Vulnerabilities (CVE)

Filtered by CWE-78
Total 3799 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-7389 1 Sage 2 Syracuse, X3 2024-02-28 9.0 HIGH 7.2 HIGH
Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via this variable used by the web application. Note, this developer configuration should not be deployed in production.
CVE-2021-1558 1 Cisco 1 Dna Spaces\ 2024-02-28 7.2 HIGH 6.7 MEDIUM
Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. These vulnerabilities are due to insufficient restrictions during the execution of affected CLI commands. An attacker could exploit these vulnerabilities by leveraging the insufficient restrictions during execution of these commands. A successful exploit could allow the attacker to elevate privileges from dnasadmin and execute arbitrary commands on the underlying operating system as root.
CVE-2020-24636 2 Arubanetworks, Siemens 3 Instant, Scalance W1750d, Scalance W1750d Firmware 2024-02-28 10.0 HIGH 9.8 CRITICAL
A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below; Aruba Instant 8.7.x: 8.7.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.
CVE-2021-20696 1 Dlink 2 Dap-1880ac, Dap-1880ac Firmware 2024-02-28 9.0 HIGH 8.8 HIGH
DAP-1880AC firmware version 1.21 and earlier allows a remote authenticated attacker to execute arbitrary OS commands by sending a specially crafted request to a specific CGI program.
CVE-2021-1421 1 Cisco 1 Enterprise Nfv Infrastructure Software 2024-02-28 7.2 HIGH 7.8 HIGH
A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to perform a command injection attack on an affected device. The vulnerability is due to insufficient validation of user-supplied input to a configuration command. An attacker could exploit this vulnerability by including malicious input during the execution of this command. A successful exploit could allow a non-privileged attacker authenticated in the restricted CLI to execute arbitrary commands on the underlying operating system (OS) with root privileges.
CVE-2021-21585 1 Dell 1 Openmanage Enterprise 2024-02-28 9.0 HIGH 7.2 HIGH
Dell OpenManage Enterprise versions prior to 3.6.1 contain an OS command injection vulnerability in RACADM and IPMI tools. A remote authenticated malicious user with high privileges may potentially exploit this vulnerability to execute arbitrary OS commands.
CVE-2021-36011 2 Adobe, Microsoft 2 Illustrator, Windows 2024-02-28 9.3 HIGH 7.8 HIGH
Adobe Illustrator version 25.2.3 (and earlier) is affected by a potential Command injection vulnerability when chained with a development and debugging tool for JavaScript scripts. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2021-32556 1 Canonical 1 Apport 2024-02-28 2.1 LOW 3.3 LOW
It was discovered that the get_modified_conffiles() function in backends/packaging-apt-dpkg.py allowed injecting modified package names in a manner that would confuse the dpkg(1) call.
CVE-2021-36182 1 Fortinet 1 Fortiweb 2024-02-28 6.5 MEDIUM 8.8 HIGH
A Improper neutralization of special elements used in a command ('Command Injection') in Fortinet FortiWeb version 6.3.13 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests
CVE-2021-33055 2 Microsoft, Zohocorp 2 Windows, Manageengine Adselfservice Plus 2024-02-28 10.0 HIGH 9.8 CRITICAL
Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.
CVE-2021-36705 1 Prolink 2 Prc2402m, Prc2402m Firmware 2024-02-28 7.5 HIGH 9.8 CRITICAL
In ProLink PRC2402M V1.0.18 and older, the set_TR069 function in the adm.cgi binary, accessible with a page parameter value of TR069 contains a trivial command injection where the value of the TR069_local_port parameter is passed directly to system.
CVE-2021-1618 1 Cisco 1 Intersight Virtual Appliance 2024-02-28 9.0 HIGH 7.2 HIGH
Multiple vulnerabilities in the web-based management interface of Cisco Intersight Virtual Appliance could allow an authenticated, remote attacker to conduct a path traversal or command injection attack on an affected system. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by using the web-based management interface to do one or both of the following: Execute a command using crafted input Upload a file that has been altered using path traversal techniques A successful exploit could allow the attacker to read and write arbitrary files or execute arbitrary commands as root on an affected system. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2021-3198 1 Ivanti 1 Mobileiron 2024-02-28 9.0 HIGH 7.2 HIGH
By abusing the 'install rpm url' command, an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core. This issue was fixed in version 11.1.0.0.
CVE-2021-33358 1 Raspap 1 Raspap 2024-02-28 9.0 HIGH 8.8 HIGH
Multiple vulnerabilities exist in RaspAP 2.3 to 2.6.5 in the "interface", "ssid" and "wpa_passphrase" POST parameters in /hostapd, when the parameter values contain special characters such as ";" or "$()" which enables an authenticated attacker to execute arbitrary OS commands.
CVE-2021-23363 1 Kill-by-port Project 1 Kill-by-port 2024-02-28 6.5 MEDIUM 8.8 HIGH
This affects the package kill-by-port before 0.0.2. If (attacker-controlled) user input is given to the killByPort function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-25150 2 Arubanetworks, Siemens 3 Instant, Scalance W1750d, Scalance W1750d Firmware 2024-02-28 9.0 HIGH 8.8 HIGH
A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.4 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.
CVE-2021-32305 1 Websvn 1 Websvn 2024-02-28 10.0 HIGH 9.8 CRITICAL
WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
CVE-2021-1401 1 Cisco 12 Wap125, Wap125 Firmware, Wap131 and 9 more 2024-02-28 9.0 HIGH 7.2 HIGH
Multiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to obtain sensitive information from or inject arbitrary commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2020-21883 1 Indionetworks 10 Unibox U1000, Unibox U1000 Firmware, Unibox U2500 and 7 more 2024-02-28 9.0 HIGH 8.8 HIGH
Unibox U-50 2.4 and UniBox Enterprise Series 2.4 and UniBox Campus Series 2.4 contain a OS command injection vulnerability in /tools/ping, which can leads to complete device takeover.
CVE-2021-20731 1 Buffalo 4 Wsr-1166dhp3, Wsr-1166dhp3 Firmware, Wsr-1166dhp4 and 1 more 2024-02-28 8.3 HIGH 8.8 HIGH
WSR-1166DHP3 firmware Ver.1.16 and prior and WSR-1166DHP4 firmware Ver.1.02 and prior allow an attacker to execute arbitrary OS commands with root privileges via unspecified vectors.