Total
3853 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-31138 | 1 Mailcow | 1 Mailcow\ | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| mailcow is a mailserver suite. Prior to mailcow-dockerized version 2022-06a, an extended privilege vulnerability can be exploited by manipulating the custom parameters regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, or maxlinelengthcmd to execute arbitrary code. Users should update their mailcow instances with the `update.sh` script in the mailcow root directory to 2022-06a or newer to receive a patch for this issue. As a temporary workaround, the Syncjob ACL can be removed from all mailbox users, preventing changes to those settings. | |||||
| CVE-2022-31137 | 1 Roxy-wi | 1 Roxy-wi | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL |
| Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-30603 | 1 Goabode | 2 Iota All-in-one Security Kit, Iota All-in-one Security Kit Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| An OS command injection vulnerability exists in the web interface /action/iperf functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2022-30541 | 1 Goabode | 2 Iota All-in-one Security Kit, Iota All-in-one Security Kit Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| An OS command injection vulnerability exists in the XCMD setUPnP functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted XCMD can lead to arbitrary command execution. An attacker can send a malicious XML payload to trigger this vulnerability. | |||||
| CVE-2022-30534 | 1 Wwbn | 1 Avideo | 2024-11-21 | N/A | 8.8 HIGH |
| An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-30525 | 1 Zyxel | 32 Atp100, Atp100 Firmware, Atp100w and 29 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. | |||||
| CVE-2022-30425 | 1 Tenda | 2 Hg6, Hg6 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Tenda Technology Co.,Ltd HG6 3.3.0-210926 was discovered to contain a command injection vulnerability via the pingAddr and traceAddr parameters. This vulnerability is exploited via a crafted POST request. | |||||
| CVE-2022-30329 | 1 Trendnet | 2 Tew-831dr, Tew-831dr Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. An OS injection vulnerability exists within the web interface, allowing an attacker with valid credentials to execute arbitrary shell commands. | |||||
| CVE-2022-30311 | 1 Festo | 16 Controller Cecc-x-m1, Controller Cecc-x-m1-mv, Controller Cecc-x-m1-mv-s1 and 13 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-refresh-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection. | |||||
| CVE-2022-30310 | 1 Festo | 16 Controller Cecc-x-m1, Controller Cecc-x-m1-mv, Controller Cecc-x-m1-mv-s1 and 13 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-acknerr-request" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection. | |||||
| CVE-2022-30309 | 1 Festo | 16 Controller Cecc-x-m1, Controller Cecc-x-m1-mv, Controller Cecc-x-m1-mv-s1 and 13 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-off" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection. | |||||
| CVE-2022-30308 | 1 Festo | 16 Controller Cecc-x-m1, Controller Cecc-x-m1-mv, Controller Cecc-x-m1-mv-s1 and 13 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn’t check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection. | |||||
| CVE-2022-30303 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | N/A | 8.8 HIGH |
| An improper neutralization of special elements used in an os command ('OS Command Injection') [CWE-78] in FortiWeb 7.0.0 through 7.0.1, 6.3.0 through 6.3.19, 6.4 all versions may allow an authenticated attacker to execute arbitrary shell code as `root` user via crafted HTTP requests. | |||||
| CVE-2022-30105 | 1 Belkin | 2 N300, N300 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| In Belkin N300 Firmware 1.00.08, the script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities. The following parameters in the [form name] form; [list vulnerable parameters], are not properly sanitized after being submitted to the web interface in a POST request. With specially crafted parameters, it is possible to inject a an OS command which will be executed with root privileges, as the web interface, and all processes on the device, run as root. | |||||
| CVE-2022-30079 | 1 Netgear | 1 R6200 | 2024-11-21 | N/A | 8.8 HIGH |
| Command injection vulnerability was discovered in Netgear R6200 v2 firmware through R6200v2-V1.0.3.12 via binary /sbin/acos_service that could allow remote authenticated attackers the ability to modify values in the vulnerable parameter. | |||||
| CVE-2022-30078 | 1 Netgear | 4 R6200, R6200 Firmware, R6300 and 1 more | 2024-11-21 | N/A | 8.8 HIGH |
| NETGEAR R6200_V2 firmware versions through R6200v2-V1.0.3.12_10.1.11 and R6300_V2 firmware versions through R6300v2-V1.0.4.52_10.0.93 allow remote authenticated attackers to execute arbitrary command via shell metacharacters in the ipv6_fix.cgi ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, or ipv6_lan_length parameters. | |||||
| CVE-2022-30023 | 1 Tenda | 2 Hg9, Hg9 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. | |||||
| CVE-2022-2884 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 9.9 CRITICAL |
| A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3 to 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint | |||||
| CVE-2022-2550 | 1 Hestiacp | 1 Control Panel | 2024-11-21 | N/A | 8.8 HIGH |
| OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5. | |||||
| CVE-2022-2488 | 1 Wavlink | 4 Wl-wn535k2, Wl-wn535k2 Firmware, Wl-wn535k3 and 1 more | 2024-11-21 | N/A | 8.0 HIGH |
| A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/touchlist_sync.cgi. The manipulation of the argument IP leads to os command injection. The exploit has been disclosed to the public and may be used. | |||||