Filtered by CWE-78
Total 4064 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-38031 1 Asus 2 Rt-ac86u, Rt-ac86u Firmware 2024-11-21 8.8 High
ASUS RT-AC86U Adaptive QoS - Web History function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services.
CVE-2023-38027 2 Myspotcam, Spotcam Co Ltd 3 Sense, Sense Firmware, Spotcam Sense 2024-11-21 9.8 Critical
SpotCam Co., Ltd. SpotCam Sense’s hidden Telnet function has a vulnerability of OS command injection. An remote unauthenticated attacker can exploit this vulnerability to execute command injection attack to perform arbitrary system commands or disrupt service.
CVE-2023-38025 2 Myspotcam, Spotcam Co Ltd 3 Fhd 2, Fhd 2 Firmware, Spotcam Fhd2 2024-11-21 9.8 Critical
SpotCam Co., Ltd. SpotCam FHD 2’s hidden Telnet function has a vulnerability of OS command injection. An remote unauthenticated attacker can exploit this vulnerability to execute command injection attack to arbitrary system commands or disrupt service.
CVE-2023-37928 1 Zyxel 4 Nas326, Nas326 Firmware, Nas542 and 1 more 2024-11-21 8.8 High
A post-authentication command injection vulnerability in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.
CVE-2023-37927 1 Zyxel 4 Nas326, Nas326 Firmware, Nas542 and 1 more 2024-11-21 8.8 High
The improper neutralization of special elements in the CGI program of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.
CVE-2023-37903 2 Redhat, Vm2 Project 3 Acm, Multicluster Engine, Vm2 2024-11-21 9.8 Critical
vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.
CVE-2023-37863 1 Phoenixcontact 12 Wp 6070-wvps, Wp 6070-wvps Firmware, Wp 6101-wxps and 9 more 2024-11-21 7.2 High
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote attacker with SNMPv2 write privileges may use an a special SNMP request to gain full access to the device.
CVE-2023-37861 1 Phoenixcontact 12 Wp 6070-wvps, Wp 6070-wvps Firmware, Wp 6101-wxps and 9 more 2024-11-21 8.8 High
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated remote attacker can execute code with root permissions with a specially crafted HTTP POST when uploading a certificate to the device.
CVE-2023-37569 1 Esds.co 1 Emagic Data Center Management 2024-11-21 8.8 High
This vulnerability exists in ESDS Emagic Data Center Management Suit due to lack of input sanitization in its Ping component. A remote authenticated attacker could exploit this by injecting OS commands on the targeted system. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on targeted system.
CVE-2023-37564 1 Elecom 10 Wrc-1167febk-a, Wrc-1167febk-a Firmware, Wrc-1167febk-s and 7 more 2024-11-21 8.0 High
OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary OS command with a root privilege by sending a specially crafted request. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier.
CVE-2023-37477 1 Fit2cloud 1 1panel 2024-11-21 7.2 High
1Panel is an open source Linux server operation and maintenance management panel. An OS command injection vulnerability exists in 1Panel firewall functionality. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. 1Panel firewall functionality `/hosts/firewall/ip` endpoint read user input without validation, the attacker extends the default functionality of the application, which execute system commands. An attacker can execute arbitrary code on the target system, which can lead to a complete compromise of the system. This issue has been addressed in commit `e17b80cff49` which is included in release version `1.4.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-37466 2 Redhat, Vm2 Project 3 Acm, Multicluster Engine, Vm2 2024-11-21 9.8 Critical
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox.
CVE-2023-37407 2024-11-21 8.8 High
IBM Aspera Orchestrator 4.0.1 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 260116.
CVE-2023-37292 1 Hgiga 1 Isherlock 2024-11-21 9.8 Critical
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in HGiga iSherlock 4.5 (iSherlock-user modules), HGiga iSherlock 5.5 (iSherlock-user modules) allows OS Command Injection.This issue affects iSherlock 4.5: before iSherlock-user-4.5-174; iSherlock 5.5: before iSherlock-user-5.5-174.
CVE-2023-37249 1 Infoblox 1 Nios 2024-11-21 8.8 High
Infoblox NIOS through 8.5.1 has a faulty component that accepts malicious input without sanitization, resulting in shell access.
CVE-2023-37213 1 Synel 3 Synergy\/a, Synergy\/a Firmware, Synergy Fingerprint Terminals 2024-11-21 8.8 High
Synel SYnergy Fingerprint Terminals - CWE-78: 'OS Command Injection'
CVE-2023-37173 1 Totolink 3 A3000ru, A3300r, A3300r Firmware 2024-11-21 9.8 Critical
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the command parameter in the setTracerouteCfg function.
CVE-2023-37172 1 Totolink 3 A3000ru, A3300r, A3300r Firmware 2024-11-21 9.8 Critical
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the ip parameter in the setDiagnosisCfg function.
CVE-2023-37171 1 Totolink 2 A3300r, A3300r Firmware 2024-11-21 9.8 Critical
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the admuser parameter in the setPasswordCfg function.
CVE-2023-37170 1 Totolink 2 A3300r, A3300r Firmware 2024-11-21 9.8 Critical
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the lang parameter in the setLanguageCfg function.