Total
3060 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2991 | 1 Tenda | 2 Fh1203, Fh1203 Firmware | 2025-01-22 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability has been found in Tenda FH1203 2.0.1.6 and classified as critical. This vulnerability affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-258160. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2023-31729 | 1 Totolink | 2 A3300r, A3300r Firmware | 2025-01-22 | N/A | 9.8 CRITICAL |
|
TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection via /cgi-bin/cstecgi.cgi.
|
|||||
| CVE-2023-31741 | 1 Linksys | 2 E2000, E2000 Firmware | 2025-01-21 | N/A | 7.2 HIGH |
|
There is a command injection vulnerability in the Linksys E2000 router with firmware version 1.0.06. If an attacker gains web management privileges, they can inject commands into the post request parameters wl_ssid, wl_ant, wl_rate, WL_atten_ctl, ttcp_num, ttcp_size in the httpd s Start_EPI() function, thereby gaining shell privileges.
|
|||||
| CVE-2023-31740 | 1 Linksys | 2 E2000, E2000 Firmware | 2025-01-21 | N/A | 7.2 HIGH |
|
There is a command injection vulnerability in the Linksys E2000 router with firmware version 1.0.06. If an attacker gains web management privileges, they can inject commands into the post request parameters WL_atten_bb, WL_atten_radio, and WL_atten_ctl in the apply.cgi interface, thereby gaining shell privileges.
|
|||||
| CVE-2024-3483 | 1 Microfocus | 1 Imanager | 2025-01-21 | N/A | 7.8 HIGH |
|
Remote Code
Execution has been discovered in
OpenText™ iManager 3.2.6.0200. The vulnerability can
trigger command injection and insecure deserialization issues.
|
|||||
| CVE-2024-0817 | 1 Paddlepaddle | 1 Paddlepaddle | 2025-01-19 | N/A | 7.8 HIGH |
|
Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0
|
|||||
| CVE-2024-3908 | 1 Tenda | 2 Ac500, Ac500 Firmware | 2025-01-17 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical has been found in Tenda AC500 2.0.1.9(1307). Affected is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-261144. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-11772 | 1 Ivanti | 1 Cloud Services Appliance | 2025-01-17 | N/A | 9.1 CRITICAL |
|
Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
|
|||||
| CVE-2024-11634 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-01-17 | N/A | 9.1 CRITICAL |
|
Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx)
|
|||||
| CVE-2023-25911 | 1 Danfoss | 2 Ak-em100, Ak-em100 Firmware | 2025-01-17 | N/A | 9.9 CRITICAL |
|
The Danfoss AK-EM100 web applications allow for an authenticated user to perform OS command injection through the web application parameters.
|
|||||
| CVE-2024-54681 | 2025-01-17 | N/A | 3.5 LOW | ||
|
Multiple bash files were present in the application's private directory.
Bash files can be used on their own, by an attacker that has already
full access to the mobile platform to compromise the translations for
the application.
|
|||||
| CVE-2023-31996 | 1 Hanwhavision | 236 Ane-l6012r, Ane-l6012r Firmware, Ane-l7012r and 233 more | 2025-01-17 | N/A | 8.8 HIGH |
|
Hanwha IP Camera ANE-L7012R 1.41.01 is vulnerable to Command Injection due to improper sanitization of special characters for the NAS storage test function.
|
|||||
| CVE-2024-3009 | 1 Tenda | 2 Fh1205, Fh1205 Firmware | 2025-01-15 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability has been found in Tenda FH1205 2.0.0.7(775) and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-258295. NOTE: The vendor was contacted early about this disclosure but did not respond in any way ...
Show More |
|||||
| CVE-2024-26204 | 1 Microsoft | 1 Outlook | 2025-01-15 | N/A | 7.5 HIGH |
|
Outlook for Android Information Disclosure Vulnerability
|
|||||
| CVE-2022-22688 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 6.5 MEDIUM | 8.8 HIGH |
|
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
|
|||||
| CVE-2017-12075 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 6.5 MEDIUM | 7.2 HIGH |
|
Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary command via the username parameter.
|
|||||
| CVE-2022-47028 | 1 Actionlauncher | 1 Action Launcher | 2025-01-14 | N/A | 5.5 MEDIUM |
|
An issue discovered in Action Launcher for Android v50.5 allows an attacker to cause a denial of service via arbitary data injection to function insert.
|
|||||
| CVE-2015-20108 | 1 Onelogin | 1 Ruby-saml | 2025-01-14 | N/A | 9.8 CRITICAL |
|
xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.
|
|||||
| CVE-2020-29547 | 1 Citadel | 1 Webcit | 2025-01-14 | N/A | 5.9 MEDIUM |
|
An issue was discovered in Citadel through webcit-926. Meddler-in-the-middle attackers can pipeline commands after POP3 STLS, IMAP STARTTLS, or SMTP STARTTLS commands, injecting cleartext commands into an encrypted user session. This can lead to credential disclosure.
|
|||||
| CVE-2024-2982 | 1 Tenda | 2 Fh1202, Fh1202 Firmware | 2025-01-14 | 5.2 MEDIUM | 5.5 MEDIUM |
|
A vulnerability has been found in Tenda FH1202 1.2.0.14(408) and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-258151. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2023-26129 | 1 Bwm-ng Project | 1 Bwm-ng | 2025-01-13 | N/A | 8.4 HIGH |
|
All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file.
**Note:**
To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.
|
|||||
| CVE-2023-26128 | 1 Keep-module-latest Project | 1 Keep-module-latest | 2025-01-13 | N/A | 8.4 HIGH |
|
All versions of the package keep-module-latest are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the installModule function.
**Note:**
To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.
|
|||||
| CVE-2023-26127 | 1 N158 Project | 1 N158 | 2025-01-13 | N/A | 7.8 HIGH |
|
All versions of the package n158 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function.
**Note:**
To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.
|
|||||
| CVE-2024-24377 | 1 Idocv | 1 Idocview | 2025-01-13 | N/A | 9.8 CRITICAL |
|
An issue in idocv v.14.1.3_20231228 allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted script.
|
|||||
| CVE-2025-0396 | 2025-01-12 | 6.8 MEDIUM | 7.8 HIGH | ||
|
A vulnerability, which was classified as critical, has been found in exelban stats up to 2.11.21. This issue affects the function shouldAcceptNewConnection of the component XPC Service. The manipulation leads to command injection. It is possible to launch the attack on the local host. Upgrading to version 2.11.22 is able to address this issue. It is recommended to upgrade the affected component.
|
|||||
| CVE-2022-32203 | 1 Huawei | 2 Cv81-wdm, Cv81-wdm Firmware | 2025-01-10 | N/A | 9.8 CRITICAL |
|
There is a command injection vulnerability in Huawei terminal printer product. Successful exploitation could result in the highest privileges of the printer. (Vulnerability ID: HWPSIRT-2022-51773)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2022-32203.
|
|||||
| CVE-2023-33722 | 1 Edimax | 2 Br-6288acl, Br-6288acl Firmware | 2025-01-10 | N/A | 8.8 HIGH |
|
EDIMAX BR-6288ACL v1.12 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the pppUserName parameter.
|
|||||
| CVE-2024-27980 | 2025-01-09 | N/A | 8.1 HIGH | ||
|
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
|
|||||
| CVE-2023-33487 | 1 Totolink | 2 X5000r, X5000r Firmware | 2025-01-09 | N/A | 9.8 CRITICAL |
|
TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contains a command insertion vulnerability in setDiagnosisCfg.This vulnerability allows an attacker to execute arbitrary commands through the "ip" parameter.
|
|||||
| CVE-2023-23952 | 1 Broadcom | 2 Advanced Secure Gateway, Content Analysis | 2025-01-09 | N/A | 9.8 CRITICAL |
|
Advanced Secure Gateway and Content Analysis, prior to 7.3.13.1 / 3.1.6.0, may be susceptible to a Command Injection vulnerability.
|
|||||
| CVE-2023-33486 | 1 Totolink | 2 X5000r, X5000r Firmware | 2025-01-09 | N/A | 9.8 CRITICAL |
|
TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setOpModeCfg. This vulnerability allows an attacker to execute arbitrary commands through the "hostName" parameter.
|
|||||
| CVE-2025-0328 | 2025-01-09 | 7.5 HIGH | 7.3 HIGH | ||
|
A vulnerability, which was classified as critical, has been found in KaiYuanTong ECT Platform up to 2.0.0. Affected by this issue is some unknown functionality of the file /public/server/runCode.php of the component HTTP POST Request Handler. The manipulation of the argument code leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-51442 | 2025-01-08 | N/A | 8.8 HIGH | ||
|
Command Injection in Minidlna version v1.3.3 and before allows an attacker to execute arbitrary OS commands via a specially crafted minidlna.conf configuration file.
|
|||||
| CVE-2024-55414 | 2025-01-08 | N/A | 9.8 CRITICAL | ||
|
A vulnerability exits in driver SmSerl64.sys in Motorola SM56 Modem WDM Driver v6.12.23.0, which allows low-privileged users to mapping physical memory via specially crafted IOCTL requests . This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.
|
|||||
| CVE-2023-33533 | 1 Netgear | 8 D6220, D6220 Firmware, D8500 and 5 more | 2025-01-08 | N/A | 8.8 HIGH |
|
Netgear D6220 with Firmware Version 1.0.0.80, D8500 with Firmware Version 1.0.3.60, R6700 with Firmware Version 1.0.2.26, and R6900 with Firmware Version 1.0.2.26 are vulnerable to Command Injection. If an attacker gains web management privileges, they can inject commands into the post request parameters, gaining shell privileges.
|
|||||
| CVE-2023-33532 | 1 Netgear | 2 R6250, R6250 Firmware | 2025-01-08 | N/A | 9.8 CRITICAL |
|
There is a command injection vulnerability in the Netgear R6250 router with Firmware Version 1.0.4.48. If an attacker gains web management privileges, they can inject commands into the post request parameters, thereby gaining shell privileges.
|
|||||
| CVE-2023-33530 | 1 Tenda | 2 G103, G103 Firmware | 2025-01-08 | N/A | 8.8 HIGH |
|
There is a command injection vulnerability in the Tenda G103 Gigabit GPON Terminal with firmware version V1.0.0.5. If an attacker gains web management privileges, they can inject commands gaining shell privileges.
|
|||||
| CVE-2023-31569 | 1 Totolink | 2 X5000r, X5000r Firmware | 2025-01-08 | N/A | 9.8 CRITICAL |
|
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection via the setWanCfg function.
|
|||||
| CVE-2024-54007 | 2025-01-07 | N/A | 7.2 HIGH | ||
|
Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge which could lead to authenticated remote command execution. Successful exploitation of these vulnerabilities result in the ability of an attacker to execute arbitrary commands as a privileged user on the underlying operating system. Exploitation requires administrative authentication credentials on the host system.
|
|||||
| CVE-2024-54006 | 2025-01-07 | N/A | 7.2 HIGH | ||
|
Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge which could lead to authenticated remote command execution. Successful exploitation of these vulnerabilities result in the ability of an attacker to execute arbitrary commands as a privileged user on the underlying operating system. Exploitation requires administrative authentication credentials on the host system.
|
|||||