Total
138 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-34816 | 1 Etherpad | 1 Etherpad | 2021-07-30 | 6.5 MEDIUM | 7.2 HIGH |
| An Argument Injection issue in the plugin management of Etherpad 1.8.13 allows privileged users to execute arbitrary code on the server by installing plugins from an attacker-controlled source. | |||||
| CVE-2019-3463 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Insufficient sanitization of arguments passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands. | |||||
| CVE-2019-18888 | 2 Fedoraproject, Sensiolabs | 2 Fedora, Symfony | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x). | |||||
| CVE-2019-9794 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Firefox Esr and 1 more | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability was discovered where specific command line arguments are not properly discarded during Firefox invocation as a shell handler for URLs. This could be used to retrieve and execute files whose location is supplied through these command line arguments if Firefox is configured as the default URI handler for a given URI scheme in third party applications and these applications insufficiently sanitize URL data. *Note: This issue only affects Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66. | |||||
| CVE-2020-13699 | 2 Microsoft, Teamviewer | 2 Windows, Teamviewer | 2021-07-21 | 6.8 MEDIUM | 8.8 HIGH |
| TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: --play URL. An attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking. This affects teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3. | |||||
| CVE-2020-14049 | 1 Rakuten | 1 Viber | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Viber for Windows up to 13.2.0.39 does not properly quote its custom URI handler. A malicious website could launch Viber with arbitrary parameters, forcing a victim to send an NTLM authentication request, and either relay the request or capture the hash for offline password cracking. NOTE: this issue exists because of an incomplete fix for CVE-2019-12569. | |||||
| CVE-2020-25268 | 1 Ilias | 1 Ilias | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Remote Code Execution can occur via the external news feed in ILIAS 6.4 because of incorrect parameter sanitization for Magpie RSS data. | |||||
| CVE-2020-5599 | 1 Mitsubishielectric | 4 Coreos, Got2000 Gt23, Got2000 Gt25 and 1 more | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet. | |||||
| CVE-2020-7769 | 1 Nodemailer | 1 Nodemailer | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails. | |||||
| CVE-2019-10746 | 1 Mixin-deep Project | 1 Mixin-deep | 2021-07-20 | 7.5 HIGH | 9.8 CRITICAL |
| mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. | |||||
| CVE-2021-36122 | 1 Echobh | 1 Sharecare | 2021-07-15 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Echo ShareCare 8.15.5. The UnzipFile feature in Access/EligFeedParse_Sup/UnzipFile_Upd.cfm is susceptible to a command argument injection vulnerability when processing remote input in the zippass parameter from an authenticated user, leading to the ability to inject arbitrary arguments to 7z.exe. | |||||
| CVE-2021-24002 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2021-07-02 | 6.8 MEDIUM | 8.8 HIGH |
| When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88. | |||||
| CVE-2021-3256 | 1 Kuaifan | 1 Kuaifancms | 2021-06-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| KuaiFanCMS V5.x contains an arbitrary file read vulnerability in the html_url parameter of the chakanhtml.module.php file. | |||||
| CVE-2021-33564 | 1 Dragonfly Project | 1 Dragonfly | 2021-06-10 | 6.8 MEDIUM | 9.8 CRITICAL |
| An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility. | |||||
| CVE-2021-31909 | 1 Jetbrains | 1 Teamcity | 2021-05-14 | 7.5 HIGH | 9.8 CRITICAL |
| In JetBrains TeamCity before 2020.2.3, argument injection leading to remote code execution was possible. | |||||
| CVE-2020-7851 | 4 Apple, Innorix, Linux and 1 more | 4 Macos, File Transfer Solution, Linux Kernel and 1 more | 2021-04-23 | 6.8 MEDIUM | 7.8 HIGH |
| Innorix Web-Based File Transfer Solution versuibs prior to and including 9.2.18.385 contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the internal method. A remote attacker could induce a user to access a crafted web page, causing damage such as malicious code infection. | |||||
| CVE-2021-21384 | 3 Microsoft, Opengroup, Shescape Project | 3 Windows, Unix, Shescape | 2021-04-22 | 4.6 MEDIUM | 7.8 HIGH |
| shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using _Shescape_ to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a into the payload. For an example see the referenced GitHub Security Advisory. The problem has been patched in version 1.1.3. No further changes are required. | |||||
| CVE-2021-1485 | 1 Cisco | 1 Ios Xr | 2021-04-20 | 7.2 HIGH | 7.8 HIGH |
| A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges on the underlying Linux operating system (OS) of an affected device. This vulnerability is due to insufficient input validation of commands that are supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to an affected command. A successful exploit could allow the attacker to execute commands on the underlying Linux OS with root privileges. | |||||
| CVE-2020-7850 | 2 Douzone, Microsoft | 2 Nbbdownloader.ocx, Windows | 2021-04-01 | 6.8 MEDIUM | 7.8 HIGH |
| NBBDownloader.ocx ActiveX Control in Groupware contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the activex method. A remote attacker could induce a user to access a crafted web page, causing damage such as malicious code infection. | |||||
| CVE-2021-1454 | 1 Cisco | 2 Ios Xe, Ios Xe Sd-wan | 2021-03-29 | 7.2 HIGH | 6.7 MEDIUM |
| Multiple vulnerabilities in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to access the underlying operating system with root privileges. These vulnerabilities are due to insufficient input validation of certain CLI commands. An attacker could exploit these vulnerabilities by authenticating to the device and submitting crafted input to the CLI. The attacker must be authenticated as an administrative user to execute the affected commands. A successful exploit could allow the attacker to access the underlying operating system with root privileges. | |||||