Total
1527 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-22938 | 2 Ivanti, Pulsesecure | 2 Connect Secure, Pulse Connect Secure | 2024-02-27 | 6.5 MEDIUM | 7.2 HIGH |
A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console. | |||||
CVE-2021-22899 | 2 Ivanti, Pulsesecure | 2 Connect Secure, Pulse Connect Secure | 2024-02-27 | 6.5 MEDIUM | 8.8 HIGH |
A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature | |||||
CVE-2024-23346 | 2024-02-22 | N/A | 9.3 CRITICAL | ||
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue. | |||||
CVE-2023-49716 | 1 Emerson | 6 Gc1500xa, Gc1500xa Firmware, Gc370xa and 3 more | 2024-02-15 | N/A | 9.8 CRITICAL |
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an authenticated user with network access could run arbitrary commands from a remote computer. | |||||
CVE-2023-46687 | 1 Emerson | 6 Gc1500xa, Gc1500xa Firmware, Gc370xa and 3 more | 2024-02-15 | N/A | 9.8 CRITICAL |
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer. | |||||
CVE-2023-47218 | 2024-02-15 | N/A | 5.8 MEDIUM | ||
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later | |||||
CVE-2024-24321 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2024-02-15 | N/A | 9.8 CRITICAL |
An issue in Dlink DIR-816A2 v.1.10CNB05 allows a remote attacker to execute arbitrary code via the wizardstep4_ssid_2 parameter in the sub_42DA54 function. | |||||
CVE-2023-40263 | 1 Unify | 1 Openscape Voice Trace Manager V8 | 2024-02-15 | N/A | 8.8 HIGH |
An issue was discovered in Atos Unify OpenScape Voice Trace Manager V8 before V8 R0.9.11. It allows authenticated command injection via ftp. | |||||
CVE-2022-1509 | 1 Hestiacp | 1 Control Panel | 2024-02-14 | 9.0 HIGH | 8.8 HIGH |
Sed Injection Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.12. An authenticated remote attacker with low privileges can execute arbitrary code under root context. | |||||
CVE-2024-22093 | 2024-02-14 | N/A | 8.7 HIGH | ||
When running in appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint on multi-bladed systems. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
CVE-2024-23749 | 1 9bis | 1 Kitty | 2024-02-14 | N/A | 7.8 HIGH |
KiTTY versions 0.76.1.13 and before is vulnerable to command injection via the filename variable, occurs due to insufficient input sanitization and validation, failure to escape special characters, and insecure system calls (at lines 2369-2390). This allows an attacker to add inputs inside the filename variable, leading to arbitrary code execution. | |||||
CVE-2016-10098 | 1 Sendquick | 4 Avera Sms Gateway, Avera Sms Gateway Firmware, Entera Sms Gateway and 1 more | 2024-02-14 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered on SendQuick Entera and Avera devices before 2HF16. Multiple Command Injection vulnerabilities allow attackers to execute arbitrary system commands. | |||||
CVE-2021-38556 | 1 Raspap | 1 Raspap | 2024-02-14 | 6.5 MEDIUM | 8.8 HIGH |
includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection. | |||||
CVE-2024-23049 | 1 B3log | 1 Symphony | 2024-02-12 | N/A | 9.8 CRITICAL |
An issue in symphony v.3.6.3 and before allows a remote attacker to execute arbitrary code via the log4j component. | |||||
CVE-2024-0325 | 1 Perforce | 1 Helix Sync | 2024-02-09 | N/A | 7.8 HIGH |
In Helix Sync versions prior to 2024.1, a local command injection was identified. Reported by Bryan Riggins. | |||||
CVE-2024-22107 | 1 Gttb | 1 Gtb Central Console | 2024-02-09 | N/A | 7.2 HIGH |
An issue was discovered in GTB Central Console 15.17.1-30814.NG. The method systemSettingsDnsDataAction at /opt/webapp/src/AppBundle/Controller/React/SystemSettingsController.php is vulnerable to command injection via the /old/react/v1/api/system/dns/data endpoint. An authenticated attacker can abuse it to inject an arbitrary command and compromise the platform. | |||||
CVE-2024-21488 | 1 Forkhq | 1 Network | 2024-02-08 | N/A | 9.8 CRITICAL |
Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on. | |||||
CVE-2023-45025 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2024-02-08 | N/A | 9.8 CRITICAL |
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later | |||||
CVE-2022-21668 | 2 Fedoraproject, Pypa | 2 Fedora, Pipenv | 2024-02-07 | 9.3 HIGH | 8.6 HIGH |
pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability. | |||||
CVE-2023-47562 | 1 Qnap | 1 Photo Station | 2024-02-07 | N/A | 8.8 HIGH |
An OS command injection vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 ( 2023/12/15 ) and later |