Total
2452 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-24193 | 1 Icewale | 1 Casaos | 2022-09-02 | 7.5 HIGH | 9.8 CRITICAL |
| CasaOS before v0.2.7 was discovered to contain a command injection vulnerability. | |||||
| CVE-2021-42372 | 1 Xorux | 2 Lpar2rrd, Stor2rrd | 2022-09-02 | 9.0 HIGH | 8.8 HIGH |
| A shell command injection in the HW Events SNMP community in XoruX LPAR2RRD and STOR2RRD before 7.30 allows authenticated remote attackers to execute arbitrary shell commands as the user running the service. | |||||
| CVE-2022-31499 | 1 Nortekcontrol | 2 Emerge E3, Emerge E3 Firmware | 2022-09-02 | N/A | 9.8 CRITICAL |
| Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256. | |||||
| CVE-2022-34374 | 1 Dell | 1 Container Storage Modules | 2022-09-02 | N/A | 8.8 HIGH |
| Dell Container Storage Modules 1.2 contains an OS command injection in goiscsi and gobrick libraries. A remote authenticated malicious user with low privileges could exploit this vulnerability leading to to execute arbitrary OS commands on the affected system. | |||||
| CVE-2020-13782 | 1 Dlink | 2 Dir-865l, Dir-865l Firmware | 2022-09-02 | 6.5 MEDIUM | 8.8 HIGH |
| D-Link DIR-865L Ax 1.20B01 Beta devices allow Command Injection. | |||||
| CVE-2020-29552 | 1 Urve | 1 Urve | 2022-09-01 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in URVE Build 24.03.2020. By using the _internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+" substring, it is possible to execute a Powershell command and redirect its output to a file under the web root. | |||||
| CVE-2022-20865 | 1 Cisco | 24 Firepower 4110, Firepower 4110 Firmware, Firepower 4112 and 21 more | 2022-09-01 | N/A | 6.7 MEDIUM |
| A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The attacker would need to have Administrator privileges on the device. This vulnerability is due to insufficient input validation of commands supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected command. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges. | |||||
| CVE-2019-20807 | 6 Apple, Canonical, Debian and 3 more | 7 Mac Os X, Ubuntu Linux, Debian Linux and 4 more | 2022-09-01 | 4.6 MEDIUM | 5.3 MEDIUM |
| In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua). | |||||
| CVE-2022-38078 | 1 Sixapart | 1 Movable Type | 2022-08-31 | N/A | 9.8 CRITICAL |
| Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products and versions are as follows: Movable Type 7 r.5202 and earlier, Movable Type Advanced 7 r.5202 and earlier, Movable Type 6.8.6 and earlier, Movable Type Advanced 6.8.6 and earlier, Movable Type Premium 1.52 and earlier, and Movable Type Premium Advanced 1.52 and earlier. Note that all versions of Movable Type 4.0 or later including unsupported (End-of-Life, EOL) versions are also affected by this vulnerability. | |||||
| CVE-2021-23862 | 1 Bosch | 8 Bosch Video Management System, Divar Ip 5000 Firmware, Divar Ip 7000 Firmware and 5 more | 2022-08-30 | 9.0 HIGH | 7.2 HIGH |
| A crafted configuration packet sent by an authenticated administrative user can be used to execute arbitrary commands in system context. This issue also affects installations of the VRM, DIVAR IP, BVMS with VRM installed, the VIDEOJET decoder (VJD-7513 and VJD-8000). | |||||
| CVE-2022-23663 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2022-08-29 | 9.0 HIGH | 9.1 CRITICAL |
| A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2022-38132 | 1 Linksys | 2 Mr8300, Mr8300 Firmware | 2022-08-29 | N/A | 8.8 HIGH |
| Command injection vulnerability in Linksys MR8300 router while Registration to DDNS Service. By specifying username and password, an attacker connected to the router's web interface can execute arbitrary OS commands. The username and password fields are not sanitized correctly and are used as URL construction arguments, allowing URL redirection to an arbitrary server, downloading an arbitrary script file, and eventually executing the file in the device. This issue affects: Linksys MR8300 Router 1.0. | |||||
| CVE-2022-32572 | 1 Wwbn | 1 Avideo | 2022-08-26 | N/A | 8.8 HIGH |
| An os command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-30534 | 1 Wwbn | 1 Avideo | 2022-08-26 | N/A | 8.8 HIGH |
| An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2021-42232 | 1 Tp-link | 2 Archer A7, Archer A7 Firmware | 2022-08-25 | N/A | 9.8 CRITICAL |
| TP-Link Archer A7 Archer A7(US)_V5_210519 is affected by a command injection vulnerability in /usr/bin/tddp. The vulnerability is caused by the program taking part of the received data packet as part of the command. This will cause an attacker to execute arbitrary commands on the router. | |||||
| CVE-2020-10390 | 1 Chadhaajay | 1 Phpkb | 2022-08-19 | 6.5 MEDIUM | 7.2 HIGH |
| OS Command Injection in export.php (vulnerable function called from include/functions-article.php) in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve Code Execution by saving the code to be executed as the wkhtmltopdf path via admin/save-settings.php. | |||||
| CVE-2022-1410 | 1 Device42 | 1 Cmdb | 2022-08-18 | N/A | 8.8 HIGH |
| OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions. | |||||
| CVE-2022-36381 | 1 Nintendo | 2 Wi-fi Network Adaptor Wap 001, Wi-fi Network Adaptor Wap 001 Firmware | 2022-08-17 | N/A | 7.2 HIGH |
| OS command injection vulnerability in Nintendo Wi-Fi Network Adaptor WAP-001 All versions allows an attacker with an administrative privilege to execute arbitrary OS commands via unspecified vectors. | |||||
| CVE-2022-36309 | 1 Airspan | 2 Airvelocity 1500, Airvelocity 1500 Firmware | 2022-08-17 | N/A | 8.8 HIGH |
| Airspan AirVelocity 1500 software versions prior to 15.18.00.2511 have a root command injection vulnerability in the ActiveBank parameter of the recoverySubmit.cgi script running on the eNodeB's web management UI. This issue may affect other AirVelocity and AirSpeed models. | |||||
| CVE-2018-7187 | 2 Debian, Golang | 2 Debian Linux, Go | 2022-08-16 | 9.3 HIGH | 8.8 HIGH |
| The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. | |||||