Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-78
Total 2452 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-25617 1 Sap 1 Business Objects Business Intelligence Platform 2023-03-22 N/A 8.8 HIGH
SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom application based on the public java SDK. Programs could impact the confidentiality, integrity and availability of the system.
CVE-2022-37337 2023-03-21 N/A N/A
A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2023-27985 1 Gnu 1 Emacs 2023-03-21 N/A 7.8 HIGH
emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification.
CVE-2023-25280 1 Dlink 2 Dir820la1, Dir820la1 Firmware 2023-03-21 N/A 9.8 CRITICAL
OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.
CVE-2023-28343 1 Apsystems 2 Energy Communication Unit, Energy Communication Unit Firmware 2023-03-21 N/A 9.8 CRITICAL
OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php.
CVE-2018-7084 2 Arubanetworks, Siemens 3 Aruba Instant, Scalance W1750d, Scalance W1750d Firmware 2023-03-20 10.0 HIGH 9.8 CRITICAL
A command injection vulnerability is present that permits an unauthenticated user with access to the Aruba Instant web interface to execute arbitrary system commands within the underlying operating system. An attacker could use this ability to copy files, read configuration, write files, delete files, or reboot the device. Workaround: Block access to the Aruba Instant web interface from all untrusted users. Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.1
CVE-2023-24762 1 Dlink 2 Dir-867, Dir-867 Firmware 2023-03-16 N/A 9.8 CRITICAL
OS Command injection vulnerability in D-Link DIR-867 DIR_867_FW1.30B07 allows attackers to execute arbitrary commands via a crafted LocalIPAddress parameter for the SetVirtualServerSettings to HNAP1.
CVE-2023-25279 1 Dlink 2 Dir-820l, Dir-820l Firmware 2023-03-16 N/A 9.8 CRITICAL
OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload.
CVE-2023-1350 1 Liferea Project 1 Liferea 2023-03-15 N/A 9.8 CRITICAL
A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date >/tmp/bad-item-link.txt leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848.
CVE-2023-1277 1 Ubuntukylin 1 Kylin-system-updater 2023-03-14 N/A 7.8 HIGH
A vulnerability, which was classified as critical, was found in kylin-system-updater up to 1.4.20kord. Affected is the function InstallSnap of the component Update Handler. The manipulation leads to command injection. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222600.
CVE-2023-25395 1 Totolink 2 A7100ru, A7100ru Firmware 2023-03-14 N/A 9.8 CRITICAL
TOTOlink A7100RU V7.4cu.2313_B20191024 router has a command injection vulnerability.
CVE-2022-39951 1 Fortinet 1 Fortiweb 2023-03-14 N/A 8.8 HIGH
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.3.6 through 6.3.20, FortiWeb 6.4 all versions allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
CVE-2023-20015 1 Cisco 39 Firepower 4100, Firepower 4110, Firepower 4112 and 36 more 2023-03-13 N/A 6.7 MEDIUM
A vulnerability in the CLI of Cisco Firepower 4100 Series, Cisco Firepower 9300 Security Appliances, and Cisco UCS 6200, 6300, 6400, and 6500 Series Fabric Interconnects could allow an authenticated, local attacker to inject unauthorized commands. This vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected command. A successful exploit could allow the attacker to execute unauthorized commands within the CLI. An attacker with Administrator privileges could also execute arbitrary commands on the underlying operating system of Cisco UCS 6400 and 6500 Series Fabric Interconnects with root-level privileges.
CVE-2023-20075 1 Cisco 1 Email Security Appliance 2023-03-13 N/A 6.7 MEDIUM
Vulnerability in the CLI of Cisco Secure Email Gateway could allow an authenticated, remote attacker to execute arbitrary commands. These vulnerability is due to improper input validation in the CLI. An attacker could exploit this vulnerability by injecting operating system commands into a legitimate command. A successful exploit could allow the attacker to escape the restricted command prompt and execute arbitrary commands on the underlying operating system. To successfully exploit this vulnerability, an attacker would need valid Administrator credentials.
CVE-2023-26213 1 Barracuda 14 T100b, T100b Firmware, T193a and 11 more 2023-03-10 N/A 7.2 HIGH
On Barracuda CloudGen WAN Private Edge Gateway devices before 8 webui-sdwan-1089-8.3.1-174141891, an OS command injection vulnerability exists in /ajax/update_certificate - a crafted HTTP request allows an authenticated attacker to execute arbitrary commands. For example, a name field can contain :password and a password field can contain shell metacharacters.
CVE-2023-26490 1 Mailcow 1 Mailcow\ 2023-03-09 N/A 8.8 HIGH
mailcow is a dockerized email package, with multiple containers linked in one bridged network. The Sync Job feature - which can be made available to standard users by assigning them the necessary permission - suffers from a shell command injection. A malicious user can abuse this vulnerability to obtain shell access to the Docker container running dovecot. The imapsync Perl script implements all the necessary functionality for this feature, including the XOAUTH2 authentication mechanism. This code path creates a shell command to call openssl. However, since different parts of the specified user password are included without any validation, one can simply execute additional shell commands. Notably, the default ACL for a newly-created mailcow account does not include the necessary permission. The Issue has been fixed within the 2023-03 Update (March 3rd 2023). As a temporary workaround the Syncjob ACL can be removed from all mailbox users, preventing from creating or changing existing Syncjobs.
CVE-2023-20050 1 Cisco 111 Mds 9000, Mds 9100, Mds 9132t and 108 more 2023-03-09 N/A 7.8 HIGH
A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific CLI commands. An attacker could exploit this vulnerability by including crafted input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the currently logged-in user.
CVE-2022-2024 1 Gogs 1 Gogs 2023-03-09 N/A 9.8 CRITICAL
OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11.
CVE-2023-26039 1 Zoneminder 1 Zoneminder 2023-03-07 N/A 8.8 HIGH
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33.
CVE-2023-26759 1 Smeup 1 Erp 2023-03-03 N/A 8.8 HIGH
Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an OS command injection vulnerability via calls made to the XMService component.