Total: 4033 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-6552 | 1 Advantech | 1 Webaccess | 2024-08-04 | 9.8 Critical |
Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple command injection vulnerabilities, caused by a lack of proper validation of user-supplied data, may allow remote code execution. | ||||
CVE-2019-6013 | 1 Dlink | 2 Dba-1510p, Dba-1510p Firmware | 2024-08-04 | 6.6 Medium |
DBA-1510P firmware 1.70b009 and earlier allows authenticated attackers to execute arbitrary OS commands via Command Line Interface (CLI). | ||||
CVE-2019-5987 | 1 Anglers-net | 1 Cgi An-anlyzer | 2024-08-04 | 8.8 High |
Access analysis CGI An-Analyzer released in 2019 June 24 and earlier allows remote authenticated attackers to execute arbitrary OS commands via the Management Page. | ||||
CVE-2019-6014 | 1 Dlink | 2 Dba-1510p, Dba-1510p Firmware | 2024-08-04 | 8.8 High |
DBA-1510P firmware 1.70b009 and earlier allows an attacker to execute arbitrary OS commands via Web User Interface. | ||||
CVE-2019-5819 | 6 Apple, Debian, Fedoraproject and 3 more | 7 Macos, Debian Linux, Fedora and 4 more | 2024-08-04 | 7.8 High |
Insufficient data validation in developer tools in Google Chrome on OS X prior to 74.0.3729.108 allowed a local attacker to execute arbitrary code via a crafted string copied to clipboard. | ||||
CVE-2019-5736 | 13 Apache, Canonical, D2iq and 10 more | 20 Mesos, Ubuntu Linux, Dc/os and 17 more | 2024-08-04 | 8.6 High |
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. | ||||
CVE-2019-5477 | 3 Canonical, Debian, Nokogiri | 3 Ubuntu Linux, Debian Linux, Nokogiri | 2024-08-04 | 9.8 Critical |
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4. | ||||
CVE-2019-5475 | 1 Sonatype | 1 Nexus Repository Manager | 2024-08-04 | N/A |
The Nexus Yum Repository Plugin in v2 is vulnerable to Remote Code Execution when instances using CommandLineExecutor.java are supplied vulnerable data, such as the Yum Configuration Capability. | ||||
CVE-2019-5424 | 1 Ui | 1 Edgeswitch X | 2024-08-04 | 8.8 High |
In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, a privileged user can execute arbitrary shell commands over the SSH CLI interface. This allows shell commands to be executed under the root user. | ||||
CVE-2019-5485 | 1 Gitlabhook Project | 1 Gitlabhook | 2024-08-04 | 10.0 Critical |
NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name. | ||||
CVE-2019-5425 | 1 Ui | 1 Edgeswitch X | 2024-08-04 | N/A |
In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an authenticated user can execute arbitrary shell commands over the SSH interface bypassing the CLI interface, which allows them to escalate privileges to root. | ||||
CVE-2019-5414 | 1 Kill-port Project | 1 Kill-port | 2024-08-04 | N/A |
If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in a third-party module kill-port < 1.3.2. | ||||
CVE-2019-5315 | 1 Arubanetworks | 1 Arubaos | 2024-08-04 | 7.2 High |
A command injection vulnerability is present in the web management interface of ArubaOS that permits an authenticated user to execute arbitrary commands on the underlying operating system. A malicious administrator could use this ability to install backdoors or change system configuration in a way that would not be logged. This vulnerability only affects ArubaOS 8.x. | ||||
CVE-2019-5168 | 1 Wago | 2 Pfc200, Pfc200 Firmware | 2024-08-04 | 7.8 High |
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname value from the xml file is used as an argument to /etc/config-tools/edit_dns_server domain-name=<contents of domainname node> using sprintf(). This command is later executed via a call to system(). | ||||
CVE-2019-5174 | 1 Wago | 2 Pfc200, Pfc200 Firmware | 2024-08-04 | 7.8 High |
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1e9fc the extracted subnetmask value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=enabled subnet-mask=<contents of subnetmask node> using sprintf(). This command is later executed via a call to system(). | ||||
CVE-2019-5141 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2024-08-04 | 8.8 High |
An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. | ||||
CVE-2019-5138 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2024-08-04 | 9.9 Critical |
An exploitable command injection vulnerability exists in encrypted diagnostic script functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file can cause arbitrary busybox commands to be executed, resulting in remote control over the device. An attacker can send diagnostic while authenticated as a low privilege user to trigger this vulnerability. | ||||
CVE-2019-5173 | 1 Wago | 2 Pfc200, Pfc200 Firmware | 2024-08-04 | 7.8 High |
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to inject OS commands. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1e9fc the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=<contents of state node> using sprintf(). This command is later executed via a call to system(). | ||||
CVE-2019-5140 | 1 Moxa | 2 Awk-3131a, Awk-3131a Firmware | 2024-08-04 | 8.8 High |
An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file name can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability. | ||||
CVE-2019-5171 | 1 Wago | 2 Pfc200, Pfc200 Firmware | 2024-08-04 | 7.8 High |
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet at 0x1ea48 to the extracted hostname value from the xml file that is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=enabled ip-address=<contents of ip node> using sprintf(). |