Total: 3673 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-38132 | 1 Linksys | 2 Mr8300, Mr8300 Firmware | 2022-08-29 | N/A | 8.8 HIGH | Command injection vulnerability in the Linksys MR8300 router during registration to the DDNS service. By specifying a username and password, an attacker connected to the router's web interface can execute arbitrary OS commands. The username and password fields are not sanitized correctly and are used as URL construction arguments, allowing URL redirection to an arbitrary server, downloading an arbitrary script file, and eventually executing the file on the device. This issue affects: Linksys MR8300 Router 1.0. |
CVE-2022-32572 | 1 Wwbn | 1 Avideo | 2022-08-26 | N/A | 8.8 HIGH | An OS command injection vulnerability exists in the aVideoEncoder wget functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability. |
CVE-2022-30534 | 1 Wwbn | 1 Avideo | 2022-08-26 | N/A | 8.8 HIGH | An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability. |
CVE-2021-21809 | 1 Moodle | 1 Moodle | 2022-08-24 | 9.0 HIGH | 9.1 CRITICAL | A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerability. |
CVE-2022-35976 | 1 Weave | 1 Gitops Tools | 2022-08-23 | N/A | 9.8 CRITICAL | The GitOps Tools Extension for VSCode relies on kubeconfigs in order to communicate with Kubernetes clusters. A specially crafted kubeconfig leads to arbitrary code execution on behalf of the user running VSCode. Users relying on kubeconfigs that are generated or altered by other processes or users are affected by this issue. Please note that the vulnerability is specific to this extension, and the same kubeconfig would not result in arbitrary code execution when used with kubectl. Using only trustworthy kubeconfigs is a safe mitigation. However, updating to the latest version of the extension is still highly recommended. |
CVE-2022-35975 | 1 Weave | 1 Gitops Tools | 2022-08-22 | N/A | 9.8 CRITICAL | The GitOps Tools Extension for VSCode can make it easier to manage Flux objects. A specially crafted Flux object may allow for remote code execution on the machine running the extension, in the context of the user that is running VSCode. Users using the VSCode extension to manage clusters that are shared amongst other users are affected by this issue. The only safe mitigation is to update to the latest version of the extension. |
CVE-2020-10390 | 1 Chadhaajay | 1 Phpkb | 2022-08-19 | 6.5 MEDIUM | 7.2 HIGH | OS Command Injection in export.php (vulnerable function called from include/functions-article.php) in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve code execution by saving the code to be executed as the wkhtmltopdf path via admin/save-settings.php. |
CVE-2022-1410 | 1 Device42 | 1 Cmdb | 2022-08-18 | N/A | 8.8 HIGH | OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions. |
CVE-2022-36381 | 1 Nintendo | 2 Wi-fi Network Adaptor Wap 001, Wi-fi Network Adaptor Wap 001 Firmware | 2022-08-17 | N/A | 7.2 HIGH | OS command injection vulnerability in Nintendo Wi-Fi Network Adaptor WAP-001, all versions, allows an attacker with administrative privilege to execute arbitrary OS commands via unspecified vectors. |
CVE-2022-36309 | 1 Airspan | 2 Airvelocity 1500, Airvelocity 1500 Firmware | 2022-08-17 | N/A | 8.8 HIGH | Airspan AirVelocity 1500 software versions prior to 15.18.00.2511 have a root command injection vulnerability in the ActiveBank parameter of the recoverySubmit.cgi script running on the eNodeB's web management UI. This issue may affect other AirVelocity and AirSpeed models. |
CVE-2018-7187 | 2 Debian, Golang | 2 Debian Linux, Go | 2022-08-16 | 9.3 HIGH | 8.8 HIGH | The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. |
CVE-2021-35049 | 1 Fidelissecurity | 2 Deception, Network | 2022-08-12 | 6.5 MEDIUM | 8.8 HIGH | Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response in an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.3.7 and in version 9.4. Patches and updates are available to address this vulnerability. |
CVE-2022-27616 | 1 Synology | 1 Diskstation Manager | 2022-08-10 | N/A | 7.2 HIGH | Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in the webapi component in Synology DiskStation Manager (DSM) before 7.0.1-42218-3 allows remote authenticated users to execute arbitrary commands via unspecified vectors. |
CVE-2021-3725 | 1 Planetargon | 1 Oh My Zsh | 2022-08-09 | 6.8 MEDIUM | 8.8 HIGH | Vulnerability in the dirhistory plugin: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the system is subject to command injection. Impacted areas: functions pop_past and pop_future in the dirhistory plugin. |
CVE-2021-43779 | 1 Teclib-edition | 1 Addressing | 2022-08-09 | 9.0 HIGH | 9.9 CRITICAL | GLPI is an open source IT Asset Management, issue tracking system and service desk system. The GLPI addressing plugin in versions < 2.9.1 suffers from an authenticated Remote Code Execution vulnerability, allowing access to the server's underlying operating system using command injection abuse of functionality. There is no workaround for this issue and users are advised to upgrade or to disable the addressing plugin. |
CVE-2022-22140 | 1 Tcl | 1 Linkhub Mesh Wifi Ac1200 | 2022-08-08 | N/A | 9.8 CRITICAL | An OS command injection vulnerability exists in the confsrv ucloud_add_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability. |
CVE-2022-21178 | 1 Tcl | 1 Linkhub Mesh Wifi Ac1200 | 2022-08-08 | N/A | 9.8 CRITICAL | An OS command injection vulnerability exists in the confsrv ucloud_add_new_node functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability. |
CVE-2022-33955 | 1 Ibm | 1 Cics Tx | 2022-08-05 | N/A | 6.8 MEDIUM | IBM CICS TX 11.1 could allow an attacker with physical access to the system to execute code using a back and refresh attack. IBM X-Force ID: 229312. |
CVE-2020-7034 | 1 Avaya | 1 Session Border Controller For Enterprise | 2022-08-05 | 9.0 HIGH | 8.8 HIGH | A command injection vulnerability in Avaya Session Border Controller for Enterprise could allow an authenticated, remote attacker to send specially crafted messages and execute arbitrary commands with the affected system's privileges. Affected versions of Avaya Session Border Controller for Enterprise include 7.x, 8.0 through 8.1.1.x. |
CVE-2020-28424 | 1 S3-kilatstorage Project | 1 S3-kilatstorage | 2022-08-05 | N/A | 9.8 CRITICAL | This affects all versions of package s3-kilatstorage. |