Total
2087 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-45546 | 1 Netgear | 28 R7850, R7850 Firmware, R7900p and 25 more | 2024-08-04 | 8.4 High |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7850 before 1.0.5.74, R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 1.0.4.74, R8000P before 1.4.2.84, RAX200 before 1.0.4.120, RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK752 before 3.2.17.12, RBK852 before 3.2.17.12, RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 before 3.2.17.12, and RBS850 before 3.2.17.12. | ||||
| CVE-2021-45513 | 1 Netgear | 2 Xr1000, Xr1000 Firmware | 2024-08-04 | 9.6 Critical |
| NETGEAR XR1000 devices before 1.0.0.58 are affected by command injection by an unauthenticated attacker. | ||||
| CVE-2021-45514 | 1 Netgear | 2 Xr1000, Xr1000 Firmware | 2024-08-04 | 9.6 Critical |
| NETGEAR XR1000 devices before 1.0.0.58 are affected by command injection by an unauthenticated attacker. | ||||
| CVE-2021-45459 | 1 Node-windows Project | 1 Node-windows | 2024-08-04 | 9.8 Critical |
| lib/cmd.js in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter. | ||||
| CVE-2021-45456 | 1 Apache | 1 Kylin | 2024-08-04 | 9.8 Critical |
| Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0. | ||||
| CVE-2021-45444 | 5 Apple, Debian, Fedoraproject and 2 more | 6 Mac Os X, Macos, Debian Linux and 3 more | 2024-08-04 | 7.8 High |
| In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion. | ||||
| CVE-2021-45401 | 1 Tendacn | 2 Ac10u, Ac10u Firmware | 2024-08-04 | 9.8 Critical |
| A Command injection vulnerability exists in Tenda AC10U AC1200 Smart Dual-band Wireless Router AC10U V1.0 Firmware V15.03.06.49_multi via the setUsbUnload functionality. The vulnerability is caused because the client controlled "deviceName" value is passed directly to the "doSystemCmd" function. | ||||
| CVE-2021-45082 | 4 Cobbler Project, Fedoraproject, Opensuse and 1 more | 5 Cobbler, Fedora, Backports and 2 more | 2024-08-04 | 7.8 High |
| An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.) | ||||
| CVE-2021-44881 | 1 Dlink | 2 Dir-882, Dir-882 Firmware | 2024-08-04 | 9.8 Critical |
| D-Link device DIR_882 DIR_882_FW1.30B06_Hotfix_02 was discovered to contain a command injection vulnerability in the twsystem function. This vulnerability allows attackers to execute arbitrary commands via a crafted HNAP1 POST request. | ||||
| CVE-2021-44880 | 1 Dlink | 4 Dir-878, Dir-878 Firmware, Dir-882 and 1 more | 2024-08-04 | 9.8 Critical |
| D-Link devices DIR_878 DIR_878_FW1.30B08_Hotfix_02 and DIR_882 DIR_882_FW1.30B06_Hotfix_02 were discovered to contain a command injection vulnerability in the system function. This vulnerability allows attackers to execute arbitrary commands via a crafted HNAP1 POST request. | ||||
| CVE-2021-44882 | 1 Dlink | 2 Dir-878, Dir-878 Firmware | 2024-08-04 | 9.8 Critical |
| D-Link device DIR_878_FW1.30B08_Hotfix_02 was discovered to contain a command injection vulnerability in the twsystem function. This vulnerability allows attackers to execute arbitrary commands via a crafted HNAP1 POST request. | ||||
| CVE-2021-44735 | 1 Lexmark | 236 B2236, B2236 Firmware, B2338 and 233 more | 2024-08-04 | 9.8 Critical |
| Embedded web server command injection vulnerability in Lexmark devices through 2021-12-07. | ||||
| CVE-2021-44620 | 1 Totolink | 2 A3100r, A3100r Firmware | 2024-08-04 | 9.8 Critical |
| A Command Injection vulnerability exits in TOTOLINK A3100R <=V4.1.2cu.5050_B20200504 in adm/ntm.asp via the hosTime parameters. | ||||
| CVE-2021-44520 | 1 Citrix | 1 Xenmobile Server | 2024-08-04 | 8.8 High |
| In Citrix XenMobile Server through 10.12 RP9, there is an Authenticated Command Injection vulnerability, leading to remote code execution with root privileges. | ||||
| CVE-2021-44247 | 1 Totolink | 6 A3100r, A3100r Firmware, A720r and 3 more | 2024-08-04 | 9.8 Critical |
| Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain command injection vulnerability in the function setNoticeCfg. This vulnerability allows attackers to execute arbitrary commands via the IpFrom parameter. | ||||
| CVE-2021-44132 | 1 C-data Onu4ferw Project | 2 C-data Onu4ferw, C-data Onu4ferw Firmware | 2024-08-04 | 7.8 High |
| A command injection vulnerability in the function formImportOMCIShell of C-DATA ONU4FERW V2.1.13_X139 allows attackers to execute arbitrary commands via a crafted file. | ||||
| CVE-2021-44079 | 1 Wazuh | 1 Wazuh | 2024-08-04 | 9.8 Critical |
| In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl command line, potentially resulting in remote code execution. | ||||
| CVE-2021-43818 | 6 Debian, Fedoraproject, Lxml and 3 more | 16 Debian Linux, Fedora, Lxml and 13 more | 2024-08-04 | 8.2 High |
| lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available. | ||||
| CVE-2021-43711 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2024-08-04 | 9.8 Critical |
| The downloadFlile.cgi binary file in TOTOLINK EX200 V4.0.3c.7646_B20201211 has a command injection vulnerability when receiving GET parameters. The parameter name can be constructed for unauthenticated command execution. | ||||
| CVE-2021-43664 | 1 Totolink | 2 Ex300 V2, Ex300 V2 Firmware | 2024-08-04 | 8.1 High |
| totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component process forceugpo. | ||||