openwb | 1 Openwb | 2024-02-28 | N/A | 9.8 CRITICAL |
| Command Injection vulnerability in OpenWB 1.6 and 1.7 allows remote attackers to run arbitrary commands via crafted GET request. | |||||