Total
2084 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2947 | 1 Redhat | 1 Enterprise Linux | 2024-11-06 | 7.3 High |
| A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer. | ||||
| CVE-2023-37567 | 1 Elecom | 8 Lan-w301nr, Wrc-1167ghbk3-a, Wrc-1167ghbk3-a Firmware and 5 more | 2024-11-06 | 9.8 Critical |
| Command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows a remote unauthenticated attacker to execute an arbitrary command by sending a specially crafted request to a certain port of the web management page. Affected products and versions are as follows: WRC-1167GHBK3-A v1.24 and earlier, WRC-F1167ACF2 all versions, WRC-600GHBK-A all versions, WRC-733FEBK2-A all versions, WRC-1467GHBK-A all versions, WRC-1900GHBK-A all versions, and LAN-W301NR all versions. | ||||
| CVE-2023-20152 | 1 Cisco | 1 Identity Services Engine | 2024-11-06 | 6 Medium |
| Multiple vulnerabilities in specific Cisco Identity Services Engine (ISE) CLI commands could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit these vulnerabilities, an attacker must have valid Administrator privileges on the affected device. These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root. | ||||
| CVE-2024-52022 | 1 Netgear | 4 R6400 Firmware, R7000p Firmware, R8500 Firmware and 1 more | 2024-11-05 | 8 High |
| Netgear R8500 v1.0.2.160, XR300 v1.0.3.78, R7000P v1.3.3.154, and R6400 v2 1.0.4.128 were discovered to contain a command injection vulnerability in the component wlg_adv.cgi via the apmode_gateway parameter. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request. | ||||
| CVE-2023-37568 | 1 Elecom | 4 Wrc-1167gebk-s, Wrc-1167gebk-s Firmware, Wrc-1167ghbk-s and 1 more | 2024-11-05 | 8.0 High |
| ELECOM wireless LAN routers WRC-1167GHBK-S v1.03 and earlier, and WRC-1167GEBK-S v1.03 and earlier allow a network-adjacent authenticated attacker to execute an arbitrary command by sending a specially crafted request to the web management page. | ||||
| CVE-2024-10697 | 1 Tenda | 2 Ac6, Ac6 Firmware | 2024-11-05 | 6.3 Medium |
| A vulnerability has been found in Tenda AC6 15.03.05.19 and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac of the component API Endpoint. The manipulation of the argument The leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-25082 | 1 Redhat | 1 Enterprise Linux | 2024-11-04 | 6.5 Medium |
| Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files. | ||||
| CVE-2022-20851 | 1 Cisco | 259 1000 Integrated Services Router, 1100-4g Integrated Services Router, 1100-4p Integrated Services Router and 256 more | 2024-11-01 | 5.5 Medium |
| A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI API. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. To exploit this vulnerability, an attacker must have valid Administrator privileges on the affected device. | ||||
| CVE-2024-9264 | 1 Grafana | 1 Grafana | 2024-11-01 | 9.9 Critical |
| The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. | ||||
| CVE-2024-10131 | 1 Infiniflow | 1 Ragflow | 2024-11-01 | 8.8 High |
| The `add_llm` function in `llm_app.py` in infiniflow/ragflow version 0.11.0 contains a remote code execution (RCE) vulnerability. The function uses user-supplied input `req['llm_factory']` and `req['llm_name']` to dynamically instantiate classes from various model dictionaries. This approach allows an attacker to potentially execute arbitrary code due to the lack of comprehensive input validation or sanitization. An attacker could provide a malicious value for 'llm_factory' that, when used as an index to these model dictionaries, results in the execution of arbitrary code. | ||||
| CVE-2024-9793 | 1 Tenda | 2 Ac1206, Ac1206 Firmware | 2024-11-01 | 6.3 Medium |
| A vulnerability classified as critical was found in Tenda AC1206 up to 15.03.06.23. This vulnerability affects the function ate_iwpriv_set/ate_ifconfig_set of the file /goform/ate. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-51255 | 1 Draytek | 1 Vigor3900 Firmware | 2024-11-01 | 9.8 Critical |
| DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ruequest_certificate function. | ||||
| CVE-2024-51259 | 1 Draytek | 1 Vigor3900 Firmware | 2024-11-01 | 9.8 Critical |
| DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function. | ||||
| CVE-2024-51299 | 1 Draytek | 1 Vigor3900 Firmware | 2024-11-01 | 8.8 High |
| In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the dumpSyslog function. | ||||
| CVE-2024-51304 | 1 Draytek | 1 Vigor3900 Firmware | 2024-11-01 | 8.8 High |
| In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ldap_search_dn function. | ||||
| CVE-2024-51301 | 1 Draytek | 1 Vigor3900 Firmware | 2024-11-01 | 8.8 High |
| In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the packet_monitor function. | ||||
| CVE-2024-51254 | 1 Draytek | 1 Vigor3900 Firmware | 2024-11-01 | 8.8 High |
| DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the sign_cacertificate function. | ||||
| CVE-2024-51260 | 1 Draytek | 1 Vigor3900 Firmware | 2024-11-01 | 9.8 Critical |
| DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the acme_process function. | ||||
| CVE-2024-51296 | 1 Draytek | 1 Vigor3900 Firmware | 2024-11-01 | 8.8 High |
| In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the pingtrace function. | ||||
| CVE-2024-48214 | 1 Keruistore | 1 Kerui Hd 3mp 1080p Tuya Camera Firmware | 2024-11-01 | 8.4 High |
| KERUI HD 3MP 1080P Tuya Camera 1.0.4 has a command injection vulnerability in the module that connects to the local network via a QR code. This vulnerability allows an attacker to create a custom, unauthenticated QR code and abuse one of the parameters, either SSID or PASSWORD, in the JSON data contained within the QR code. By that, the attacker can execute arbitrary code on the camera. | ||||