Total
3837 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-5477 | 3 Canonical, Debian, Nokogiri | 3 Ubuntu Linux, Debian Linux, Nokogiri | 2022-10-14 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4. | |||||
| CVE-2019-7269 | 1 Nortekcontrol | 4 Linear Emerge 5000p, Linear Emerge 5000p Firmware, Linear Emerge 50p and 1 more | 2022-10-13 | 10.0 HIGH | 9.8 CRITICAL |
| Linear eMerge 50P/5000P devices allow Authenticated Command Injection with root Code Execution. | |||||
| CVE-2022-34427 | 1 Dell | 1 Container Storage Modules | 2022-10-13 | N/A | 8.8 HIGH |
| Dell Container Storage Modules 1.2 contains an OS Command Injection in goiscsi and gobrick libraries. A remote unauthenticated attacker could exploit this vulnerability leading to modification of intended OS command execution. | |||||
| CVE-2021-44171 | 1 Fortinet | 1 Fortios | 2022-10-12 | N/A | 8.0 HIGH |
| A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiOS version 6.0.0 through 6.0.14, FortiOS version 6.2.0 through 6.2.10, FortiOS version 6.4.0 through 6.4.8, FortiOS version 7.0.0 through 7.0.3 allows attacker to execute privileged commands on a linked FortiSwitch via diagnostic CLI commands. | |||||
| CVE-2022-40176 | 1 Siemens | 20 Desigo Pxm30-1, Desigo Pxm30-1 Firmware, Desigo Pxm30.e and 17 more | 2022-10-12 | N/A | 8.0 HIGH |
| A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), Desigo PXM50-1 (All versions < V02.20.126.11-41), Desigo PXM50.E (All versions < V02.20.126.11-41), PXG3.W100-1 (All versions < V02.20.126.11-37), PXG3.W100-2 (All versions < V02.20.126.11-41), PXG3.W200-1 (All versions < V02.20.126.11-37), PXG3.W200-2 (All versions < V02.20.126.11-41). There exists an Improper Neutralization of Special Elements used in an OS Command with root privileges during a restore operation due to the missing validation of the names of files included in the input package. By restoring a specifically crafted package, a remote low-privileged attacker can execute arbitrary system commands with root privileges on the device, leading to a full compromise. | |||||
| CVE-2022-27224 | 1 Galsys | 2 Nts-6002-gps, Nts-6002-gps Firmware | 2022-10-12 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in Galleon NTS-6002-GPS 4.14.103-Galleon-NTS-6002.V12 4. An authenticated attacker can perform command injection as root via shell metacharacters within the Network Tools section of the web-management interface. All three networking tools are affected (Ping, Traceroute, and DNS Lookup) and their respective input fields (ping_address, trace_address, nslookup_address). | |||||
| CVE-2021-3515 | 1 2ndquadrant | 1 Pglogical | 2022-10-07 | 7.2 HIGH | 6.7 MEDIUM |
| A shell injection flaw was found in pglogical in versions before 2.3.4 and before 3.6.26. An attacker with CREATEDB privileges on a PostgreSQL server can craft a database name that allows execution of shell commands as the postgresql user when calling pglogical.create_subscription(). | |||||
| CVE-2017-15108 | 2 Debian, Spice-space | 2 Debian Linux, Spice-vdagent | 2022-10-07 | 4.6 MEDIUM | 7.8 HIGH |
| spice-vdagent up to and including 0.17.0 does not properly escape save directory before passing to shell, allowing local attacker with access to the session the agent runs in to inject arbitrary commands to be executed. | |||||
| CVE-2021-44235 | 1 Sap | 1 Netweaver Application Server Abap | 2022-10-06 | 7.2 HIGH | 6.7 MEDIUM |
| Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system. | |||||
| CVE-2020-25206 | 1 Mimosa | 6 B5, B5 Firmware, B5c and 3 more | 2022-10-05 | 9.0 HIGH | 7.2 HIGH |
| The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 allows authenticated command injection in the Throughput, WANStats, PhyStats, and QosStats API classes. An attacker with access to a web console account may execute operating system commands on affected devices by sending crafted POST requests to the affected endpoints (/core/api/calls/Throughput.php, /core/api/calls/WANStats.php, /core/api/calls/PhyStats.php, /core/api/calls/QosStats.php). This results in the complete takeover of the vulnerable device. This vulnerability does not occur in the older 1.5.x firmware versions. | |||||
| CVE-2021-21877 | 1 Lantronix | 2 Premierwave 2050, Premierwave 2050 Firmware | 2022-10-05 | 6.5 MEDIUM | 9.1 CRITICAL |
| Specially-crafted HTTP requests can lead to arbitrary command execution in “GET” requests. An attacker can make authenticated HTTP requests to trigger this vulnerability. | |||||
| CVE-2021-21876 | 1 Lantronix | 2 Premierwave 2050, Premierwave 2050 Firmware | 2022-10-05 | 6.5 MEDIUM | 9.1 CRITICAL |
| Specially-crafted HTTP requests can lead to arbitrary command execution in PUT requests. An attacker can make authenticated HTTP requests to trigger this vulnerability. | |||||
| CVE-2021-21875 | 1 Lantronix | 2 Premierwave 2050, Premierwave 2050 Firmware | 2022-10-05 | 9.0 HIGH | 9.1 CRITICAL |
| A specially-crafted HTTP request can lead to arbitrary command execution in EC keypasswd parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2021-21874 | 1 Lantronix | 2 Premierwave 2050, Premierwave 2050 Firmware | 2022-10-05 | 9.0 HIGH | 9.1 CRITICAL |
| A specially-crafted HTTP request can lead to arbitrary command execution in DSA keypasswd parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2022-39819 | 1 Nokia | 1 1350 Optical Management System | 2022-10-01 | N/A | 8.8 HIGH |
| In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occurs. This allows authenticated users to execute commands on the operating system. | |||||
| CVE-2022-39815 | 1 Nokia | 1 1350 Optical Management System | 2022-10-01 | N/A | 9.8 CRITICAL |
| In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occurs. This vulnerability allow unauthenticated users to execute commands on the operating system. | |||||
| CVE-2021-28398 | 1 Osgeo | 1 Geonetwork | 2022-10-01 | N/A | 7.2 HIGH |
| A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0. | |||||
| CVE-2021-21872 | 1 Lantronix | 2 Premierwave 2050, Premierwave 2050 Firmware | 2022-09-30 | 9.0 HIGH | 9.9 CRITICAL |
| An OS command injection vulnerability exists in the Web Manager Diagnostics: Traceroute functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2021-21873 | 1 Lantronix | 2 Premierwave 2050, Premierwave 2050 Firmware | 2022-09-30 | 9.0 HIGH | 9.1 CRITICAL |
| A specially-crafted HTTP request can lead to arbitrary command execution in RSA keypasswd parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2021-46422 | 1 Telesquare | 2 Sdt-cs3b1, Sdt-cs3b1 Firmware | 2022-09-30 | 10.0 HIGH | 9.8 CRITICAL |
| Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication. | |||||