Total
2086 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-29473 | 1 Atos | 2 Unify Openscape 4000, Unify Openscape 4000 Manager | 2024-08-02 | 9.8 Critical |
| webservice in Atos Unify OpenScape 4000 Platform and OpenScape 4000 Manager Platform 10 R1 before 10 R1.34.4 allows an unauthenticated attacker to run arbitrary commands on the platform operating system and achieve administrative access, aka OSFOURK-23710. | ||||
| CVE-2023-29474 | 1 Atos | 2 Unify Openscape 4000, Unify Openscape 4000 Manager | 2024-08-02 | 9.8 Critical |
| inventory in Atos Unify OpenScape 4000 Platform and OpenScape 4000 Manager Platform 10 R1 before 10 R1.34.4 allows an unauthenticated attacker to run arbitrary commands on the platform operating system and achieve administrative access, aka OSFOURK-23552. | ||||
| CVE-2023-29475 | 1 Atos | 2 Unify Openscape 4000, Unify Openscape 4000 Manager | 2024-08-02 | 9.8 Critical |
| inventory in Atos Unify OpenScape 4000 Platform and OpenScape 4000 Manager Platform 10 R1 before 10 R1.34.4 allows an unauthenticated attacker to run arbitrary commands on the platform operating system and achieve administrative access, aka OSFOURK-23543. | ||||
| CVE-2023-29084 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2024-08-02 | 7.2 High |
| Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings. | ||||
| CVE-2023-28832 | 1 Siemens | 4 6gk1411-1ac00, 6gk1411-1ac00 Firmware, 6gk1411-5ac00 and 1 more | 2024-08-02 | 7.2 High |
| A vulnerability has been identified in SIMATIC Cloud Connect 7 CC712 (All versions >= V2.0 < V2.1), SIMATIC Cloud Connect 7 CC716 (All versions >= V2.0 < V2.1). The web based management of affected devices does not properly validate user input, making it susceptible to command injection. This could allow an authenticated privileged remote attacker to execute arbitrary code with root privileges. | ||||
| CVE-2023-28854 | 1 Nophp Project | 1 Nophp | 2024-08-02 | 8 High |
| nophp is a PHP web framework. Prior to version 0.0.1, nophp is vulnerable to shell command injection on httpd user. A patch was made available at commit e5409aa2d441789cbb35f6b119bef97ecc3986aa on 2023-03-30. Users should update index.php to 2023-03-30 or later or, as a workaround, add a function such as `env_patchsample230330.php` to env.php. | ||||
| CVE-2023-28677 | 1 Jenkins | 1 Convert To Pipeline | 2024-08-02 | 9.8 Critical |
| Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a convertion by Jenkins Convert To Pipeline Plugin. | ||||
| CVE-2023-28712 | 1 Propumpservice | 2 Osprey Pump Controller, Osprey Pump Controller Firmware | 2024-08-02 | 8.2 High |
| Osprey Pump Controller version 1.01 contains an unauthenticated command injection vulnerability that could allow system access with www-data permissions. | ||||
| CVE-2023-28617 | 2 Gnu, Redhat | 6 Org Mode, Enterprise Linux, Rhel Aus and 3 more | 2024-08-02 | 7.8 High |
| org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters. | ||||
| CVE-2023-28489 | 1 Siemens | 4 Cp-8031, Cp-8031 Firmware, Cp-8050 and 1 more | 2024-08-02 | 9.8 Critical |
| A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter “Remote Operation” is enabled. The parameter is disabled by default. The vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device. | ||||
| CVE-2023-28365 | 2 Linux, Ui | 2 Linux Kernel, Unifi | 2024-08-02 | 9.1 Critical |
| A backup file vulnerability found in UniFi applications (Version 7.3.83 and earlier) running on Linux operating systems allows application administrators to execute malicious commands on the host device being restored. | ||||
| CVE-2023-28460 | 1 Arraynetworks | 21 Apv10650, Apv11600, Apv1600 and 18 more | 2024-08-02 | 7.2 High |
| A command injection vulnerability was discovered in Array Networks APV products. A remote attacker can send a crafted packet after logging into the affected appliance as an administrator, resulting in arbitrary shell code execution. This is fixed in 8.6.1.262 or newer and 10.4.2.93 or newer. | ||||
| CVE-2023-28425 | 1 Redis | 1 Redis | 2024-08-02 | 5.5 Medium |
| Redis is an in-memory database that persists on disk. Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process. The problem is fixed in Redis version 7.0.10. | ||||
| CVE-2023-28430 | 1 Onesignal | 1 React-native-onesignal | 2024-08-02 | 7.3 High |
| OneSignal is an email, sms, push notification, and in-app message service for mobile apps.The Zapier.yml workflow is triggered on issues (types: [closed]) (i.e., when an Issue is closed). The workflow starts with full write-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read-write. This workflow runs the following step with data controlled by the comment `(${{ github.event.issue.title }} – the full title of the Issue)`, allowing an attacker to take over the GitHub Runner and run custom commands, potentially stealing any secret (if used), or altering the repository. This issue was found with CodeQL using javascript’s Expression injection in Actions query. This issue has been addressed in the repositories github action. No actions are required by users. This issue is also tracked as `GHSL-2023-051`. | ||||
| CVE-2023-28110 | 1 Fit2cloud | 2 Jumpserver, Koko | 2024-08-02 | 5.7 Medium |
| Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. The vulnerability has been fixed in v2.28.8. | ||||
| CVE-2023-27985 | 1 Gnu | 1 Emacs | 2024-08-02 | 7.8 High |
| emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90 | ||||
| CVE-2023-27986 | 1 Gnu | 1 Emacs | 2024-08-02 | 7.8 High |
| emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters. It is fixed in 29.0.90. | ||||
| CVE-2023-27848 | 1 Broccoli-compass Project | 1 Broccoli-compass | 2024-08-02 | 9.8 Critical |
| broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function. | ||||
| CVE-2023-27849 | 1 Rails-routes-to-json Project | 1 Rails-routes-to-json | 2024-08-02 | 9.8 Critical |
| rails-routes-to-json v1.0.0 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function. | ||||
| CVE-2023-27837 | 1 Tp-link | 2 Tl-wpa8630p, Tl-wpa8630p Firmware | 2024-08-02 | 9.8 Critical |
| TP-Link TL-WPA8630P (US)_ V2_ Version 171011 was discovered to contain a command injection vulnerability via the key parameter in the function sub_ 40A774. | ||||