Filtered by CWE-78
Total 4084 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-1698 1 Wago 14 Compact Controller 100, Compact Controller 100 Firmware, Edge Controller and 11 more 2024-11-21 9.8 Critical
In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.
CVE-2023-1350 1 Liferea Project 1 Liferea 2024-11-21 6.3 Medium
A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date >/tmp/bad-item-link.txt leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848.
CVE-2023-1277 1 Ubuntukylin 1 Kylin-system-updater 2024-11-21 7.8 High
A vulnerability, which was classified as critical, was found in kylin-system-updater up to 1.4.20kord on Ubuntu Kylin. Affected is the function InstallSnap of the component Update Handler. The manipulation leads to command injection. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222600.
CVE-2023-1082 2024-11-21 8.8 High
An remote attacker with low privileges can perform a command injection which can lead to root access.
CVE-2023-0935 1 Dolphinphp Project 1 Dolphinphp 2024-11-21 6.3 Medium
A vulnerability was found in DolphinPHP up to 1.5.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file common.php of the component Incomplete Fix CVE-2021-46097. The manipulation of the argument id leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-221551.
CVE-2023-0861 1 Netmodule 10 Nb1601, Nb1800, Nb1810 and 7 more 2024-11-21 7.2 High
NetModule NSRW web administration interface executes an OS command constructed with unsanitized user input. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. This issue affects NSRW: from 4.3.0.0 before 4.3.0.119, from 4.4.0.0 before 4.4.0.118, from 4.6.0.0 before 4.6.0.105, from 4.7.0.0 before 4.7.0.103.
CVE-2023-0830 1 Easynas 1 Easynas 2024-11-21 6.3 Medium
A vulnerability classified as critical has been found in EasyNAS 1.1.0. Affected is the function system of the file /backup.pl. The manipulation leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. VDB-220950 is the identifier assigned to this vulnerability.
CVE-2023-0164 1 Orangescrum 1 Orangescrum 2024-11-21 8.8 High
OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function.
CVE-2023-0118 2 Redhat, Theforeman 6 Enterprise Linux, Satellite, Satellite Capsule and 3 more 2024-11-21 9.1 Critical
An arbitrary code execution flaw was found in Foreman. This flaw allows an admin user to bypass safe mode in templates and execute arbitrary code on the underlying operating system.
CVE-2023-0011 1 U-blox 10 Toby-l200, Toby-l200 Firmware, Toby-l201 and 7 more 2024-11-21 7.6 High
A flaw in the input validation in TOBY-L2 allows a user to execute arbitrary operating system commands using specifically crafted AT commands. This vulnerability requires physical access to the serial interface of the module or the ability to modify the system or software which uses its serial interface to send malicious AT commands. Exploitation of the vulnerability gives full administrative (root) privileges to the attacker to execute any operating system command on TOBY-L2 which can lead to modification of the behavior of the module itself as well as the components connected with it (depending on its rights on other connected systems). It can further provide the ability to read system level files and hamper the availability of the module as well.. This issue affects TOBY-L2 series: TOBY-L200, TOBY-L201, TOBY-L210, TOBY-L220, TOBY-L280.
CVE-2022-4643 1 Search 1 Docconv 2024-11-21 6.3 Medium
A vulnerability was found in docconv up to 1.2.0. It has been declared as critical. This vulnerability affects the function ConvertPDFImages of the file pdf_ocr.go. The manipulation of the argument path leads to os command injection. The attack can be initiated remotely. Upgrading to version 1.2.1 is able to address this issue. The name of the patch is b19021ade3d0b71c89d35cb00eb9e589a121faa5. It is recommended to upgrade the affected component. VDB-216502 is the identifier assigned to this vulnerability.
CVE-2022-4515 3 Debian, Exuberant Ctags Project, Redhat 3 Debian Linux, Exuberant Ctags, Enterprise Linux 2024-11-21 7.8 High
A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way.
CVE-2022-4364 1 Flir 2 Flir Ax8, Flir Ax8 Firmware 2024-11-21 7.3 High
A vulnerability classified as critical has been found in Teledyne FLIR AX8 up to 1.46.16. Affected is an unknown function of the file palette.php of the component Web Service Handler. The manipulation of the argument palette leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-215118 is the identifier assigned to this vulnerability.
CVE-2022-4257 1 Cdatatec 1 C-data Web Management System 2024-11-21 6.3 Medium
A vulnerability was found in C-DATA Web Management System. It has been rated as critical. This issue affects some unknown processing of the file cgi-bin/jumpto.php of the component GET Parameter Handler. The manipulation of the argument hostname leads to argument injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-214631.
CVE-2022-4221 1 Asus 2 Nas-m25, Nas-m25 Firmware 2024-11-21 9.8 Critical
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Asus NAS-M25 allows an unauthenticated attacker to inject arbitrary OS commands via unsanitized cookie values.This issue affects NAS-M25: through 1.0.1.7.
CVE-2022-48684 1 Logpoint 1 Logpoint 2024-11-21 8.4 High
An issue was discovered in Logpoint before 7.1.1. Template injection was seen in the search template. The search template uses jinja templating for generating dynamic data. This could be abused to achieve code execution. Any user with access to create a search template can leverage this to execute code as the loginspect user.
CVE-2022-48616 1 Huawei 2 Ar617vw, Ar617vw Firmware 2024-11-21 6.4 Medium
A Huawei data communication product has a command injection vulnerability. Successful exploitation of this vulnerability may allow attackers to gain higher privileges.
CVE-2022-48604 1 Sciencelogic 1 Sl1 2024-11-21 8.8 High
A SQL injection vulnerability exists in the “logging export” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.
CVE-2022-48603 1 Sciencelogic 1 Sl1 2024-11-21 8.8 High
A SQL injection vulnerability exists in the “message viewer iframe” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.
CVE-2022-48602 1 Sciencelogic 1 Sl1 2024-11-21 8.8 High
A SQL injection vulnerability exists in the “message viewer print” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.