Total
1788 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-28497 | 1 Totolink | 2 Cp900, Cp900 Firmware | 2023-03-28 | N/A | 9.8 CRITICAL |
| TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the mtd_write_bootloader function via the filename parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2021-43113 | 2 Debian, Itextpdf | 2 Debian Linux, Itext | 2023-03-24 | 7.5 HIGH | 9.8 CRITICAL |
| iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java. | |||||
| CVE-2023-28460 | 1 Arraynetworks | 21 Apv10650, Apv11600, Apv1600 and 18 more | 2023-03-24 | N/A | 7.2 HIGH |
| A command injection vulnerability was discovered in Array Networks APV products. A remote attacker can send a crafted packet after logging into the affected appliance as an administrator, resulting in arbitrary shell code execution. This is fixed in 8.6.1.262 or newer and 10.4.2.93 or newer. | |||||
| CVE-2023-28110 | 1 Fit2cloud | 2 Jumpserver, Koko | 2023-03-23 | N/A | 9.9 CRITICAL |
| Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, refactoring coco's SSH/SFTP service and Web Terminal service. Prior to version 2.28.8, using illegal tokens to connect to a Kubernetes cluster through Koko can result in the execution of dangerous commands that may disrupt the Koko container environment and affect normal usage. The vulnerability has been fixed in v2.28.8. | |||||
| CVE-2023-27240 | 1 Tenda | 2 Ax3, Ax3 Firmware | 2023-03-21 | N/A | 9.8 CRITICAL |
| Tenda AX3 V16.03.12.11 was discovered to contain a command injection vulnerability via the lanip parameter at /goform/AdvSetLanip. | |||||
| CVE-2023-27581 | 1 Github-slug-action Project | 1 Github-slug-action | 2023-03-17 | N/A | 8.8 HIGH |
| github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one's GitHub workflow. Starting in version 4.0.0` and prior to version 4.4.1, this action uses the `github.head_ref` parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. This can be used to execute code on the GitHub runners and to exfiltrate any secrets one uses in the CI pipeline. A patched action is available in version 4.4.1. No workaround is available. | |||||
| CVE-2023-0628 | 1 Docker | 1 Docker Desktop | 2023-03-17 | N/A | 7.8 HIGH |
| Docker Desktop before 4.17.0 allows an attacker to execute an arbitrary command inside a Dev Environments container during initialization by tricking a user to open a crafted malicious docker-desktop:// URL. | |||||
| CVE-2023-22760 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2023-03-10 | N/A | 7.2 HIGH |
| Authenticated remote command injection vulnerabilities exist in the ArubaOS web-based management interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running ArubaOS. | |||||
| CVE-2023-22761 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2023-03-10 | N/A | 7.2 HIGH |
| Authenticated remote command injection vulnerabilities exist in the ArubaOS web-based management interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running ArubaOS. | |||||
| CVE-2023-22759 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2023-03-10 | N/A | 7.2 HIGH |
| Authenticated remote command injection vulnerabilities exist in the ArubaOS web-based management interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running ArubaOS. | |||||
| CVE-2023-22758 | 1 Arubanetworks | 2 Arubaos, Sd-wan | 2023-03-10 | N/A | 7.2 HIGH |
| Authenticated remote command injection vulnerabilities exist in the ArubaOS web-based management interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running ArubaOS. | |||||
| CVE-2023-26602 | 1 Asus | 1 Asmb8-ikvm Firmware | 2023-03-07 | N/A | 9.8 CRITICAL |
| ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution. | |||||
| CVE-2023-23080 | 1 Tenda | 10 Cp3, Cp3 Firmware, Cp7 and 7 more | 2023-03-07 | N/A | 9.8 CRITICAL |
| Certain Tenda products are vulnerable to command injection. This affects Tenda CP7 Tenda CP7<=V11.10.00.2211041403 and Tenda CP3 v.10 Tenda CP3 v.10<=V20220906024_2025 and Tenda IT7-PCS Tenda IT7-PCS<=V2209020914 and Tenda IT7-LCS Tenda IT7-LCS<=V2209020914 and Tenda IT7-PRS Tenda IT7-PRS<=V2209020908. | |||||
| CVE-2023-23294 | 1 Korenix | 29 Jetwave 2111, Jetwave 2111 Firmware, Jetwave 2111l and 26 more | 2023-03-06 | N/A | 8.8 HIGH |
| Korenix JetWave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to Command Injection. An attacker can modify the file_name parameter to execute commands as root. | |||||
| CVE-2019-1010174 | 2 Cimg, Debian | 2 Cimg Library, Debian Linux | 2023-03-01 | 7.5 HIGH | 9.8 CRITICAL |
| CImg The CImg Library v.2.3.3 and earlier is affected by: command injection. The impact is: RCE. The component is: load_network() function. The attack vector is: Loading an image from a user-controllable url can lead to command injection, because no string sanitization is done on the url. The fixed version is: v.2.3.4. | |||||
| CVE-2023-25805 | 1 Versionn Project | 1 Versionn | 2023-03-01 | N/A | 9.8 CRITICAL |
| versionn, software for changing version information across multiple files, has a command injection vulnerability in all versions prior to version 1.1.0. This issue is patched in version 1.1.0. | |||||
| CVE-2021-33963 | 1 Chinamobile | 2 An Lianbao Wf-1, An Lianbao Wf-1 Firmware | 2023-02-24 | 10.0 HIGH | 9.8 CRITICAL |
| China Mobile An Lianbao WF-1 v1.0.1 router web interface through /api/ZRMacClone/mac_addr_clone receives parameters by POST request, and the parameter macType has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands. | |||||
| CVE-2019-1584 | 1 Zingbox | 1 Inspector | 2023-02-15 | 6.8 MEDIUM | 9.8 CRITICAL |
| A security vulnerability exists in Zingbox Inspector version 1.293 and earlier, that allows for remote code execution if the Inspector were sent a malicious command from the Zingbox cloud, or if the Zingbox Inspector were tampered with to connect to an attacker's cloud endpoint. | |||||
| CVE-2018-14649 | 1 Redhat | 5 Ceph-iscsi-cli, Ceph Storage, Enterprise Linux Desktop and 2 more | 2023-02-13 | 10.0 HIGH | 9.8 CRITICAL |
| It was found that ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode. This is done by setting debug=True in file /usr/bin/rbd-target-api provided by ceph-isci-cli package. This allows unauthenticated attackers to access this debug shell and escalate privileges. Once an attacker has successfully connected to this debug shell they will be able to execute arbitrary commands remotely. These commands will run with the same privileges as of user executing the application which is using python-werkzeug with debug shell mode enabled. In - Red Hat Ceph Storage 2 and 3, ceph-isci-cli package runs python-werkzeug library with root level permissions. | |||||
| CVE-2015-5274 | 1 Redhat | 1 Openshift | 2023-02-13 | 6.5 MEDIUM | N/A |
| rubygem-openshift-origin-console in Red Hat OpenShift 2.2 allows remote authenticated users to execute arbitrary commands via a crafted request to the Broker. | |||||