Total
3060 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-0857 | 2 Debian, Tardiff Project | 2 Debian Linux, Tardiff | 2025-04-12 | 10.0 HIGH | 9.8 CRITICAL |
|
Cool Projects TarDiff allows remote attackers to execute arbitrary commands via shell metacharacters in the name of a (1) tar file or (2) file within a tar file.
|
|||||
| CVE-2016-5640 | 1 Crestron | 2 Airmedia Am-100, Airmedia Am-100 Firmware | 2025-04-12 | 10.0 HIGH | 9.8 CRITICAL |
|
Directory traversal vulnerability in cgi-bin/rftest.cgi on Crestron AirMedia AM-100 devices with firmware before 1.4.0.13 allows remote attackers to execute arbitrary commands via a .. (dot dot) in the ATE_COMMAND parameter.
|
|||||
| CVE-2014-3556 | 1 F5 | 1 Nginx | 2025-04-12 | 6.8 MEDIUM | N/A |
|
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
|
|||||
| CVE-2015-4336 | 1 Xcloner | 1 Xcloner | 2025-04-12 | 6.5 MEDIUM | N/A |
|
cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as demonstrated by using the backup comments feature to create the file.
|
|||||
| CVE-2014-7285 | 1 Symantec | 1 Web Gateway | 2025-04-12 | 6.5 MEDIUM | N/A |
|
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.
|
|||||
| CVE-2016-2396 | 1 Sonicwall | 4 Analyzer, Global Management System, Uma Em5000 and 1 more | 2025-04-12 | 9.0 HIGH | 9.9 CRITICAL |
|
The GMS ViewPoint (GMSVP) web application in Dell SonicWALL GMS, Analyzer, and UMA EM5000 7.2, 8.0, and 8.1 before Hotfix 168056 allows remote authenticated users to execute arbitrary commands via vectors related to configuration input.
|
|||||
| CVE-2014-8630 | 2 Fedoraproject, Mozilla | 2 Fedora, Bugzilla | 2025-04-12 | 6.5 MEDIUM | N/A |
|
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.
|
|||||
| CVE-2014-8990 | 3 Debian, Fedoraproject, Lsyncd Project | 3 Debian Linux, Fedora, Lsyncd | 2025-04-12 | 7.5 HIGH | N/A |
|
default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.
|
|||||
| CVE-2014-9622 | 1 Gentoo | 1 Xdg-utils | 2025-04-12 | 6.8 MEDIUM | N/A |
|
Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported desktop environment is identified, allows context-dependent attackers to execute arbitrary code via the URL argument to xdg-open.
|
|||||
| CVE-2015-1986 | 1 Ibm | 1 Tivoli Storage Manager Fastback | 2025-04-12 | 10.0 HIGH | N/A |
|
The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to execute arbitrary commands via unspecified vectors, a different vulnerability than CVE-2015-1938.
|
|||||
| CVE-2014-9682 | 1 Dns-sync Project | 1 Dns-sync | 2025-04-12 | 10.0 HIGH | N/A |
|
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.
|
|||||
| CVE-2015-5011 | 1 Ibm | 2 Integration Bus, Websphere Message Broker | 2025-04-12 | 3.2 LOW | N/A |
|
IBM WebSphere Message Broker 8 before 8.0.0.6 and Integration Bus 9 before 9.0.0.4 do not check authorization for MQSISTARTMSGFLOW and MQSISTOPMSGFLOW commands, which allows local users to bypass intended access restrictions, and start or stop a service, by issuing a command.
|
|||||
| CVE-2015-4974 | 1 Ibm | 2 General Parallel File System, Spectrum Scale | 2025-04-12 | 7.2 HIGH | N/A |
|
IBM General Parallel File System (GPFS) 3.5.x before 3.5.0.27 and 4.1.x before 4.1.1.2 and Spectrum Scale 4.1.1.x before 4.1.1.2 allow local users to obtain root privileges for command execution via unspecified vectors.
|
|||||
| CVE-2016-0326 | 1 Ibm | 2 Rational Collaborative Lifecycle Management, Rational Quality Manager | 2025-04-12 | 6.5 MEDIUM | 8.8 HIGH |
|
IBM Rational Quality Manager (RQM) and Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.x before 4.0.7 iFix11, 5.x before 5.0.2 iFix17, and 6.x before 6.0.1 ifix3 allow remote authenticated users to execute arbitrary OS commands via a crafted "HTML request."
|
|||||
| CVE-2014-9277 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 7.5 HIGH | N/A |
|
The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-domain-policy> in a PHP format request, which causes the string length to change when converting the request to <NOT-cross-domain-policy>.
|
|||||
| CVE-2015-3408 | 2 Canonical, Module-signature Project | 2 Ubuntu Linux, Module-signature | 2025-04-12 | 10.0 HIGH | N/A |
|
Module::Signature before 0.74 allows remote attackers to execute arbitrary shell commands via a crafted SIGNATURE file which is not properly handled when generating checksums from a signed manifest.
|
|||||
| CVE-2015-5453 | 1 Watchguard | 1 Xcs | 2025-04-12 | 6.5 MEDIUM | N/A |
|
Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the id parameter to ADMIN/mailqueue.spl.
|
|||||
| CVE-2015-2746 | 1 Websense | 2 Triton, V-series Appliances | 2025-04-12 | 6.5 MEDIUM | N/A |
|
The network diagnostics tool (CommandLineServlet) in the Appliance Manager command line utility (CLU) in Websense TRITON 7.8.3 and V-Series appliances before 7.8.4 Hotfix 02 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the "second" parameter of a command, as demonstrated by the Destination parameter in the ping command.
|
|||||
| CVE-2016-3081 | 2 Apache, Oracle | 2 Struts, Siebel E-billing | 2025-04-12 | 9.3 HIGH | 8.1 HIGH |
|
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
|
|||||
| CVE-2015-8968 | 1 Squareup | 1 Git-fastclone | 2025-04-12 | 9.3 HIGH | 8.8 HIGH |
|
git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an arbitrary shell command. Alternately, if an attacker can MITM an unencrypted git clone, they could exploit this. The ext command will be run if the repository is recursively cloned or if submodules are updated. This attack works when cloning both local and remote repositories.
|
|||||
| CVE-2015-5080 | 1 Citrix | 2 Netscaler Application Delivery Controller Firmware, Netscaler Gateway Firmware | 2025-04-12 | 9.0 HIGH | N/A |
|
The Management Interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.1 before 10.1.132.8, 10.5 before Build 56.15, and 10.5.e before Build 56.1505.e allows remote authenticated users to execute arbitrary shell commands via shell metacharacters in the filter parameter to rapi/ipsec_logs.
|
|||||
| CVE-2016-0236 | 1 Ibm | 1 Security Guardium Database Activity Monitor | 2025-04-12 | 9.0 HIGH | 8.8 HIGH |
|
IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 allows remote authenticated users to execute arbitrary commands with root privileges via the search field.
|
|||||
| CVE-2014-7209 | 1 Debian | 1 Mime-support | 2025-04-12 | 7.5 HIGH | N/A |
|
run-mailcap in the Debian mime-support package before 3.52-1+deb7u1 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.
|
|||||
| CVE-2016-1388 | 1 Cisco | 3 Network Analysis Module, Prime Network Analysis Module Software, Prime Virtual Network Analysis Module Software | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL |
|
Cisco Prime Network Analysis Module (NAM) before 6.1(1) patch.6.1-2-final and 6.2.x before 6.2(1) and Prime Virtual Network Analysis Module (vNAM) before 6.1(1) patch.6.1-2-final and 6.2.x before 6.2(1) allow remote attackers to execute arbitrary OS commands via a crafted HTTP request, aka Bug ID CSCuy21882.
|
|||||
| CVE-2015-6547 | 1 Symantec | 1 Web Gateway | 2025-04-12 | 8.3 HIGH | N/A |
|
The management console on Symantec Web Gateway (SWG) appliances with software before 5.2.2 DB 5.0.0.1277 allows remote authenticated users to execute arbitrary commands at boot time via unspecified vectors.
|
|||||
| CVE-2015-0538 | 1 Emc | 1 Autostart | 2025-04-12 | 9.3 HIGH | N/A |
|
ftagent.exe in EMC AutoStart 5.4.x and 5.5.x before 5.5.0.508 HF4 allows remote attackers to execute arbitrary commands via crafted packets.
|
|||||
| CVE-2015-3441 | 1 Genexia | 1 Drgos | 2025-04-12 | 9.0 HIGH | 8.8 HIGH |
|
The Parental Control panel in Genexis devices with DRGOS before 1.14.1 allows remote authenticated users to execute arbitrary CLI commands via the (1) start_hour, (2) start_minute, (3) end_hour, (4) end_minute, or (5) hostname parameter.
|
|||||
| CVE-2015-7541 | 1 Colorscore Project | 1 Colorscore | 2025-04-12 | 10.0 HIGH | 10.0 CRITICAL |
|
The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metacharacters in the (1) image_path, (2) colors, or (3) depth variable.
|
|||||
| CVE-2015-2011 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2025-04-12 | 9.0 HIGH | N/A |
|
The xmlrpc.cgi Webmin script in IBM QRadar SIEM 7.1 MR2 before Patch 11 IF02 and 7.2.x before 7.2.5 Patch 4 allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors.
|
|||||
| CVE-2015-5349 | 1 Apache | 2 Directory Studio, Ldap Studio | 2025-04-12 | 9.3 HIGH | 7.8 HIGH |
|
The CSV export in Apache LDAP Studio and Apache Directory Studio before 2.0.0-M10 does not properly escape field values, which might allow attackers to execute arbitrary commands by leveraging a crafted LDAP entry that is interpreted as a formula when imported into a spreadsheet.
|
|||||
| CVE-2016-6656 | 1 Pivotal Software | 1 Greenplum | 2025-04-12 | 6.5 MEDIUM | 7.2 HIGH |
|
An issue was discovered in Pivotal Greenplum before 4.3.10.0. Creation of external tables using GPHDFS protocol has a vulnerability whereby arbitrary commands can be injected into the system. In order to exploit this vulnerability the user must have superuser 'gpadmin' access to the system or have been granted GPHDFS protocol permissions in order to create a GPHDFS external table.
|
|||||
| CVE-2016-7399 | 1 Veritas | 2 Netbackup Appliance, Netbackup Appliance Firmware | 2025-04-12 | 10.0 HIGH | 9.8 CRITICAL |
|
scripts/license.pl in Veritas NetBackup Appliance 2.6.0.x through 2.6.0.4, 2.6.1.x through 2.6.1.2, 2.7.x through 2.7.3, and 3.0.x allow remote attackers to execute arbitrary commands via shell metacharacters in the hostName parameter to appliancews/getLicense.
|
|||||
| CVE-2015-1815 | 2 Fedoraproject, Selinux | 2 Fedora, Setroubleshoot | 2025-04-12 | 10.0 HIGH | N/A |
|
The get_rpm_nvr_by_file_path_temporary function in util.py in setroubleshoot before 3.2.22 allows remote attackers to execute arbitrary commands via shell metacharacters in a file name.
|
|||||
| CVE-2015-5274 | 1 Redhat | 1 Openshift | 2025-04-12 | 6.5 MEDIUM | N/A |
|
rubygem-openshift-origin-console in Red Hat OpenShift 2.2 allows remote authenticated users to execute arbitrary commands via a crafted request to the Broker.
|
|||||
| CVE-2015-3678 | 1 Apple | 1 Mac Os X | 2025-04-12 | 7.2 HIGH | N/A |
|
AppleThunderboltEDMService in Apple OS X before 10.10.4 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified Thunderbolt commands.
|
|||||
| CVE-2016-0328 | 1 Ibm | 1 Security Guardium Database Activity Monitor | 2025-04-12 | 7.2 HIGH | 7.8 HIGH |
|
IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 allows local users to obtain administrator privileges for command execution via unspecified vectors.
|
|||||
| CVE-2015-1561 | 1 Centreon | 1 Centreon | 2025-04-12 | 6.5 MEDIUM | N/A |
|
The escape_command function in include/Administration/corePerformance/getStats.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ns_id parameter.
|
|||||
| CVE-2013-2810 | 1 Emerson | 6 Dl 8000 Remote Terminal Unit, Dl 8000 Remote Terminal Unit Firmware, Roc 800 Remote Terminal Unit and 3 more | 2025-04-12 | 10.0 HIGH | N/A |
|
Emerson Process Management ROC800 RTU with software 3.50 and earlier, DL8000 RTU with software 2.30 and earlier, and ROC800L RTU with software 1.20 and earlier allows remote attackers to execute arbitrary commands via a TCP replay attack.
|
|||||
| CVE-2016-2332 | 1 Systech | 2 Syslink Sl-1000 Modular Gateway, Syslink Sl-1000 Modular Gateway Firmware | 2025-04-12 | 9.0 HIGH | 8.8 HIGH |
|
flu.cgi in the web interface on SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with firmware before 01A.8 allows remote authenticated users to execute arbitrary commands via the 5066 (aka dnsmasq) parameter.
|
|||||
| CVE-2013-7418 | 1 Ipcop | 1 Ipcop | 2025-04-12 | 6.5 MEDIUM | N/A |
|
cgi-bin/iptablesgui.cgi in IPCop (aka IPCop Firewall) before 2.1.5 allows remote authenticated users to execute arbitrary code via shell metacharacters in the TABLE parameter. NOTE: this can be exploited remotely by leveraging a separate cross-site scripting (XSS) vulnerability.
|
|||||