Total
2452 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0841 | 1 Npm-lockfile Project | 1 Npm-lockfile | 2022-03-09 | 10.0 HIGH | 9.8 CRITICAL |
| OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4. | |||||
| CVE-2021-43075 | 1 Fortinet | 1 Fortiwlm | 2022-03-09 | 9.0 HIGH | 8.8 HIGH |
| A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.2 and below, version 8.5.2 and below, version 8.4.2 and below, version 8.3.2 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests to the alarm dashboard and controller config handlers. | |||||
| CVE-2022-25263 | 1 Jetbrains | 1 Teamcity | 2022-03-08 | 7.5 HIGH | 9.8 CRITICAL |
| JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration. | |||||
| CVE-2022-20650 | 1 Cisco | 66 N9k-c9316d-gx, N9k-c9332d-gx2b, N9k-c9348d-gx2a and 63 more | 2022-03-08 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The vulnerability is due to insufficient input validation of user supplied data that is sent to the NX-API. An attacker could exploit this vulnerability by sending a crafted HTTP POST request to the NX-API of an affected device. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system. Note: The NX-API feature is disabled by default. | |||||
| CVE-2022-25328 | 1 Google | 1 Fscrypt | 2022-03-07 | 7.2 HIGH | 7.3 HIGH |
| The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or above | |||||
| CVE-2022-24288 | 1 Apache | 1 Airflow | 2022-03-04 | 6.5 MEDIUM | 8.8 HIGH |
| In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI. | |||||
| CVE-2021-4029 | 1 Zyxel | 4 Nbg6816, Nbg6816 Firmware, Nbg6817 and 1 more | 2022-03-02 | 8.3 HIGH | 8.8 HIGH |
| A command injection vulnerability in the CGI program of the Zyxel ARMOR Z1/Z2 firmware could allow an attacker to execute arbitrary OS commands via a LAN interface. | |||||
| CVE-2022-21143 | 1 Airspan | 9 A5x, A5x Firmware, C5c and 6 more | 2022-02-25 | 10.0 HIGH | 9.8 CRITICAL |
| MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 does not properly sanitize user input on several locations, which may allow an attacker to inject arbitrary commands. | |||||
| CVE-2021-46319 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2022-02-25 | 10.0 HIGH | 9.8 CRITICAL |
| Remote Code Execution (RCE) vulnerability exists in D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin. Malicious users can use this vulnerability to use "\ " or backticks to bypass the shell metacharacters in the ssid0 or ssid1 parameters to execute arbitrary commands.This vulnerability is due to the fact that CVE-2019-17509 is not fully patched and can be bypassed by using line breaks or backticks on its basis. | |||||
| CVE-2021-46315 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2022-02-25 | 10.0 HIGH | 9.8 CRITICAL |
| Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetWizardConfig.php in D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin. Malicoius users can use this vulnerability to use "\ " or backticks in the shell metacharacters in the ssid0 or ssid1 parameters to cause arbitrary command execution. Since CVE-2019-17510 vulnerability has not been patched and improved www/hnap1/control/setwizardconfig.php, can also use line breaks and backquotes to bypass. | |||||
| CVE-2022-22945 | 1 Vmware | 2 Cloud Foundation, Nsx Data Center | 2022-02-24 | 7.2 HIGH | 7.8 HIGH |
| VMware NSX Edge contains a CLI shell injection vulnerability. A malicious actor with SSH access to an NSX-Edge appliance can execute arbitrary commands on the operating system as root. | |||||
| CVE-2022-25174 | 1 Jenkins | 1 Pipeline\ | 2022-02-23 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same checkout directories for distinct SCMs for Pipeline libraries, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents. | |||||
| CVE-2022-25173 | 1 Jenkins | 1 Pipeline\ | 2022-02-23 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents. | |||||
| CVE-2020-28885 | 1 Liferay | 1 Liferay Portal | 2022-02-22 | 9.0 HIGH | 7.2 HIGH |
| ** DISPUTED ** Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design flaw | |||||
| CVE-2020-16846 | 2 Debian, Saltstack | 2 Debian Linux, Salt | 2022-02-22 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection. | |||||
| CVE-2017-14535 | 1 Netfortris | 1 Trixbox | 2022-02-18 | 9.0 HIGH | 8.8 HIGH |
| trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php. | |||||
| CVE-2022-21173 | 1 Elecom | 16 Wrh-300bk3, Wrh-300bk3-s, Wrh-300bk3-s Firmware and 13 more | 2022-02-15 | 8.3 HIGH | 8.8 HIGH |
| Hidden functionality vulnerability in ELECOM LAN routers (WRH-300BK3 firmware v1.05 and earlier, WRH-300WH3 firmware v1.05 and earlier, WRH-300BK3-S firmware v1.05 and earlier, WRH-300DR3-S firmware v1.05 and earlier, WRH-300LB3-S firmware v1.05 and earlier, WRH-300PN3-S firmware v1.05 and earlier, WRH-300WH3-S firmware v1.05 and earlier, and WRH-300YG3-S firmware v1.05 and earlier) allows an attacker on the adjacent network to execute an arbitrary OS command via unspecified vectors. | |||||
| CVE-2021-26616 | 1 Secuwiz | 1 Secuwayssl U | 2022-02-15 | 7.5 HIGH | 9.8 CRITICAL |
| An OS command injection was found in SecuwaySSL, when special characters injection on execute command with runCommand arguments. | |||||
| CVE-2022-23611 | 1 Itunesrpc-remastered Project | 1 Itunesrpc-remastered | 2022-02-10 | 7.5 HIGH | 9.8 CRITICAL |
| iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows utility. In affected versions iTunesRPC-Remastered did not properly sanitize image file paths leading to OS level command injection. This issue has been patched in commit cdcd48b. Users are advised to upgrade. | |||||
| CVE-2021-20638 | 1 Logitech | 2 Lan-w300n\/pgrb, Lan-w300n\/pgrb Firmware | 2022-02-10 | 7.7 HIGH | 6.8 MEDIUM |
| LOGITEC LAN-W300N/PGRB allows an attacker with administrative privilege to execute arbitrary OS commands via unspecified vectors. | |||||