Total: 3837 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-13353 | 1 Terra-master | 1 Terramaster Operating System | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter. | |||||
CVE-2018-11155 | 1 Quest | 1 Disk Backup | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 13 of 46). | |||||
CVE-2017-8220 | 1 Tp-link | 4 C2, C20i, C20i Firmware and 1 more | 2019-10-03 | 9.0 HIGH | 9.9 CRITICAL |
TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n allow remote code execution with a single HTTP request by placing shell commands in a "host=" line within HTTP POST data. | |||||
CVE-2018-13358 | 1 Terra-master | 1 Terramaster Operating System | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter. | |||||
CVE-2017-11322 | 1 Ucopia | 1 Ucopia Wireless Appliance | 2019-10-03 | 7.2 HIGH | 8.2 HIGH |
The chroothole_client executable in UCOPIA Wireless Appliance before 5.1.8 allows remote attackers to gain root privileges via a dollar sign ($) metacharacter in the argument to chroothole_client. | |||||
CVE-2018-11169 | 1 Quest | 1 Disk Backup | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 27 of 46). | |||||
CVE-2017-16666 | 1 Xplico | 1 Xplico | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
Xplico before 1.2.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the name of an uploaded PCAP file. NOTE: this issue can be exploited without authentication by leveraging the user registration feature. | |||||
CVE-2017-6398 | 1 Trendmicro | 1 Interscan Messaging Security Virtual Appliance | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. An authenticated user can execute a terminal command in the context of the web server user (which is root). Besides, the default installation of IMSVA comes with default administrator credentials. The saveCert.imss endpoint takes several user inputs and performs blacklisting. After that, it uses them as arguments to a predefined operating-system command without proper sanitization. However, because of an improper blacklisting rule, it's possible to inject arbitrary commands into it. | |||||
CVE-2017-6359 | 1 Qnap | 1 Qts | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and execute arbitrary commands via unspecified vectors. | |||||
CVE-2017-1000159 | 1 Gnome | 1 Evince | 2019-10-03 | 4.6 MEDIUM | 7.8 HIGH |
Command injection in evince via filename when printing to PDF. This affects versions earlier than 3.25.91. | |||||
CVE-2017-17758 | 1 Tp-link | 30 Tl-war1200l, Tl-war1200l Firmware, Tl-war1300l and 27 more | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the interface field of an admin/dhcps command to cgi-bin/luci, related to the zone_get_iface_bydev function in /usr/lib/lua/luci/controller/admin/dhcps.lua in uhttpd. | |||||
CVE-2017-1000220 | 1 Pidusage Project | 1 Pidusage | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
soyuka/pidusage <=1.1.4 is vulnerable to command injection in the module, resulting in arbitrary command execution. | |||||
CVE-2017-6087 | 1 Eonweb Project | 1 Eonweb | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the selected_events[] parameter in the (1) acknowledge, (2) delete, or (3) ownDisown function in module/monitoring_ged/ged_functions.php or the (4) module parameter to module/index.php. | |||||
CVE-2018-11184 | 1 Quest | 1 Disk Backup | 2019-10-03 | 6.5 MEDIUM | 7.2 HIGH |
Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 42 of 46). | |||||
CVE-2018-11185 | 1 Quest | 1 Disk Backup | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 43 of 46). | |||||
CVE-2018-16146 | 1 Opsview | 1 Opsview | 2019-10-03 | 9.0 HIGH | 7.2 HIGH |
The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account. | |||||
CVE-2018-1000885 | 1 Phkp Project | 1 Phkp | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
PHKP version including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in function pgp_exec() phkp.php:98 that can result in manipulation of gpg-keys or remote command execution. This attack appears to be exploitable via HKP-Api: /pks/lookup?search. | |||||
CVE-2018-13320 | 1 Buffalo | 2 Ts5600d1206, Ts5600d1206 Firmware | 2019-10-03 | 6.5 MEDIUM | 7.2 HIGH |
System Command Injection in network.set_auth_settings in Buffalo TS5600D1206 version 3.70-0.10 allows attackers to execute system commands via the adminUsername and adminPassword parameters. | |||||
CVE-2018-10987 | 1 Diqee | 2 Diqee360, Diqee360 Firmware | 2019-10-03 | 8.5 HIGH | 7.5 HIGH |
An issue was discovered on Dongguan Diqee Diqee360 devices. The affected vacuum cleaner suffers from an authenticated remote code execution vulnerability. An authenticated attacker can send a specially crafted UDP packet, and execute commands on the vacuum cleaner as root. The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153). A crafted UDP packet runs "/mnt/skyeye/mode_switch.sh %s" with an attacker controlling the %s variable. In some cases, authentication can be achieved with the default password of 888888 for the admin account. | |||||
CVE-2018-11174 | 1 Quest | 1 Disk Backup | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
Quest DR Series Disk Backup software version before 4.0.3.1 allows command injection (issue 32 of 46). |