Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-78
Total 2452 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-15978 1 Cisco 1 Data Center Network Manager 2023-02-03 9.0 HIGH 7.2 HIGH
Multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker with administrative privileges on the DCNM application to inject arbitrary commands on the underlying operating system (OS). For more information about these vulnerabilities, see the Details section of this advisory. Note: The severity of these vulnerabilities is aggravated by the vulnerabilities described in the Cisco Data Center Network Manager Authentication Bypass Vulnerabilities advisory, published simultaneously with this one.
CVE-2020-35576 1 Tp-link 2 Tl-wr841n, Tl-wr841n Firmware 2023-02-02 9.0 HIGH 8.8 HIGH
A Command Injection issue in the traceroute feature on TP-Link TL-WR841N V13 (JP) with firmware versions prior to 201216 allows authenticated users to execute arbitrary code as root via shell metacharacters, a different vulnerability than CVE-2018-12577.
CVE-2019-15014 1 Zingbox 1 Inspector 2023-02-02 9.0 HIGH 8.8 HIGH
A command injection vulnerability exists in the Zingbox Inspector versions 1.286 and earlier, that allows for an authenticated user to execute arbitrary system commands in the CLI.
CVE-2018-3786 1 Eggjs 1 Egg-scripts 2023-02-02 10.0 HIGH 9.8 CRITICAL
A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument.
CVE-2018-3785 1 Git-dummy-commit Project 1 Git-dummy-commit 2023-02-02 10.0 HIGH 9.8 CRITICAL
A command injection in git-dummy-commit v1.3.0 allows os level commands to be executed due to an unescaped parameter.
CVE-2021-31854 1 Mcafee 1 Agent 2023-02-02 9.3 HIGH 7.8 HIGH
A command Injection Vulnerability in McAfee Agent (MA) for Windows prior to 5.7.5 allows local users to inject arbitrary shell code into the file cleanup.exe. The malicious clean.exe file is placed into the relevant folder and executed by running the McAfee Agent deployment feature located in the System Tree. An attacker may exploit the vulnerability to obtain a reverse shell which can lead to privilege escalation to obtain root privileges.
CVE-2018-7082 2 Arubanetworks, Siemens 3 Aruba Instant, Scalance W1750d, Scalance W1750d Firmware 2023-02-02 9.0 HIGH 7.2 HIGH
A command injection vulnerability is present in Aruba Instant that permits an authenticated administrative user to execute arbitrary commands on the underlying operating system. A malicious administrator could use this ability to install backdoors or change system configuration in a way that would not be logged. Workaround: None. Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0
CVE-2021-31838 1 Mcafee 1 Mvision Edr 2023-02-02 9.0 HIGH 9.1 CRITICAL
A command injection vulnerability in MVISION EDR (MVEDR) prior to 3.4.0 allows an authenticated MVEDR administrator to trigger the EDR client to execute arbitrary commands through PowerShell using the EDR functionality 'execute reaction'.
CVE-2022-40969 1 Siretta 2 Quartz-gold, Quartz-gold Firmware 2023-02-02 N/A 8.8 HIGH
An os command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2022-38066 1 Siretta 2 Quartz-gold, Quartz-gold Firmware 2023-02-02 N/A 8.8 HIGH
An OS command injection vulnerability exists in the httpd SNMP functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP response can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.
CVE-2022-40220 1 Siretta 2 Quartz-gold, Quartz-gold Firmware 2023-02-02 N/A 8.8 HIGH
An OS command injection vulnerability exists in the httpd txt/restore.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2022-40222 1 Siretta 2 Quartz-gold, Quartz-gold Firmware 2023-02-02 N/A 9.8 CRITICAL
An OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.
CVE-2022-45639 1 Sleuthkit 1 The Sleuth Kit 2023-02-02 N/A 7.8 HIGH
** DISPUTED ** OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter. NOTE: third parties have disputed this because there is no analysis showing that the backtick command executes outside the context of the user account that entered the command line.
CVE-2022-40720 1 Dlink 2 Dir-2150, Dir-2150 Firmware 2023-02-02 N/A 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 4.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Dreambox plugin for the xupnpd service, which listens on TCP port 4044 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the router. Was ZDI-CAN-15935.
CVE-2022-40719 1 Dlink 2 Dir-2150, Dir-2150 Firmware 2023-02-02 N/A 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 4.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd_generic.lua plugin for the xupnpd service, which listens on TCP port 4044 by default. When parsing the feed parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15906.
CVE-2018-3969 1 Getcujo 1 Smart Firewall 2023-02-02 7.2 HIGH 7.8 HIGH
An exploitable vulnerability exists in the verified boot protection of the CUJO Smart Firewall. It is possible to add arbitrary shell commands into the dhcpd.conf file, that persist across reboots and firmware updates, and thus allow for executing unverified commands. To trigger this vulnerability, a local attacker needs to be able to write into /config/dhcpd.conf.
CVE-2018-3952 1 Nordvpn 1 Nordvpn 2023-02-02 7.2 HIGH 8.8 HIGH
An exploitable code execution vulnerability exists in the connect functionality of NordVPN 6.14.28.0. A specially crafted configuration file can cause a privilege escalation, resulting in the execution of arbitrary commands with system privileges.
CVE-2018-3910 1 Yitechnology 3 Yi Home, Yi Home Camera, Yi Home Camera Firmware 2023-02-01 5.4 MEDIUM 8.0 HIGH
An exploitable code execution vulnerability exists in the cloud OTA setup functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted SSID can cause a command injection, resulting in code execution. An attacker can cause a camera to connect to this SSID to trigger this vulnerability. Alternatively, an attacker can convince a user to connect their camera to this SSID.
CVE-2018-3890 1 Yitechnology 2 Yi Home Camera, Yi Home Camera Firmware 2023-02-01 4.6 MEDIUM 6.8 MEDIUM
An exploitable code execution vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted file can cause a logic flaw and command injection, resulting in code execution. An attacker can insert an SD card to trigger this vulnerability.
CVE-2018-15877 1 Plainview Activity Monitor Project 1 Plainview Activity Monitor 2023-02-01 9.0 HIGH 8.8 HIGH
The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.