Total
1397 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-0136 | 3 Apache, Canonical, Debian | 3 Openoffice, Ubuntu Linux, Debian Linux | 2022-02-07 | 9.3 HIGH | N/A |
| OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce Visual Basic for Applications (VBA) macro security settings, which allows remote attackers to run arbitrary macros via a crafted document. | |||||
| CVE-2014-3524 | 2 Apache, Libreoffice | 2 Openoffice, Libreoffice | 2022-02-07 | 9.3 HIGH | N/A |
| Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified impact via a crafted Calc spreadsheet. | |||||
| CVE-2022-24148 | 1 Tenda | 2 Ax3, Ax3 Firmware | 2022-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| Tenda AX3 v16.03.12.10_CN was discovered to contain a command injection vulnerability in the function mDMZSetCfg. This vulnerability allows attackers to execute arbitrary commands via the dmzIp parameter. | |||||
| CVE-2022-24150 | 1 Tenda | 2 Ax3, Ax3 Firmware | 2022-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| Tenda AX3 v16.03.12.10_CN was discovered to contain a command injection vulnerability in the function formSetSafeWanWebMan. This vulnerability allows attackers to execute arbitrary commands via the remoteIp parameter. | |||||
| CVE-2021-44247 | 1 Totolink | 6 A3100r, A3100r Firmware, A720r and 3 more | 2022-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain command injection vulnerability in the function setNoticeCfg. This vulnerability allows attackers to execute arbitrary commands via the IpFrom parameter. | |||||
| CVE-2021-45733 | 1 Totolink | 2 X5000r, X5000r Firmware | 2022-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function NTPSyncWithHost. This vulnerability allows attackers to execute arbitrary commands via the parameter host_time. | |||||
| CVE-2021-45742 | 1 Totolink | 2 A720r, A720r Firmware | 2022-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter. | |||||
| CVE-2021-45738 | 1 Totolink | 2 X5000r, X5000r Firmware | 2022-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function UploadFirmwareFile. This vulnerability allows attackers to execute arbitrary commands via the parameter FileName. | |||||
| CVE-2022-22992 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2022-02-03 | 10.0 HIGH | 9.8 CRITICAL |
| A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device. The vulnerability was addressed by escaping individual arguments to shell functions coming from user input. | |||||
| CVE-2021-32849 | 1 Gerapy | 1 Gerapy | 2022-02-02 | 9.0 HIGH | 8.8 HIGH |
| Gerapy is a distributed crawler management framework. Prior to version 0.9.9, an authenticated user could execute arbitrary commands. This issue is fixed in version 0.9.9. There are no known workarounds. | |||||
| CVE-2021-42638 | 3 Apple, Linux, Printerlogic | 3 Macos, Linux Kernel, Web Stack | 2022-02-02 | 9.3 HIGH | 8.1 HIGH |
| PrinterLogic Web Stack versions 19.1.1.13 SP9 and below do not sanitize user input resulting in pre-auth remote code execution. | |||||
| CVE-2017-7689 | 1 Schneider-electric | 2 Homelynk Controller Lss100100, Homelynk Controller Lss100100 Firmware | 2022-02-01 | 10.0 HIGH | 9.8 CRITICAL |
| A Command Injection vulnerability in Schneider Electric homeLYnk Controller exists in all versions before 1.5.0. | |||||
| CVE-2021-46560 | 1 Moxa | 2 Tn-5900, Tn-5900 Firmware | 2022-02-01 | 7.5 HIGH | 9.8 CRITICAL |
| The firmware on Moxa TN-5900 devices through 3.1 allows command injection that could lead to device damage. | |||||
| CVE-2021-33964 | 1 Chinamobile | 2 An Lianbao Wf-1, An Lianbao Wf-1 Firmware | 2022-01-24 | 6.5 MEDIUM | 8.8 HIGH |
| China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRRuleFilter/set_firewall_level which receives parameters by POST request, and the parameter firewall_level has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands. | |||||
| CVE-2021-33965 | 1 Chinamobile | 2 An Lianbao Wf-1, An Lianbao Wf-1 Firmware | 2022-01-24 | 6.5 MEDIUM | 8.8 HIGH |
| China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRMesh/set_ZRMesh which receives parameters by POST request, and the parameter mesh_enable and mesh_device have a command injection vulnerability. An attacker can use the vulnerability to execute remote commands. | |||||
| CVE-2022-22991 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2022-01-21 | 8.3 HIGH | 8.8 HIGH |
| A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP. | |||||
| CVE-2021-42559 | 1 Mitre | 1 Caldera | 2022-01-19 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in CALDERA 2.8.1. It contains multiple startup "requirements" that execute commands when starting the server. Because these commands can be changed via the REST API, an authenticated user can insert arbitrary commands that will execute when the server is restarted. | |||||
| CVE-2021-45807 | 1 Jpress | 1 Jpress | 2022-01-18 | 7.5 HIGH | 9.8 CRITICAL |
| jpress v4.2.0 is vulnerable to command execution via io.jpress.web.admin._AddonController::doUploadAndInstall. | |||||
| CVE-2021-45456 | 1 Apache | 1 Kylin | 2022-01-13 | 7.5 HIGH | 9.8 CRITICAL |
| Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0. | |||||
| CVE-2021-43711 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2022-01-12 | 7.5 HIGH | 9.8 CRITICAL |
| The downloadFlile.cgi binary file in TOTOLINK EX200 V4.0.3c.7646_B20201211 has a command injection vulnerability when receiving GET parameters. The parameter name can be constructed for unauthenticated command execution. | |||||