Total: 3060 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-48746 | | | 2024-11-06 | N/A | 9.8 CRITICAL | An issue in Lens Visual integration with Power BI v.4.0.0.3 allows a remote attacker to execute arbitrary code via the Natural language processing component. |
| CVE-2024-42509 | | | 2024-11-06 | N/A | 9.8 CRITICAL | Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system. |
| CVE-2024-47460 | | | 2024-11-06 | N/A | 9.0 CRITICAL | Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system. |
| CVE-2024-9793 | 1 Tenda | 2 Ac1206, Ac1206 Firmware | 2024-11-01 | 6.5 MEDIUM | 9.8 CRITICAL | A vulnerability classified as critical was found in Tenda AC1206 up to 15.03.06.23. This vulnerability affects the function ate_iwpriv_set/ate_ifconfig_set of the file /goform/ate. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-48214 | | | 2024-11-01 | N/A | 8.4 HIGH | KERUI HD 3MP 1080P Tuya Camera 1.0.4 has a command injection vulnerability in the module that connects to the local network via a QR code. This vulnerability allows an attacker to create a custom, unauthenticated QR code and abuse one of the parameters, either SSID or PASSWORD, in the JSON data contained within the QR code. By that, the attacker can execute arbitrary code on the camera. |
| CVE-2024-48145 | | | 2024-10-28 | N/A | 9.1 CRITICAL | A prompt injection vulnerability in the chatbox of Netangular Technologies ChatNet AI Version v1.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. |
| CVE-2024-48144 | | | 2024-10-28 | N/A | 9.1 CRITICAL | A prompt injection vulnerability in the chatbox of Fusion Chat Chat AI Assistant Ask Me Anything v1.2.4.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. |
| CVE-2024-10435 | | | 2024-10-28 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was found in didi Super-Jacoco 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /cov/triggerEnvCov. The manipulation of the argument uuid leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-48441 | | | 2024-10-25 | N/A | 8.8 HIGH | Wuhan Tianyu Information Industry Co., Ltd Tianyu CPE Router CommonCPExCPETS_v3.2.468.11.04_P4 was discovered to contain a command injection vulnerability via the component at_command.asp. |
| CVE-2024-48440 | | | 2024-10-25 | N/A | 8.8 HIGH | Shenzhen Tuoshi Network Communications Co., Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 was discovered to contain a command injection vulnerability via the component at_command.asp. |
| CVE-2024-48141 | | | 2024-10-25 | N/A | 7.5 HIGH | A prompt injection vulnerability in the chatbox of Zhipu AI CodeGeeX v2.17.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. |
| CVE-2024-48140 | | | 2024-10-25 | N/A | 7.5 HIGH | A prompt injection vulnerability in the chatbox of Butterfly Effect Limited Monica Your AI Copilot powered by ChatGPT4 v6.3.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. |
| CVE-2024-48139 | | | 2024-10-25 | N/A | 7.5 HIGH | A prompt injection vulnerability in the chatbox of Blackbox AI v1.3.95 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. |
| CVE-2024-48142 | | | 2024-10-25 | N/A | 7.5 HIGH | A prompt injection vulnerability in the chatbox of Butterfly Effect Limited Monica ChatGPT AI Assistant v2.4.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. |
| CVE-2024-10193 | 1 Wavlink | 6 Wn530h4, Wn530h4 Firmware, Wn530hg4 and 3 more | 2024-10-23 | 5.8 MEDIUM | 7.2 HIGH | A vulnerability was found in WAVLINK WN530H4, WN530HG4 and WN572HG3 up to 20221028 and classified as critical. This issue affects the function ping_ddns of the file internet.cgi. The manipulation of the argument DDNS leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-43497 | 1 Microsoft | 1 Deepspeed | 2024-10-17 | N/A | 7.8 HIGH | DeepSpeed Remote Code Execution Vulnerability. |
| CVE-2024-39438 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-10-17 | N/A | 6.7 MEDIUM | In linkturbonative service, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. |
| CVE-2024-39437 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-10-17 | N/A | 6.7 MEDIUM | In linkturbonative service, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. |
| CVE-2024-39436 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-10-17 | N/A | 6.7 MEDIUM | In linkturbonative service, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. |
| CVE-2024-35520 | 1 Netgear | 2 R7000, R7000 Firmware | 2024-10-16 | N/A | 6.8 MEDIUM | Netgear R7000 1.0.11.136 is vulnerable to Command Injection in RMT_invite.cgi via the device_name2 parameter. |
| CVE-2024-44413 | | | 2024-10-15 | N/A | 8.8 HIGH | A vulnerability was discovered in DI_8200-16.07.26A1, which has been classified as critical. This issue affects the upgrade_filter_asp function in the upgrade_filter.asp file. Manipulation of the path parameter can lead to command injection. |
| CVE-2024-47562 | 1 Siemens | 1 Sinec Security Monitor | 2024-10-11 | N/A | 8.8 HIGH | A vulnerability has been identified in Siemens SINEC Security Monitor (All versions < V4.9.0). The affected application does not properly neutralize special elements in user input to the `ssmctl-client` command. This could allow an authenticated, lowly privileged local attacker to execute privileged commands in the underlying OS. |
| CVE-2024-44400 | 1 Dlink | 2 Di-8400, Di-8400 Firmware | 2024-10-11 | N/A | 9.8 CRITICAL | A vulnerability was discovered in DI_8400-16.07.26A1, which has been classified as critical. This issue affects the upgrade_filter_asp function in the upgrade_filter.asp file. Manipulation of the path parameter can lead to command injection. |
| CVE-2023-37154 | | | 2024-10-10 | N/A | 8.4 HIGH | check_by_ssh in Nagios nagios-plugins 2.4.5 allows arbitrary command execution via ProxyCommand, LocalCommand, and PermitLocalCommand with `${IFS}`. This has been categorized both as fixed in e8810de, and as intended behavior. |
| CVE-2024-38817 | | | 2024-10-10 | N/A | 6.7 MEDIUM | VMware NSX contains a command injection vulnerability. A malicious actor with access to the NSX Edge CLI terminal may be able to craft malicious payloads to execute arbitrary commands on the operating system as root. |
| CVE-2024-20492 | 1 Cisco | 1 Telepresence Video Communication Server | 2024-10-08 | N/A | 6.7 MEDIUM | A vulnerability in the restricted shell of Cisco Expressway Series could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have Administrator-level credentials with read-write privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a series ... |
| CVE-2024-20365 | 1 Cisco | 1 Unified Computing System | 2024-10-08 | N/A | 7.2 HIGH | A vulnerability in the Redfish API of Cisco UCS B-Series, Cisco UCS Managed C-Series, and Cisco UCS X-Series Servers could allow an authenticated, remote attacker with administrative privileges to perform command injection attacks on an affected system and elevate privileges to root. This vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by sending crafted commands through the Redfish API on an affected device. A ... |
| CVE-2024-20432 | 1 Cisco | 1 Nexus Dashboard Fabric Controller | 2024-10-08 | N/A | 8.8 HIGH | A vulnerability in the REST API and web UI of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, low-privileged, remote attacker to perform a command injection attack against an affected device. This vulnerability is due to improper user authorization and insufficient validation of command arguments. An attacker could exploit this vulnerability by submitting crafted commands to an affected REST API endpoint or through the web UI. A successful exploit could allo ... |
| CVE-2023-26315 | 1 Mi | 2 Ax9000, Ax9000 Firmware | 2024-10-08 | N/A | 8.8 HIGH | The Xiaomi router AX9000 has a post-authentication command injection vulnerability. This vulnerability is caused by the lack of input filtering, allowing an attacker to exploit it to obtain root access to the device. |
| CVE-2024-44610 | | | 2024-10-04 | N/A | 5.6 MEDIUM | PCAN-Ethernet Gateway FD before 1.3.0 and PCAN-Ethernet Gateway before 2.11.0 are vulnerable to command injection via shell metacharacters in a Software Update to processing.php. |
| CVE-2024-7575 | 1 Telerik | 1 Ui For Wpf | 2024-10-03 | N/A | 9.8 CRITICAL | In Progress Telerik UI for WPF versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements. |
| CVE-2024-8405 | 1 Papercut | 2 Papercut Mf, Papercut Ng | 2024-10-03 | N/A | 5.5 MEDIUM | An arbitrary file creation vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This specific flaw exists within the web-print.exe process, which can incorrectly create files that don't exist when a maliciously formed payload is provided. This can be used to flood disk space and result in a Denial of Service (DoS) attack. Note: This CVE has been split from CVE-2024-4712. |
| CVE-2024-43693 | 1 Doverfuelingsolutions | 4 Progauge Maglink Lx4 Console, Progauge Maglink Lx4 Console Firmware, Progauge Maglink Lx Console and 1 more | 2024-10-01 | N/A | 9.8 CRITICAL | A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE UTILITY sub-menu can allow a remote attacker to inject arbitrary commands. |
| CVE-2024-7679 | 1 Telerik | 1 Ui For Wpf | 2024-10-01 | N/A | 7.8 HIGH | In Progress Telerik UI for WinForms versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements. |
| CVE-2024-45066 | 1 Doverfuelingsolutions | 4 Progauge Maglink Lx4 Console, Progauge Maglink Lx4 Console Firmware, Progauge Maglink Lx Console and 1 more | 2024-10-01 | N/A | 9.8 CRITICAL | A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE IP sub-menu can allow a remote attacker to inject arbitrary commands. |
| CVE-2024-45989 | | | 2024-09-30 | N/A | 4.0 MEDIUM | Monica AI Assistant desktop application v2.3.0 is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor. A prompt injection allows an attacker to modify the chatbot's answer with an unloaded image that exfiltrates the user's sensitive chat data of the current session to a malicious third-party or attacker-controlled server. |
| CVE-2023-47563 | 1 Qnap | 1 Video Station | 2024-09-28 | N/A | 8.8 HIGH | An OS command injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later. |
| CVE-2024-42025 | 1 Ui | 1 Unifi Network Application | 2024-09-28 | N/A | 7.8 HIGH | A Command Injection vulnerability found in Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.3.32 and earlier) allows a malicious actor with unifi user shell access to escalate privileges to root on the host device. |
| CVE-2024-45682 | 1 Millbeck | 2 Proroute H685t-w, Proroute H685t-w Firmware | 2024-09-27 | N/A | 9.8 CRITICAL | There is a command injection vulnerability that may allow an attacker to inject malicious input on the device's operating system. |
| CVE-2024-0005 | 1 Purestorage | 2 Purity//fa, Purity//fb | 2024-09-27 | N/A | 8.8 HIGH | A condition exists in FlashArray and FlashBlade Purity whereby a malicious user could execute arbitrary commands remotely through a specifically crafted SNMP configuration. |