Total
3673 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-13388 | 1 Python | 1 Jw.util | 2023-03-03 | 7.5 HIGH | 9.8 CRITICAL |
| An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used. | |||||
| CVE-2019-1778 | 1 Cisco | 67 N9k-c9504-fm-r, N9k-c9508-fm-r, N9k-x96136yc-r and 64 more | 2023-03-01 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with the privilege level of root. The vulnerability is due to insufficient validation of arguments passed to a specific CLI command on the affected device. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. | |||||
| CVE-2019-1776 | 1 Cisco | 134 7000 10-slot, 7000 18-slot, 7000 4-slot and 131 more | 2023-03-01 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root. The vulnerability is due to insufficient validation of arguments passed to a specific CLI command on the affected device. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. | |||||
| CVE-2019-1775 | 1 Cisco | 129 7000 10-slot, 7000 18-slot, 7000 4-slot and 126 more | 2023-03-01 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments passed to certain CLI commands. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. | |||||
| CVE-2019-1774 | 1 Cisco | 129 7000 10-slot, 7000 18-slot, 7000 4-slot and 126 more | 2023-03-01 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments passed to certain CLI commands. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with elevated privileges. An attacker would need valid administrator credentials to exploit this vulnerability. | |||||
| CVE-2019-11062 | 1 Sun.net | 1 Wmpro | 2023-03-01 | 10.0 HIGH | 9.8 CRITICAL |
| The SUNNET WMPro v5.0 and v5.1 for eLearning system has OS Command Injection via "/teach/course/doajaxfileupload.php". The target server can be exploited without authentication. | |||||
| CVE-2019-10662 | 1 Grandstream | 2 Ucm6204, Ucm6204 Firmware | 2023-03-01 | 9.0 HIGH | 8.8 HIGH |
| Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI. | |||||
| CVE-2019-10660 | 1 Grandstream | 2 Gxv3611ir Hd, Gxv3611ir Hd Firmware | 2023-03-01 | 6.5 MEDIUM | 8.8 HIGH |
| Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field. | |||||
| CVE-2019-10659 | 1 Grandstream | 4 Gxv3370, Gxv3370 Firmware, Wp820 and 1 more | 2023-03-01 | 6.5 MEDIUM | 8.8 HIGH |
| Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field. | |||||
| CVE-2019-10658 | 1 Grandstream | 2 Gwn7610, Gwn7610 Firmware | 2023-03-01 | 6.5 MEDIUM | 8.8 HIGH |
| Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call. | |||||
| CVE-2019-10657 | 1 Grandstream | 4 Gwn7000, Gwn7000 Firmware, Gwn7610 and 1 more | 2023-03-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request. | |||||
| CVE-2019-10656 | 1 Grandstream | 2 Gwn7000, Gwn7000 Firmware | 2023-03-01 | 9.0 HIGH | 8.8 HIGH |
| Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call. | |||||
| CVE-2019-5485 | 1 Gitlabhook Project | 1 Gitlabhook | 2023-02-28 | 10.0 HIGH | 10.0 CRITICAL |
| NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name. | |||||
| CVE-2018-10697 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2023-02-28 | 9.3 HIGH | 8.8 HIGH |
| An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "srvName" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack. | |||||
| CVE-2018-10702 | 1 Moxa | 2 Awk-3121, Awk-3121 Firmware | 2023-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to command injection via shell metacharacters. | |||||
| CVE-2019-15107 | 1 Webmin | 1 Webmin | 2023-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability. | |||||
| CVE-2022-32212 | 4 Debian, Fedoraproject, Nodejs and 1 more | 4 Debian Linux, Fedora, Node.js and 1 more | 2023-02-23 | N/A | 8.1 HIGH |
| A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. | |||||
| CVE-2023-24816 | 1 Ipython | 1 Ipython | 2023-02-23 | N/A | 7.0 HIGH |
| IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function `IPython.utils.terminal.set_term_title` be called on Windows in a Python environment where ctypes is not available. The dependency on `ctypes` in `IPython.utils._process_win32` prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool `set_term_title` could be called and hence introduce a vulnerability. Should an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. Users of ipython as a library are advised to upgrade. Users unable to upgrade should ensure that any calls to the `IPython.utils.terminal.set_term_title` function are done with trusted or filtered input. | |||||
| CVE-2023-23076 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2023-02-23 | N/A | 9.8 CRITICAL |
| OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules. | |||||
| CVE-2022-43550 | 2 Jitsi, Microsoft | 2 Jitsi, Windows | 2023-02-16 | N/A | 9.8 CRITICAL |
| A command injection vulnerability exists in Jitsi before commit 8aa7be58522f4264078d54752aae5483bfd854b2 when launching browsers on Windows which could allow an attacker to insert an arbitrary URL which opens up the opportunity to remote execution. | |||||