Total
1755 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-29946 | 1 Splunk | 1 Splunk | 2024-04-10 | N/A | 8.1 HIGH |
| In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the Dashboard Examples Hub lacks protections for risky SPL commands. This could let attackers bypass SPL safeguards for risky commands in the Hub. The vulnerability would require the attacker to phish the victim by tricking them into initiating a request within their browser. | |||||
| CVE-2023-40598 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-04-10 | N/A | 8.8 HIGH |
| In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform Instance. | |||||
| CVE-2023-22935 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-04-10 | N/A | 8.8 HIGH |
| In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘display.page.search.patterns.sensitivity’ search parameter lets a search bypass SPL safeguards for risky commands. The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled. | |||||
| CVE-2024-27972 | 2024-04-03 | N/A | 9.9 CRITICAL | ||
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Very Good Plugins WP Fusion Lite allows Command Injection.This issue affects WP Fusion Lite: from n/a through 3.41.24. | |||||
| CVE-2023-41724 | 1 Ivanti | 1 Standalone Sentry | 2024-04-01 | N/A | 8.8 HIGH |
| A command injection vulnerability in Ivanti Sentry prior to 9.19.0 allows unauthenticated threat actor to execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network. | |||||
| CVE-2024-24897 | 2024-03-25 | N/A | 8.1 HIGH | ||
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in openEuler A-Tune-Collector on Linux allows Command Injection. This vulnerability is associated with program files https://gitee.Com/openeuler/A-Tune-Collector/blob/master/atune_collector/plugin/monitor/process/sched.Py. This issue affects A-Tune-Collector: from 1.1.0-3 through 1.3.0. | |||||
| CVE-2021-29154 | 4 Debian, Fedoraproject, Linux and 1 more | 20 Debian Linux, Fedora, Linux Kernel and 17 more | 2024-03-25 | 7.2 HIGH | 7.8 HIGH |
| BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. | |||||
| CVE-2023-39362 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2024-03-18 | N/A | 7.2 HIGH |
| Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions, with similar behavior, that accept in input some variables and place them into an `exec` call without a proper escape or validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-41334 | 2024-03-18 | N/A | 8.4 HIGH | ||
| Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue. | |||||
| CVE-2023-40796 | 1 Phicomm | 2 K2, K2 Firmware | 2024-03-07 | N/A | 7.8 HIGH |
| Phicomm k2 v22.6.529.216 was discovered to contain a command injection vulnerability via the function luci.sys.call. | |||||
| CVE-2023-31729 | 1 Totolink | 2 A3300r, A3300r Firmware | 2024-03-07 | N/A | 9.8 CRITICAL |
| TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection via /cgi-bin/cstecgi.cgi. | |||||
| CVE-2024-0817 | 2024-03-07 | N/A | 9.3 CRITICAL | ||
| Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0 | |||||
| CVE-2024-1374 | 1 Github | 1 Enterprise Server | 2024-03-06 | N/A | 9.1 CRITICAL |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via nomad templates when configuring audit log forwarding. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com . | |||||
| CVE-2024-1359 | 1 Github | 1 Enterprise Server | 2024-03-05 | N/A | 9.1 CRITICAL |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting up an HTTP proxy. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com . | |||||
| CVE-2024-1355 | 1 Github | 1 Enterprise Server | 2024-03-05 | N/A | 9.1 CRITICAL |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the actions-console docker container while setting a service URL. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2024-1354 | 1 Github | 1 Enterprise Server | 2024-03-05 | N/A | 8.0 HIGH |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the `syslog-ng` configuration file. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2024-22545 | 1 Trendnet | 2 Tew-824dru, Tew-824dru Firmware | 2024-03-05 | N/A | 7.8 HIGH |
| An issue was discovered in TRENDnet TEW-824DRU version 1.04b01, allows unauthenticated attackers to execute arbitrary code via the system.ntp.server parameter in the sub_420AE0() function. The attack can be launched remotely. | |||||
| CVE-2024-1369 | 1 Github | 1 Enterprise Server | 2024-03-05 | N/A | 9.1 CRITICAL |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting the username and password for collectd configurations. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com . | |||||
| CVE-2024-1372 | 1 Github | 1 Enterprise Server | 2024-03-05 | N/A | 9.1 CRITICAL |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring SAML settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com . | |||||
| CVE-2021-3621 | 2 Fedoraproject, Redhat | 8 Fedora, Sssd, Enterprise Linux and 5 more | 2024-03-04 | 9.3 HIGH | 8.8 HIGH |
| A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | |||||