Total: 3673 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-2479 | 1 Appium | 1 Appium-desktop | 2023-05-17 | N/A | 9.8 CRITICAL | OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4. |
CVE-2023-32568 | 1 Veritas | 1 Infoscale Operations Manager | 2023-05-16 | N/A | 7.2 HIGH | An issue was discovered in Veritas InfoScale Operations Manager (VIOM) before 7.4.2.800 and 8.x before 8.0.410. The VIOM web application does not validate user-supplied data and appends it to OS commands and internal binaries used by the application. An attacker with root/administrator level privileges can leverage this to read sensitive data stored on the servers, modify data or server configuration, and delete data or application configuration. |
CVE-2023-27407 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2023-05-15 | N/A | 9.9 CRITICAL | A vulnerability has been identified in SCALANCE LPE9403 (All versions < V2.1). The web-based management of the affected device does not properly validate user input, making it susceptible to command injection. This could allow an authenticated remote attacker to access the underlying operating system as the root user. |
CVE-2023-2574 | 1 Advantech | 6 Eki-1521, Eki-1521 Firmware, Eki-1522 and 3 more | 2023-05-12 | N/A | 8.8 HIGH | Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request. |
CVE-2023-2573 | 1 Advantech | 6 Eki-1521, Eki-1521 Firmware, Eki-1522 and 3 more | 2023-05-12 | N/A | 8.8 HIGH | Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request. |
CVE-2023-30054 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2023-05-11 | N/A | 9.8 CRITICAL | TOTOLINK A7100RU V7.4cu.2313_B20191024 has a Command Injection vulnerability. An attacker can obtain a stable root shell through a specially constructed payload. |
CVE-2023-30053 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2023-05-11 | N/A | 9.8 CRITICAL | TOTOLINK A7100RU V7.4cu.2313_B20191024 is vulnerable to Command Injection. |
CVE-2023-28742 | 1 F5 | 1 Big-ip Domain Name System | 2023-05-10 | N/A | 8.8 HIGH | When DNS is provisioned, an authenticated remote command execution vulnerability exists in DNS iQuery mesh. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
CVE-2023-24958 | 1 Ibm | 6 3948-ved, 3948-ved Firmware, 3957-vec and 3 more | 2023-05-10 | N/A | 8.8 HIGH | A vulnerability in the IBM TS7700 Management Interface 8.51.2.12, 8.52.200.111, 8.52.102.13, and 8.53.0.63 could allow an authenticated user to submit a specially crafted URL leading to privilege escalation and remote code execution. IBM X-Force ID: 246320. |
CVE-2023-29778 | 1 Gl-inet | 2 Gl-mt3000, Gl-mt3000 Firmware | 2023-05-09 | N/A | 9.8 CRITICAL | GL.iNET MT3000 4.1.0 Release 2 is vulnerable to OS Command Injection via /usr/lib/oui-httpd/rpc/logread. |
CVE-2022-28888 | 1 Spryker | 1 Cloud Commerce | 2023-05-09 | 7.5 HIGH | 9.8 CRITICAL | Spryker Commerce OS 1.4.2 allows Remote Command Execution. |
CVE-2023-30854 | 1 Wwbn | 1 Avideo | 2023-05-09 | N/A | 8.8 HIGH | AVideo is an open source video platform. Prior to version 12.4, an OS Command Injection vulnerability in an authenticated endpoint `/plugin/CloneSite/cloneClient.json.php` allows attackers to achieve Remote Code Execution. This issue is fixed in version 12.4. |
CVE-2023-22919 | 1 Zyxel | 2 Nbg6604, Nbg6604 Firmware | 2023-05-06 | N/A | 8.8 HIGH | The post-authentication command injection vulnerability in the Zyxel NBG6604 firmware version V1.01(ABIR.0)C0 could allow an authenticated attacker to execute some OS commands remotely by sending a crafted HTTP request. |
CVE-2023-25313 | 1 Wwbn | 1 Avideo | 2023-05-04 | N/A | 9.8 CRITICAL | OS injection vulnerability in World Wide Broadcast Network AVideo versions before 12.4 allows attackers to execute arbitrary code via the video link field of the Embed a video link feature. |
CVE-2023-30628 | 1 Kiwitcms | 1 Kiwi Tcms | 2023-05-04 | N/A | 8.8 HIGH | Kiwi TCMS is an open source test management system. In kiwitcms/Kiwi v12.2 and prior and kiwitcms/enterprise v12.2 and prior, the `changelog.yml` workflow is vulnerable to command injection attacks because it uses the untrusted `github.head_ref` field. The `github.head_ref` value is an attacker-controlled value. Assigning the value to `zzz";echo${IFS}"hello";#` can lead to command injection. Since the permission is not restricted, the attacker has write access to the repository. Commit 834c86dfd1b2492ccad7ebbfd6304bfec895fed2 of the kiwitcms/Kiwi repository and commit e39f7e156fdaf6fec09a15ea6f4e8fec8cdbf751 of the kiwitcms/enterprise repository contain a fix for this issue. |
CVE-2023-28983 | 1 Juniper | 1 Junos Os Evolved | 2023-05-04 | N/A | 8.8 HIGH | An OS Command Injection vulnerability in the gRPC Network Operations Interface (gNOI) server module of Juniper Networks Junos OS Evolved allows an authenticated, low privileged, network based attacker to inject shell commands and execute code. This issue affects Juniper Networks Junos OS Evolved 21.4 version 21.4R1-EVO and later versions prior to 22.1R1-EVO. |
CVE-2023-30621 | 1 Gipsy Project | 1 Gipsy | 2023-04-29 | N/A | 9.8 CRITICAL | Gipsy is a multi-purpose discord bot which aims to be as modular and user-friendly as possible. In versions prior to 1.3 users can run commands on the host machine with sudoer permission. The `!ping` command, when provided with an IP or hostname, used to run a bash `ping <IP>` without verification that the IP or hostname was legitimate. This command was executed with root permissions and may lead to arbitrary command injection on the host server. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
CVE-2023-25507 | 1 Nvidia | 2 Bmc, Dgx-1 | 2023-04-29 | N/A | 8.8 HIGH | NVIDIA DGX-1 BMC contains a vulnerability in the SPX REST API, where an attacker with the appropriate level of authorization can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, and data tampering. |
CVE-2023-25759 | 1 Uniguest | 1 Tripleplay | 2023-04-28 | N/A | 5.4 MEDIUM | OS Command Injection in TripleData Reporting Engine in Tripleplay Platform releases prior to Caveman 3.4.0 allows authenticated users to run unprivileged OS level commands via a crafted request payload. |
CVE-2023-25554 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-04-27 | N/A | 7.8 HIGH | A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that allows a local privilege escalation on the appliance when a maliciously crafted Operating System command is entered on the device. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) |