Total: 5311 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3133 | 1 Diagrams | 1 Drawio | 2024-11-21 | N/A | 7.8 HIGH |
| OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0. ||||||
| CVE-2022-3008 | 2 Debian, Tinygltf Project | 2 Debian Linux, Tinygltf | 2024-11-21 | N/A | 8.1 HIGH |
| The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths taken from the input file. This function allows command injection via backticks, so an attacker could craft a path in the input file that executes commands when it is expanded. Upgrading to version 2.6.0, or to a build that includes commit 52ff00a38447f06a17eab1caa2cf0730a119c751, is recommended. ||||||
| CVE-2022-39951 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | N/A | 7.2 HIGH |
| An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.3.6 through 6.3.20, and FortiWeb 6.4 (all versions) allows an attacker to execute unauthorized code or commands via specifically crafted HTTP requests. ||||||
| CVE-2022-39947 | 1 Fortinet | 1 Fortiadc | 2024-11-21 | N/A | 8.8 HIGH |
| An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiADC version 7.0.0 through 7.0.2, FortiADC version 6.2.0 through 6.2.3, FortiADC version 6.1.0 through 6.1.6, FortiADC version 6.0.0 through 6.0.4, and FortiADC version 5.4.0 through 5.4.5 may allow an attacker to execute unauthorized code or commands via specifically crafted HTTP requests. ||||||
| CVE-2022-39819 | 1 Nokia | 1 1350 Optical Management System | 2024-11-21 | N/A | 8.8 HIGH |
| In NOKIA 1350 OMS R14.2, multiple OS command injection vulnerabilities occur. They allow authenticated users to execute commands on the operating system. ||||||
| CVE-2022-39818 | 1 Nokia | 1 Network Functions Manager For Transport | 2024-11-21 | N/A | 8.8 HIGH |
| In NOKIA NFM-T R19.9, an OS command injection vulnerability occurs in /cgi-bin/R19.9/log.pl of the VM Manager WebUI via the cmd HTTP GET parameter. This allows authenticated users to execute commands, with root privileges, on the operating system. ||||||
| CVE-2022-39815 | 1 Nokia | 1 1350 Optical Management System | 2024-11-21 | N/A | 9.8 CRITICAL |
| In NOKIA 1350 OMS R14.2, multiple OS command injection vulnerabilities occur. They allow unauthenticated users to execute commands on the operating system. ||||||
| CVE-2022-39327 | 1 Microsoft | 2 Azure Command-line Interface, Windows | 2024-11-21 | N/A | 8.1 HIGH |
| Azure CLI is the command-line interface for Microsoft Azure. In versions prior to 2.40.0, Azure CLI contains a potential code injection vulnerability. The critical scenarios are those where a hosting machine runs an Azure CLI command whose parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine, with any version of PowerShell, and when the parameter value contains the `&` or `|` symbols. If any of these ... ||||||
| CVE-2022-39321 | 1 Github | 1 Runner | 2024-11-21 | N/A | 8.8 HIGH |
| GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands was discovered in versions prior to 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4 that allows an input to escape the environment variable and modify that docker command invocation directly. Jobs that use ... ||||||
| CVE-2022-39224 | 1 Ruby-arr-pm Project | 1 Ruby-arr-pm | 2024-11-21 | N/A | 7.0 HIGH |
| Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. T ... ||||||
| CVE-2022-39057 | 1 Changingtec | 1 Rava Certificate Validation System | 2024-11-21 | N/A | 7.2 HIGH |
| The RAVA certificate validation system has insufficient filtering of special parameters in a web page input field. A remote attacker with administrator privileges can exploit this vulnerability to execute arbitrary system commands and disrupt service. ||||||
| CVE-2022-38828 | 1 Totolink | 2 T6, T6 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to command injection via cstecgi.cgi. ||||||
| CVE-2022-38826 | 1 Totolink | 2 T6, T6 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| In TOTOLINK T6 V4.1.5cu.709_B20210518, cstecgi.cgi allows execution of arbitrary commands. ||||||
| CVE-2022-38547 | 1 Zyxel | 50 Atp100, Atp100 Firmware, Atp100w and 47 more | 2024-11-21 | N/A | 7.2 HIGH |
| A post-authentication command injection vulnerability in the CLI command of Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72, VPN series firmware versions 4.30 through 5.32, USG FLEX series firmware versions 4.50 through 5.32, and ATP series firmware versions 4.32 through 5.32, which could allow an authenticated attacker with administrator privileges to execute OS commands. ||||||
| CVE-2022-38535 | 1 Totolink | 2 A720r, A720r Firmware | 2024-11-21 | N/A | 7.2 HIGH |
| TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg function. ||||||
| CVE-2022-38534 | 1 Totolink | 2 A720r, A720r Firmware | 2024-11-21 | N/A | 7.2 HIGH |
| TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setdiagnosicfg function. ||||||
| CVE-2022-38531 | 1 Fpt | 4 G-97rg3, G-97rg3 Firmware, G-97rg6m and 1 more | 2024-11-21 | N/A | 8.8 HIGH |
| FPT G-97RG6M R4.2.98.035 and G-97RG3 R4.2.43.078 are vulnerable to remote command execution in the ping function. ||||||
| CVE-2022-38511 | 1 Totolink | 2 A810r, A810r Firmware | 2024-11-21 | N/A | 7.8 HIGH |
| TOTOLINK A810R V5.9c.4050_B20190424 was discovered to contain a command injection vulnerability via the component downloadFile.cgi. ||||||
| CVE-2022-38387 | 2 Ibm, Linux | 2 Cloud Pak For Security, Linux Kernel | 2024-11-21 | N/A | 7.1 HIGH |
| IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.2.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 233786. ||||||
| CVE-2022-38308 | 1 Totolink | 2 A7000ru, A7000ru Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| TOTOLink A700RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the lang parameter in the function cstesystem. This vulnerability allows attackers to execute arbitrary commands via a crafted payload. ||||||
| CVE-2022-38132 | 1 Linksys | 2 Mr8300, Mr8300 Firmware | 2024-11-21 | N/A | 8.2 HIGH |
| Command injection vulnerability in the Linksys MR8300 router during registration to the DDNS service. By specifying a username and password, an attacker connected to the router's web interface can execute arbitrary OS commands. The username and password fields are not sanitized correctly and are used as URL construction arguments, allowing URL redirection to an arbitrary server, downloading an arbitrary script file, and eventually executing the file on the device. This issue affects: Linksys MR8300 Router ... ||||||
| CVE-2022-38094 | 1 Allied-telesis | 2 Centrecom Ar260s, Centrecom Ar260s Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| OS command injection vulnerability in the telnet function of CentreCOM AR260S V2 firmware versions prior to Ver.3.3.7 allows a remote authenticated attacker to execute an arbitrary OS command. ||||||
| CVE-2022-38066 | 1 Siretta | 2 Quartz-gold, Quartz-gold Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| An OS command injection vulnerability exists in the httpd SNMP functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP response can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability. ||||||
| CVE-2022-37893 | 2 Arubanetworks, Siemens | 4 Arubaos, Instant, Scalance W1750d and 1 more | 2024-11-21 | N/A | 7.8 HIGH |
| An authenticated command injection vulnerability exists in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user on the underlying operating system of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; A ... ||||||
| CVE-2022-37860 | 1 Tp-link | 2 M7350, M7350 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| The web configuration interface of the TP-Link M7350 V3 with firmware version 190531 is affected by a pre-authentication command injection vulnerability. ||||||
| CVE-2022-37810 | 1 Tenda | 2 Ac1206, Ac1206 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| Tenda AC1206 V15.03.06.23 was discovered to contain a command injection vulnerability via the mac parameter in the function formWriteFacMac. ||||||
| CVE-2022-37337 | 1 Netgear | 2 Rbs750, Rbs750 Firmware | 2024-11-21 | N/A | 9.1 CRITICAL |
| A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. ||||||
| CVE-2022-37149 | 1 Wavlink | 2 Wl-wn575a3, Wl-wn575a3 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| WAVLINK WL-WN575A3 RPT75A3.V4300.201217 was discovered to contain a command injection vulnerability in adm.cgi. This vulnerability allows attackers to execute arbitrary commands via the username parameter. ||||||
| CVE-2022-37130 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| In D-Link DIR-816 A2_v1.10CNB04 and DIR-878 DIR_878_FW1.30B08.img, a command injection vulnerability occurs in /goform/Diagnosis: once the precondition is met, the setnum parameter is spliced into the buffer v10 by snprintf and the result is passed to system(), resulting in command injection. ||||||
| CVE-2022-37129 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| D-Link DIR-816 A2_v1.10CNB04.img is vulnerable to command injection via /goform/SystemCommand. The user-supplied command parameter is spliced into byte_4836B0 by snprintf and then passed to doSystem(&byte_4836B0), resulting in command injection. ||||||
| CVE-2022-37123 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| D-Link DIR-816 A2_v1.10CNB04.img is vulnerable to command injection via /goform/form2userconfig.cgi. ||||||
| CVE-2022-37083 | 1 Totolink | 2 A7000r, A7000r Firmware | 2024-11-21 | N/A | 7.8 HIGH |
| TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the ip parameter at the function setDiagnosisCfg. ||||||
| CVE-2022-37082 | 1 Totolink | 2 A7000r, A7000r Firmware | 2024-11-21 | N/A | 7.8 HIGH |
| TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the host_time parameter at the function NTPSyncWithHost. ||||||
| CVE-2022-37081 | 1 Totolink | 2 A7000r, A7000r Firmware | 2024-11-21 | N/A | 7.8 HIGH |
| TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the command parameter at setting/setTracerouteCfg. ||||||
| CVE-2022-37079 | 1 Totolink | 2 A7000r, A7000r Firmware | 2024-11-21 | N/A | 7.8 HIGH |
| TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the hostName parameter in the function setOpModeCfg. ||||||
| CVE-2022-37076 | 1 Totolink | 2 A7000r, A7000r Firmware | 2024-11-21 | N/A | 7.8 HIGH |
| TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a command injection vulnerability via the FileName parameter in the function UploadFirmwareFile. ||||||
| CVE-2022-37070 | 1 H3c | 2 Gr-1200w, Gr-1200w Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| H3C GR-1200W MiniGRW1A0V100R006 was discovered to contain a command injection vulnerability via the param parameter at DelL2tpLNSList. ||||||
| CVE-2022-36962 | 1 Solarwinds | 1 Orion Platform | 2024-11-21 | N/A | 7.2 HIGH |
| SolarWinds Platform was susceptible to command injection. This vulnerability allows a remote adversary with complete control over the SolarWinds database to execute arbitrary commands. ||||||
| CVE-2022-36926 | 1 Zoom | 1 Rooms | 2024-11-21 | N/A | 8.8 HIGH |
| Zoom Rooms for macOS clients before version 5.11.3 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability to escalate their privileges to root. ||||||
| CVE-2022-36779 | 2 Advice, Proscend | 18 Icr 111wg, Icr 111wg Firmware, M301-g and 15 more | 2024-11-21 | N/A | 6.5 MEDIUM |
| PROSCEND / ADVICE Ltd. 4G/5G Industrial Cellular Router (with GPS): unauthenticated OS command injection. Affected models: Proscend M330-w, M33-W5, M350-5G, M350-W5G, M350-6, M350-W6, M301-G, M301-GW; ADVICE ICR 111WG. References: https://www.proscend.com/en/category/industrial-Cellular-Router/industrial-Cellular-Router.html and https://cdn.shopify.com/s/files/1/0036/9413/3297/files/ADVICE_Industrial_4G_LTE_Cellular_Router_ICR111WG.pdf?v=1620814301 ||||||
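The tinygltf entry above (CVE-2022-3008) describes a bug class worth seeing in code: wordexp() performs shell-style word expansion, and with no flags it honours command substitution, so a path taken from a file can carry a backticked command. The following is an added example written for this page, not tinygltf's own code. It contrasts the unsafe call with a hardened version that passes WRDE_NOCMD (which makes wordexp() return WRDE_CMDSUB instead of spawning a shell) and insists on exactly one resulting word. The sample URIs in main() are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Result codes for expand_path_safe(). */
enum {
    EXPAND_OK = 0,
    EXPAND_ERR = -1,    /* syntax error, bad character, or no room in out */
    EXPAND_CMDSUB = -2, /* input asked for `cmd` or $(cmd): refused */
    EXPAND_MULTI = -3   /* expanded to zero words or to more than one word */
};

/* Hardened form: WRDE_NOCMD makes wordexp() reject command substitution
 * instead of running it, and we require exactly one resulting word so a
 * path cannot smuggle in extra arguments via whitespace or globbing. */
int expand_path_safe(const char *path, char *out, size_t outsz)
{
    wordexp_t we;
    int rc = wordexp(path, &we, WRDE_NOCMD);
    if (rc == WRDE_CMDSUB)
        return EXPAND_CMDSUB;
    if (rc != 0) {
        if (rc == WRDE_NOSPACE)   /* POSIX: partial allocation must be freed */
            wordfree(&we);
        return EXPAND_ERR;
    }

    int ret = EXPAND_OK;
    if (we.we_wordc != 1)
        ret = EXPAND_MULTI;
    else if (snprintf(out, outsz, "%s", we.we_wordv[0]) >= (int)outsz)
        ret = EXPAND_ERR;
    wordfree(&we);
    return ret;
}

/* The pattern the CVE describes: flags == 0, so a path such as
 * "`rm -rf ~`/tex.png" runs the backticked command during expansion.
 * Kept only to contrast with the safe version; never feed it untrusted data. */
int expand_path_unsafe(const char *path, char *out, size_t outsz)
{
    wordexp_t we;
    int rc = wordexp(path, &we, 0);
    if (rc != 0) {
        if (rc == WRDE_NOSPACE)
            wordfree(&we);
        return EXPAND_ERR;
    }
    int ret = EXPAND_OK;
    if (we.we_wordc < 1 || snprintf(out, outsz, "%s", we.we_wordv[0]) >= (int)outsz)
        ret = EXPAND_ERR;
    wordfree(&we);
    return ret;
}

int main(void)
{
    /* Constructed sample values, as they might appear in a glTF "uri" field. */
    const char *samples[] = {
        "textures/wood.png",
        "`id`/wood.png",
        "$(id)/wood.png",
        "a b",
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = expand_path_safe(samples[i], buf, sizeof buf);
        printf("%-18s -> rc=%d%s%s\n", samples[i], rc,
               rc == EXPAND_OK ? " path=" : "", rc == EXPAND_OK ? buf : "");
    }
    return 0;
}
```

Note that WRDE_NOCMD only closes the command-substitution hole; tilde and variable expansion still happen, so the returned word must still be checked against the directory the asset is allowed to live in before it is opened.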
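The arr-pm entry above (CVE-2022-39224) names both the sink, a shell invocation built from the RPM's "payload compressor" field, and the workaround, accepting only the known compressor names gzip, bzip2, xz, zstd and lzma. The following added example is not arr-pm's code (arr-pm is Ruby; C is used here for consistency with the other example on this page). It shows the vulnerable shape, where the field is interpolated into a shell command string, beside a hardened version that checks the field against the allowlist and hands an argv array to posix_spawnp() so no shell ever parses it. The field values in main() are constructed for the demonstration.

```c
#include <fcntl.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* The compressors the advisory lists as valid/known. Anything else,
 * including a valid name followed by shell syntax, is rejected. */
static const char *const ALLOWED_COMPRESSORS[] = {"gzip", "bzip2", "xz", "zstd", "lzma"};

int compressor_allowed(const char *name)
{
    if (name == NULL)
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_COMPRESSORS / sizeof ALLOWED_COMPRESSORS[0]; i++)
        if (strcmp(name, ALLOWED_COMPRESSORS[i]) == 0)
            return 1;
    return 0;
}

/* Vulnerable pattern: the header field is interpolated into a string that a
 * shell will parse, so a value such as "gzip; id" runs id. Returns the
 * command line so it can be inspected; do not pass the result to system(). */
int build_shell_command_unsafe(const char *compressor, const char *payload_path,
                               char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s -dc < %s", compressor, payload_path);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened pattern: validate against the allowlist, then build an argv
 * array. argv goes to posix_spawnp() directly, so there is no shell to
 * interpret metacharacters even if the allowlist were widened. argv_out
 * must have room for 3 entries. Returns 0, or -1 if rejected. */
int build_argv_safe(const char *compressor, const char *argv_out[3])
{
    if (!compressor_allowed(compressor))
        return -1;
    argv_out[0] = compressor;
    argv_out[1] = "-dc";
    argv_out[2] = NULL;
    return 0;
}

/* Decompress payload_path to stdout with the validated argv. Returns the
 * child's exit status, or -1 on rejection or spawn failure. Requires the
 * decompressor to be installed, so the stand-alone main() does not call it. */
int decompress_payload(const char *compressor, const char *payload_path)
{
    const char *argv[3];
    if (build_argv_safe(compressor, argv) != 0)
        return -1;

    posix_spawn_file_actions_t fa;
    posix_spawn_file_actions_init(&fa);
    /* Feed the payload on stdin rather than putting its path on the command line. */
    posix_spawn_file_actions_addopen(&fa, 0, payload_path, O_RDONLY, 0);

    pid_t pid;
    int rc = posix_spawnp(&pid, argv[0], &fa, NULL, (char *const *)argv, environ);
    posix_spawn_file_actions_destroy(&fa);
    if (rc != 0)
        return -1;

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed "payload compressor" field values: one benign, one hostile. */
    const char *fields[] = {"gzip", "gzip; id"};
    char cmd[128];
    const char *argv[3];
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        build_shell_command_unsafe(fields[i], "payload.cpio", cmd, sizeof cmd);
        printf("field \"%s\": shell string \"%s\"; allowlist %s\n", fields[i], cmd,
               build_argv_safe(fields[i], argv) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The allowlist is the cheap part; the argv form is what removes the bug class, because a name that is not an executable simply fails to spawn instead of being reinterpreted by /bin/sh.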