Total
3666 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36381 | 1 Aaptjs Project | 1 Aaptjs | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the singleCrunch function in shenzhim aaptjs 1.3.1, allows attackers to execute arbitrary code via the filePath parameters. | |||||
| CVE-2021-20138 | 1 Gryphonconnect | 2 Gryphon Tower, Gryphon Tower Firmware | 2024-02-28 | 8.3 HIGH | 8.8 HIGH |
| An unauthenticated command injection vulnerability exists in multiple parameters in the Gryphon Tower router’s web interface at /cgi-bin/luci/rc. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the web interface. | |||||
| CVE-2021-33551 | 1 Geutebrueck | 32 G-cam Ebc-2110, G-cam Ebc-2110 Firmware, G-cam Ebc-2111 and 29 more | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. | |||||
| CVE-2021-20140 | 1 Gryphonconnect | 2 Gryphon Tower, Gryphon Tower Firmware | 2024-02-28 | 8.3 HIGH | 8.8 HIGH |
| An unauthenticated command injection vulnerability exists in the parameters of operation 10 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the controller_server service on port 9999. | |||||
| CVE-2021-3058 | 1 Paloaltonetworks | 1 Pan-os | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permissions to use XML API the ability to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. This issue does not impact Prisma Access firewalls. | |||||
| CVE-2021-20144 | 1 Gryphonconnect | 2 Gryphon Tower, Gryphon Tower Firmware | 2024-02-28 | 8.3 HIGH | 8.8 HIGH |
| An unauthenticated command injection vulnerability exists in the parameters of operation 49 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the controller_server service on port 9999. | |||||
| CVE-2021-33554 | 1 Geutebrueck | 32 G-cam Ebc-2110, G-cam Ebc-2110 Firmware, G-cam Ebc-2111 and 29 more | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. | |||||
| CVE-2021-24684 | 1 Teamlead | 1 Pdf-light-viewer | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| The WordPress PDF Light Viewer Plugin WordPress plugin before 1.4.12 allows users with Author roles to execute arbitrary OS command on the server via OS Command Injection when invoking Ghostscript. | |||||
| CVE-2021-3726 | 1 Planetargon | 1 Oh My Zsh | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| # Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function. | |||||
| CVE-2011-2195 | 1 Websvn | 1 Websvn | 2024-02-28 | 9.3 HIGH | 9.8 CRITICAL |
| A flaw was found in WebSVN 2.3.2. Without prior authentication, if the 'allowDownload' option is enabled in config.php, an attacker can invoke the dl.php script and pass a well formed 'path' argument to execute arbitrary commands against the underlying operating system. | |||||
| CVE-2021-30358 | 1 Checkpoint | 1 Mobile Access Portal Agent | 2024-02-28 | 6.0 MEDIUM | 7.2 HIGH |
| Mobile Access Portal Native Applications who's path is defined by the administrator with environment variables may run applications from other locations by the Mobile Access Portal Agent. | |||||
| CVE-2020-36379 | 1 Aaptjs Project | 1 Aaptjs | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the remove function in shenzhim aaptjs 1.3.1, allows attackers to execute arbitrary code via the filePath parameters. | |||||
| CVE-2022-24552 | 1 Starwindsoftware | 2 Nas, San | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| A flaw was found in the REST API in StarWind Stack. REST command, which manipulates a virtual disk, doesn’t check input parameters. Some of them go directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges. This affects StarWind SAN and NAS v0.2 build 1633. | |||||
| CVE-2021-20160 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| Trendnet AC2600 TEW-827DRU version 2.08B01 contains a command injection vulnerability in the smb functionality of the device. The username parameter used when configuring smb functionality for the device is vulnerable to command injection as root. | |||||
| CVE-2021-33544 | 1 Geutebrueck | 32 G-cam Ebc-2110, G-cam Ebc-2110 Firmware, G-cam Ebc-2111 and 29 more | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. | |||||
| CVE-2021-3059 | 1 Paloaltonetworks | 1 Pan-os | 2024-02-28 | 7.6 HIGH | 8.1 HIGH |
| An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma Access 2.1 Innovation firewalls are impacted by this issue. | |||||
| CVE-2021-21875 | 1 Lantronix | 2 Premierwave 2050, Premierwave 2050 Firmware | 2024-02-28 | 9.0 HIGH | 9.1 CRITICAL |
| A specially-crafted HTTP request can lead to arbitrary command execution in EC keypasswd parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2021-20850 | 1 Alfasado | 1 Powercms | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| PowerCMS XMLRPC API of PowerCMS 5.19 and earlier, PowerCMS 4.49 and earlier, PowerCMS 3.295 and earlier, and PowerCMS 2 Series (End-of-Life, EOL) allows a remote attacker to execute an arbitrary OS command via unspecified vectors. | |||||
| CVE-2021-41254 | 1 Fluxcd | 1 Kustomize-controller | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize. Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run `kubectl` commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges. In affected versions multitenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue. This vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0) released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the `kubectl` binary has been removed from the container image. To prevent the creation of Kubernetes Service Accounts with `secrets` in namespaces owned by tenants, a Kubernetes validation webhook such as Gatekeeper OPA or Kyverno can be used. | |||||
| CVE-2021-3723 | 1 Ibm | 4 System X3550 M3, System X3550 M3 Firmware, System X3650 M3 and 1 more | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| A command injection vulnerability was reported in the Integrated Management Module (IMM) of legacy IBM System x 3550 M3 and IBM System x 3650 M3 servers that could allow the execution of operating system commands over an authenticated SSH or Telnet session. | |||||