Total
1788 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-40146 | 2024-04-17 | N/A | 6.8 MEDIUM | ||
| A privilege escalation vulnerability exists in the /bin/login functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted command line argument can lead to a limited-shell escape and elevated capabilities. An attacker can authenticate with hard-coded credentials and execute unblocked default busybox functionality to trigger this vulnerability. | |||||
| CVE-2023-22935 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-04-10 | N/A | 8.8 HIGH |
| In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘display.page.search.patterns.sensitivity’ search parameter lets a search bypass SPL safeguards for risky commands. The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled. | |||||
| CVE-2021-29154 | 4 Debian, Fedoraproject, Linux and 1 more | 20 Debian Linux, Fedora, Linux Kernel and 17 more | 2024-03-25 | 7.2 HIGH | 7.8 HIGH |
| BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. | |||||
| CVE-2023-40796 | 1 Phicomm | 2 K2, K2 Firmware | 2024-03-07 | N/A | 7.8 HIGH |
| Phicomm k2 v22.6.529.216 was discovered to contain a command injection vulnerability via the function luci.sys.call. | |||||
| CVE-2024-1374 | 1 Github | 1 Enterprise Server | 2024-03-06 | N/A | 9.1 CRITICAL |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via nomad templates when configuring audit log forwarding. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com . | |||||
| CVE-2024-1354 | 1 Github | 1 Enterprise Server | 2024-03-05 | N/A | 8.0 HIGH |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the `syslog-ng` configuration file. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2024-1359 | 1 Github | 1 Enterprise Server | 2024-03-05 | N/A | 9.1 CRITICAL |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting up an HTTP proxy. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com . | |||||
| CVE-2024-1369 | 1 Github | 1 Enterprise Server | 2024-03-05 | N/A | 9.1 CRITICAL |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting the username and password for collectd configurations. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com . | |||||
| CVE-2024-1372 | 1 Github | 1 Enterprise Server | 2024-03-05 | N/A | 9.1 CRITICAL |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring SAML settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com . | |||||
| CVE-2024-1378 | 1 Github | 1 Enterprise Server | 2024-03-01 | N/A | 9.1 CRITICAL |
| A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via nomad templates when configuring SMTP options. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com . | |||||
| CVE-2024-22197 | 1 Nginxui | 1 Nginx Ui | 2024-02-29 | N/A | 8.8 HIGH |
| Nginx-ui is online statistics for Server Indicators?? Monitor CPU usage, memory usage, load average, and disk usage in real-time. The `Home > Preference` page exposes a small list of nginx settings such as `Nginx Access Log Path` and `Nginx Error Log Path`. However, the API also exposes `test_config_cmd`, `reload_cmd` and `restart_cmd`. While the UI doesn't allow users to modify any of these settings, it is possible to do so by sending a request to the API. This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure. This issue has been patched in version 2.0.0.beta.9. | |||||
| CVE-2023-6572 | 1 Gradio Project | 1 Gradio | 2024-02-28 | N/A | 8.1 HIGH |
| Command Injection in GitHub repository gradio-app/gradio prior to main. | |||||
| CVE-2021-22938 | 2 Ivanti, Pulsesecure | 2 Connect Secure, Pulse Connect Secure | 2024-02-27 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console. | |||||
| CVE-2021-22935 | 2 Ivanti, Pulsesecure | 2 Connect Secure, Pulse Connect Secure | 2024-02-27 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter. | |||||
| CVE-2023-49716 | 1 Emerson | 6 Gc1500xa, Gc1500xa Firmware, Gc370xa and 3 more | 2024-02-15 | N/A | 9.8 CRITICAL |
| In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an authenticated user with network access could run arbitrary commands from a remote computer. | |||||
| CVE-2023-46687 | 1 Emerson | 6 Gc1500xa, Gc1500xa Firmware, Gc370xa and 3 more | 2024-02-15 | N/A | 9.8 CRITICAL |
| In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer. | |||||
| CVE-2016-10098 | 1 Sendquick | 4 Avera Sms Gateway, Avera Sms Gateway Firmware, Entera Sms Gateway and 1 more | 2024-02-14 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on SendQuick Entera and Avera devices before 2HF16. Multiple Command Injection vulnerabilities allow attackers to execute arbitrary system commands. | |||||
| CVE-2021-38556 | 1 Raspap | 1 Raspap | 2024-02-14 | 6.5 MEDIUM | 8.8 HIGH |
| includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection. | |||||
| CVE-2024-0325 | 1 Perforce | 1 Helix Sync | 2024-02-09 | N/A | 7.8 HIGH |
| In Helix Sync versions prior to 2024.1, a local command injection was identified. Reported by Bryan Riggins. | |||||
| CVE-2024-21488 | 1 Forkhq | 1 Network | 2024-02-08 | N/A | 9.8 CRITICAL |
| Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on. | |||||