Total
5311 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2812 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi. It has been classified as critical. This affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257667. NOTE: The vendor was contacted early about this disclosure but did not respond i ...
Show More |
|||||
| CVE-2024-2742 | 2024-11-21 | N/A | 6.4 MEDIUM | ||
|
Operating system command injection vulnerability in Planet IGS-4215-16T2S, affecting firmware version 1.305b210528. An authenticated attacker could execute arbitrary code on the remote host by exploiting IP address functionality.
|
|||||
| CVE-2024-2415 | 2024-11-21 | N/A | 7.8 HIGH | ||
|
Command injection vulnerability in Movistar 4G router affecting version ES_WLD71-T1_v2.0.201820. This vulnerability allows an authenticated user to execute commands inside the router by making a POST request to the URL '/cgi-bin/gui.cgi'.
|
|||||
| CVE-2024-2359 | 1 Lollms | 1 Lollms Web Ui | 2024-11-21 | N/A | 9.8 CRITICAL |
|
A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the `/execute_code` endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the `/update_setting` endpoint, which lacks proper access control, to modify the `host` configuration at runtime. By changing the `host` setting to an attacker-controlled value, the ...
Show More |
|||||
| CVE-2024-2162 | 2024-11-21 | N/A | 8.8 HIGH | ||
|
An OS Command Injection vulnerability in Kiloview NDI allows a low-privileged user to execute arbitrary code remotely on the device with high privileges.
This issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 .
|
|||||
| CVE-2024-29640 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component.
|
|||||
| CVE-2024-29167 | 2024-11-21 | N/A | 7.2 HIGH | ||
|
SVR-116 firmware version 1.6.0.30028871 allows a remote authenticated attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product.
|
|||||
| CVE-2024-28750 | 2024-11-21 | N/A | 7.2 HIGH | ||
|
A remote attacker with high privileges may use a deleting file function to inject OS commands.
|
|||||
| CVE-2024-28749 | 2024-11-21 | N/A | 7.2 HIGH | ||
|
A remote attacker with high privileges may use a writing file function to inject OS commands.
|
|||||
| CVE-2024-28748 | 2024-11-21 | N/A | 7.2 HIGH | ||
|
A remote attacker with high privileges may use a reading file function to inject OS commands.
|
|||||
| CVE-2024-28048 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
OS command injection vulnerability exists in ffBull ver.4.11, which may allow a remote unauthenticated attacker to execute an arbitrary OS command with the privilege of the running web server. Note that the developer was unreachable, therefore, users should consider stop using ffBull ver.4.11.
|
|||||
| CVE-2024-28033 | 2024-11-21 | N/A | 7.3 HIGH | ||
|
OS command injection vulnerability exists in WebProxy 1.7.8 and 1.7.9, which may allow a remote unauthenticated attacker to execute an arbitrary OS command with the privilege of the running web server. Note that the developer was unreachable, therefore, users should consider stop using WebProxy 1.7.8 and 1.7.9.
|
|||||
| CVE-2024-27172 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
Remote Command program allows an attacker to get Remote Code Execution. As for the affected products/models/versions, see the reference URL.
|
|||||
| CVE-2024-25568 | 2024-11-21 | N/A | 8.8 HIGH | ||
|
OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent unauthenticated attacker to execute arbitrary OS commands by sending a specially crafted request to the product. Affected products and versions are as follows: WRC-X3200GST3-B v1.25 and earlier, WRC-G01-W v1.24 and earlier, and WMC-X1800GST-B v1.41 and earlier. Note that WMC-X1800GST-B is also included in e-Mesh Starter Kit "WMC-2LX-B".
|
|||||
| CVE-2024-25002 | 2024-11-21 | N/A | 8.8 HIGH | ||
|
Command Injection in the diagnostics interface of the Bosch Network Synchronizer allows unauthorized users full access to the device.
|
|||||
| CVE-2024-24899 | 2024-11-21 | N/A | 7.2 HIGH | ||
|
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in openEuler aops-zeus on Linux allows Command Injection. This vulnerability is associated with program files https://gitee.Com/openeuler/aops-zeus/blob/master/zeus/conf/constant.Py.
This issue affects aops-zeus: from 1.2.0 through 1.4.0.
|
|||||
| CVE-2024-24892 | 2024-11-21 | N/A | 8.1 HIGH | ||
|
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Improper Privilege Management vulnerability in openEuler migration-tools on Linux allows Command Injection, Restful Privilege Elevation. This vulnerability is associated with program files https://gitee.Com/openeuler/migration-tools/blob/master/index.Py.
This issue affects migration-tools: from 1.0.0 through 1.0.1.
|
|||||
| CVE-2024-24890 | 2024-11-21 | N/A | 7.8 HIGH | ||
|
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in openEuler gala-gopher on Linux allows Command Injection. This vulnerability is associated with program files https://gitee.Com/openeuler/gala-gopher/blob/master/src/probes/extends/ebpf.Probe/src/ioprobe/ioprobe.C.
This issue affects gala-gopher: through 1.0.2.
|
|||||
| CVE-2024-24623 | 1 Softaculous | 1 Webuzo | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
Softaculous Webuzo contains a command injection vulnerability in the FTP management functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system.
|
|||||
| CVE-2024-24622 | 1 Softaculous | 1 Webuzo | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
Softaculous Webuzo contains a command injection in the password reset functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system.
|
|||||
| CVE-2024-24328 | 1 Totolink | 2 A3300r, A3300r Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
|
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setMacFilterRules function.
|
|||||
| CVE-2024-24326 | 1 Totolink | 2 A3300r, A3300r Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
|
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the arpEnable parameter in the setStaticDhcpRules function.
|
|||||
| CVE-2024-24091 | 1 Yealink | 1 Yealink Meeting Server | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface.
|
|||||
| CVE-2024-23812 | 1 Siemens | 1 Sinec Nms | 2024-11-21 | N/A | 8.0 HIGH |
|
A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application incorrectly neutralizes special elements when creating a report which could lead to command injection.
|
|||||
| CVE-2024-23058 | 1 Totolink | 2 A3300r, A3300r Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
|
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the pass parameter in the setTr069Cfg function.
|
|||||
| CVE-2024-23057 | 1 Totolink | 2 A3300r, A3300r Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
|
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the tz parameter in the setNtpCfg function.
|
|||||
| CVE-2024-22445 | 1 Dell | 1 Powerprotect Data Manager | 2024-11-21 | N/A | 7.2 HIGH |
|
Dell PowerProtect Data Manager, version 19.15 and prior versions, contain an OS command injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
|
|||||
| CVE-2024-22228 | 1 Dell | 1 Unity Operating Environment | 2024-11-21 | N/A | 7.8 HIGH |
|
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_cifssupport utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges.
|
|||||
| CVE-2024-22227 | 1 Dell | 1 Unity Operating Environment | 2024-11-21 | N/A | 7.8 HIGH |
|
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_dc utility. An authenticated attacker could potentially exploit this vulnerability, leading to the ability execute commands with root privileges.
|
|||||
| CVE-2024-22225 | 1 Dell | 1 Unity Operating Environment | 2024-11-21 | N/A | 7.8 HIGH |
|
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_supportassist utility. An authenticated attacker could potentially exploit this vulnerability, leading to execution of arbitrary operating system commands with root privileges.
|
|||||
| CVE-2024-22224 | 1 Dell | 1 Unity Operating Environment | 2024-11-21 | N/A | 7.8 HIGH |
|
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_nas utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges.
|
|||||
| CVE-2024-22223 | 1 Dell | 1 Unity Operating Environment | 2024-11-21 | N/A | 7.8 HIGH |
|
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability within its svc_cbr utility. An authenticated malicious user with local access could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application.
|
|||||
| CVE-2024-22222 | 1 Dell | 1 Unity Operating Environment | 2024-11-21 | N/A | 7.8 HIGH |
|
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability within its svc_udoctor utility. An authenticated malicious user with local access could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application.
|
|||||
| CVE-2024-22132 | 1 Sap | 1 Ides Ecc | 2024-11-21 | N/A | 7.4 HIGH |
|
SAP IDES ECC-systems contain code that permits the execution of arbitrary program code of user's choice.An attacker can therefore control the behaviour of the system by executing malicious code which can potentially escalate privileges with low impact on confidentiality, integrity and availability of the system.
|
|||||
| CVE-2024-20720 | 1 Adobe | 1 Commerce | 2024-11-21 | N/A | 9.1 CRITICAL |
|
Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.
|
|||||
| CVE-2024-20356 | 2024-11-21 | N/A | 8.7 HIGH | ||
|
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker with Administrator-level privileges to perform command injection attacks on an affected system and elevate their privileges to root. This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful expl ...
Show More |
|||||
| CVE-2024-20295 | 2024-11-21 | N/A | 8.8 HIGH | ||
|
A vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A suc ...
Show More |
|||||
| CVE-2024-20277 | 1 Cisco | 1 Thousandeyes Enterprise Agent | 2024-11-21 | N/A | 6.8 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied input for the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP packet to the affected device. A successful exploit could allow the attacker to execute ar ...
Show More |
|||||
| CVE-2024-1655 | 2024-11-21 | N/A | 8.8 HIGH | ||
|
Certain ASUS WiFi routers models has an OS Command Injection vulnerability, allowing an authenticated remote attacker to execute arbitrary system commands by sending a specially crafted request.
|
|||||
| CVE-2024-1628 | 2024-11-21 | N/A | 8.4 HIGH | ||
|
OS command injection vulnerabilities in GE HealthCare ultrasound devices
|
|||||