Total
2452 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-27083 | 1 Tenda | 2 M3, M3 Firmware | 2022-03-29 | 10.0 HIGH | 9.8 CRITICAL |
| Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /cgi-bin/uploadAccessCodePic. | |||||
| CVE-2022-26290 | 1 Tenda | 2 M3, M3 Firmware | 2022-03-29 | 10.0 HIGH | 9.8 CRITICAL |
| Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/WriteFacMac. | |||||
| CVE-2022-27082 | 1 Tenda | 2 M3, M3 Firmware | 2022-03-29 | 10.0 HIGH | 9.8 CRITICAL |
| Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/SetInternetLanInfo. | |||||
| CVE-2022-26289 | 1 Tenda | 2 M3, M3 Firmware | 2022-03-29 | 10.0 HIGH | 9.8 CRITICAL |
| Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/exeCommand. | |||||
| CVE-2022-22273 | 1 Sonicwall | 18 Sma 200, Sma 200 Firmware, Sma 210 and 15 more | 2022-03-28 | 7.5 HIGH | 9.8 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** Improper neutralization of Special Elements leading to OS Command Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products and older firmware versions of Secure Mobile Access (SMA) 100 series products, specifically the SRA appliances running all 8.x, 9.0.0.5-19sv and earlier versions and Secure Mobile Access (SMA) 100 series products running older firmware 9.0.0.9-26sv and earlier versions. | |||||
| CVE-2022-27000 | 1 Commscope | 2 Arris Tr3300, Arris Tr3300 Firmware | 2022-03-25 | 10.0 HIGH | 9.8 CRITICAL |
| Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the time and time zone function via the h_primary_ntp_server, h_backup_ntp_server, and h_time_zone parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-27001 | 1 Commscope | 2 Arris Tr3300, Arris Tr3300 Firmware | 2022-03-25 | 10.0 HIGH | 9.8 CRITICAL |
| Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the dhcp function via the hostname parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-26999 | 1 Commscope | 2 Arris Tr3300, Arris Tr3300 Firmware | 2022-03-25 | 10.0 HIGH | 9.8 CRITICAL |
| Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the static ip settings function via the wan_ip_stat, wan_mask_stat, wan_gw_stat, and wan_dns1_stat parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-26998 | 1 Commscope | 2 Arris Tr3300, Arris Tr3300 Firmware | 2022-03-25 | 10.0 HIGH | 9.8 CRITICAL |
| Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the wps setting function via the wps_enrolee_pin parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-26997 | 1 Commscope | 2 Arris Tr3300, Arris Tr3300 Firmware | 2022-03-25 | 10.0 HIGH | 9.8 CRITICAL |
| Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the upnp function via the upnp_ttl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-26996 | 1 Commscope | 2 Arris Tr3300, Arris Tr3300 Firmware | 2022-03-25 | 10.0 HIGH | 9.8 CRITICAL |
| Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pppoe function via the pppoe_username, pppoe_passwd, and pppoe_servicename parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-26995 | 1 Commscope | 2 Arris Tr3300, Arris Tr3300 Firmware | 2022-03-25 | 10.0 HIGH | 9.8 CRITICAL |
| Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pptp (wan_pptp.html) function via the pptp_fix_ip, pptp_fix_mask, pptp_fix_gw, and wan_dns1_stat parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2021-23632 | 1 Git Project | 1 Git | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js with the following content: js var Git = require("git").Git; var repo = new Git("repo-test"); var user_input = "version; date"; repo.git(user_input, function(err, result) { console.log(result); }) 2. In the same directory as exploit.js, run npm install git. 3. Run exploit.js: node exploit.js. You should see the outputs of both the git version and date command-lines. Note that the repo-test Git repository does not need to be present to make this PoC work. | |||||
| CVE-2021-3708 | 1 Dlink | 2 Dsl-2750u, Dsl-2750u Firmware | 2022-03-22 | 7.2 HIGH | 7.8 HIGH |
| D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to OS command injection. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3707, to execute any OS commands on the vulnerable device. | |||||
| CVE-2022-25621 | 1 Nec | 20 Univerge Wa1020, Univerge Wa1020 Firmware, Univerge Wa1510 and 17 more | 2022-03-22 | 7.5 HIGH | 9.8 CRITICAL |
| UUNIVERGE WA 1020 Ver8.2.11 and prior, UNIVERGE WA 1510 Ver8.2.11 and prior, UNIVERGE WA 1511 Ver8.2.11 and prior, UNIVERGE WA 1512 Ver8.2.11 and prior, UNIVERGE WA 2020 Ver8.2.11 and prior, UNIVERGE WA 2021 Ver8.2.11 and prior, UNIVERGE WA 2610-AP Ver8.2.11 and prior, UNIVERGE WA 2611-AP Ver8.2.11 and prior, UNIVERGE WA 2611E-AP Ver8.2.11 and prior, UNIVERGE WA WA2612-AP Ver8.2.11 and prior allows a remote attacker to execute arbitrary OS commands. | |||||
| CVE-2022-0557 | 1 Microweber | 1 Microweber | 2022-03-18 | 9.0 HIGH | 7.2 HIGH |
| OS Command Injection in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2021-44827 | 1 Tp-link | 2 Archer C20i, Archer C20i Firmware | 2022-03-15 | 9.0 HIGH | 8.8 HIGH |
| There is remote authenticated OS command injection on TP-Link Archer C20i 0.9.1 3.2 v003a.0 Build 170221 Rel.55462n devices vie the X_TP_ExternalIPv6Address HTTP parameter, allowing a remote attacker to run arbitrary commands on the router with root privileges. | |||||
| CVE-2021-46704 | 1 Genieacs | 1 Genieacs | 2022-03-11 | 7.5 HIGH | 9.8 CRITICAL |
| In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument (lib/ui/api.ts and lib/ping.ts). The vulnerability arises from insufficient input validation combined with a missing authorization check. | |||||
| CVE-2022-22301 | 1 Fortinet | 1 Fortiap-c | 2022-03-10 | 4.6 MEDIUM | 7.8 HIGH |
| An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiAP-C console 5.4.0 through 5.4.3, 5.2.0 through 5.2.1 may allow an authenticated attacker to execute unauthorized commands by running CLI commands with specifically crafted arguments. | |||||
| CVE-2020-12775 | 1 Moica | 1 Hicos | 2022-03-10 | 10.0 HIGH | 9.8 CRITICAL |
| Hicos citizen certificate client-side component does not filter special characters for command parameters in specific web URLs. An unauthenticated remote attacker can exploit this vulnerability to perform command injection attack to execute arbitrary system command, disrupt system or terminate service. | |||||