Total: 1397 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2014-8990 | 3 Debian, Fedoraproject, Lsyncd Project | 3 Debian Linux, Fedora, Lsyncd | 2017-06-30 | 7.5 HIGH | N/A |
default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename. | |||||
CVE-2017-4984 | 1 Emc | 4 Vnx1, Vnx1 Firmware, Vnx2 and 1 more | 2017-06-29 | 10.0 HIGH | 9.8 CRITICAL |
In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions prior to OE for File 7.1.80.8, an unauthenticated remote attacker may be able to elevate their permissions to root through a command injection. This may potentially be exploited by an attacker to run arbitrary code with root-level privileges on the targeted VNX Control Station system, aka remote code execution. | |||||
CVE-2015-4046 | 1 Alienvault | 1 Open Source Security Information Management | 2017-05-30 | 6.5 MEDIUM | 7.2 HIGH |
The asset discovery scanner in AlienVault OSSIM before 5.0.1 allows remote authenticated users to execute arbitrary commands via the assets array parameter to netscan/do_scan.php. | |||||
CVE-2015-8257 | 1 Axis | 11 Cannon Network Camera, Explosion-protected Camera, Fixed Box Camera and 8 more | 2017-05-16 | 9.0 HIGH | 8.8 HIGH |
The devtools.sh script in AXIS network cameras allows remote authenticated users to execute arbitrary commands via shell metacharacters in the app parameter to (1) app_license.shtml, (2) app_license_custom.shtml, (3) app_index.shtml, or (4) app_params.shtml. | |||||
CVE-2017-2324 | 1 Juniper | 1 Northstar Controller | 2017-04-27 | 5.0 MEDIUM | 5.3 MEDIUM |
A command injection vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a network-based malicious attacker to cause a denial of service condition. | |||||
CVE-2017-7722 | 1 Solarwinds | 1 Log & Event Manager | 2017-04-21 | 10.0 HIGH | 10.0 CRITICAL |
In SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4, a menu system is encountered when the SSH service is accessed with "cmc" and "password" (the default username and password). By exploiting a vulnerability in the restrictssh feature of the menuing script, an attacker can escape from the restricted shell. | |||||
CVE-2016-4989 | 2 Redhat, Setroubleshoot Project | 5 Enterprise Linux Desktop, Enterprise Linux Hpc Node, Enterprise Linux Server and 2 more | 2017-04-17 | 6.9 MEDIUM | 7.0 HIGH |
setroubleshoot allows local users to bypass an intended container protection mechanism and execute arbitrary commands by (1) triggering an SELinux denial with a crafted file name, which is handled by the _set_tpath function in audit_data.py or via a crafted (2) local_id or (3) analysis_id field in a crafted XML document to the run_fix function in SetroubleshootFixit.py, related to the subprocess.check_output and commands.getstatusoutput functions, a different vulnerability than CVE-2016-4445. | |||||
CVE-2016-4446 | 2 Redhat, Setroubleshoot Project | 5 Enterprise Linux Desktop, Enterprise Linux Hpc Node, Enterprise Linux Server and 2 more | 2017-04-17 | 6.9 MEDIUM | 7.0 HIGH |
The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function. | |||||
CVE-2016-4445 | 2 Redhat, Setroubleshoot Project | 5 Enterprise Linux Desktop, Enterprise Linux Hpc Node, Enterprise Linux Server and 2 more | 2017-04-17 | 6.9 MEDIUM | 7.0 HIGH |
The fix_lookup_id function in sealert in setroubleshoot before 3.2.23 allows local users to execute arbitrary commands as root by triggering an SELinux denial with a crafted file name, related to executing external commands with the commands.getstatusoutput function. | |||||
CVE-2016-10322 | 1 Synology | 1 Photo Station | 2017-04-17 | 6.5 MEDIUM | 8.8 HIGH |
Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php. | |||||
CVE-2016-4444 | 2 Redhat, Setroubleshoot Project | 5 Enterprise Linux Desktop, Enterprise Linux Hpc Node, Enterprise Linux Server and 2 more | 2017-04-17 | 6.9 MEDIUM | 7.0 HIGH |
The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function. | |||||
CVE-2016-5067 | 1 Sierrawireless | 2 Aleos Firmware, Gx 440 | 2017-04-14 | 9.0 HIGH | 8.8 HIGH |
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Hayes AT command injection. | |||||
CVE-2016-5065 | 1 Sierrawireless | 2 Aleos Firmware, Gx 440 | 2017-04-14 | 7.5 HIGH | 9.8 CRITICAL |
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Embedded_Ace_Set_Task.cgi command injection. | |||||
CVE-2016-6534 | 1 Opmantek | 1 Network Management Information System | 2017-04-14 | 6.0 MEDIUM | 7.5 HIGH |
Opmantek NMIS before 4.3.7c has command injection via man, finger, ping, trace, and nslookup in the tools.pl CGI script. Versions before 8.5.12G might be affected in non-default configurations. | |||||
CVE-2016-10312 | 1 Jensenofscandinavia | 6 Al3g, Al3g Firmware, Al5000ac and 3 more | 2017-04-10 | 10.0 HIGH | 9.8 CRITICAL |
Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to execute arbitrary commands via shell metacharacters to certain /goform/* pages. | |||||
CVE-2016-8801 | 1 Huawei | 2 Oceanstor 5600 V3, Oceanstor 5600 V3 Firmware | 2017-04-05 | 9.0 HIGH | 7.2 HIGH |
Huawei OceanStor 5600 V3 with V300R003C00C10 and earlier versions allows attackers with administrator privilege to inject a command into a specific command's parameters, and run this injected command with root privilege. | |||||
CVE-2008-7313 | 3 Nagios, Redhat, Snoopy | 3 Nagios, Openstack, Snoopy | 2017-04-04 | 7.5 HIGH | 9.8 CRITICAL |
The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists due to an incomplete fix for CVE-2008-4796. | |||||
CVE-2014-5008 | 3 Debian, Redhat, Snoopy | 3 Debian Linux, Openstack, Snoopy | 2017-04-04 | 7.5 HIGH | 9.8 CRITICAL |
Snoopy allows remote attackers to execute arbitrary commands. | |||||
CVE-2017-6184 | 1 Sophos | 1 Web Appliance | 2017-04-04 | 6.5 MEDIUM | 4.7 MEDIUM |
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via the token parameter, aka NSWA-1303. | |||||
CVE-2017-6183 | 1 Sophos | 1 Web Appliance | 2017-04-04 | 6.5 MEDIUM | 7.2 HIGH |
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's configuration utilities for adding (and detecting) Active Directory servers was vulnerable to remote command injection, aka NSWA-1314. |