Total
2452 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-20500 | 1 D-link | 2 Dwl-2600ap, Dwl-2600ap Firmware | 2020-03-06 | 7.2 HIGH | 7.8 HIGH |
| D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter. | |||||
| CVE-2020-3176 | 1 Cisco | 6 Remote Phy 120, Remote Phy 120 Firmware, Remote Phy 220 and 3 more | 2020-03-05 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in Cisco Remote PHY Device Software could allow an authenticated, local attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability exists because the affected software does not properly sanitize user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying certain CLI commands with crafted arguments. A successful exploit could allow the attacker to run arbitrary commands as the root user, which could result in a complete system compromise. | |||||
| CVE-2020-3167 | 1 Cisco | 27 Adaptive Security Appliance Software, Firepower 1010, Firepower 1120 and 24 more | 2020-03-03 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the CLI of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS). The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including crafted arguments to specific commands. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS with the privileges of the currently logged-in user for all affected platforms excluding Cisco UCS 6400 Series Fabric Interconnects. On Cisco UCS 6400 Series Fabric Interconnects, the injected commands are executed with root privileges. | |||||
| CVE-2020-3171 | 1 Cisco | 21 Firepower 2110, Firepower 2120, Firepower 2130 and 18 more | 2020-03-03 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the local management (local-mgmt) CLI of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by including crafted arguments to specific commands. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS with the privileges of the currently logged-in user for all affected platforms excluding Cisco UCS 6400 Series Fabric Interconnects. On Cisco UCS 6400 Series Fabric Interconnects, the injected commands are executed with root privileges. | |||||
| CVE-2019-10802 | 1 Mangoraft | 1 Giting | 2020-03-03 | 7.5 HIGH | 9.8 CRITICAL |
| giting version prior to 0.0.8 allows execution of arbritary commands. The first argument "repo" of function "pull()" is executed by the package without any validation. | |||||
| CVE-2020-3173 | 1 Cisco | 8 Ucs 6248up, Ucs 6296up, Ucs 6324 and 5 more | 2020-03-03 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the local management (local-mgmt) CLI of Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) on an affected device. The vulnerability is due to insufficient input validation of command arguments. An attacker could exploit this vulnerability by including crafted arguments to specific commands on the local management CLI. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS with the privileges of the currently logged-in user for all affected platforms excluding Cisco UCS 6400 Series Fabric Interconnects. On Cisco UCS 6400 Series Fabric Interconnects, the injected commands are executed with root privileges. | |||||
| CVE-2019-10803 | 1 Push-dir Project | 1 Push-dir | 2020-03-03 | 7.5 HIGH | 9.8 CRITICAL |
| push-dir through 0.4.1 allows execution of arbritary commands. Arguments provided as part of the variable "opt.branch" is not validated before being provided to the "git" command within "index.js#L139". This could be abused by an attacker to inject arbitrary commands. | |||||
| CVE-2019-12511 | 1 Netgear | 2 Nighthawk X10-r9000, Nighthawk X10-r9000 Firmware | 2020-03-03 | 9.3 HIGH | 9.8 CRITICAL |
| In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the "NETGEAR Genie" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled, and a valid authentication JWT, additional vulnerabilities (CVE-2019-12510) allow an attacker to interact with the entire SOAP API without authentication. Additionally, DNS rebinding techniques may be used to exploit this vulnerability remotely. Exploiting this vulnerability is somewhat involved. The following limitations apply to the payload and must be overcome for successful exploitation: - No more than 17 characters may be used. - At least one colon must be included to prevent mangling. - A single-quote and meta-character must be used to break out of the existing command. - Parent command remnants after the injection point must be dealt with. - The payload must be in all-caps. Despite these limitations, it is still possible to gain access to an interactive root shell via this vulnerability. Since the web server assigns certain HTTP headers to environment variables with all-caps names, it is possible to insert a payload into one such header and reference the subsequent environment variable in the injection point. | |||||
| CVE-2020-9463 | 1 Centreon | 1 Centreon | 2020-03-03 | 9.0 HIGH | 8.8 HIGH |
| Centreon 19.10 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the server_ip field in JSON data in an api/internal.php?object=centreon_configuration_remote request. | |||||
| CVE-2019-15609 | 1 Kill-port-process Project | 1 Kill-port-process | 2020-03-02 | 10.0 HIGH | 9.8 CRITICAL |
| The kill-port-process package version < 2.2.0 is vulnerable to a Command Injection vulnerability. | |||||
| CVE-2020-3169 | 1 Cisco | 16 Firepower 4110, Firepower 4115, Firepower 4120 and 13 more | 2020-02-28 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root on an affected device. The vulnerability is due to insufficient validation of arguments passed to a specific CLI command on the affected device. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with root privileges. An attacker would need valid administrator credentials to exploit this vulnerability. | |||||
| CVE-2019-19994 | 1 Seling | 1 Visual Access Manager | 2020-02-27 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. It allows blind Command Injection. An attacker without authentication is able to execute arbitrary operating system command by injecting the vulnerable parameter in the PHP Web page /common/vam_monitor_sap.php. | |||||
| CVE-2020-8963 | 1 Timetoolsltd | 20 Sc7105, Sc7105 Firmware, Sc9205 and 17 more | 2020-02-25 | 10.0 HIGH | 9.8 CRITICAL |
| TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.007, SR9210 1.0.007, SR9750 1.0.007, SR9850 1.0.007, T100 1.0.003, T300 1.0.003, and T550 1.0.003 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the t3.cgi srmodel or srtime parameter. | |||||
| CVE-2014-2727 | 1 Trustwave | 1 Mailmarshal | 2020-02-25 | 7.5 HIGH | 9.8 CRITICAL |
| The STARTTLS implementation in MailMarshal before 7.2 allows plaintext command injection. | |||||
| CVE-2020-6841 | 1 D-link | 2 Dch-m225, Dch-m225 Firmware | 2020-02-25 | 10.0 HIGH | 9.8 CRITICAL |
| D-Link DCH-M225 1.05b01 and earlier devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the spotifyConnect.php userName parameter. | |||||
| CVE-2020-6842 | 1 D-link | 2 Dch-m225, Dch-m225 Firmware | 2020-02-25 | 9.0 HIGH | 7.2 HIGH |
| D-Link DCH-M225 1.05b01 and earlier devices allow remote authenticated admins to execute arbitrary OS commands via shell metacharacters in the media renderer name. | |||||
| CVE-2020-8949 | 1 Gocloud | 10 Isp3000, Isp3000 Firmware, S2a and 7 more | 2020-02-25 | 9.0 HIGH | 8.8 HIGH |
| Gocloud S2A_WL 4.2.7.16471, S2A 4.2.7.17278, S2A 4.3.0.15815, S2A 4.3.0.17193, S3A K2P MTK 4.2.7.16528, S3A 4.3.0.16572, and ISP3000 4.3.0.17190 devices allows remote attackers to execute arbitrary OS commands via shell metacharacters in a ping operation, as demonstrated by the cgi-bin/webui/admin/tools/app_ping/diag_ping/; substring. | |||||
| CVE-2020-5524 | 1 Nec | 6 Aterm Wf1200c, Aterm Wf1200c Firmware, Aterm Wg1200cr and 3 more | 2020-02-21 | 8.3 HIGH | 8.8 HIGH |
| Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an attacker on the same network segment to execute arbitrary OS commands with root privileges via UPnP function. | |||||
| CVE-2020-5525 | 1 Nec | 6 Aterm Wf1200c, Aterm Wf1200c Firmware, Aterm Wg1200cr and 3 more | 2020-02-21 | 7.7 HIGH | 8.0 HIGH |
| Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via management screen. | |||||
| CVE-2020-5534 | 1 Nec | 2 Aterm Wg2600hs, Aterm Wg2600hs Firmware | 2020-02-21 | 7.7 HIGH | 8.0 HIGH |
| Aterm WG2600HS firmware Ver1.3.2 and earlier allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via unspecified vectors. | |||||