Total
4029 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-17642 | 1 Centreon | 1 Centreon | 2024-08-05 | 8.8 High |
| An issue was discovered in Centreon before 18.10.8, 19.10.1, and 19.04.2. It allows CSRF with resultant remote command execution via shell metacharacters in a POST to centreon-autodiscovery-server/views/scan/ajax/call.php in the Autodiscovery plugin. | ||||
| CVE-2019-18183 | 2 Fedoraproject, Pacman Project | 2 Fedora, Pacman | 2024-08-05 | 9.8 Critical |
| pacman before 5.2 is vulnerable to arbitrary command injection in lib/libalpm/sync.c in the apply_deltas() function. This can be exploited when unsigned databases are used. To exploit the vulnerability, the user must enable the non-default delta feature and retrieve an attacker-controlled crafted database and delta file. | ||||
| CVE-2019-17621 | 1 Dlink | 28 Dir-818lx, Dir-818lx Firmware, Dir-822 and 25 more | 2024-08-05 | 9.8 Critical |
| The UPnP endpoint URL /gena.cgi in the D-Link DIR-859 Wi-Fi router 1.05 and 1.06B01 Beta01 allows an Unauthenticated remote attacker to execute system commands as root, by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service when connecting to the local network. | ||||
| CVE-2019-18184 | 1 Crestron | 2 Dmc-stro, Dmc-stro Firmware | 2024-08-05 | 9.8 Critical |
| Crestron DMC-STRO 1.0 devices allow remote command execution as root via shell metacharacters to the ping function. | ||||
| CVE-2019-17625 | 1 Rambox | 1 Rambox | 2024-08-05 | 9.0 Critical |
| There is a stored XSS in Rambox 0.6.9 that can lead to code execution. The XSS is in the name field while adding/editing a service. The problem occurs due to incorrect sanitization of the name field when being processed and stored. This allows a user to craft a payload for Node.js and Electron, such as an exec of OS commands within the onerror attribute of an IMG element. | ||||
| CVE-2019-17510 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2024-08-05 | 9.8 Critical |
| D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary OS commands as root by leveraging admin access and sending a /HNAP1/ request for SetWizardConfig with shell metacharacters to /squashfs-root/www/HNAP1/control/SetWizardConfig.php. | ||||
| CVE-2019-17501 | 1 Centreon | 1 Centreon | 2024-08-05 | 8.8 High |
| Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen). CVE-2019-17501 and CVE-2019-16405 are similar to one another and may be the same. | ||||
| CVE-2019-17499 | 1 Compal | 2 Ch7465lg, Ch7465lg Firmware | 2024-08-05 | 8.8 High |
| The setter.xml component of the Common Gateway Interface on Compal CH7465LG 6.12.18.25-2p4 devices does not properly validate ping command arguments, which allows remote authenticated users to execute OS commands as root via shell metacharacters in the Target_IP parameter. | ||||
| CVE-2019-17509 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2024-08-05 | 9.8 Critical |
| D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary OS commands as root by leveraging admin access and sending a /HNAP1/ request for SetMasterWLanSettings with shell metacharacters to /squashfs-root/www/HNAP1/control/SetMasterWLanSettings.php. | ||||
| CVE-2019-17508 | 1 Dlink | 4 Dir-850l A, Dir-850l A Firmware, Dir-859 A3 and 1 more | 2024-08-05 | 9.8 Critical |
| On D-Link DIR-859 A3-1.06 and DIR-850 A1.13 devices, /etc/services/DEVICE.TIME.php allows command injection via the $SERVER variable. | ||||
| CVE-2019-17364 | 2 Petwant, Skymee | 4 Pf-103, Pf-103 Firmware, Petalk Ai and 1 more | 2024-08-05 | 9.8 Critical |
| The processCommandUploadLog() function of libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | ||||
| CVE-2019-17269 | 1 Intelliantech | 1 Remote Access | 2024-08-05 | 9.8 Critical |
| Intellian Remote Access 3.18 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the Ping Test field. | ||||
| CVE-2019-17148 | 1 Parallels | 1 Parallels Desktop | 2024-08-05 | 7.8 High |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop Parallels Desktop version 14.1.3 (45485). An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of root. Was ZDI-CAN-8685. | ||||
| CVE-2019-17270 | 1 Yachtcontrol | 1 Yachtcontrol | 2024-08-05 | 9.8 Critical |
| Yachtcontrol through 2019-10-06: It's possible to perform direct Operating System commands as an unauthenticated user via the "/pages/systemcall.php?command={COMMAND}" page and parameter, where {COMMAND} will be executed and returning the results to the client. Affects Yachtcontrol webservers disclosed via Dutch GPRS/4G mobile IP-ranges. IP addresses vary due to DHCP client leasing of telco's. | ||||
| CVE-2019-17059 | 1 Sophos | 2 Cyberoam, Cyberoamos | 2024-08-05 | 9.8 Critical |
| A shell injection vulnerability on the Sophos Cyberoam firewall appliance with CyberoamOS before 10.6.6 MR-6 allows remote attackers to execute arbitrary commands via the Web Admin and SSL VPN consoles. | ||||
| CVE-2019-17107 | 1 Centreon | 1 Centreon Web | 2024-08-05 | 8.8 High |
| minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect. | ||||
| CVE-2019-16964 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 8.8 High |
| app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit) to execute any commands on the host as www-data. | ||||
| CVE-2019-16920 | 1 Dlink | 20 Dap-1533, Dap-1533 Firmware, Dhp-1565 and 17 more | 2024-08-05 | 9.8 Critical |
| Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. | ||||
| CVE-2019-16965 | 1 Fusionpbx | 1 Fusionpbx | 2024-08-05 | 7.2 High |
| resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data. | ||||
| CVE-2019-16790 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2024-08-05 | 6.5 Medium |
| In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted. | ||||