Total
1397 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2015-8988 | 1 Mcafee | 1 Epo Deep Command | 2017-03-23 | 6.5 MEDIUM | 8.8 HIGH |
Unquoted executable path vulnerability in Client Management and Gateway components in McAfee (now Intel Security) ePO Deep Command (eDC) 2.2 and 2.1 allows authenticated users to execute a command of their choice via dropping a malicious file for the path. | |||||
CVE-2016-4929 | 1 Juniper | 1 Junos Space | 2017-03-22 | 9.0 HIGH | 8.8 HIGH |
Command injection vulnerability in Junos Space before 15.2R2 allows attackers to execute arbitrary code as a root user. | |||||
CVE-2017-5675 | 1 Embedthis | 1 Goahead | 2017-03-15 | 9.0 HIGH | 8.8 HIGH |
A command-injection vulnerability exists in a web application on a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models. The mail-sending form in the mail.htm page allows an attacker to inject a command into the receiver1 field in the form; it will be executed with root privileges. | |||||
CVE-2016-9337 | 1 Tesla | 1 Gateway Ecu | 2017-03-14 | 4.0 MEDIUM | 6.8 MEDIUM |
An issue was discovered in Tesla Motors Model S automobile, all firmware versions before version 7.1 (2.36.31) with web browser functionality enabled. The vehicle's Gateway ECU is susceptible to commands that may allow an attacker to install malicious software allowing the attacker to send messages to the vehicle's CAN bus, a Command Injection. | |||||
CVE-2016-9554 | 1 Sophos | 1 Web Appliance | 2017-03-13 | 9.0 HIGH | 7.2 HIGH |
The Sophos Web Appliance Remote / Secure Web Gateway server (version 4.2.1.3) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. These vulnerabilities occur in MgrDiagnosticTools.php (/controllers/MgrDiagnosticTools.php), in the component responsible for performing diagnostic tests with the UNIX wget utility. The application doesn't properly escape the information passed in the 'url' variable before calling the executeCommand class function ($this->dtObj->executeCommand). This function calls exec() with unsanitized user input allowing for remote command injection. The page that contains the vulnerabilities, /controllers/MgrDiagnosticTools.php, is accessed by a built-in command answered by the administrative interface. The command that calls to that vulnerable page (passed in the 'section' parameter) is: 'configuration'. Exploitation of this vulnerability yields shell access to the remote machine under the 'spiderman' user account. | |||||
CVE-2016-10194 | 1 Festivaltts4r Project | 1 Festivaltts4r | 2017-03-09 | 7.5 HIGH | 9.8 CRITICAL |
The festivaltts4r gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a string to the (1) to_speech or (2) to_mp3 method in lib/festivaltts4r/festival4r.rb. | |||||
CVE-2016-9553 | 1 Sophos | 1 Web Appliance | 2017-03-08 | 9.0 HIGH | 7.2 HIGH |
The Sophos Web Appliance (version 4.2.1.3) is vulnerable to two Remote Command Injection vulnerabilities affecting its web administrative interface. These vulnerabilities occur in the MgrReport.php (/controllers/MgrReport.php) component responsible for blocking and unblocking IP addresses from accessing the device. The device doesn't properly escape the information passed in the variables 'unblockip' and 'blockip' before calling the shell_exec() function which allows for system commands to be injected into the device. The code erroneously suggests that the information handled is protected by utilizing the variable name 'escapedips' - however this was not the case. The Sophos ID is NSWA-1258. | |||||
CVE-2016-6649 | 1 Emc | 2 Recoverpoint, Recoverpoint For Virtual Machines | 2017-03-07 | 7.2 HIGH | 6.7 MEDIUM |
EMC RecoverPoint versions before 4.4.1.1 and EMC RecoverPoint for Virtual Machines versions before 5.0 are affected by multiple command injection vulnerabilities where a malicious administrator with configuration privileges may bypass the user interface and escalate his privileges to root. | |||||
CVE-2016-10098 | 1 Sendquick | 4 Avera Sms Gateway, Avera Sms Gateway Firmware, Entera Sms Gateway and 1 more | 2017-02-09 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered on SendQuick Entera and Avera devices before 2HF16. Multiple Command Injection vulnerabilities allow attackers to execute arbitrary system commands. | |||||
CVE-2016-0396 | 1 Ibm | 1 Bigfix Platform | 2017-02-07 | 6.8 MEDIUM | 8.1 HIGH |
IBM Tivoli Endpoint Manager could allow a user under special circumstances to inject commands that would be executed with unnecessary higher privileges than expected. | |||||
CVE-2015-3441 | 1 Genexia | 1 Drgos | 2017-01-17 | 9.0 HIGH | 8.8 HIGH |
The Parental Control panel in Genexis devices with DRGOS before 1.14.1 allows remote authenticated users to execute arbitrary CLI commands via the (1) start_hour, (2) start_minute, (3) end_hour, (4) end_minute, or (5) hostname parameter. | |||||
CVE-2016-10108 | 1 Western Digital | 1 Mycloud Nas | 2017-01-09 | 10.0 HIGH | 9.8 CRITICAL |
Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data. | |||||
CVE-2016-10107 | 1 Western Digital | 1 Mycloud Nas | 2017-01-04 | 10.0 HIGH | 9.8 CRITICAL |
Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 index.php page via a modified Cookie header. | |||||
CVE-2014-7285 | 1 Symantec | 1 Web Gateway | 2017-01-02 | 6.5 MEDIUM | N/A |
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts. | |||||
CVE-2014-8630 | 2 Fedoraproject, Mozilla | 2 Fedora, Bugzilla | 2017-01-02 | 6.5 MEDIUM | N/A |
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name. | |||||
CVE-2015-2051 | 1 D-link | 2 Dir-645, Dir-645 Firmware | 2016-12-30 | 10.0 HIGH | N/A |
The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface. | |||||
CVE-2015-1986 | 1 Ibm | 1 Tivoli Storage Manager Fastback | 2016-12-30 | 10.0 HIGH | N/A |
The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to execute arbitrary commands via unspecified vectors, a different vulnerability than CVE-2015-1938. | |||||
CVE-2015-2265 | 2 Canonical, Linuxfoundation | 2 Ubuntu Linux, Cups-filters | 2016-12-27 | 7.5 HIGH | N/A |
The remove_bad_chars function in utils/cups-browsed.c in cups-filters before 1.0.66 allows remote IPP printers to execute arbitrary commands via consecutive shell metacharacters in the (1) model or (2) PDL. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707. | |||||
CVE-2015-1949 | 1 Ibm | 1 Tivoli Storage Manager Fastback | 2016-12-27 | 10.0 HIGH | N/A |
The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to execute arbitrary commands with SYSTEM privileges via unspecified vectors. | |||||
CVE-2015-1938 | 1 Ibm | 1 Tivoli Storage Manager Fastback | 2016-12-27 | 10.0 HIGH | N/A |
The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to execute arbitrary commands via unspecified vectors, a different vulnerability than CVE-2015-1986. |