Total: 3837 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-16733 | 2 Petwant, Skymee | 4 Pf-103, Pf-103 Firmware, Petalk Ai and 1 more | 2019-12-18 | 10.0 HIGH | 9.8 CRITICAL |
processCommandSetUid() in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | |||||
CVE-2019-16737 | 2 Petwant, Skymee | 4 Pf-103, Pf-103 Firmware, Petalk Ai and 1 more | 2019-12-18 | 10.0 HIGH | 9.8 CRITICAL |
The processCommandSetMac() function of libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | |||||
CVE-2019-17364 | 2 Petwant, Skymee | 4 Pf-103, Pf-103 Firmware, Petalk Ai and 1 more | 2019-12-18 | 10.0 HIGH | 9.8 CRITICAL |
The processCommandUploadLog() function of libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | |||||
CVE-2019-19642 | 1 Supermicro | 3 X8sti-f, X8sti-f Bios, X8sti-f Firmware | 2019-12-18 | 9.0 HIGH | 8.8 HIGH |
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareName. The attacker can achieve a persistent backdoor. | |||||
CVE-2019-17501 | 1 Centreon | 1 Centreon | 2019-12-18 | 9.0 HIGH | 8.8 HIGH |
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen). CVE-2019-17501 and CVE-2019-16405 are similar to one another and may be the same. | |||||
CVE-2014-0163 | 1 Redhat | 1 Openshift | 2019-12-16 | 9.0 HIGH | 8.8 HIGH |
Openshift has shell command injection flaws due to unsanitized data being passed into shell commands. | |||||
CVE-2019-3985 | 1 Amazon | 2 Blink Xt2 Sync Module, Blink Xt2 Sync Module Firmware | 2019-12-13 | 8.3 HIGH | 8.8 HIGH |
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's wifi configuration via the ssid parameter. | |||||
CVE-2019-3986 | 1 Amazon | 2 Blink Xt2 Sync Module, Blink Xt2 Sync Module Firmware | 2019-12-13 | 8.3 HIGH | 8.8 HIGH |
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's wifi configuration via the encryption parameter. | |||||
CVE-2019-3987 | 1 Amazon | 2 Blink Xt2 Sync Module, Blink Xt2 Sync Module Firmware | 2019-12-13 | 8.3 HIGH | 8.8 HIGH |
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's wifi configuration via the key parameter. | |||||
CVE-2019-3988 | 1 Amazon | 2 Blink Xt2 Sync Module, Blink Xt2 Sync Module Firmware | 2019-12-13 | 8.3 HIGH | 8.8 HIGH |
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's wifi configuration via the bssid parameter. | |||||
CVE-2019-3989 | 1 Amazon | 2 Blink Xt2 Sync Module, Blink Xt2 Sync Module Firmware | 2019-12-13 | 9.3 HIGH | 9.8 CRITICAL |
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when retrieving internal network configuration data. | |||||
CVE-2019-16242 | 1 Alcatelmobile | 2 Cingular Flip 2, Cingular Flip 2 Firmware | 2019-12-10 | 7.2 HIGH | 6.8 MEDIUM |
On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an engineering application named omamock that is vulnerable to OS command injection. An attacker with physical access to the device can abuse this vulnerability to execute arbitrary OS commands as the root user via the application's UI. | |||||
CVE-2017-12945 | 1 Mersive | 2 Solstice, Solstice Firmware | 2019-12-04 | 9.0 HIGH | 8.8 HIGH |
Insufficient validation of user-supplied input for the Solstice Pod before 2.8.4 networking configuration enables authenticated attackers to execute arbitrary commands as root. | |||||
CVE-2019-19041 | 1 Xorur | 3 Lpar2rrd, Stor2rrd, Xorur | 2019-11-19 | 9.0 HIGH | 7.2 HIGH |
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by the underlying system. It is possible to achieve this by modifying the values in the files.SUM file (which are used for integrity control) and injecting malicious code into the upgrade.sh file. | |||||
CVE-2019-18873 | 1 Fudforum | 1 Fudforum | 2019-11-15 | 8.5 HIGH | 9.0 CRITICAL |
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. The problem is in admsession.php and admuser.php. | |||||
CVE-2019-18839 | 1 Fudforum | 1 Fudforum | 2019-11-15 | 8.5 HIGH | 9.0 CRITICAL |
FUDForum 3.0.9 is vulnerable to Stored XSS via the nlogin parameter. This may result in remote code execution. An attacker can use a user account to fully compromise the system using a POST request. When the admin visits the user information, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. | |||||
CVE-2019-8159 | 1 Magento | 1 Magento | 2019-11-07 | 9.0 HIGH | 8.8 HIGH |
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute arbitrary code through arbitrary file deletion and OS command injection. | |||||
CVE-2019-15588 | 1 Sonatype | 1 Nexus Repository Manager | 2019-11-06 | 9.0 HIGH | 7.2 HIGH |
There is an OS Command Injection in Nexus Repository Manager <= 2.14.14 (bypass of CVE-2019-5475) that could allow an attacker Remote Code Execution (RCE). All instances using CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration Capability. | |||||
CVE-2019-15710 | 1 Fortiguard | 2 Fortiextender, Fortiextender Firmware | 2019-11-06 | 9.0 HIGH | 7.2 HIGH |
An OS command injection vulnerability in FortiExtender 4.1.0 to 4.1.1, 4.0.0 and below under CLI admin console may allow unauthorized administrators to run arbitrary system level commands via specially crafted "execute date" commands. | |||||
CVE-2019-16662 | 1 Rconfig | 1 Rconfig | 2019-10-29 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution. |