Total
3284 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-7597 | 1 Codecov | 1 Codecov | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. This vulnerability exists due to an incomplete fix of CVE-2020-7596. | |||||
CVE-2019-16920 | 1 Dlink | 8 Dhp-1565, Dhp-1565 Firmware, Dir-652 and 5 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. | |||||
CVE-2019-19994 | 1 Seling | 1 Visual Access Manager | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. It allows blind Command Injection. An attacker without authentication is able to execute arbitrary operating system command by injecting the vulnerable parameter in the PHP Web page /common/vam_monitor_sap.php. | |||||
CVE-2019-16662 | 1 Rconfig | 1 Rconfig | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution. | |||||
CVE-2013-3322 | 1 Netapp | 1 Oncommand System Manager | 2023-12-10 | 9.0 HIGH | 7.2 HIGH |
NetApp OnCommand System Manager 2.1 and earlier allows remote attackers to inject arbitrary commands in the Halt/Reboot interface. | |||||
CVE-2020-4222 | 1 Ibm | 1 Spectrum Protect | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. IBM X-Force ID: 175091. | |||||
CVE-2020-10221 | 1 Rconfig | 1 Rconfig | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter. | |||||
CVE-2019-18909 | 2 Hp, Linux | 2 Thinpro, Linux Kernel | 2023-12-10 | 7.7 HIGH | 8.0 HIGH |
The VPN software within HP ThinPro does not safely handle user supplied input, which may be leveraged by an attacker to inject commands that will execute with root privileges. | |||||
CVE-2019-17059 | 1 Sophos | 2 Cyberoam, Cyberoamos | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
A shell injection vulnerability on the Sophos Cyberoam firewall appliance with CyberoamOS before 10.6.6 MR-6 allows remote attackers to execute arbitrary commands via the Web Admin and SSL VPN consoles. | |||||
CVE-2019-10777 | 1 Amazon | 1 Aws-lambda | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName". | |||||
CVE-2019-19117 | 1 Phicomm | 2 K2\(psg1218\), K2\(psg1218\) Firmware | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter. | |||||
CVE-2019-5072 | 1 Tendacn | 2 Ac1200 Smart Dual-band Gigabit Wifi, Ac9v1.0 Firmware | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware V15.03.05.16multiTRU). A specially crafted HTTP POST request can cause a command injection in the DNS2 post parameters, resulting in code execution. An attacker can send HTTP POST request with command to trigger this vulnerability. | |||||
CVE-2019-10780 | 1 Bibtex-ruby Project | 1 Bibtex-ruby | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
BibTeX-ruby before 5.1.0 allows shell command injection due to unsanitized user input being passed directly to the built-in Ruby Kernel.open method through BibTeX.open. | |||||
CVE-2020-8963 | 1 Timetoolsltd | 20 Sc7105, Sc7105 Firmware, Sc9205 and 17 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.007, SR9210 1.0.007, SR9750 1.0.007, SR9850 1.0.007, T100 1.0.003, T300 1.0.003, and T550 1.0.003 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the t3.cgi srmodel or srtime parameter. | |||||
CVE-2019-5141 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. | |||||
CVE-2020-4211 | 2 Ibm, Linux | 2 Spectrum Protect, Linux Kernel | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. IBM X-Force ID: 175022. | |||||
CVE-2019-10796 | 1 Rpi Project | 1 Rpi | 2023-12-10 | 6.8 MEDIUM | 9.8 CRITICAL |
rpi through 0.0.3 allows execution of arbritary commands. The variable pinNumbver in function GPIO within src/lib/gpio.js is used as part of the arguement of exec function without any sanitization. | |||||
CVE-2019-5155 | 1 Wago | 2 Pfc200, Pfc200 Firmware | 2023-12-10 | 9.0 HIGH | 7.2 HIGH |
An exploitable command injection vulnerability exists in the cloud connectivity feature of WAGO PFC200. An attacker can inject operating system commands into any of the parameter values contained in the firmware update command. This affects WAGO PFC200 Firmware version 03.02.02(14), version 03.01.07(13), and version 03.00.39(12) | |||||
CVE-2020-1609 | 1 Juniper | 1 Junos | 2023-12-10 | 8.3 HIGH | 8.8 HIGH |
When a device using Juniper Network's Dynamic Host Configuration Protocol Daemon (JDHCPD) process on Junos OS or Junos OS Evolved which is configured in relay mode it vulnerable to an attacker sending crafted IPv6 packets who may then arbitrarily execute commands as root on the target device. This issue affects IPv6 JDHCPD services. This issue affects: Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S6; 15.1X49 versions prior to 15.1X49-D200; 15.1X53 versions prior to 15.1X53-D592; 16.1 versions prior to 16.1R7-S6; 16.2 versions prior to 16.2R2-S11; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R2-S8, 17.2R3-S3; 17.3 versions prior to 17.3R3-S6; 17.4 versions prior to 17.4R2-S7, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R3-S2; 18.2X75 versions prior to 18.2X75-D60; 18.3 versions prior to 18.3R1-S6, 18.3R2-S2, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3; 19.1 versions prior to 19.1R1-S3, 19.1R2; 19.2 versions prior to 19.2R1-S3, 19.2R2*. and All versions prior to 19.3R1 on Junos OS Evolved. This issue do not affect versions of Junos OS prior to 15.1, or JDHCPD operating as a local server in non-relay mode. | |||||
CVE-2019-18183 | 2 Fedoraproject, Pacman Project | 2 Fedora, Pacman | 2023-12-10 | 6.8 MEDIUM | 9.8 CRITICAL |
pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file. |