Total
2452 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12780 | 1 Belkin | 2 Crock-pot Smart Slow Cooker With Wemo, Crock-pot Smart Slow Cooker With Wemo Firmware | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. A simple POST request to /upnp/control/basicevent1 can allow an attacker to execute commands without authentication. | |||||
| CVE-2019-12771 | 1 Thinstation Project | 1 Thinstation | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Command injection is possible in ThinStation through 6.1.1 via shell metacharacters after the cgi-bin/CdControl.cgi action= substring, or after the cgi-bin/VolControl.cgi OK= substring. | |||||
| CVE-2019-12585 | 2 Apcupsd, Netgate | 2 Apcupsd, Pfsense | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php. | |||||
| CVE-2018-5265 | 1 Ui | 2 Edgeos, Erlite-3 | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| Ubiquiti EdgeOS 1.9.1 on EdgeRouter Lite devices allows remote attackers to execute arbitrary code with admin credentials, because /opt/vyatta/share/vyatta-cfg/templates/system/static-host-mapping/host-name/node.def does not sanitize the 'alias' or 'ips' parameter for shell metacharacters. | |||||
| CVE-2019-12489 | 1 Fastweb | 2 Askey Rtv1907vw, Askey Rtv1907vw Firmware | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Fastweb Askey RTV1907VW 0.00.81_FW_200_Askey 2018-10-02 18:08:18 devices. By using the usb_remove service through an HTTP request, it is possible to inject and execute a command between two & characters in the mount parameter. | |||||
| CVE-2019-12328 | 1 Atcom | 2 A10w, A10w Firmware | 2020-08-24 | 9.0 HIGH | 8.8 HIGH |
| A command injection (missing input validation) issue in the remote phonebook configuration URI in the web interface of the Atcom A10W VoIP phone with firmware 2.6.1a2421 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request. | |||||
| CVE-2019-12324 | 1 Akuvox | 2 Sp-r50p, Sp-r50p Firmware | 2020-08-24 | 9.0 HIGH | 7.2 HIGH |
| A command injection (missing input validation) issue in the IP address field for the logging server in the configuration web interface on the Akuvox R50P VoIP phone with firmware 50.0.6.156 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request. | |||||
| CVE-2019-12272 | 1 Openwrt | 1 Luci | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. | |||||
| CVE-2019-12103 | 1 Tp-link | 2 M7350, M7350 Firmware | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by a pre-authentication command injection vulnerability. | |||||
| CVE-2019-11689 | 1 Asustor | 1 Exfat Driver | 2020-08-24 | 9.3 HIGH | 8.1 HIGH |
| An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. When conducting license validation, exfat.cgi and exfatctl fail to properly validate server responses and pass unsanitized text to the system shell, resulting in code execution as root. | |||||
| CVE-2019-11410 | 1 Fusionpbx | 1 Fusionpbx | 2020-08-24 | 9.0 HIGH | 7.2 HIGH |
| app/backup/index.php in the Backup Module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute commands on the host. | |||||
| CVE-2019-11353 | 1 Engeniustech | 2 Ews660ap, Ews660ap Firmware | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| The EnGenius EWS660AP router with firmware 2.0.284 allows an attacker to execute arbitrary commands using the built-in ping and traceroute utilities by using different payloads and injecting multiple parameters. This vulnerability is fixed in a later firmware version. | |||||
| CVE-2019-11319 | 1 Motorola | 4 Cx2, Cx2 Firmware, M2 and 1 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Motorola CX2 1.01 and M2 1.01. There is a command injection in the function downloadFirmware in hnap, which leads to remote code execution via shell metacharacters in a JSON value. | |||||
| CVE-2019-11322 | 1 Motorola | 4 Cx2, Cx2 Firmware, M2 and 1 more | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Motorola CX2 1.01 and M2 1.01. There is a command injection in the function startRmtAssist in hnap, which leads to remote code execution via shell metacharacters in a JSON value. | |||||
| CVE-2019-10804 | 1 Serial-number Project | 1 Serial-number | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| serial-number through 1.3.0 allows execution of arbritary commands. The "cmdPrefix" argument in serialNumber function is used by the "exec" function without any validation. | |||||
| CVE-2019-10801 | 1 Enpeem Project | 1 Enpeem | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| enpeem through 2.2.0 allows execution of arbitrary commands. The "options.dir" argument is provided to the "exec" function without any sanitization. | |||||
| CVE-2019-10796 | 1 Rpi Project | 1 Rpi | 2020-08-24 | 6.8 MEDIUM | 9.8 CRITICAL |
| rpi through 0.0.3 allows execution of arbritary commands. The variable pinNumbver in function GPIO within src/lib/gpio.js is used as part of the arguement of exec function without any sanitization. | |||||
| CVE-2019-10791 | 1 Promise-probe Project | 1 Promise-probe | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| promise-probe before 0.10.0 allows remote attackers to perform a command injection attack. The file, outputFile and options functions can be controlled by users without any sanitization. | |||||
| CVE-2019-10788 | 1 Dnt | 1 Im-metadata | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| im-metadata through 3.0.1 allows remote attackers to execute arbitrary commands via the "exec" argument. It is possible to inject arbitrary commands as part of the metadata options which is given to the "exec" function. | |||||
| CVE-2019-10787 | 1 Dnt | 1 Im-resize | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| im-resize through 2.3.2 allows remote attackers to execute arbitrary commands via the "exec" argument. The cmd argument used within index.js, can be controlled by user without any sanitization. | |||||