Total
4062 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-39520 | 1 Juniper | 1 Junos Os Evolved | 2024-11-21 | 7.8 High |
An Improper Neutralization of Special Elements vulnerability in Juniper Networks Junos OS Evolved commands allows a local, authenticated attacker with low privileges to escalate their privileges to 'root' leading to a full compromise of the system. The Junos OS Evolved CLI doesn't properly handle command options in some cases, allowing users which execute specific CLI commands with a crafted set of parameters to escalate their privileges to root on shell level. This issue affects Junos OS Evolved: * All version before 20.4R3-S6-EVO, * 21.2-EVO versions before 21.2R3-S4-EVO, * 21.4-EVO versions before 21.4R3-S6-EVO, * 22.2-EVO versions before 22.2R2-S1-EVO, 22.2R3-EVO, * 22.3-EVO versions before 22.3R2-EVO. | ||||
CVE-2024-39351 | 2024-11-21 | 7.2 High | ||
A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the NTP configuration. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500. | ||||
CVE-2024-39345 | 1 Adtran | 2 834-5, Sdg Smartos | 2024-11-21 | 7.2 High |
AdTran 834-5 HDC17600021F1 (SmartOS 11.1.1.1) devices enable the SSH service by default and have a hidden, undocumented, hard-coded support account whose password is based on the devices MAC address. All of the devices internet interfaces share a similar MAC address that only varies in their final octet. This allows network-adjacent attackers to derive the support user's SSH password by decrementing the final octet of the connected gateway address or via the BSSID. An attacker can then execute arbitrary OS commands with root-level privileges. NOTE: The vendor states that there is no intended functionality allowing an attacker to execute arbitrary OS Commands with root-level privileges. The vendor also states that this issue was fixed in SmartOS 12.5.5.1. | ||||
CVE-2024-39202 | 1 Dlink | 3 Dir-823x Ax3000, Dir-823x Ax3000 Firmware, Dir-823x Firmware | 2024-11-21 | 7.6 High |
D-Link DIR-823X firmware - 240126 was discovered to contain a remote command execution (RCE) vulnerability via the dhcpd_startip parameter at /goform/set_lan_settings. | ||||
CVE-2024-38512 | 2024-11-21 | 7.2 High | ||
A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands. | ||||
CVE-2024-38511 | 2024-11-21 | 7.2 High | ||
A privilege escalation vulnerability was discovered in an upload processing functionality of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. | ||||
CVE-2024-38510 | 2024-11-21 | 7.2 High | ||
A privilege escalation vulnerability was discovered in the SSH captive command shell interface that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. | ||||
CVE-2024-38508 | 2024-11-21 | 7.2 High | ||
A privilege escalation vulnerability was discovered in the web interface or SSH captive command shell interface of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via a specially crafted request. | ||||
CVE-2024-37678 | 1 Hangzhou Meisoft Information Technology | 1 Finesoft | 2024-11-21 | 5.3 Medium |
Cross Site Scripting vulnerability in Hangzhou Meisoft Information Technology Co., Ltd. Finesoft v.8.0 and before allows a remote attacker to execute arbitrary code via a crafted script. | ||||
CVE-2024-37626 | 1 Totolink | 1 A6000r Firmware | 2024-11-21 | 8.8 High |
A command injection issue in TOTOLINK A6000R V1.0.1-B20201211.2000 firmware allows a remote attacker to execute arbitrary code via the iface parameter in the vif_enable function. | ||||
CVE-2024-37140 | 1 Dell | 1 Data Domain Operating System | 2024-11-21 | 8.8 High |
Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain an OS command injection vulnerability in an admin operation. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the system application's underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. | ||||
CVE-2024-37091 | 1 Stylemixthemes | 2 Consulting Elementor Widgets, Masterstudy Elementor Widgets | 2024-11-21 | 9.9 Critical |
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in StylemixThemes Consulting Elementor Widgets, StylemixThemes Masterstudy Elementor Widgets allows OS Command Injection.This issue affects Consulting Elementor Widgets: from n/a through 1.3.0; Masterstudy Elementor Widgets: from n/a through 1.2.2. | ||||
CVE-2024-37066 | 1 Wyze | 2 Cam V4, Cam V4 Firmware | 2024-11-21 | 6.8 Medium |
A command injection vulnerability exists in Wyze V4 Pro firmware versions before 4.50.4.9222, which allows attackers to execute arbitrary commands over Bluetooth as root during the camera setup process. | ||||
CVE-2024-36491 | 1 Centurysys | 33 Futurenet Nxr-1200, Futurenet Nxr-1200 Firmware, Futurenet Nxr-120\/c and 30 more | 2024-11-21 | 9.8 Critical |
FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. allow a remote unauthenticated attacker to execute an arbitrary OS command, obtain and/or alter sensitive information, and be able to cause a denial of service (DoS) condition. | ||||
CVE-2024-36475 | 1 Centurysys | 35 Futurenet Nxr-1200, Futurenet Nxr-1200 Firmware, Futurenet Nxr-120\/c and 32 more | 2024-11-21 | 7.2 High |
FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. contain an active debug code vulnerability. If a user who knows how to use the debug function logs in to the product, the debug function may be used and an arbitrary OS command may be executed. | ||||
CVE-2024-36394 | 1 Sysaid | 1 Sysaid | 2024-11-21 | 9.1 Critical |
SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | ||||
CVE-2024-36103 | 2024-11-21 | 6.8 Medium | ||
OS command injection vulnerability in WRC-X5400GS-B v1.0.10 and earlier, and WRC-X5400GSA-B v1.0.10 and earlier allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product. | ||||
CVE-2024-35306 | 1 Pandora Fms | 1 Pandora Fms | 2024-11-21 | N/A |
OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables. This issue affects Pandora FMS: from 700 through <777. | ||||
CVE-2024-35304 | 1 Pandorafms | 1 Pandora Fms | 2024-11-21 | N/A |
System command injection through Netflow function due to improper input validation, allowing attackers to execute arbitrary system commands. This issue affects Pandora FMS: from 700 through <777. | ||||
CVE-2024-34921 | 1 Totolink | 1 X5000r Firmware | 2024-11-21 | 8.8 High |
TOTOLINK X5000R v9.1.0cu.2350_B20230313 was discovered to contain a command injection via the disconnectVPN function. |