Total
3837 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-35714 | 1 Linksys | 2 Re6500, Re6500 Firmware | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Belkin LINKSYS RE6500 devices before 1.0.11.001 allow remote authenticated users to execute arbitrary commands via goform/systemCommand?command= in conjunction with the goform/pingstart program. | |||||
| CVE-2020-29664 | 1 Dji | 2 Mavic 2, Mavic 2 Firmware | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| A command injection issue in dji_sys in DJI Mavic 2 Remote Controller before firmware version 01.00.0510 allows for code execution via a malicious firmware upgrade packet. | |||||
| CVE-2020-29381 | 1 Vsolcn | 10 V1600d, V1600d-mini, V1600d-mini Firmware and 7 more | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in "upload tftp syslog" and "upload tftp configuration" in the CLI via a crafted filename. | |||||
| CVE-2020-7781 | 1 Connection-tester Project | 1 Connection-tester | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects the package connection-tester before 0.2.1. The injection point is located in line 15 in index.js. The following PoC demonstrates the vulnerability: | |||||
| CVE-2019-10786 | 1 Network-manager Project | 1 Network-manager | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| network-manager through 1.0.2 allows remote attackers to execute arbitrary commands via the "execSync()" argument. | |||||
| CVE-2020-25759 | 1 Dlink | 20 Dsr-1000, Dsr-1000 Firmware, Dsr-1000ac and 17 more | 2021-07-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered on D-Link DSR-250 3.17 devices. Certain functionality in the Unified Services Router web interface could allow an authenticated attacker to execute arbitrary commands, due to a lack of validation of inputs provided in multipart HTTP POST requests. | |||||
| CVE-2020-7634 | 1 Heroku-addonpool Project | 1 Heroku-addonpool | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| heroku-addonpool through 0.1.15 is vulnerable to Command Injection. | |||||
| CVE-2020-7603 | 1 Closure-compiler-stream Project | 1 Closure-compiler-stream | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization. | |||||
| CVE-2020-6756 | 1 Rasilient | 2 Pixelstor 5000, Pixelstor 5000 Firmware | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| languageOptions.php in Rasilient PixelStor 5000 K:4.0.1580-20150629 (KDI Version) allows unauthenticated attackers to remotely execute code via the lang parameter. | |||||
| CVE-2020-11766 | 2 Avantfax, Ifax | 2 Avantfax, Hylafax | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| sendfax.php in iFAX AvantFAX before 3.3.6 and HylaFAX Enterprise Web Interface before 0.2.5 allows authenticated Command Injection. | |||||
| CVE-2020-25757 | 1 Dlink | 20 Dsr-1000, Dsr-1000 Firmware, Dsr-1000ac and 17 more | 2021-07-21 | 8.3 HIGH | 8.8 HIGH |
| A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17. | |||||
| CVE-2019-14479 | 1 Adremsoft | 1 Netcrunch | 2021-07-21 | 9.0 HIGH | 8.8 HIGH |
| AdRem NetCrunch 10.6.0.4587 allows Remote Code Execution. In the NetCrunch web client, a read-only administrator can execute arbitrary code on the server running the NetCrunch server software. | |||||
| CVE-2020-8126 | 1 Ui | 1 Edgeswitch | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| A privilege escalation in the EdgeSwitch prior to version 1.7.1, an CGI script don't fully sanitize the user input resulting in local commands execution, allowing an operator user (Privilege-1) to escalate privileges and became administrator (Privilege-15). | |||||
| CVE-2020-7601 | 1 Gulp-scss-lint Project | 1 Gulp-scss-lint | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| gulp-scss-lint through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands to the "exec" function located in "src/command.js" via the provided options. | |||||
| CVE-2020-12242 | 1 Valvesoftware | 1 Source | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| Valve Source allows local users to gain privileges by writing to the /tmp/hl2_relaunch file, which is later executed in the context of a different user account. | |||||
| CVE-2020-27542 | 1 Company | 2 Cs-c2shw, Cs-c2shw Firmware | 2021-07-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| Rostelecom CS-C2SHW 5.0.082.1 is affected by: Bash command injection. The camera reads configuration from QR code (including network settings). The static IP configuration from QR code is copied to the file /config/ip-static and after reboot data from this file is inserted into bash command (without any escaping). So bash injection is possible. Camera doesn't parse QR codes if it's already successfully configured. Camera is always rebooted after successful configuration via QR code. | |||||
| CVE-2020-7785 | 1 Node-ps Project | 1 Node-ps | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package node-ps. The injection point is located in line 72 in lib/index.js. | |||||
| CVE-2020-7596 | 1 Codecov | 1 Nodejs Uploader | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument. | |||||
| CVE-2020-7786 | 1 Macfromip Project | 1 Macfromip | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package macfromip. The injection point is located in line 66 in macfromip.js. | |||||
| CVE-2020-36246 | 1 Amaze File Manager Project | 1 Amaze File Manager | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| Amaze File Manager before 3.5.1 allows attackers to obtain root privileges via shell metacharacters in a symbolic link. | |||||