Total
4033 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-10660 | 1 Grandstream | 2 Gxv3611ir Hd, Gxv3611ir Hd Firmware | 2024-08-04 | 8.8 High |
| Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field. | ||||
| CVE-2019-10669 | 1 Librenms | 1 Librenms | 2024-08-04 | 7.2 High |
| An issue was discovered in LibreNMS through 1.47. There is a command injection vulnerability in html/includes/graphs/device/collectd.inc.php where user supplied parameters are filtered with the mysqli_escape_real_string function. This function is not the appropriate function to sanitize command arguments as it does not escape a number of command line syntax characters such as ` (backtick), allowing an attacker to inject commands into the variable $rrd_cmd, which gets executed via passthru(). | ||||
| CVE-2019-10657 | 1 Grandstream | 4 Gwn7000, Gwn7000 Firmware, Gwn7610 and 1 more | 2024-08-04 | 6.5 Medium |
| Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request. | ||||
| CVE-2019-10662 | 1 Grandstream | 2 Ucm6204, Ucm6204 Firmware | 2024-08-04 | 8.8 High |
| Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI. | ||||
| CVE-2019-10658 | 1 Grandstream | 2 Gwn7610, Gwn7610 Firmware | 2024-08-04 | 8.8 High |
| Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call. | ||||
| CVE-2019-10656 | 1 Grandstream | 2 Gwn7000, Gwn7000 Firmware | 2024-08-04 | 8.8 High |
| Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call. | ||||
| CVE-2019-10659 | 1 Grandstream | 4 Gxv3370, Gxv3370 Firmware, Wp820 and 1 more | 2024-08-04 | 8.8 High |
| Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field. | ||||
| CVE-2019-10631 | 1 Zyxel | 2 Nas326, Nas326 Firmware | 2024-08-04 | N/A |
| Shell Metacharacter Injection in the package installer on Zyxel NAS 326 version 5.21 and below allows an authenticated attacker to execute arbitrary code via multiple different requests. | ||||
| CVE-2019-10392 | 2 Jenkins, Redhat | 2 Git Client, Openshift | 2024-08-04 | 8.8 High |
| Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection. | ||||
| CVE-2019-10149 | 3 Canonical, Debian, Exim | 3 Ubuntu Linux, Debian Linux, Exim | 2024-08-04 | 9.8 Critical |
| A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution. | ||||
| CVE-2019-10061 | 1 Node-opencv Project | 1 Node-opencv | 2024-08-04 | N/A |
| utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) prior to 6.1.0 is vulnerable to Command Injection. It does not validate user input allowing attackers to execute arbitrary commands. | ||||
| CVE-2019-10048 | 1 Pydio | 1 Pydio | 2024-08-04 | N/A |
| The ImageMagick plugin that is installed by default in Pydio through 8.2.2 does not perform the appropriate validation and sanitization of user supplied input in the plugin's configuration options, allowing arbitrary shell commands to be entered that result in command execution on the underlying operating system, with the privileges of the local user running the web server. The attacker must be authenticated into the application with an administrator user account in order to be able to edit the affected plugin configuration. | ||||
| CVE-2019-9859 | 1 Vestacp | 1 Vesta Control Panel | 2024-08-04 | 8.8 High |
| Vesta Control Panel (VestaCP) 0.9.7 through 0.9.8-23 is vulnerable to an authenticated command execution that can result in remote root access on the server. The platform works with PHP as the frontend language and uses shell scripts to execute system actions. PHP executes shell script through the dangerous command exec. This function can be dangerous if arguments passed to it are not filtered. Every user input in VestaCP that is used as an argument is filtered with the escapeshellarg function. This function comes from the PHP library directly and its description is as follows: "escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument." It means that if you give Username, it will have 'Username' as a replacement. This works well and protects users from exploiting this potentially dangerous exec function. Unfortunately, VestaCP uses this escapeshellarg function incorrectly in several places. | ||||
| CVE-2019-9804 | 2 Apple, Mozilla | 2 Mac Os X, Firefox | 2024-08-04 | N/A |
| In Firefox Developer Tools it is possible that pasting the result of the 'Copy as cURL' command into a command shell on macOS will cause the execution of unintended additional bash script commands if the URL was maliciously crafted. This is the result of an issue with the native version of Bash on macOS. *Note: This issue only affects macOS. Other operating systems are unaffected.*. This vulnerability affects Firefox < 66. | ||||
| CVE-2019-9653 | 1 Nuuo | 2 Network Video Recorder, Network Video Recorder Firmware | 2024-08-04 | N/A |
| NUUO Network Video Recorder Firmware 1.7.x through 3.3.x allows unauthenticated attackers to execute arbitrary commands via shell metacharacters to handle_load_config.php. | ||||
| CVE-2019-9197 | 2 Microsoft, Unity3d | 2 Windows, Unity Editor | 2024-08-04 | 8.8 High |
| The com.unity3d.kharma protocol handler in Unity Editor 2018.3 allows remote attackers to execute arbitrary code. | ||||
| CVE-2019-9161 | 1 Xinruidz | 2 Sundray Wan Controller, Sundray Wan Controller Firmware | 2024-08-04 | N/A |
| WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a Remote Code Execution issue allowing remote attackers to achieve full access to the system, because shell metacharacters in the nginx_webconsole.php Cookie header can be used to read an etc/config/wac/wns_cfg_admin_detail.xml file containing the admin password. (The password for root is the WebUI admin password concatenated with a static string.) | ||||
| CVE-2019-9156 | 1 Gemalto | 1 Ezio Ds3 Server | 2024-08-04 | N/A |
| Gemalto DS3 Authentication Server 2.6.1-SP01 allows OS Command Injection. | ||||
| CVE-2019-9120 | 1 Motorola | 4 C1, C1 Firmware, M2 and 1 more | 2024-08-04 | N/A |
| An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetWLanACLSettings API function, as demonstrated by shell metacharacters in the wl(0).(0)_maclist field. | ||||
| CVE-2019-9194 | 1 Std42 | 1 Elfinder | 2024-08-04 | N/A |
| elFinder before 2.1.48 has a command injection vulnerability in the PHP connector. | ||||