Total
3837 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-6278 | 1 Gnu | 1 Bash | 2021-11-17 | 10.0 HIGH | N/A |
| GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277. | |||||
| CVE-2021-3723 | 1 Ibm | 4 System X3550 M3, System X3550 M3 Firmware, System X3650 M3 and 1 more | 2021-11-17 | 9.0 HIGH | 8.8 HIGH |
| A command injection vulnerability was reported in the Integrated Management Module (IMM) of legacy IBM System x 3550 M3 and IBM System x 3650 M3 servers that could allow the execution of operating system commands over an authenticated SSH or Telnet session. | |||||
| CVE-2021-41254 | 1 Fluxcd | 1 Kustomize-controller | 2021-11-17 | 9.0 HIGH | 8.8 HIGH |
| kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize. Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run `kubectl` commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges. In affected versions multitenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue. This vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0) released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the `kubectl` binary has been removed from the container image. To prevent the creation of Kubernetes Service Accounts with `secrets` in namespaces owned by tenants, a Kubernetes validation webhook such as Gatekeeper OPA or Kyverno can be used. | |||||
| CVE-2021-39474 | 1 Ubeeinteractive | 2 Ubc1319, Ubc1319 Firmware | 2021-11-16 | 9.0 HIGH | 7.2 HIGH |
| Vulnerability in the product Docsis 3.0 UBC1319BA00 Router supported affected version 1319010201r009. The vulnerability allows an attacker with privileges and network access through the ping.cmd component to execute commands on the device. | |||||
| CVE-2021-3061 | 1 Paloaltonetworks | 2 Pan-os, Prisma Access | 2021-11-15 | 9.0 HIGH | 7.2 HIGH |
| An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 firewalls are impacted by this issue. | |||||
| CVE-2021-3060 | 1 Paloaltonetworks | 2 Pan-os, Prisma Access | 2021-11-15 | 9.3 HIGH | 8.1 HIGH |
| An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue. | |||||
| CVE-2021-3059 | 1 Paloaltonetworks | 1 Pan-os | 2021-11-15 | 7.6 HIGH | 8.1 HIGH |
| An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma Access 2.1 Innovation firewalls are impacted by this issue. | |||||
| CVE-2021-3058 | 1 Paloaltonetworks | 1 Pan-os | 2021-11-15 | 9.0 HIGH | 7.2 HIGH |
| An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permissions to use XML API the ability to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. This issue does not impact Prisma Access firewalls. | |||||
| CVE-2021-37158 | 1 Opengamepanel | 1 Opengamepanel | 2021-11-12 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in OpenGamePanel OGP-Agent-Linux through 2021-08-14. An authenticated attacker could inject OS commands by starting a Counter-Strike server and using the map field to enter a Bash command. | |||||
| CVE-2021-36185 | 1 Fortinet | 1 Fortiwlm | 2021-11-04 | 6.5 MEDIUM | 8.8 HIGH |
| A improper neutralization of special elements used in an OS command ('OS Command Injection') in Fortinet FortiWLM version 8.6.1 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests. | |||||
| CVE-2021-24684 | 1 Teamlead | 1 Pdf-light-viewer | 2021-11-04 | 9.0 HIGH | 8.8 HIGH |
| The WordPress PDF Light Viewer Plugin WordPress plugin before 1.4.12 allows users with Author roles to execute arbitrary OS command on the server via OS Command Injection when invoking Ghostscript. | |||||
| CVE-2019-3913 | 1 Labkey | 1 Labkey Server | 2021-11-02 | 4.0 MEDIUM | 4.9 MEDIUM |
| Command manipulation in LabKey Server Community Edition before 18.3.0-61806.763 allows an authenticated remote attacker to unmount any drive on the system leading to denial of service. | |||||
| CVE-2019-15598 | 1 Treekill Project | 1 Treekill | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| A Code Injection exists in treekill on Windows which allows a remote code execution when an attacker is able to control the input into the command. | |||||
| CVE-2011-2195 | 1 Websvn | 1 Websvn | 2021-10-29 | 9.3 HIGH | 9.8 CRITICAL |
| A flaw was found in WebSVN 2.3.2. Without prior authentication, if the 'allowDownload' option is enabled in config.php, an attacker can invoke the dl.php script and pass a well formed 'path' argument to execute arbitrary commands against the underlying operating system. | |||||
| CVE-2021-38478 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2021-10-25 | 6.5 MEDIUM | 9.1 CRITICAL |
| InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to an attacker using a traceroute tool to inject commands into the device. This may allow the attacker to remotely run commands on behalf of the device. | |||||
| CVE-2021-30358 | 1 Checkpoint | 1 Mobile Access Portal Agent | 2021-10-22 | 6.0 MEDIUM | 7.2 HIGH |
| Mobile Access Portal Native Applications who's path is defined by the administrator with environment variables may run applications from other locations by the Mobile Access Portal Agent. | |||||
| CVE-2021-38470 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2021-10-22 | 6.5 MEDIUM | 9.1 CRITICAL |
| InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to an attacker using a ping tool to inject commands into the device. This may allow the attacker to remotely run commands on behalf of the device. | |||||
| CVE-2020-3205 | 1 Cisco | 5 1120, 1240, 809 and 2 more | 2021-10-19 | 8.3 HIGH | 8.8 HIGH |
| A vulnerability in the implementation of the inter-VM channel of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers (Industrial ISRs) and Cisco 1000 Series Connected Grid Routers (CGR1000) could allow an unauthenticated, adjacent attacker to execute arbitrary shell commands on the Virtual Device Server (VDS) of an affected device. The vulnerability is due to insufficient validation of signaling packets that are destined to VDS. An attacker could exploit this vulnerability by sending malicious packets to an affected device. A successful exploit could allow the attacker to execute arbitrary commands in the context of the Linux shell of VDS with the privileges of the root user. Because the device is designed on a hypervisor architecture, exploitation of a vulnerability that affects the inter-VM channel may lead to a complete system compromise. For more information about this vulnerability, see the Details section of this advisory. | |||||
| CVE-2021-42071 | 1 Visual-tools | 2 Dvr Vx16, Dvr Vx16 Firmware | 2021-10-15 | 10.0 HIGH | 9.8 CRITICAL |
| In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header. | |||||
| CVE-2020-8186 | 1 Devcert Project | 1 Devcert | 2021-10-07 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability in the `devcert` module may lead to remote code execution when users of the module pass untrusted input to the `certificateFor` function. | |||||