Total
3665 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-20128 | 1 Cisco | 4 Rv320, Rv320 Firmware, Rv325 and 1 more | 2024-02-28 | N/A | 7.2 HIGH |
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands as the root user on the underlying Linux operating system of the affected device. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device. Cisco has not released software updates to address these vulnerabilities. | |||||
CVE-2023-34420 | 1 Lenovo | 1 Xclarity Administrator | 2024-02-28 | N/A | 7.2 HIGH |
A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API. | |||||
CVE-2023-28702 | 1 Asus | 2 Rt-ac86u, Rt-ac86u Firmware | 2024-02-28 | N/A | 8.8 HIGH |
ASUS RT-AC86U does not filter special characters for parameters in specific web URLs. A remote attacker with normal user privileges can exploit this vulnerability to perform command injection attack to execute arbitrary system commands, disrupt system or terminate service. | |||||
CVE-2023-22365 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-02-28 | N/A | 7.2 HIGH |
An OS command injection vulnerability exists in the ys_thirdparty check_system_user functionality of Milesight UR32L v32.3.0.5. A specially crafted set of network packets can lead to command execution. An attacker can send a network request to trigger this vulnerability. | |||||
CVE-2023-28000 | 1 Fortinet | 1 Fortiadc | 2024-02-28 | N/A | 7.8 HIGH |
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC CLI 7.1.0, 7.0.0 through 7.0.3, 6.2.0 through 6.2.4, 6.1 all versions, 6.0 all versions may allow a local and authenticated attacker to execute unauthorized commands via specifically crafted arguments in diagnose system df CLI command. | |||||
CVE-2023-30628 | 1 Kiwitcms | 1 Kiwi Tcms | 2024-02-28 | N/A | 8.8 HIGH |
Kiwi TCMS is an open source test management system. In kiwitcms/Kiwi v12.2 and prior and kiwitcms/enterprise v12.2 and prior, the `changelog.yml` workflow is vulnerable to command injection attacks because of using an untrusted `github.head_ref` field. The `github.head_ref` value is an attacker-controlled value. Assigning the value to `zzz";echo${IFS}"hello";#` can lead to command injection. Since the permission is not restricted, the attacker has a write-access to the repository. Commit 834c86dfd1b2492ccad7ebbfd6304bfec895fed2 of the kiwitcms/Kiwi repository and commit e39f7e156fdaf6fec09a15ea6f4e8fec8cdbf751 of the kiwitcms/enterprise repository contain a fix for this issue. | |||||
CVE-2022-45026 | 1 Markdown Preview Enhanced Project | 1 Markdown Preview Enhanced | 2024-02-28 | N/A | 9.8 CRITICAL |
An issue in Markdown Preview Enhanced v0.6.5 and v0.19.6 for VSCode and Atom allows attackers to execute arbitrary commands during the GFM export process. | |||||
CVE-2022-27482 | 1 Fortinet | 1 Fortiadc | 2024-02-28 | N/A | 7.8 HIGH |
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiADC version 7.0.0 through 7.0.1, 6.2.0 through 6.2.2, 6.1.0 through 6.1.6, 6.0.x, 5.x.x allows attacker to execute arbitrary shell code as `root` via CLI commands. | |||||
CVE-2022-45699 | 1 Apsystems | 2 Ecu-r, Ecu-r Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
Command injection in the administration interface in APSystems ECU-R version 5203 allows a remote unauthenticated attacker to execute arbitrary commands as root using the timezone parameter. | |||||
CVE-2022-24431 | 1 Abacus-ext-cmdline Project | 1 Abacus-ext-cmdline | 2024-02-28 | N/A | 9.8 CRITICAL |
All versions of package abacus-ext-cmdline are vulnerable to Command Injection via the execute function due to improper user-input sanitization. | |||||
CVE-2022-33186 | 1 Brocade | 1 Fabric Operating System | 2024-02-28 | N/A | 9.8 CRITICAL |
A vulnerability in Brocade Fabric OS software v9.1.1, v9.0.1e, v8.2.3c, v7.4.2j, and earlier versions could allow a remote unauthenticated attacker to execute on a Brocade Fabric OS switch commands capable of modifying zoning, disabling the switch, disabling ports, and modifying the switch IP address. | |||||
CVE-2022-46598 | 1 Trendnet | 2 Tew-755ap, Tew-755ap Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
TRENDnet TEW755AP 1.13B01 was discovered to contain a command injection vulnerability via the wps_sta_enrollee_pin parameter in the action set_sta_enrollee_pin_5g function. | |||||
CVE-2022-42493 | 1 Siretta | 2 Quartz-gold, Quartz-gold Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's DOWNLOAD_INFO command. | |||||
CVE-2022-48123 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the servername parameter in the setting/delStaticDhcpRules function. | |||||
CVE-2023-23692 | 1 Dell | 1 Emc Data Domain Os | 2024-02-28 | N/A | 8.8 HIGH |
Dell EMC prior to version DDOS 7.9 contain(s) an OS command injection Vulnerability. An authenticated non admin attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. | |||||
CVE-2022-40222 | 1 Siretta | 2 Quartz-gold, Quartz-gold Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
An OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability. | |||||
CVE-2022-43867 | 2 Ibm, Linux | 2 Spectrum Scale Container Native Storage Access, Linux Kernel | 2024-02-28 | N/A | 7.8 HIGH |
IBM Spectrum Scale 5.1.0.1 through 5.1.4.1 could allow a local attacker to execute arbitrary commands in the container. IBM X-Force ID: 239437. | |||||
CVE-2022-48124 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the FileName parameter in the setting/setOpenVpnCertGenerationCfg function. | |||||
CVE-2023-26759 | 1 Smeup | 1 Erp | 2024-02-28 | N/A | 8.8 HIGH |
Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an OS command injection vulnerability via calls made to the XMService component. | |||||
CVE-2020-6627 | 1 Seagate | 6 Stcg2000300, Stcg2000300 Firmware, Stcg3000300 and 3 more | 2024-02-28 | N/A | 9.8 CRITICAL |
The web-management application on Seagate Central NAS STCG2000300, STCG3000300, and STCG4000300 devices allows OS command injection via mv_backend_launch in cirrus/application/helpers/mv_backend_helper.php by leveraging the "start" state and sending a check_device_name request. |