Total
1397 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-10666 | 1 Sangoma | 2 Freepbx, Restapps | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| The restapps (aka Rest Phone apps) module for Sangoma FreePBX and PBXact 13, 14, and 15 through 15.0.19.2 allows remote code execution via a URL variable to an AMI command. | |||||
| CVE-2021-44520 | 1 Citrix | 1 Xenmobile Server | 2022-07-12 | 9.0 HIGH | 8.8 HIGH |
| In Citrix XenMobile Server through 10.12 RP9, there is an Authenticated Command Injection vulnerability, leading to remote code execution with root privileges. | |||||
| CVE-2021-40553 | 1 Piwigo | 1 Piwigo | 2022-07-07 | 6.5 MEDIUM | 8.8 HIGH |
| piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor. | |||||
| CVE-2022-32092 | 1 Dlink | 2 Dir-645, Dir-645 Firmware | 2022-07-07 | 7.5 HIGH | 9.8 CRITICAL |
| D-Link DIR-645 v1.03 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter at __ajax_explorer.sgi. | |||||
| CVE-2020-5299 | 1 Octobercms | 1 October | 2022-06-30 | 4.6 MEDIUM | 5.1 MEDIUM |
| In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the `ImportExportController` could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. This requires attackers to achieve the following before a successful attack can be completed: 1. Have found a vulnerability in the victims spreadsheet software of choice. 2. Control data that would potentially be exported through the `ImportExportController` by a theoretical victim. 3. Convince the victim to export above data as a CSV and run it in vulnerable spreadsheet software while also bypassing any sanity checks by said software. Issue has been patched in Build 466 (v1.0.466). | |||||
| CVE-2022-30023 | 1 Tenda | 2 Hg9, Hg9 Firmware | 2022-06-28 | 9.0 HIGH | 8.8 HIGH |
| Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. | |||||
| CVE-2022-31874 | 1 Asus | 2 Rt-n53, Rt-n53 Firmware | 2022-06-28 | 7.5 HIGH | 9.8 CRITICAL |
| ASUS RT-N53 3.0.0.4.376.3754 has a command injection vulnerability in the SystemCmd parameter of the apply.cgi interface. | |||||
| CVE-2022-31849 | 1 Mercurycom | 2 Mipc451-4, Mipc451-4 Firmware | 2022-06-27 | 6.5 MEDIUM | 8.8 HIGH |
| MERCURY MIPC451-4 1.0.22 Build 220105 Rel.55642n was discovered to contain a remote code execution (RCE) vulnerability which is exploitable via a crafted POST request. | |||||
| CVE-2022-32154 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2022-06-23 | 4.0 MEDIUM | 8.1 HIGH |
| Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will. | |||||
| CVE-2022-31311 | 1 Wavlink | 2 Aerial X 1200m, Aerial X 1200m Firmware | 2022-06-23 | 10.0 HIGH | 9.8 CRITICAL |
| An issue in adm.cgi of WAVLINK AERIAL X 1200M M79X3.V5030.180719 allows attackers to execute arbitrary commands via a crafted POST request. | |||||
| CVE-2022-32262 | 1 Siemens | 1 Sinema Remote Connect Server | 2022-06-22 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application contains a file upload server that is vulnerable to command injection. An attacker could use this to achieve arbitrary code execution. | |||||
| CVE-2022-2054 | 1 Nuitka | 1 Nuitka | 2022-06-21 | 7.2 HIGH | 7.8 HIGH |
| Command Injection in GitHub repository nuitka/nuitka prior to 0.9. | |||||
| CVE-2022-31446 | 1 Tendacn | 2 Ac18, Ac18 Firmware | 2022-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| Tenda AC18 router V15.03.05.19 and V15.03.05.05 was discovered to contain a remote code execution (RCE) vulnerability via the Mac parameter at ip/goform/WriteFacMac. | |||||
| CVE-2022-24376 | 1 Git-promise Project | 1 Git-promise | 2022-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package git-promise are vulnerable to Command Injection due to an inappropriate fix of a prior [vulnerability](https://security.snyk.io/vuln/SNYK-JS-GITPROMISE-567476) in this package. **Note:** Please note that the vulnerability will not be fixed. The README file was updated with a warning regarding this issue. | |||||
| CVE-2021-41738 | 1 Zeroshell | 1 Zeroshell | 2022-06-17 | 6.5 MEDIUM | 8.8 HIGH |
| ZeroShell 3.9.5 has a command injection vulnerability in /cgi-bin/kerbynet IP parameter, which may allow an authenticated attacker to execute system commands. | |||||
| CVE-2022-29013 | 1 Razer | 2 Sila, Sila Firmware | 2022-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection in the command parameter of Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to execute arbitrary commands via a crafted POST request. | |||||
| CVE-2020-36529 | 1 Ibm | 1 Sevone Network Performance Management | 2022-06-14 | 8.5 HIGH | 8.8 HIGH |
| A vulnerability classified as critical has been found in SevOne Network Management System up to 5.7.2.22. This affects the file traceroute.php of the Traceroute Handler. The manipulation leads to privilege escalation with a command injection. It is possible to initiate the attack remotely. | |||||
| CVE-2021-23727 | 2 Celeryproject, Fedoraproject | 3 Celery, Extra Packages For Enterprise Linux, Fedora | 2022-06-14 | 6.0 MEDIUM | 7.5 HIGH |
| This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system. | |||||
| CVE-2019-9972 | 2 3cx, Debian | 3 Phone System, Phone System Firmware, Debian Linux | 2022-06-14 | 9.0 HIGH | 8.8 HIGH |
| PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an authenticated attacker to run arbitrary commands with the phonesystem user privileges because of "<space><space> followed by <shift><enter>" mishandling. | |||||
| CVE-2021-42888 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2022-06-13 | 7.5 HIGH | 9.8 CRITICAL |
| TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setLanguageCfg of the file global.so which can control langType to attack. | |||||