Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-78
Total 2257 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-39815 1 Nokia 1 1350 Optical Management System 2022-09-30 N/A 9.8 CRITICAL
In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occurs. This vulnerability allow unauthenticated users to execute commands on the operating system.
CVE-2022-39819 1 Nokia 1 1350 Optical Management System 2022-09-30 N/A 8.8 HIGH
In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occurs. This allows authenticated users to execute commands on the operating system.
CVE-2021-28398 1 Osgeo 1 Geonetwork 2022-09-30 N/A 7.2 HIGH
A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.
CVE-2021-21872 1 Lantronix 2 Premierwave 2050, Premierwave 2050 Firmware 2022-09-30 9.0 HIGH 9.9 CRITICAL
An OS command injection vulnerability exists in the Web Manager Diagnostics: Traceroute functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2021-21873 1 Lantronix 2 Premierwave 2050, Premierwave 2050 Firmware 2022-09-30 9.0 HIGH 9.1 CRITICAL
A specially-crafted HTTP request can lead to arbitrary command execution in RSA keypasswd parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2021-46422 1 Telesquare 2 Sdt-cs3b1, Sdt-cs3b1 Firmware 2022-09-30 10.0 HIGH 9.8 CRITICAL
Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.
CVE-2022-28811 1 Gavazziautomation 3 Cpy Car Park Server, Uwp 3.0 Monitoring Gateway And Controller, Uwp 3.0 Monitoring Gateway And Controller Firmware 2022-09-30 N/A 9.8 CRITICAL
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could utilize an improper input validation on an API-submitted parameter to execute arbitrary OS commands.
CVE-2021-21805 1 Advantech 1 R-seenet 2022-09-29 10.0 HIGH 9.8 CRITICAL
An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger this vulnerability.
CVE-2021-1382 1 Cisco 1 Ios Xe 2022-09-29 7.2 HIGH 6.7 MEDIUM
A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with root privileges on the underlying operating system. This vulnerability is due to insufficient input validation on certain CLI commands. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI. The attacker must be authenticated as an administrative user to execute the affected commands. A successful exploit could allow the attacker to execute commands with root privileges.
CVE-2022-27002 1 Commscope 2 Arris Tr3300, Arris Tr3300 Firmware 2022-09-29 10.0 HIGH 9.8 CRITICAL
Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddns?ddns_host parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
CVE-2022-39224 1 Ruby-arr-pm Project 1 Ruby-arr-pm 2022-09-26 N/A 7.8 HIGH
Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool.
CVE-2021-1138 1 Cisco 1 Smart Software Manager Satellite 2022-09-20 10.0 HIGH 9.8 CRITICAL
Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2021-1140 1 Cisco 1 Smart Software Manager Satellite 2022-09-20 10.0 HIGH 9.8 CRITICAL
Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2021-1139 1 Cisco 1 Smart Software Manager Satellite 2022-09-20 9.0 HIGH 8.8 HIGH
Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2021-1141 1 Cisco 1 Smart Software Manager Satellite 2022-09-20 9.0 HIGH 8.8 HIGH
Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2020-2038 1 Paloaltonetworks 1 Pan-os 2022-09-16 9.0 HIGH 7.2 HIGH
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue impacts: PAN-OS 9.0 versions earlier than 9.0.10; PAN-OS 9.1 versions earlier than 9.1.4; PAN-OS 10.0 versions earlier than 10.0.1.
CVE-2022-36779 2 Advice, Proscend 18 Icr 111wg, Icr 111wg Firmware, M301-g and 15 more 2022-09-15 N/A 9.8 CRITICAL
PROSCEND - PROSCEND / ADVICE .Ltd - G/5G Industrial Cellular Router (with GPS)4 Unauthenticated OS Command Injection Proscend M330-w / M33-W5 / M350-5G / M350-W5G / M350-6 / M350-W6 / M301-G / M301-GW ADVICE ICR 111WG / https://www.proscend.com/en/category/industrial-Cellular-Router/industrial-Cellular-Router.html https://cdn.shopify.com/s/files/1/0036/9413/3297/files/ADVICE_Industrial_4G_LTE_Cellular_Router_ICR111WG.pdf?v=1620814301
CVE-2022-32212 1 Nodejs 1 Node.js 2022-09-15 N/A 8.1 HIGH
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
CVE-2022-3133 1 Diagrams 1 Drawio 2022-09-15 N/A 7.8 HIGH
OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0.
CVE-2021-45844 2 Debian, Freecadweb 2 Debian Linux, Freecad 2022-09-14 7.6 HIGH 7.8 HIGH
Improper sanitization in the invocation of ODA File Converter from FreeCAD 0.19 allows an attacker to inject OS commands via a crafted filename.