Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-78
Total 2452 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-8389 1 Airlive 10 Bu-2015, Bu-2015 Firmware, Bu-3026 and 7 more 2018-10-09 10.0 HIGH 9.8 CRITICAL
cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware LM.1.6.17.01 uses hard-coded credentials in the embedded Boa web server, which allows remote attackers to obtain user credentials via crafted HTTP requests.
CVE-2014-8334 1 Wp-dbmanager Project 1 Wp-dbmanager 2018-10-09 6.5 MEDIUM N/A
The WP-DBManager (aka Database Manager) plugin before 2.7.2 for WordPress allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) $backup['filepath'] (aka "Path to Backup:" field) or (2) $backup['mysqldumppath'] variable.
CVE-2014-8387 1 Advantech 2 Eki-6340, Eki-6340 Firmware 2018-10-09 9.0 HIGH N/A
cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi.
CVE-2014-3418 1 Infoblox 1 Netmri 2018-10-09 10.0 HIGH N/A
config/userAdmin/login.tdf in Infoblox NetMRI before 6.8.5 allows remote attackers to execute arbitrary commands via shell metacharacters in the skipjackUsername parameter.
CVE-2014-2507 1 Emc 1 Documentum Content Server 2018-10-09 8.5 HIGH N/A
EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05 allows remote authenticated users to execute arbitrary commands via shell metacharacters in arguments to unspecified methods.
CVE-2018-14417 1 Softnas 1 Cloud 2018-10-02 10.0 HIGH 9.8 CRITICAL
A command injection vulnerability was found in the web administration console in SoftNAS Cloud before 4.0.3. In particular, the snserv script did not sanitize the 'recentVersion' parameter from the snserv endpoint, allowing an unauthenticated attacker to execute arbitrary commands with root permissions.
CVE-2018-12483 1 Ocsinventory-ng 1 Ocsinventory Ng 2018-10-02 9.0 HIGH 8.8 HIGH
OCS Inventory 2.4.1 is prone to a remote command-execution vulnerability. Specifically, this issue occurs because the content of the ipdiscover_analyser rzo GET parameter is concatenated to a string used in an exec() call in the PHP code. Authentication is needed in order to exploit this vulnerability.
CVE-2018-14010 1 Mi 7 Xiaomi R3, Xiaomi R3c, Xiaomi R3c Firmware and 4 more 2018-09-12 10.0 HIGH 9.8 CRITICAL
OS command injection in the guest Wi-Fi settings feature in /cgi-bin/luci on Xiaomi R3P before 2.14.5, R3C before 2.12.15, R3 before 2.22.15, and R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data.
CVE-2018-14060 1 Mi 2 Xiaomi R3d, Xiaomi R3d Firmware 2018-09-12 10.0 HIGH 9.8 CRITICAL
OS command injection in the AP mode settings feature in /cgi-bin/luci /api/misystem/set_router_wifiap on Xiaomi R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data.
CVE-2017-17411 1 Linksys 2 Wvbr0, Wvbr0 Firmware 2018-08-28 10.0 HIGH 9.8 CRITICAL
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges. Was ZDI-CAN-4892.
CVE-2018-0569 1 Basercms 1 Basercms 2018-08-21 6.5 MEDIUM 8.8 HIGH
baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and earlier versions) allows remote authenticated attackers to execute arbitrary OS commands via unspecified vectors.
CVE-2013-6041 1 Softaculous 1 Webuzo 2018-08-13 7.5 HIGH N/A
index.php in Softaculous Webuzo before 2.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in a SOFTCookies sid cookie within a login action.
CVE-2014-9727 1 Avm 1 Fritz\!box 2018-08-13 10.0 HIGH N/A
AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm.
CVE-2018-12591 1 Ubnt 2 Edgeswitch, Edgeswitch Firmware 2018-08-13 9.0 HIGH 7.2 HIGH
Ubiquiti Networks EdgeSwitch version 1.7.3 and prior suffer from an improperly neutralized element in an OS command due to lack of protection on the admin CLI, leading to code execution and privilege escalation greater than administrators themselves are allowed. An attacker with access to an admin account could escape the restricted CLI and execute arbitrary shell instructions.
CVE-2018-6211 1 D-link 2 Dir-620, Dir-620 Firmware 2018-08-11 9.0 HIGH 7.2 HIGH
On D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, OS command injection is possible as a result of incorrect processing of the res_buf parameter to index.cgi.
CVE-2014-6277 1 Gnu 1 Bash 2018-08-08 10.0 HIGH N/A
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.
CVE-2017-7637 1 Qnap 1 Nas Proxy Server 2018-07-12 10.0 HIGH 9.8 CRITICAL
QNAP NAS application Proxy Server through version 1.2.0 allows remote attackers to run arbitrary OS commands against the system with root privileges.
CVE-2018-4923 1 Adobe 1 Connect 2018-06-22 6.4 MEDIUM 9.1 CRITICAL
Adobe Connect versions 9.7 and earlier have an exploitable OS Command Injection. Successful exploitation could lead to arbitrary file deletion.
CVE-2018-4924 2 Adobe, Microsoft 2 Dreamweaver, Windows 2018-06-22 10.0 HIGH 9.8 CRITICAL
Adobe Dreamweaver CC versions 18.0 and earlier have an OS Command Injection vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-10730 1 Phoenixcontact 58 Fl Switch 3004t-fx, Fl Switch 3004t-fx Firmware, Fl Switch 3004t-fx St and 55 more 2018-06-19 9.0 HIGH 9.1 CRITICAL
All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products running firmware version 1.0 to 1.33 are prone to OS command injection.