Total
3673 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7604 | 1 Pulverizr Project | 1 Pulverizr | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command. | |||||
| CVE-2020-16279 | 1 Rangee | 1 Rangeeos | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Kommbox component in Rangee GmbH RangeeOS 8.0.4 is vulnerable to Remote Code Execution due to untrusted user supplied input being passed to the command line without sanitization. | |||||
| CVE-2020-36246 | 1 Amaze File Manager Project | 1 Amaze File Manager | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| Amaze File Manager before 3.5.1 allows attackers to obtain root privileges via shell metacharacters in a symbolic link. | |||||
| CVE-2020-16257 | 1 Winstonprivacy | 2 Winston, Winston Firmware | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| Winston 1.5.4 devices are vulnerable to command injection via the API. | |||||
| CVE-2020-35459 | 2 Clusterlabs, Debian | 2 Crmsh, Debian Linux | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges. | |||||
| CVE-2020-13619 | 1 Locutus | 1 Locutus Php | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution. | |||||
| CVE-2019-15490 | 1 It-novum | 1 Openitcockpit | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21. | |||||
| CVE-2020-8466 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2, with the improved password hashing method enabled, could allow an unauthenticated attacker to execute certain commands by providing a manipulated password. | |||||
| CVE-2019-15310 | 1 Linkplay | 1 Linkplay | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on various devices via the Linkplay firmware. There is WAN remote code execution without user interaction. An attacker could retrieve the AWS key from the firmware and obtain full control over Linkplay's AWS estate, including S3 buckets containing device firmware. When combined with an OS command injection vulnerability within the XML Parsing logic of the firmware update process, an attacker would be able to gain code execution on any device that attempted to update. Note that by default all devices tested had automatic updates enabled. | |||||
| CVE-2020-7635 | 1 Compass-compile Project | 1 Compass-compile | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| compass-compile through 0.0.1 is vulnerable to Command Injection.It allows execution of arbitrary commands via tha options argument. | |||||
| CVE-2020-4206 | 1 Ibm | 1 Spectrum Protect Plus | 2021-07-21 | 9.0 HIGH | 8.8 HIGH |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to execute arbitrary commands on the system in the context of root user, caused by improper validation of user-supplied input. IBM X-Force ID: 174966. | |||||
| CVE-2019-10786 | 1 Network-manager Project | 1 Network-manager | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| network-manager through 1.0.2 allows remote attackers to execute arbitrary commands via the "execSync()" argument. | |||||
| CVE-2020-12620 | 1 Pi-hole | 1 Pi-hole | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection (shell metacharacters after an IP address). | |||||
| CVE-2020-27542 | 1 Company | 2 Cs-c2shw, Cs-c2shw Firmware | 2021-07-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| Rostelecom CS-C2SHW 5.0.082.1 is affected by: Bash command injection. The camera reads configuration from QR code (including network settings). The static IP configuration from QR code is copied to the file /config/ip-static and after reboot data from this file is inserted into bash command (without any escaping). So bash injection is possible. Camera doesn't parse QR codes if it's already successfully configured. Camera is always rebooted after successful configuration via QR code. | |||||
| CVE-2020-7786 | 1 Macfromip Project | 1 Macfromip | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package macfromip. The injection point is located in line 66 in macfromip.js. | |||||
| CVE-2019-12787 | 1 Dlink | 2 Dir-818lw, Dir-818lw Firmware | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2.06B01 BETA. There is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the Gateway key. | |||||
| CVE-2020-28494 | 1 Totaljs | 1 Total.js | 2021-07-21 | 7.5 HIGH | 8.6 HIGH |
| This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized. | |||||
| CVE-2020-7794 | 1 Buns Project | 1 Buns | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package buns. The injection point is located in line 678 in index file lib/index.js in the exported function install(requestedModule). | |||||
| CVE-2019-18370 | 1 Mi | 2 Millet Router 3g, Millet Router 3g Firmware | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. The backup file is in tar.gz format. After uploading, the application uses the tar zxf command to decompress, so one can control the contents of the files in the decompressed directory. In addition, the application's sh script for testing upload and download speeds reads a URL list from /tmp/speedtest_urls.xml, and there is a command injection vulnerability, as demonstrated by api/xqnetdetect/netspeed. | |||||
| CVE-2020-7596 | 1 Codecov | 1 Nodejs Uploader | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument. | |||||