Total
3666 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-37531 | 1 Sap | 1 Netweaver Knowledge Management Xml Forms | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. This can result in a full compromise of the confidentiality, integrity, and availability of the system. | |||||
| CVE-2021-34756 | 1 Cisco | 3 Firepower Management Center Virtual Appliance, Firepower Threat Defense, Sourcefire Defense Center | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
| Multiple vulnerabilities in the CLI of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands with root privileges. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-43928 | 1 Synology | 1 Mail Station | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in mail sending and receiving component in Synology Mail Station before 20211105-10315 allows remote authenticated users to execute arbitrary commands via unspecified vectors. | |||||
| CVE-2021-43283 | 1 Govicture | 2 Wr1200, Wr1200 Firmware | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered on Victure WR1200 devices through 1.0.3. A command injection vulnerability was found within the web interface of the device, allowing an attacker with valid credentials to inject arbitrary shell commands to be executed by the device with root privileges. This occurs in the ping and traceroute features. An attacker would thus be able to use this vulnerability to open a reverse shell on the device with root privileges. | |||||
| CVE-2021-41018 | 1 Fortinet | 1 Fortiweb | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests. | |||||
| CVE-2021-20173 | 1 Netgear | 2 R6700, R6700 Firmware | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| Netgear Nighthawk R6700 version 1.0.4.120 contains a command injection vulnerability in update functionality of the device. By triggering a system update check via the SOAP interface, the device is susceptible to command injection via preconfigured values. | |||||
| CVE-2021-45978 | 2 Apple, Foxit | 3 Macos, Pdf Editor, Pdf Reader | 2024-02-28 | 6.8 MEDIUM | 7.8 HIGH |
| Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote attackers to execute arbitrary code via xfa.host.gotoURL in the XFA API. | |||||
| CVE-2021-20854 | 1 Elecom | 4 Wrh-733gbk, Wrh-733gbk Firmware, Wrh-733gwh and 1 more | 2024-02-28 | 5.2 MEDIUM | 6.8 MEDIUM |
| ELECOM LAN routers (WRH-733GBK firmware v1.02.9 and prior and WRH-733GWH firmware v1.02.9 and prior) allows a network-adjacent attacker with an administrator privilege to execute arbitrary OS commands via unspecified vectors. | |||||
| CVE-2021-34755 | 1 Cisco | 3 Firepower Management Center Virtual Appliance, Firepower Threat Defense, Sourcefire Defense Center | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
| Multiple vulnerabilities in the CLI of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands with root privileges. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2021-20863 | 1 Elecom | 28 Edwrc-2533gst2, Edwrc-2533gst2 Firmware, Wrc-1167gst2 and 25 more | 2024-02-28 | 7.7 HIGH | 8.0 HIGH |
| OS command injection vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attackers to execute an arbitrary OS command with the root privilege via unspecified vectors. | |||||
| CVE-2021-40222 | 1 Rittal | 2 Cmc Pu Iii 7030.000, Cmc Pu Iii 7030.000 Firmware | 2024-02-28 | 9.0 HIGH | 7.2 HIGH |
| Rittal CMC PU III Web management Version affected: V3.11.00_2. Version fixed: V3.17.10 is affected by a remote code execution vulnerablity. It is possible to introduce shell code to create a reverse shell in the PU-Hostname field of the TCP/IP Configuration dialog. Web application fails to sanitize user input on Network TCP/IP configuration page. This allows the attacker to inject commands as root on the device which will be executed once the data is received. | |||||
| CVE-2021-31605 | 1 Openvpn-monitor Project | 1 Openvpn-monitor | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
| furlongm openvpn-monitor through 1.1.3 allows %0a command injection via the OpenVPN management interface socket. This can shut down the server via signal%20SIGTERM. | |||||
| CVE-2021-38685 | 1 Qnap | 1 Qvr | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later | |||||
| CVE-2021-20837 | 1 Sixapart | 1 Movable Type | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable Type Advanced 6.8.2 and earlier (Movable Type Advanced 6 Series), Movable Type Premium 1.46 and earlier, and Movable Type Premium Advanced 1.46 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability. | |||||
| CVE-2021-36260 | 1 Hikvision | 512 Ds-2cd2021g1-i\(w\), Ds-2cd2021g1-i\(w\) Firmware, Ds-2cd2023g2-i\(u\) and 509 more | 2024-02-28 | 9.3 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands. | |||||
| CVE-2021-20159 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2024-02-28 | 9.0 HIGH | 8.8 HIGH |
| Trendnet AC2600 TEW-827DRU version 2.08B01 is vulnerable to command injection. The system log functionality of the firmware allows for command injection as root by supplying a malformed parameter. | |||||
| CVE-2021-41280 | 1 Sharetribe | 1 Sharetribe | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Sharetribe Go is a source available marketplace software. In affected versions operating system command injection is possible on installations of Sharetribe Go, that do not have a secret AWS Simple Notification Service (SNS) notification token configured via the `sns_notification_token` configuration parameter. This configuration parameter is unset by default. The vulnerability has been patched in version 10.2.1. Users who are unable to upgrade should set the`sns_notification_token` configuration parameter to a secret value. | |||||
| CVE-2020-36377 | 1 Aaptjs Project | 1 Aaptjs | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the dump function in shenzhim aaptjs 1.3.1, allows attackers to execute arbitrary code via the filePath parameters. | |||||
| CVE-2021-31358 | 1 Juniper | 1 Junos Os Evolved | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
| A command injection vulnerability in sftp command processing on Juniper Networks Junos OS Evolved allows an attacker with authenticated CLI access to be able to bypass configured access protections to execute arbitrary shell commands within the context of the current user. The vulnerability allows an attacker to bypass command authorization restrictions assigned to their specific user account and execute commands that are available to the privilege level for which the user is assigned. For example, a user that is in the super-user login class, but restricted to executing specific CLI commands could exploit the vulnerability to execute any other command available to an unrestricted admin user. This vulnerability does not increase the privilege level of the user, but rather bypasses any CLI command restrictions by allowing full access to the shell. This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R2-S2-EVO; 21.1 versions prior to 21.1R2-EVO; 21.2 versions prior to 21.2R1-S1-EVO, 21.2R2-EVO. | |||||
| CVE-2021-20142 | 1 Gryphonconnect | 2 Gryphon Tower, Gryphon Tower Firmware | 2024-02-28 | 8.3 HIGH | 8.8 HIGH |
| An unauthenticated command injection vulnerability exists in the parameters of operation 41 in the controller_server service on Gryphon Tower routers. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the controller_server service on port 9999. | |||||