Total
2086 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-29256 | 1 Sharp Project | 1 Sharp | 2024-08-03 | 6.5 Medium |
| sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5. | ||||
| CVE-2022-29184 | 1 Thoughtworks | 1 Gocd | 2024-08-03 | 8.8 High |
| GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where "pipelines-as-code" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image. | ||||
| CVE-2022-29078 | 1 Ejs | 1 Ejs | 2024-08-03 | 9.8 Critical |
| The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation). | ||||
| CVE-2022-28935 | 1 Totolink | 12 A3000ru, A3000ru Firmware, A3100r and 9 more | 2024-08-03 | 7.2 High |
| Totolink A830R V5.9c.4729_B20191112, Totolink A3100R V4.1.2cu.5050_B20200504, Totolink A950RG V4.1.2cu.5161_B20200903, Totolink A800R V4.1.2cu.5137_B20200730, Totolink A3000RU V5.9c.5185_B20201128, Totolink A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability. | ||||
| CVE-2022-28618 | 1 Hpe | 4 Nimble Storage All Flash Arrays, Nimble Storage Hybrid Flash Arrays, Nimble Storage Secondary Flash Arrays and 1 more | 2024-08-03 | 9.8 Critical |
| A command injection security vulnerability has been identified in HPE Nimble Storage Hybrid Flash Arrays, HPE Nimble Storage All Flash Arrays and HPE Nimble Storage Secondary Flash Arrays that could allow an attacker to execute arbitrary commands on a Nimble appliance. HPE has made the following software updates to resolve the vulnerability in HPE Nimble Storage: 5.0.10.100 or later, 5.2.1.0 or later, 6.0.0.100 or later. | ||||
| CVE-2022-28391 | 1 Busybox | 1 Busybox | 2024-08-03 | 8.8 High |
| BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. | ||||
| CVE-2022-28496 | 1 Totolink | 2 Cp900, Cp900 Firmware | 2024-08-03 | 9.8 Critical |
| TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 discovered to contain a command injection vulnerability in the setPasswordCfg function via the adminuser and adminpassparameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2022-28497 | 1 Totolink | 2 Cp900, Cp900 Firmware | 2024-08-03 | 9.8 Critical |
| TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the mtd_write_bootloader function via the filename parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2022-28220 | 1 Apache | 1 James | 2024-08-03 | 7.5 High |
| Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential and do not take into account concurrent requests. | ||||
| CVE-2022-27079 | 1 Tenda | 2 M3, M3 Firmware | 2024-08-03 | 9.8 Critical |
| Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/setPicListItem. | ||||
| CVE-2022-26996 | 1 Commscope | 2 Arris Tr3300, Arris Tr3300 Firmware | 2024-08-03 | 9.8 Critical |
| Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pppoe function via the pppoe_username, pppoe_passwd, and pppoe_servicename parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2022-27083 | 1 Tenda | 2 M3, M3 Firmware | 2024-08-03 | 9.8 Critical |
| Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /cgi-bin/uploadAccessCodePic. | ||||
| CVE-2022-27077 | 1 Tenda | 2 M3, M3 Firmware | 2024-08-03 | 9.8 Critical |
| Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /cgi-bin/uploadWeiXinPic. | ||||
| CVE-2022-27078 | 1 Tenda | 2 M3, M3 Firmware | 2024-08-03 | 9.8 Critical |
| Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/setAdInfoDetail. | ||||
| CVE-2022-27082 | 1 Tenda | 2 M3, M3 Firmware | 2024-08-03 | 9.8 Critical |
| Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/SetInternetLanInfo. | ||||
| CVE-2022-27080 | 1 Tenda | 2 M3, M3 Firmware | 2024-08-03 | 9.8 Critical |
| Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/setWorkmode. | ||||
| CVE-2022-26998 | 1 Commscope | 2 Arris Tr3300, Arris Tr3300 Firmware | 2024-08-03 | 9.8 Critical |
| Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the wps setting function via the wps_enrolee_pin parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2022-27076 | 1 Tenda | 2 M3, M3 Firmware | 2024-08-03 | 9.8 Critical |
| Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/delAd. | ||||
| CVE-2022-27002 | 1 Commscope | 2 Arris Tr3300, Arris Tr3300 Firmware | 2024-08-03 | 9.8 Critical |
| Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddnsăddns_host parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||
| CVE-2022-26999 | 1 Commscope | 2 Arris Tr3300, Arris Tr3300 Firmware | 2024-08-03 | 9.8 Critical |
| Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the static ip settings function via the wan_ip_stat, wan_mask_stat, wan_gw_stat, and wan_dns1_stat parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | ||||