Total
1755 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26800 | 1 Ruijienetworks | 6 Rg-ew1200, Rg-ew1200 Firmware, Rg-ew1200g Pro and 3 more | 2023-04-03 | N/A | 9.8 CRITICAL |
| Ruijie Networks RG-EW1200 Wireless Routers EW_3.0(1)B11P204 was discovered to contain a command injetion vulnerability via the params.path parameter in the upgradeConfirm function. | |||||
| CVE-2023-23149 | 1 Dek-1705 Project | 2 Dek-1705, Dek-1705 Firmware | 2023-03-30 | N/A | 9.8 CRITICAL |
| DEK-1705 <=Firmware:34.23.1 device was discovered to have a command execution vulnerability. | |||||
| CVE-2019-12805 | 1 Ncsoft | 1 Nc Launcher2 | 2023-03-29 | 6.8 MEDIUM | 8.8 HIGH |
| NCSOFT Game Launcher, NC Launcher2 2.4.1.691 and earlier versions have a vulnerability in the custom protocol handler that could allow remote attacker to execute arbitrary command. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page. This can be leveraged for code execution in the context of the current user. | |||||
| CVE-2022-28496 | 1 Totolink | 2 Cp900, Cp900 Firmware | 2023-03-29 | N/A | 9.8 CRITICAL |
| TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 discovered to contain a command injection vulnerability in the setPasswordCfg function via the adminuser and adminpassparameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-28497 | 1 Totolink | 2 Cp900, Cp900 Firmware | 2023-03-28 | N/A | 9.8 CRITICAL |
| TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the mtd_write_bootloader function via the filename parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2023-27224 | 1 Jc21 | 1 Nginx Proxy Manager | 2023-03-27 | N/A | 9.8 CRITICAL |
| An issue found in NginxProxyManager v.2.9.19 allows an attacker to execute arbitrary code via a lua script to the configuration file. | |||||
| CVE-2023-27135 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2023-03-27 | N/A | 9.8 CRITICAL |
| TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the enabled parameter at /setting/setWanIeCfg. | |||||
| CVE-2023-27078 | 1 Tp-link | 2 Tl-mr3020, Tl-mr3020 Firmware | 2023-03-27 | N/A | 9.8 CRITICAL |
| A command injection issue was found in TP-Link MR3020 v.1_150921 that allows a remote attacker to execute arbitrary commands via a crafted request to the tftp endpoint. | |||||
| CVE-2023-27079 | 1 Tenda | 2 G103, G103 Firmware | 2023-03-27 | N/A | 7.5 HIGH |
| Command Injection vulnerability found in Tenda G103 v.1.0.05 allows an attacker to obtain sensitive information via a crafted package | |||||
| CVE-2021-43113 | 2 Debian, Itextpdf | 2 Debian Linux, Itext | 2023-03-24 | 7.5 HIGH | 9.8 CRITICAL |
| iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java. | |||||
| CVE-2022-42906 | 2 Debian, Powerline Gitstatus Project | 2 Debian Linux, Powerline Gitstatus | 2023-03-24 | N/A | 7.8 HIGH |
| powerline-gitstatus (aka Powerline Gitstatus) before 1.3.2 allows arbitrary code execution. git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory to one controlled by the attacker, such as in a shared filesystem or extracted archive, powerline-gitstatus will run arbitrary commands under the attacker's control. NOTE: this is similar to CVE-2022-20001. | |||||
| CVE-2023-28460 | 1 Arraynetworks | 21 Apv10650, Apv11600, Apv1600 and 18 more | 2023-03-24 | N/A | 7.2 HIGH |
| A command injection vulnerability was discovered in Array Networks APV products. A remote attacker can send a crafted packet after logging into the affected appliance as an administrator, resulting in arbitrary shell code execution. This is fixed in 8.6.1.262 or newer and 10.4.2.93 or newer. | |||||
| CVE-2023-28110 | 1 Fit2cloud | 2 Jumpserver, Koko | 2023-03-23 | N/A | 9.9 CRITICAL |
| Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. The vulnerability has been fixed in v2.28.8. | |||||
| CVE-2023-27240 | 1 Tenda | 2 Ax3, Ax3 Firmware | 2023-03-21 | N/A | 9.8 CRITICAL |
| Tenda AX3 V16.03.12.11 was discovered to contain a command injection vulnerability via the lanip parameter at /goform/AdvSetLanip. | |||||
| CVE-2023-27581 | 1 Github-slug-action Project | 1 Github-slug-action | 2023-03-17 | N/A | 8.8 HIGH |
| github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one's GitHub workflow. Starting in version 4.0.0` and prior to version 4.4.1, this action uses the `github.head_ref` parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. This can be used to execute code on the GitHub runners and to exfiltrate any secrets one uses in the CI pipeline. A patched action is available in version 4.4.1. No workaround is available. | |||||
| CVE-2023-0628 | 1 Docker | 1 Docker Desktop | 2023-03-17 | N/A | 7.8 HIGH |
| Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking a user to open a crafted malicious docker-desktop:// URL. | |||||
| CVE-2023-0093 | 1 Okta | 1 Advanced Server Access | 2023-03-13 | N/A | 8.8 HIGH |
| Okta Advanced Server Access Client versions 1.13.1 through 1.65.0 are vulnerable to command injection due to the third party library webbrowser. An outdated library, webbrowser, used by the ASA client was found to be vulnerable to command injection. To exploit this issue, an attacker would need to phish the user to enter an attacker controlled server URL during enrollment. | |||||
| CVE-2023-22760 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2023-03-10 | N/A | 7.2 HIGH |
| Authenticated remote command injection vulnerabilities exist in the ArubaOS web-based management interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running ArubaOS. | |||||
| CVE-2023-22761 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2023-03-10 | N/A | 7.2 HIGH |
| Authenticated remote command injection vulnerabilities exist in the ArubaOS web-based management interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running ArubaOS. | |||||
| CVE-2023-22759 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2023-03-10 | N/A | 7.2 HIGH |
| Authenticated remote command injection vulnerabilities exist in the ArubaOS web-based management interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running ArubaOS. | |||||