Total
1788 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-42427 | 1 Dell | 1 Wyse Thinos | 2024-12-20 | N/A | 7.6 HIGH |
| Dell ThinOS versions 2402 and 2405, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. An unauthenticated attacker with physical access could potentially exploit this vulnerability, leading to Elevation of privileges. | |||||
| CVE-2023-23356 | 2024-12-19 | N/A | N/A | ||
| A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QuFirewall 2.3.3 ( 2023/03/27 ) and later and later | |||||
| CVE-2024-36604 | 1 Tenda | 2 O3, O3 Firmware | 2024-12-13 | N/A | 9.8 CRITICAL |
| Tenda O3V2 v1.0.0.12(3880) was discovered to contain a Blind Command Injection via stpEn parameter in the SetStp function. This vulnerability allows attackers to execute arbitrary commands with root privileges. | |||||
| CVE-2023-28365 | 2 Linux, Ui | 2 Linux Kernel, Unifi Network Application | 2024-12-12 | N/A | 9.1 CRITICAL |
| A backup file vulnerability found in UniFi applications (Version 7.3.83 and earlier) running on Linux operating systems allows application administrators to execute malicious commands on the host device being restored. | |||||
| CVE-2024-22122 | 1 Zabbix | 1 Zabbix | 2024-12-10 | N/A | 9.1 CRITICAL |
| Zabbix allows to configure SMS notifications. AT command injection occurs on "Zabbix Server" because there is no validation of "Number" field on Web nor on Zabbix server side. Attacker can run test of SMS providing specially crafted phone number and execute additional AT commands on modem. | |||||
| CVE-2024-50388 | 2024-12-06 | N/A | N/A | ||
| An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute commands. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 25.1.1.673 and later | |||||
| CVE-2024-11665 | 1 Echarge | 2 Salia Plcc, Salia Plcc Firmware | 2024-12-04 | N/A | 8.8 HIGH |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in hardy-barth cph2_echarge_firmware allows OS Command Injection.This issue affects cph2_echarge_firmware: through 2.0.4. | |||||
| CVE-2024-3400 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-29 | N/A | 10.0 CRITICAL |
| A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. | |||||
| CVE-2024-9076 | 1 Dedecms | 1 Dedecms | 2024-11-28 | N/A | 8.8 HIGH |
| A vulnerability was found in DedeCMS up to 5.7.115. It has been rated as critical. This issue affects some unknown processing of the file /dede/article_string_mix.php. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-11320 | 1 Pandorafms | 1 Pandora Fms | 2024-11-26 | N/A | 9.8 CRITICAL |
| Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism. This issue affects Pandora FMS: from 700 through <=777.4 | |||||
| CVE-2023-20219 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | N/A | 8.8 HIGH |
| Multiple vulnerabilities in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. The attacker would need valid device credentials but does not require administrator privileges to exploit this vulnerability. These vulnerabilities are due to insufficient validation of user-supplied input for certain configuration options. An attacker could exploit these vulnerabilities by using crafted input within the device configuration GUI. A successful exploit could allow the attacker to execute arbitrary commands on the device including the underlying operating system which could also affect the availability of the device. | |||||
| CVE-2023-20220 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | N/A | 8.8 HIGH |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. To exploit these vulnerabilities, the attacker must have valid device credentials, but does not need Administrator privileges. These vulnerabilities are due to insufficient validation of user-supplied input for certain configuration options. An attacker could exploit these vulnerabilities by using crafted input within the device configuration GUI. A successful exploit could allow the attacker to execute arbitrary commands on the device, including on the underlying operating system, which could also affect the availability of the device. | |||||
| CVE-2024-45348 | 1 Mi | 2 Ax9000, Ax9000 Firmware | 2024-11-25 | N/A | 8.8 HIGH |
| Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code. | |||||
| CVE-2024-4638 | 1 Moxa | 8 Oncell G3470a-lte-eu, Oncell G3470a-lte-eu-t, Oncell G3470a-lte-eu-t Firmware and 5 more | 2024-11-21 | N/A | 8.8 HIGH |
| OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to a lack of neutralized inputs in the web key upload function. An attacker could modify the intended commands sent to target functions, which could cause malicious users to execute unauthorized commands. | |||||
| CVE-2024-4639 | 1 Moxa | 8 Oncell G3470a-lte-eu, Oncell G3470a-lte-eu-t, Oncell G3470a-lte-eu-t Firmware and 5 more | 2024-11-21 | N/A | 8.8 HIGH |
| OnCell G3470A-LTE Series firmware versions v1.7.7 and prior have been identified as vulnerable due to a lack of neutralized inputs in IPSec configuration. An attacker could modify the intended commands sent to target functions, which could cause malicious users to execute unauthorized commands. | |||||
| CVE-2024-52308 | 1 Github | 1 Cli | 2024-11-20 | N/A | 9.6 CRITICAL |
| The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands. This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand="echo hacked" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored. In `2.62.0`, the remote username information is being validated before being used. | |||||
| CVE-2022-1884 | 2 Gogs, Microsoft | 2 Gogs, Windows | 2024-11-19 | N/A | 9.8 CRITICAL |
| A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. The vulnerability arises due to improper validation of the `tree_path` parameter during file uploads. An attacker can set `tree_path=.git.` to upload a file into the .git directory, allowing them to write or rewrite the `.git/config` file. If the `core.sshCommand` is set, this can lead to remote command execution. | |||||
| CVE-2024-49557 | 1 Dell | 1 Smartfabric Os10 | 2024-11-15 | N/A | 7.8 HIGH |
| Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution. | |||||
| CVE-2024-49560 | 1 Dell | 1 Smartfabric Os10 | 2024-11-15 | N/A | 7.8 HIGH |
| Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) a command injection vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution. | |||||
| CVE-2024-50853 | 1 Tendacn | 2 G3, G3 Firmware | 2024-11-14 | N/A | 8.8 HIGH |
| Tenda G3 v3.0 v15.11.0.20 was discovered to contain a command injection vulnerability via the formSetDebugCfg function. | |||||