Filtered by CWE-78
Total 4084 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-28771 1 Zyxel 38 Atp100, Atp100 Firmware, Atp100w and 35 more 2024-11-21 9.8 Critical
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
CVE-2023-28767 1 Zyxel 47 Atp Series Firmware, Usg 20w-vpn, Usg 20w-vpn Firmware and 44 more 2024-11-21 8.8 High
The configuration parser fails to sanitize user-controlled input in the Zyxel ATP series firmware versions 5.10 through 5.36, USG FLEX series firmware versions 5.00 through 5.36,  USG FLEX 50(W) series firmware versions 5.10 through 5.36, USG20(W)-VPN series firmware versions 5.10 through 5.36, and VPN series firmware versions 5.00 through 5.36. An unauthenticated, LAN-based attacker could leverage the vulnerability to inject some operating system (OS) commands into the device configuration data on an affected device when the cloud management mode is enabled.
CVE-2023-28742 1 F5 1 Big-ip Domain Name System 2024-11-21 7.2 High
When DNS is provisioned, an authenticated remote command execution vulnerability exists in DNS iQuery mesh. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2023-28726 1 Panasonic 2 Aiseg2, Aiseg2 Firmware 2024-11-21 7.5 High
Panasonic AiSEG2 versions 2.80F through 2.93A allows remote attackers to execute arbitrary OS commands.
CVE-2023-28716 1 Myscada 1 Mypro 2024-11-21 8.8 High
mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands.
CVE-2023-28704 1 Furbo 2 Dog Camera, Dog Camera Firmware 2024-11-21 8.8 High
Furbo dog camera has insufficient filtering for special parameter of device log management function. An unauthenticated remote attacker in the Bluetooth network with normal user privileges can exploit this vulnerability to perform command injection attack to execute arbitrary system commands or disrupt service.
CVE-2023-28702 1 Asus 2 Rt-ac86u, Rt-ac86u Firmware 2024-11-21 8.8 High
ASUS RT-AC86U does not filter special characters for parameters in specific web URLs. A remote attacker with normal user privileges can exploit this vulnerability to perform command injection attack to execute arbitrary system commands, disrupt system or terminate service.
CVE-2023-28627 1 Pymedusa 1 Medusa 2024-11-21 8.3 High
pymedusa is an automatic video library manager for TV Shows. In versions prior 1.0.12 an attacker with access to the web interface can update the git executable path in /config/general/ > advanced settings with arbitrary OS commands. An attacker may exploit this vulnerability to take execute arbitrary OS commands as the user running the pymedusa program. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-28617 2 Gnu, Redhat 6 Org Mode, Enterprise Linux, Rhel Aus and 3 more 2024-11-21 7.8 High
org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.
CVE-2023-28614 1 Freewillsolutions 1 Smart Trade 2024-11-21 9.8 Critical
Freewill iFIS (aka SMART Trade) 20.01.01.04 allows OS Command Injection via shell metacharacters to a report page.
CVE-2023-28528 1 Ibm 2 Aix, Vios 2024-11-21 8.4 High
IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the invscout command to execute arbitrary commands. IBM X-Force ID: 251207.
CVE-2023-28400 1 Myscada 1 Mypro 2024-11-21 8.8 High
mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands.
CVE-2023-28394 1 Beekeeperstudio 1 Beekeeper-studio 2024-11-21 8.8 High
Beekeeper Studio versions prior to 3.9.9 allows a remote authenticated attacker to execute arbitrary JavaScript code with the privilege of the application on the PC where the affected product is installed. As a result, an arbitrary OS command may be executed as well.
CVE-2023-28392 1 Inaba 8 Ac-wapu-300, Ac-wapu-300-p, Ac-wapu-300-p Firmware and 5 more 2024-11-21 7.2 High
Wi-Fi AP UNIT AC-PD-WAPU v1.05_B04 and earlier, AC-PD-WAPUM v1.05_B04 and earlier, AC-PD-WAPU-P v1.05_B04P and earlier, AC-PD-WAPUM-P v1.05_B04P and earlier, AC-WAPU-300 v1.00_B07 and earlier, AC-WAPU-300-P v1.00_B08P and earlier, AC-WAPUM-300 v1.00_B07 and earlier, and AC-WAPUM-300-P v1.00_B08P and earlier allow an authenticated user with an administrative privilege to execute an arbitrary OS command.
CVE-2023-28384 1 Myscada 1 Mypro 2024-11-21 8.8 High
mySCADA myPRO versions 8.26.0 and prior has parameters which an authenticated user could exploit to inject arbitrary operating system commands.
CVE-2023-28381 1 Peplink 2 Surf Soho, Surf Soho Firmware 2024-11-21 7.2 High
An OS command injection vulnerability exists in the admin.cgi MVPN_trial_init functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2023-28343 1 Apsystems 2 Energy Communication Unit, Energy Communication Unit Firmware 2024-11-21 9.8 Critical
OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.
CVE-2023-28102 1 Discordrb Project 1 Discordrb 2024-11-21 8.4 High
discordrb is an implementation of the Discord API using Ruby. In discordrb before commit `91e13043ffa` the `encoder.rb` file unsafely constructs a shell string using the file parameter, which can potentially leave clients of discordrb vulnerable to command injection. The library is not directly exploitable: the exploit requires that some client of the library calls the vulnerable method with user input. However, if unsafe input reaches the library method, then an attacker can execute arbitrary shell commands on the host machine. Full impact will depend on the permissions of the process running the `discordrb` library and will likely not be total system access. This issue has been addressed in code, but a new release of the `discordrb` gem has not been uploaded to rubygems. This issue is also tracked as `GHSL-2022-094`.
CVE-2023-28000 1 Fortinet 1 Fortiadc 2024-11-21 6.3 Medium
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC CLI 7.1.0, 7.0.0 through 7.0.3, 6.2.0 through 6.2.4, 6.1 all versions, 6.0 all versions may allow a local and authenticated attacker to execute unauthorized commands via specifically crafted arguments in diagnose system df CLI command.
CVE-2023-27999 1 Fortinet 1 Fortiadc 2024-11-21 7.6 High
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC 7.2.0, 7.1.0 through 7.1.1 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.