Total
3673 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-13338 | 1 Terra-master | 1 Terramaster Operating System | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation. | |||||
| CVE-2017-3761 | 1 Lenovo | 1 Service Framework | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution. | |||||
| CVE-2017-16666 | 1 Xplico | 1 Xplico | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
| Xplico before 1.2.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the name of an uploaded PCAP file. NOTE: this issue can be exploited without authentication by leveraging the user registration feature. | |||||
| CVE-2018-11175 | 1 Quest | 1 Disk Backup | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 33 of 46). | |||||
| CVE-2018-15709 | 1 Nagios | 1 Nagios Xi | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request. | |||||
| CVE-2018-7890 | 1 Zohocorp | 1 Manageengine Applications Manager | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection. | |||||
| CVE-2018-0708 | 1 Qnap | 1 Q\'center | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
| Command injection vulnerability in networking of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands. | |||||
| CVE-2018-16216 | 1 Audiocodes | 2 405hd, 405hd Firmware | 2019-10-03 | 7.7 HIGH | 8.0 HIGH |
| A command injection (missing input validation, escaping) in the monitoring or memory status web interface in AudioCodes 405HD (firmware 2.2.12) VoIP phone allows an authenticated remote attacker in the same network as the device to trigger OS commands (like starting telnetd or opening a reverse shell) via a POST request to the web server. In combination with another attack (unauthenticated password change), the attacker can circumvent the authentication requirement. | |||||
| CVE-2018-11147 | 1 Quest | 1 Disk Backup | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 5 of 46). | |||||
| CVE-2017-7414 | 1 Horde | 1 Groupware | 2019-10-03 | 5.1 MEDIUM | 7.5 HIGH |
| In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it. | |||||
| CVE-2018-11169 | 1 Quest | 1 Disk Backup | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 27 of 46). | |||||
| CVE-2017-6361 | 1 Qnap | 1 Qts | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbitrary commands via unspecified vectors. | |||||
| CVE-2018-11156 | 1 Quest | 1 Disk Backup | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 14 of 46). | |||||
| CVE-2018-16055 | 1 Netgate | 1 Pfsense | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
| An authenticated command injection vulnerability exists in status_interfaces.php via dhcp_relinquish_lease() in pfSense before 2.4.4 due to its passing user input from the $_POST parameters "ifdescr" and "ipv" to a shell without escaping the contents of the variables. This allows an authenticated WebGUI user with privileges for the affected page to execute commands in the context of the root user when submitting a request to relinquish a DHCP lease for an interface which is configured to obtain its address via DHCP. | |||||
| CVE-2018-19290 | 1 Budabot | 1 Budabot | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation allows remote attackers to perform a command injection attack against the PHP daemon with a crafted command, resulting in a denial of service or possibly unspecified other impact, as demonstrated by the "!calc 5 x 5" command. In versions before 3.0, modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above, modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code. | |||||
| CVE-2018-12268 | 1 Acccheck Project | 1 Acccheck.pl | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| acccheck.pl in acccheck 0.2.1 allows Command Injection via shell metacharacters in a username or password file, as demonstrated by injection into an smbclient command line. | |||||
| CVE-2017-1000159 | 1 Gnome | 1 Evince | 2019-10-03 | 4.6 MEDIUM | 7.8 HIGH |
| Command injection in evince via filename when printing to PDF. This affects versions earlier than 3.25.91. | |||||
| CVE-2018-0710 | 1 Qnap | 1 Q\'center | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
| Command injection vulnerability in SSH of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands. | |||||
| CVE-2018-14933 | 1 Nuuo | 2 Nvrmini, Nvrmini Firmware | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
| upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command. | |||||
| CVE-2018-1000885 | 1 Phkp Project | 1 Phkp | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| PHKP version including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b contains a Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in function pgp_exec() phkp.php:98 that can result in It is possible to manipulate gpg-keys or execute commands remotely. This attack appear to be exploitable via HKP-Api: /pks/lookup?search. | |||||