Total
4084 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-40222 | 1 Siretta | 2 Quartz-gold, Quartz-gold Firmware | 2024-11-21 | 9.8 Critical |
An OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability. | ||||
CVE-2022-40220 | 1 Siretta | 2 Quartz-gold, Quartz-gold Firmware | 2024-11-21 | 8.8 High |
An OS command injection vulnerability exists in the httpd txt/restore.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability. | ||||
CVE-2022-40189 | 1 Apache | 2 Airflow, Apache-airflow-providers-apache-pig | 2024-11-21 | 9.8 Critical |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider versions prior to 4.0.0. It also impacts any Apache Airflow versions prior to 2.3.0 in case Pig Provider is installed (Pig Provider 4.0.0 can only be installed for Airflow 2.3.0+). Note that you need to manually install the Pig Provider version 4.0.0 in order to get rid of the vulnerability on top of Airflow 2.3.0+ version. | ||||
CVE-2022-40176 | 1 Siemens | 20 Desigo Pxm30-1, Desigo Pxm30-1 Firmware, Desigo Pxm30.e and 17 more | 2024-11-21 | 8.0 High |
A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), Desigo PXM50-1 (All versions < V02.20.126.11-41), Desigo PXM50.E (All versions < V02.20.126.11-41), PXG3.W100-1 (All versions < V02.20.126.11-37), PXG3.W100-2 (All versions < V02.20.126.11-41), PXG3.W200-1 (All versions < V02.20.126.11-37), PXG3.W200-2 (All versions < V02.20.126.11-41). There exists an Improper Neutralization of Special Elements used in an OS Command with root privileges during a restore operation due to the missing validation of the names of files included in the input package. By restoring a specifically crafted package, a remote low-privileged attacker can execute arbitrary system commands with root privileges on the device, leading to a full compromise. | ||||
CVE-2022-40005 | 1 Intelbras | 2 Wifiber 120ac Inmesh, Wifiber 120ac Inmesh Firmware | 2024-11-21 | 8.8 High |
Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute. | ||||
CVE-2022-3874 | 2 Redhat, Theforeman | 3 Satellite, Satellite Capsule, Foreman | 2024-11-21 | 8 High |
A command injection flaw was found in foreman. This flaw allows an authenticated user with admin privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations in templates, possibly resulting in arbitrary command execution on the underlying operating system. | ||||
CVE-2022-3492 | 1 Oretnom23 | 1 Human Resource Management System | 2024-11-21 | 6.3 Medium |
A vulnerability classified as critical was found in SourceCodester Human Resource Management System 1.0. This vulnerability affects unknown code of the component Profile Photo Handler. The manipulation of the argument parameter leads to os command injection. The attack can be initiated remotely. The identifier of this vulnerability is VDB-210772. | ||||
CVE-2022-3276 | 2 Puppet, Redhat | 2 Puppetlabs-mysql, Openstack | 2024-11-21 | 8.4 High |
Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise. | ||||
CVE-2022-3275 | 2 Fedoraproject, Puppet | 2 Fedora, Puppetlabs-mysql | 2024-11-21 | 8.4 High |
Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise. | ||||
CVE-2022-3226 | 1 Sophos | 2 Xg Firewall, Xg Firewall Firmware | 2024-11-21 | 7.2 High |
An OS command injection vulnerability allows admins to execute code via SSL VPN configuration uploads in Sophos Firewall releases older than version 19.5 GA. | ||||
CVE-2022-3210 | 1 Dlink | 2 Dir-2150, Dir-2150 Firmware | 2024-11-21 | 8.8 High |
This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 4.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd service, which listens on TCP port 4044 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15905. | ||||
CVE-2022-3183 | 1 Dataprobe | 24 Iboot-pdu4-n20, Iboot-pdu4-n20 Firmware, Iboot-pdu4a-n15 and 21 more | 2024-11-21 | 9.8 Critical |
Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where a specific function does not sanitize the input provided by the user, which may expose the affected to an OS command injection vulnerability. | ||||
CVE-2022-3133 | 1 Diagrams | 1 Drawio | 2024-11-21 | 7.8 High |
OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0. | ||||
CVE-2022-3008 | 2 Debian, Tinygltf Project | 2 Debian Linux, Tinygltf | 2024-11-21 | 8.1 High |
The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection by using backticks. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751 | ||||
CVE-2022-39951 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 7.2 High |
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.3.6 through 6.3.20, FortiWeb 6.4 all versions allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | ||||
CVE-2022-39947 | 1 Fortinet | 1 Fortiadc | 2024-11-21 | 8.6 High |
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiADC version 7.0.0 through 7.0.2, FortiADC version 6.2.0 through 6.2.3, FortiADC version version 6.1.0 through 6.1.6, FortiADC version 6.0.0 through 6.0.4, FortiADC version 5.4.0 through 5.4.5 may allow an attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | ||||
CVE-2022-39819 | 1 Nokia | 1 1350 Optical Management System | 2024-11-21 | 8.8 High |
In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occurs. This allows authenticated users to execute commands on the operating system. | ||||
CVE-2022-39818 | 1 Nokia | 1 Network Functions Manager For Transport | 2024-11-21 | 8.8 High |
In NOKIA NFM-T R19.9, an OS Command Injection vulnerability occurs in /cgi-bin/R19.9/log.pl of the VM Manager WebUI via the cmd HTTP GET parameter. This allows authenticated users to execute commands, with root privileges, on the operating system. | ||||
CVE-2022-39815 | 1 Nokia | 1 1350 Optical Management System | 2024-11-21 | 9.8 Critical |
In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occurs. This vulnerability allow unauthenticated users to execute commands on the operating system. | ||||
CVE-2022-39327 | 1 Microsoft | 2 Azure Command-line Interface, Windows | 2024-11-21 | 8.1 High |
Azure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell and when the parameter value contains the `&` or `|` symbols. If any of these prerequisites are not met, this vulnerability is not applicable. Users should upgrade to version 2.40.0 or greater to receive a a mitigation for the vulnerability. |