Total
3297 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-10216 | 2 Dlink, Trendnet | 4 Dir-825, Dir-825 Firmware, Tew-632brp and 1 more | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the date parameter in a system_time.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also affected. | |||||
CVE-2019-19839 | 1 Ruckuswireless | 17 C110, E510, H320 and 14 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote attackers to execute OS commands via a POST request with the attribute xcmd=import-category to admin/_cmdstat.jsp via the uploadFile attribute. | |||||
CVE-2013-2612 | 1 Huawei | 2 E587, E587 Firmware | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
Command-injection vulnerability in Huawei E587 3G Mobile Hotspot 11.203.27 allows remote attackers to execute arbitrary shell commands with root privileges due to an error in the Web UI. | |||||
CVE-2020-7244 | 1 Comtechtel | 2 Stampede Fx-1010, Stampede Fx-1010 Firmware | 2023-12-10 | 9.0 HIGH | 7.2 HIGH |
Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated administrators to achieve remote code execution by navigating to the Poll Routes page and entering shell metacharacters in the Router IP Address field. (In some cases, authentication can be achieved with the comtech password for the comtech account.) | |||||
CVE-2014-2727 | 1 Trustwave | 1 Mailmarshal | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The STARTTLS implementation in MailMarshal before 7.2 allows plaintext command injection. | |||||
CVE-2019-13649 | 1 Tp-link | 2 M7350, M7350 Firmware | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
TP-Link M7350 devices through 1.0.16 Build 181220 Rel.1116n allow externalPort OS Command Injection (issue 1 of 5). | |||||
CVE-2019-5170 | 1 Wago | 2 Pfc200, Pfc200 Firmware | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1e87c the extracted hostname value from the xml file is used as an argument to /etc/config-tools/change_hostname hostname=<contents of hostname node> using sprintf(). This command is later executed via a call to system(). | |||||
CVE-2019-5173 | 1 Wago | 2 Pfc200, Pfc200 Firmware | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1e9fc the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=<contents of state node> using sprintf(). This command is later executed via a call to system(). | |||||
CVE-2019-5168 | 1 Wago | 2 Pfc200, Pfc200 Firmware | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file. At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=<contents of domainname node> using sprintf(). This command is later executed via a call to system(). | |||||
CVE-2020-6760 | 1 Schmid-telecom | 2 Zi 620 V400, Zi 620 V400 Firmware | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
Schmid ZI 620 V400 VPN 090 routers allow an attacker to execute OS commands as root via shell metacharacters to an entry on the SSH subcommand menu, as demonstrated by ping. | |||||
CVE-2019-17364 | 2 Petwant, Skymee | 4 Pf-103, Pf-103 Firmware, Petalk Ai and 1 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
The processCommandUploadLog() function of libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | |||||
CVE-2019-15715 | 1 Mantisbt | 1 Mantisbt | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution. | |||||
CVE-2019-10799 | 1 Compile-sass Project | 1 Compile-sass | 2023-12-10 | 8.5 HIGH | 8.2 HIGH |
compile-sass prior to 1.0.5 allows execution of arbitrary commands. The function "setupCleanupOnExit(cssPath)" within "dist/index.js" is executed as part of the "rm" command without any sanitization. | |||||
CVE-2019-3988 | 1 Amazon | 2 Blink Xt2 Sync Module, Blink Xt2 Sync Module Firmware | 2023-12-10 | 8.3 HIGH | 8.8 HIGH |
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's wifi configuration via the bssid parameter. | |||||
CVE-2019-20348 | 1 Okerthai | 2 G232v1, G232v1 Firmware | 2023-12-10 | 7.2 HIGH | 6.8 MEDIUM |
OKER G232V1 v1.03.02.20161129 devices provide a root terminal on a UART serial interface without proper access control. This allows attackers with physical access to interrupt the boot sequence in order to execute arbitrary commands with root privileges and conduct further attacks. | |||||
CVE-2019-19920 | 3 Canonical, Debian, Sa-exim Project | 3 Ubuntu Linux, Debian Linux, Sa-exim | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805. | |||||
CVE-2013-2568 | 1 Zavio | 4 F3105, F3105 Firmware, F312a and 1 more | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 via the ap parameter to /cgi-bin/mft/wireless_mft.cgi, which could let a remote malicious user execute arbitrary code. | |||||
CVE-2012-5878 | 1 Bulbsecurity | 1 Smartphone Pentest Framework | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in the hostingPath parameter to (1) SEAttack.pl or (2) CSAttack.pl in frameworkgui/ or the (3) appURLPath parameter to frameworkgui/attachMobileModem.pl. | |||||
CVE-2019-15746 | 1 Sitos | 1 Sitos Six | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
SITOS six Build v6.2.1 allows an attacker to inject arbitrary PHP commands. As a result, an attacker can compromise the running server and execute system commands in the context of the web user. | |||||
CVE-2019-19604 | 4 Debian, Fedoraproject, Git-scm and 1 more | 4 Debian Linux, Fedora, Git and 1 more | 2023-12-10 | 9.3 HIGH | 7.8 HIGH |
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. |