Total: 3666 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-28909 | 1 Totolink | 2 N600r, N600r Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the webwlanidx parameter in /setting/setWebWlanIdx. | |||||
CVE-2022-28912 | 1 Totolink | 2 N600r, N600r Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the filename parameter in /setting/setUpgradeFW. | |||||
CVE-2022-33312 | 1 Robustel | 2 R1510, R1510 Firmware | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The `/action/import_cert_file/` API is affected by a command injection vulnerability. | |||||
CVE-2022-25064 | 1 Tp-link | 2 Tl-wr840n, Tl-wr840n Firmware | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr. | |||||
CVE-2022-30329 | 1 Trendnet | 2 Tew-831dr, Tew-831dr Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. An OS injection vulnerability exists within the web interface, allowing an attacker with valid credentials to execute arbitrary shell commands. | |||||
CVE-2022-29256 | 1 Sharp Project | 1 Sharp | 2024-02-28 | 4.6 MEDIUM | 6.7 MEDIUM |
sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5. | |||||
CVE-2022-28810 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-02-28 | 7.1 HIGH | 6.8 MEDIUM |
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field. | |||||
CVE-2022-26210 | 1 Totolink | 12 A3000ru, A3000ru Firmware, A3100r and 9 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUpgradeFW, via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
CVE-2022-24288 | 1 Apache | 1 Airflow | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. | |||||
CVE-2022-28908 | 1 Totolink | 2 N600r, N600r Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the ipdoamin parameter in /setting/setDiagnosisCfg. | |||||
CVE-2021-46319 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
Remote Code Execution (RCE) vulnerability exists in D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin. Malicious users can use this vulnerability to use "\ " or backticks to bypass the shell metacharacters in the ssid0 or ssid1 parameters to execute arbitrary commands. This vulnerability is due to the fact that CVE-2019-17509 is not fully patched and can be bypassed by using line breaks or backticks on its basis. | |||||
CVE-2019-25065 | 1 Opennetadmin | 1 Opennetadmin | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability was found in OpenNetAdmin 18.1.1. It has been rated as critical. Affected by this issue is some unknown functionality. The manipulation leads to privilege escalation. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2022-28896 | 1 Dlink | 2 Dir-882, Dir-882 Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
A command injection vulnerability in the component /setnetworksettings/SubnetMask of D-Link DIR882 DIR882A1_FW130B06 allows attackers to escalate privileges to root via a crafted payload. | |||||
CVE-2021-27476 | 1 Rockwellautomation | 1 Factorytalk Assetcentre | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability exists in the SaveConfigFile function of the RACompare Service, which may allow for OS command injection. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier. | |||||
CVE-2022-26211 | 1 Totolink | 12 A3000ru, A3000ru Firmware, A3100r and 9 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function CloudACMunualUpdate, via the deviceMac and deviceName parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
CVE-2022-28895 | 1 Dlink | 2 Dir-882, Dir-882 Firmware | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
A command injection vulnerability in the component /setnetworksettings/IPAddress of D-Link DIR882 DIR882A1_FW130B06 allows attackers to escalate privileges to root via a crafted payload. | |||||
CVE-2022-30425 | 1 Tenda | 2 Hg6, Hg6 Firmware | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
Tenda Technology Co.,Ltd HG6 3.3.0-210926 was discovered to contain a command injection vulnerability via the pingAddr and traceAddr parameters. This vulnerability is exploited via a crafted POST request. | |||||
CVE-2022-1360 | 1 Cambiumnetworks | 1 Cnmaestro | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The affected On-Premise cnMaestro is vulnerable to execution of code on the cnMaestro hosting server. This could allow a remote attacker to change server configuration settings. | |||||
CVE-2022-1440 | 1 Git-interface Project | 1 Git-interface | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
Command Injection vulnerability in git-interface@2.1.1 in GitHub repository yarkeev/git-interface prior to 2.1.2. If both are provided by user input, then the use of a `--upload-pack` command-line argument feature of git is also supported for `git clone`, which would then allow for any operating system command to be spawned by the attacker. | |||||
CVE-2022-23667 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
An authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. |