Vulnerabilities (CVE)

Filtered by CWE-78
Total 3799 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-2486 1 Wavlink 4 Wl-wn535k2, Wl-wn535k2 Firmware, Wl-wn535k3 and 1 more 2024-02-28 N/A 9.8 CRITICAL
A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The exploit has been disclosed to the public and may be used.
CVE-2022-30534 1 Wwbn 1 Avideo 2024-02-28 N/A 8.8 HIGH
An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2022-42053 1 Tenda 2 Ac1200 V-w15ev2, W15e Firmware 2024-02-28 N/A 7.8 HIGH
Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain a command injection vulnerability via the PortMappingServer parameter in the setPortMapping function.
CVE-2021-44171 1 Fortinet 1 Fortios 2024-02-28 N/A 8.0 HIGH
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiOS version 6.0.0 through 6.0.14, FortiOS version 6.2.0 through 6.2.10, FortiOS version 6.4.0 through 6.4.8, FortiOS version 7.0.0 through 7.0.3 allows attacker to execute privileged commands on a linked FortiSwitch via diagnostic CLI commands.
CVE-2022-37076 1 Totolink 2 A7000r, A7000r Firmware 2024-02-28 N/A 7.8 HIGH
TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the FileName parameter in the function UploadFirmwareFile.
CVE-2022-36487 1 Totolink 2 N350rt, N350rt Firmware 2024-02-28 N/A 7.8 HIGH
TOTOLINK N350RT V9.3.5u.6139_B20201216 was discovered to contain a command injection vulnerability via the command parameter in the function setTracerouteCfg.
CVE-2022-34596 1 Tenda 2 Ax1803, Ax1803 Firmware 2024-02-28 7.5 HIGH 9.8 CRITICAL
Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function WanParameterSetting.
CVE-2022-30079 1 Netgear 1 R6200 2024-02-28 N/A 8.8 HIGH
Command injection vulnerability was discovered in Netgear R6200 v2 firmware through R6200v2-V1.0.3.12 via binary /sbin/acos_service that could allow remote authenticated attackers the ability to modify values in the vulnerable parameter.
CVE-2022-33873 1 Fortinet 1 Fortitester 2024-02-28 N/A 9.8 CRITICAL
An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in Console login components of FortiTester 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow an unauthenticated attacker to execute arbitrary command in the underlying shell.
CVE-2022-20878 1 Cisco 9 Application Extension Platform, Rv110w, Rv110w Firmware and 6 more 2024-02-28 N/A 7.2 HIGH
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the device to restart unexpectedly, resulting in a denial of service (DoS) condition. These vulnerabilities are due to insufficient validation of user fields within incoming HTTP packets. An attacker could exploit these vulnerabilities by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on an affected device with root-level privileges or to cause the device to restart unexpectedly, resulting in a DoS condition. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device. Cisco has not released software updates that address these vulnerabilities.
CVE-2022-35132 1 Webmin 1 Usermin 2024-02-28 N/A 8.8 HIGH
Usermin through 1.850 allows a remote authenticated user to execute OS commands via command injection in a filename for the GPG module.
CVE-2022-31232 1 Dell 1 Smartfabric Storage Software 2024-02-28 N/A 9.8 CRITICAL
SmartFabric storage software version 1.0.0 contains a Command-Injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access and perform actions on the affected system.
CVE-2022-37081 1 Totolink 2 A7000r, A7000r Firmware 2024-02-28 N/A 7.8 HIGH
TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the command parameter at setting/setTracerouteCfg.
CVE-2022-2550 1 Hestiacp 1 Control Panel 2024-02-28 N/A 8.8 HIGH
OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5.
CVE-2022-41395 1 Tenda 2 W15e, W15e Firmware 2024-02-28 N/A 7.8 HIGH
Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain a command injection vulnerability via the dmzHost parameter in the setDMZ function.
CVE-2022-20910 1 Cisco 9 Application Extension Platform, Rv110w, Rv110w Firmware and 6 more 2024-02-28 N/A 7.2 HIGH
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the device to restart unexpectedly, resulting in a denial of service (DoS) condition. These vulnerabilities are due to insufficient validation of user fields within incoming HTTP packets. An attacker could exploit these vulnerabilities by sending a crafted request to the web-based management interface. A successful exploit could allow the attacker to execute arbitrary commands on an affected device with root-level privileges or to cause the device to restart unexpectedly, resulting in a DoS condition. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device. Cisco has not released software updates that address these vulnerabilities.
CVE-2022-20855 1 Cisco 30 Catalyst 9105, Catalyst 9105axi, Catalyst 9105axw and 27 more 2024-02-28 N/A 6.7 MEDIUM
A vulnerability in the self-healing functionality of Cisco IOS XE Software for Embedded Wireless Controllers on Catalyst Access Points could allow an authenticated, local attacker to escape the restricted controller shell and execute arbitrary commands on the underlying operating system of the access point. This vulnerability is due to improper checks throughout the restart of certain system processes. An attacker could exploit this vulnerability by logging on to an affected device and executing certain CLI commands. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS as root. To successfully exploit this vulnerability, an attacker would need valid credentials for a privilege level 15 user of the wireless controller.
CVE-2022-21178 1 Tcl 1 Linkhub Mesh Wifi Ac1200 2024-02-28 N/A 9.8 CRITICAL
An os command injection vulnerability exists in the confsrv ucloud_add_new_node functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2022-33923 1 Dell 10 Emc Powerstore 1200t, Emc Powerstore 1200t Firmware, Emc Powerstore 3200t and 7 more 2024-02-28 N/A 7.8 HIGH
Dell PowerStore, versions prior to 3.0.0.0, contains an OS Command Injection vulnerability in PowerStore T environment. A locally authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS command on the PowerStore underlying OS. Exploiting may lead to a system take over by an attacker.
CVE-2022-31137 1 Roxy-wi 1 Roxy-wi 2024-02-28 10.0 HIGH 9.8 CRITICAL
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.