Total
2452 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16666 | 1 Xplico | 1 Xplico | 2019-10-02 | 9.0 HIGH | 8.8 HIGH |
| Xplico before 1.2.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the name of an uploaded PCAP file. NOTE: this issue can be exploited without authentication by leveraging the user registration feature. | |||||
| CVE-2017-15924 | 2 Debian, Shadowsocks | 2 Debian Linux, Shadowsocks-libev | 2019-10-02 | 7.2 HIGH | 7.8 HIGH |
| In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the add_server, build_config, and construct_command_line functions. | |||||
| CVE-2017-15226 | 1 Zyxel | 2 Nbg6716, Nbg6716 Firmware | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex are used directly in a popen call. | |||||
| CVE-2017-14705 | 1 Denyall | 2 I-suite, Web Application Firewall | 2019-10-02 | 9.3 HIGH | 8.1 HIGH |
| DenyAll WAF before 6.4.1 allows unauthenticated remote command execution via TCP port 3001 because shell metacharacters can be inserted into the type parameter to the tailDateFile function in /webservices/stream/tail.php. An iToken authentication parameter is required but can be obtained by exploiting CVE-2017-14706. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x before 6.4.1, with On Premises or AWS/Azure cloud deployments. | |||||
| CVE-2017-14429 | 1 D-link | 2 Dir-850l, Dir-850l Firmware | 2019-10-02 | 10.0 HIGH | 9.8 CRITICAL |
| The DHCP client on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices allows unauthenticated remote code execution as root because /etc/services/INET/inet_ipv4.php mishandles shell metacharacters, affecting generated files such as WAN-1-udhcpc.sh. | |||||
| CVE-2017-14100 | 1 Digium | 2 Asterisk, Certified Asterisk | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection. | |||||
| CVE-2017-13713 | 1 Twsz | 2 Wifi Repeater, Wifi Repeater Firmware | 2019-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| T&W WIFI Repeater BE126 allows remote authenticated users to execute arbitrary code via shell metacharacters in the user parameter to cgi-bin/webupg. | |||||
| CVE-2017-11588 | 1 Cisco | 2 Residential Gateway, Residential Gateway Firmware | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00.00.03.45.4E and DDR2201v1 ADSL2+ Residential Gateway DDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3 devices, there is remote command execution via shell metacharacters in the pingAddr parameter to the waitPingqry.cgi URI. The command output is visible at /PingMsg.cmd. | |||||
| CVE-2017-11381 | 1 Trendmicro | 1 Deep Discovery Director | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability exists in Trend Micro Deep Discovery Director 1.1 that allows an attacker to restore accounts that can access the pre-configuration console. | |||||
| CVE-2017-11366 | 1 Codiad | 1 Codiad | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| components/filemanager/class.filemanager.php in Codiad before 2.8.4 is vulnerable to remote command execution because shell commands can be embedded in parameter values, as demonstrated by search_file_type. | |||||
| CVE-2017-11395 | 1 Trendmicro | 1 Smart Protection Server | 2019-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| Command injection vulnerability in Trend Micro Smart Protection Server (Standalone) 3.1 and 3.2 server administration UI allows attackers with authenticated access to execute arbitrary code on vulnerable installations. | |||||
| CVE-2017-11322 | 1 Ucopia | 1 Ucopia Wireless Appliance | 2019-10-02 | 7.2 HIGH | 8.2 HIGH |
| The chroothole_client executable in UCOPIA Wireless Appliance before 5.1.8 allows remote attackers to gain root privileges via a dollar sign ($) metacharacter in the argument to chroothole_client. | |||||
| CVE-2017-11150 | 1 Synology | 1 Office | 2019-10-02 | 6.5 MEDIUM | 7.8 HIGH |
| Command injection vulnerability in Document.php in Synology Office 2.2.0-1502 and 2.2.1-1506 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the crafted file name of RTF documents. | |||||
| CVE-2017-1000220 | 1 Pidusage Project | 1 Pidusage | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| soyuka/pidusage <=1.1.4 is vulnerable to command injection in the module resulting in arbitrary command execution | |||||
| CVE-2017-1000219 | 1 Windows-cpu Project | 1 Windows-cpu | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| npm/KyleRoss windows-cpu all versions vulnerable to command injection resulting in code execution as Node.js user | |||||
| CVE-2017-1000215 | 1 Xrootd | 1 Xrootd | 2019-10-02 | 10.0 HIGH | 9.8 CRITICAL |
| ROOT xrootd version 4.6.0 and below is vulnerable to an unauthenticated shell command injection resulting in remote code execution | |||||
| CVE-2017-1000203 | 1 Cern | 1 Root | 2019-10-02 | 9.0 HIGH | 8.8 HIGH |
| ROOT version 6.9.03 and below is vulnerable to an authenticated shell metacharacter injection in the rootd daemon resulting in remote code execution | |||||
| CVE-2017-1000159 | 1 Gnome | 1 Evince | 2019-10-02 | 4.6 MEDIUM | 7.8 HIGH |
| Command injection in evince via filename when printing to PDF. This affects versions earlier than 3.25.91. | |||||
| CVE-2017-1000116 | 3 Debian, Mercurial, Redhat | 8 Debian Linux, Mercurial, Enterprise Linux Desktop and 5 more | 2019-10-02 | 10.0 HIGH | 9.8 CRITICAL |
| Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks. | |||||
| CVE-2019-16701 | 1 Netgate | 1 Pfsense | 2019-09-25 | 9.0 HIGH | 8.8 HIGH |
| pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value. | |||||