Total: 3673 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-36293 | 1 Dell | 10 Emc Unity Operating Environment, Vnx5200, Vnx5400 and 7 more | 2022-04-14 | 4.6 MEDIUM | 6.7 MEDIUM |
Dell VNX2 for File version 8.1.21.266 and earlier contains a privilege escalation vulnerability. A local malicious admin may potentially exploit this vulnerability and gain elevated privileges. | |||||
CVE-2022-26670 | 1 Dlink | 2 Dir-878, Dir-878 Firmware | 2022-04-14 | 8.3 HIGH | 8.8 HIGH |
D-Link DIR-878 has inadequate filtering for special characters in the webpage input field. An unauthenticated LAN attacker can perform a command injection attack to execute arbitrary system commands to control the system or disrupt service. | |||||
CVE-2020-27373 | 1 Drtrustusa | 2 Icheck Connect Bp Monitor Bp Testing 118, Icheck Connect Bp Monitor Bp Testing 118 Firmware | 2022-04-14 | 8.3 HIGH | 8.8 HIGH |
Dr Trust USA iCheck Connect BP Monitor BP Testing 118 1.2.1 is vulnerable to plaintext command transmission over BLE. | |||||
CVE-2021-24009 | 1 Fortinet | 1 Fortiwan | 2022-04-13 | 9.0 HIGH | 8.8 HIGH |
Multiple improper neutralization of special elements used in an OS command vulnerabilities (CWE-78) in the Web GUI of FortiWAN before 4.5.9 may allow an authenticated attacker to execute arbitrary commands on the underlying system's shell via specifically crafted HTTP requests. | |||||
CVE-2021-22127 | 1 Fortinet | 1 Forticlient | 2022-04-13 | 7.9 HIGH | 8.0 HIGH |
An improper input validation vulnerability in FortiClient for Linux 6.4.x before 6.4.3 and FortiClient for Linux 6.2.x before 6.2.9 may allow an unauthenticated attacker to execute arbitrary code on the host operating system as root via tricking the user into connecting to a network with a malicious name. | |||||
CVE-2021-26116 | 1 Fortinet | 1 Fortiauthenticator | 2022-04-13 | 6.5 MEDIUM | 8.8 HIGH |
An improper neutralization of special elements used in an OS command vulnerability in the command line interpreter of FortiAuthenticator before 6.3.1 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands. | |||||
CVE-2022-24803 | 1 Asciidoctor-include-ext Project | 1 Asciidoctor-include-ext | 2022-04-11 | 10.0 HIGH | 9.8 CRITICAL |
Asciidoctor-include-ext is Asciidoctor’s standard include processor reimplemented as an extension. Versions prior to 0.4.0, when used to render user-supplied input in AsciiDoc markup, may allow an attacker to execute arbitrary system commands on the host operating system. This attack is possible even when `allow-uri-read` is disabled! The problem has been patched in the referenced commits. | |||||
CVE-2022-25017 | 1 Hitrontech | 2 Chita, Chita Firmware | 2022-04-09 | 9.0 HIGH | 8.8 HIGH |
Hitron CHITA 7.2.2.0.3b6-CD devices contain a command injection vulnerability via the Device/DDNS ddnsUsername field. | |||||
CVE-2022-24796 | 1 Raspberrymatic | 1 Raspberrymatic | 2022-04-08 | 10.0 HIGH | 9.8 CRITICAL |
RaspberryMatic is a free and open-source operating system for running a cloud-free smart-home using the homematicIP / HomeMatic hardware line of IoT devices. A Remote Code Execution (RCE) vulnerability in the file upload facility of the WebUI interface of RaspberryMatic exists. Missing input validation/sanitization in the file upload mechanism allows remote, unauthenticated attackers with network access to the WebUI interface to achieve arbitrary operating system command execution via shell metacharacters in the HTTP query string. Injected commands are executed as root, thus leading to a full compromise of the underlying system and all its components. Versions after `2.31.25.20180428` and prior to `3.63.8.20220330` are affected. Users are advised to update to version `3.63.8.20220330` or newer. There are currently no known workarounds to mitigate the security impact and users are advised to update to the latest version available. | |||||
CVE-2022-0848 | 1 Part-db Project | 1 Part-db | 2022-04-08 | 10.0 HIGH | 9.8 CRITICAL |
OS Command Injection in GitHub repository part-db/part-db prior to 0.5.11. | |||||
CVE-2022-22986 | 1 Ntt-east | 8 Og410xa, Og410xa Firmware, Og410xi and 5 more | 2022-04-08 | 8.3 HIGH | 8.8 HIGH |
Netcommunity OG410X and OG810X series (Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier) allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file. | |||||
CVE-2021-26472 | 2 Microsoft, Vembu | 3 Windows, Bdr Suite, Offsite Dr | 2022-04-06 | 10.0 HIGH | 9.8 CRITICAL |
In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges. | |||||
CVE-2021-46007 | 1 Totolink | 2 Ar3100r, Ar3100r Firmware | 2022-04-05 | 10.0 HIGH | 9.8 CRITICAL |
TOTOLINK A3100R V5.9c.4577 is vulnerable to OS command injection. The backend of a page executes the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks. | |||||
CVE-2021-20039 | 1 Sonicwall | 10 Sma 200, Sma 200 Firmware, Sma 210 and 7 more | 2022-04-01 | 9.0 HIGH | 8.8 HIGH |
Improper neutralization of special elements in the SMA100 management interface '/cgi-bin/viewcert' POST HTTP method allows a remote authenticated attacker to inject arbitrary commands as the 'nobody' user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances. | |||||
CVE-2021-39459 | 1 Redaxo | 1 Redaxo | 2022-03-31 | 9.0 HIGH | 7.2 HIGH |
Remote code execution in the modules component in Yakamara Media Redaxo CMS version 5.12.1 allows an authenticated CMS user to execute code on the hosting system via a module containing malicious PHP code. | |||||
CVE-2022-27945 | 1 Netgear | 2 R8500, R8500 Firmware | 2022-03-31 | 9.0 HIGH | 8.8 HIGH |
NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to password.cgi. | |||||
CVE-2022-27946 | 1 Netgear | 2 R8500, R8500 Firmware | 2022-03-31 | 9.0 HIGH | 8.8 HIGH |
NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to admin_account.cgi. | |||||
CVE-2022-27947 | 1 Netgear | 2 R8500, R8500 Firmware | 2022-03-31 | 9.0 HIGH | 8.8 HIGH |
NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the ipv6_fix.cgi ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, or ipv6_lan_length parameter. | |||||
CVE-2021-27476 | 1 Rockwellautomation | 1 Factorytalk Assetcentre | 2022-03-30 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability exists in the SaveConfigFile function of the RACompare Service, which may allow for OS command injection. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier. | |||||
CVE-2022-22951 | 2 Microsoft, Vmware | 2 Windows, Carbon Black App Control | 2022-03-29 | 9.0 HIGH | 9.1 CRITICAL |
VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x prior to 8.6.6, 8.7.x prior to 8.7.4 and 8.8.x prior to 8.8.2) contains an OS command injection vulnerability. An authenticated, high privileged malicious actor with network access to the VMware App Control administration interface may be able to execute commands on the server due to improper input validation leading to remote code execution. | |||||