Vulnerabilities (CVE)

Filtered by CWE-78
Total 3673 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2008-2575 2 Fedoraproject, Jcoppens 2 Fedora, Cbrpager 2024-02-02 6.8 MEDIUM N/A
cbrPager before 0.9.17 allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a (1) ZIP (aka .cbz) or (2) RAR (aka .cbr) archive filename.
CVE-2003-0041 3 Mandrakesoft, Mit, Redhat 4 Mandrake Linux, Mandrake Multi Network Firewall, Kerberos Ftp Client and 1 more 2024-02-02 10.0 HIGH N/A
Kerberos FTP client allows remote FTP sites to execute arbitrary code via a pipe (|) character in a filename that is retrieved by the client.
CVE-2002-1898 1 Apple 2 Mac Os X, Terminal 2024-02-02 7.2 HIGH N/A
Terminal 1.3 in Apple Mac OS X 10.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a telnet:// link, which is executed by Terminal.app window.
CVE-2019-5736 13 Apache, Canonical, D2iq and 10 more 19 Mesos, Ubuntu Linux, Dc\/os and 16 more 2024-02-02 9.3 HIGH 8.6 HIGH
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
CVE-2023-20175 1 Cisco 1 Identity Services Engine 2024-02-01 N/A 8.8 HIGH
A vulnerability in a specific Cisco ISE CLI command could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, an attacker must have valid Read-only-level privileges or higher on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.
CVE-2023-37903 1 Vm2 Project 1 Vm2 2024-02-01 N/A 10.0 CRITICAL
vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. There are no patches and no known workarounds. Users are advised to find an alternative software.
CVE-2024-24333 1 Totolink 2 A3300r, A3300r Firmware 2024-02-01 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the desc parameter in the setWiFiAclRules function.
CVE-2024-24325 1 Totolink 2 A3300r, A3300r Firmware 2024-02-01 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setParentalRules function.
CVE-2024-24326 1 Totolink 2 A3300r, A3300r Firmware 2024-02-01 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the arpEnable parameter in the setStaticDhcpRules function.
CVE-2024-24327 1 Totolink 2 A3300r, A3300r Firmware 2024-02-01 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the pppoePass parameter in the setIpv6Cfg function.
CVE-2024-24328 1 Totolink 2 A3300r, A3300r Firmware 2024-02-01 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setMacFilterRules function.
CVE-2024-24329 1 Totolink 2 A3300r, A3300r Firmware 2024-02-01 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setPortForwardRules function.
CVE-2024-24332 1 Totolink 2 A3300r, A3300r Firmware 2024-02-01 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the url parameter in the setUrlFilterRules function.
CVE-2024-24331 1 Totolink 2 A3300r, A3300r Firmware 2024-02-01 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setWiFiScheduleCfg function.
CVE-2024-24330 1 Totolink 2 A3300r, A3300r Firmware 2024-02-01 N/A 9.8 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the port or enable parameter in the setRemoteCfg function.
CVE-2023-31037 1 Nvidia 4 Bluefield 2 Ga, Bluefield 2 Lts, Bluefield 3 Ga and 1 more 2024-01-31 N/A 7.2 HIGH
NVIDIA Bluefield 2 and Bluefield 3 DPU BMC contains a vulnerability in ipmitool, where a root user may cause code injection by a network call. A successful exploit of this vulnerability may lead to code execution on the OS.
CVE-2024-22372 1 Elecom 10 Wrc-x1800gs-b, Wrc-x1800gs-b Firmware, Wrc-x1800gsa-b and 7 more 2024-01-30 N/A 6.8 MEDIUM
OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product. Affected products and versions are as follows: WRC-X1800GS-B v1.17 and earlier, WRC-X1800GSA-B v1.17 and earlier, WRC-X1800GSH-B v1.17 and earlier, WRC-X6000XS-G v1.09, and WRC-X6000XST-G v1.12 and earlier.
CVE-2024-22366 1 Yamaha 10 Wlx202, Wlx202 Firmware, Wlx212 and 7 more 2024-01-30 N/A 6.8 MEDIUM
Active debug code exists in Yamaha wireless LAN access point devices. If a logged-in user who knows how to use the debug function accesses the device's management page, this function can be enabled by performing specific operations. As a result, an arbitrary OS command may be executed and/or configuration settings of the device may be altered. Affected products and versions are as follows: WLX222 firmware Rev.24.00.03 and earlier, WLX413 firmware Rev.22.00.05 and earlier, WLX212 firmware Rev.21.00.12 and earlier, WLX313 firmware Rev.18.00.12 and earlier, and WLX202 firmware Rev.16.00.18 and earlier.
CVE-2023-6926 1 Crestron 2 Am-300, Am-300 Firmware 2024-01-29 N/A 7.8 HIGH
There is an OS command injection vulnerability in Crestron AM-300 firmware version 1.4499.00018 which may enable a user of a limited-access SSH session to escalate their privileges to root-level access.
CVE-2002-0061 1 Apache 1 Http Server 2024-01-26 7.5 HIGH N/A
Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe.