Total
2085 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-20209 | 1 Cisco | 1 Telepresence Video Communication Server | 2024-10-23 | 6.5 Medium |
| A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker with read-write privileges on the application to perform a command injection attack that could result in remote code execution on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to establish a remote shell with root privileges. | ||||
| CVE-2023-20170 | 1 Cisco | 1 Identity Services Engine | 2024-10-23 | 6 Medium |
| A vulnerability in a specific Cisco ISE CLI command could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, an attacker must have valid Administrator-level privileges on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root. | ||||
| CVE-2024-10193 | 1 Wavlink | 6 Wn530h4, Wn530h4 Firmware, Wn530hg4 and 3 more | 2024-10-23 | 4.7 Medium |
| A vulnerability was found in WAVLINK WN530H4, WN530HG4 and WN572HG3 up to 20221028 and classified as critical. This issue affects the function ping_ddns of the file internet.cgi. The manipulation of the argument DDNS leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-28935 | 1 Apache | 1 Unstructured Information Management Architecture | 2024-10-23 | 8.8 High |
| ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache UIMA DUCC. When using the "Distributed UIMA Cluster Computing" (DUCC) module of Apache UIMA, an authenticated user that has the permissions to modify core entities can cause command execution as the system user that runs the web process. As the "Distributed UIMA Cluster Computing" module for UIMA is retired, we do not plan to release a fix for this issue. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-40089 | 1 Viloliving | 1 Vilo 5 Mesh Wifi System Firmware | 2024-10-23 | 9.1 Critical |
| A Command Injection vulnerability in Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, authenticated attackers to execute arbitrary code by injecting shell commands into the name of the Vilo device. | ||||
| CVE-2024-48659 | 1 Dcnglobal | 1 Dcme-320-l Firmware | 2024-10-23 | 9.8 Critical |
| An issue in DCME-320-L <=9.3.2.114 allows a remote attacker to execute arbitrary code via the log_u_umount.php component. | ||||
| CVE-2024-48904 | 1 Trendmicro | 1 Cloud Edge | 2024-10-23 | 9.8 Critical |
| An command injection vulnerability in Trend Micro Cloud Edge could allow a remote attacker to execute arbitrary code on affected appliances. Please note: authentication is not required in order to exploit this vulnerability. | ||||
| CVE-2024-35285 | 1 Mitel | 1 Micollab Nupoint Messanger | 2024-10-23 | 9.8 Critical |
| A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. | ||||
| CVE-2023-3718 | 2 Hewlett Packard Enterprise, Hpe | 28 Aruba Cx Switches, Aruba Cx 10000-48y6, Aruba Cx 4100i and 25 more | 2024-10-22 | 8.8 High |
| An authenticated command injection vulnerability exists in the AOS-CX command line interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands on the underlying operating system as a privileged user on the affected switch. This allows an attacker to fully compromise the underlying operating system on the device running AOS-CX. | ||||
| CVE-2024-37091 | 1 Stylemixthemes | 2 Consulting Elementor Widgets, Masterstudy Elementor Widgets | 2024-10-22 | 9.9 Critical |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in StylemixThemes Consulting Elementor Widgets, StylemixThemes Masterstudy Elementor Widgets allows OS Command Injection.This issue affects Consulting Elementor Widgets: from n/a through 1.3.0; Masterstudy Elementor Widgets: from n/a through 1.2.2. | ||||
| CVE-2023-4797 | 1 Tribulant | 1 Newsletters | 2024-10-22 | 7.2 High |
| The Newsletters WordPress plugin before 4.9.3 does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server. | ||||
| CVE-2024-0579 | 1 Totolink | 2 X2000r, X2000r Firmware | 2024-10-22 | 6.3 Medium |
| A vulnerability classified as critical was found in Totolink X2000R 1.0.0-B20221212.1452. Affected by this vulnerability is the function formMapDelDevice of the file /boafrm/formMapDelDevice. The manipulation of the argument macstr leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250795. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-0507 | 1 Github | 1 Enterprise Server | 2024-10-22 | 6.5 Medium |
| An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.11.3, 3.10.5, 3.9.8, and 3.8.13 This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2023-37214 | 1 Heights-t | 2 Ero1xs-pro, Ero1xs-pro Firmware | 2024-10-21 | 9.8 Critical |
| Heights Telecom ERO1xS-Pro Dual-Band FW version BZ_ERO1XP.025. | ||||
| CVE-2022-39986 | 1 Raspap | 1 Raspap | 2024-10-21 | 9.8 Critical |
| A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. | ||||
| CVE-2022-39987 | 1 Raspap | 1 Raspap | 2024-10-21 | 8.8 High |
| A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php. | ||||
| CVE-2023-36458 | 1 Fit2cloud | 1 1panel | 2024-10-18 | 6.3 Medium |
| 1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.3.6, an authenticated attacker can craft a malicious payloads to achieve command injection when entering the container terminal. The vulnerability has been fixed in v1.3.6. | ||||
| CVE-2023-36457 | 1 Fit2cloud | 1 1panel | 2024-10-18 | 6.3 Medium |
| 1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.3.6, an authenticated attacker can craft a malicious payload to achieve command injection when adding container repositories. The vulnerability has been fixed in v1.3.6. | ||||
| CVE-2024-22529 | 1 Totolink | 2 X2000r, X2000r Firmware | 2024-10-18 | 9.8 Critical |
| TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa. | ||||
| CVE-2024-0919 | 1 Trendnet | 2 Tew-815dap, Tew-815dap Firmware | 2024-10-18 | 8.8 High |
| A vulnerability was found in TRENDnet TEW-815DAP 1.0.2.0. It has been classified as critical. This affects the function do_setNTP of the component POST Request Handler. The manipulation of the argument NtpDstStart/NtpDstEnd leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252123. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||