Total: 3597 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-35714 | 1 Linksys | 2 Re6500, Re6500 Firmware | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Belkin LINKSYS RE6500 devices before 1.0.11.001 allow remote authenticated users to execute arbitrary commands via goform/systemCommand?command= in conjunction with the goform/pingstart program. | |||||
| CVE-2020-7607 | 1 Gulp-styledocco Project | 1 Gulp-styledocco | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| gulp-styledocco through 0.0.3 allows execution of arbitrary commands. The argument 'options' of the exports function in 'index.js' can be controlled by users without any sanitization. | |||||
| CVE-2020-36199 | 1 Kaspersky | 1 Tinycheck | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| TinyCheck before commits 9fd360d and ea53de8 was vulnerable to command injection due to insufficient checks of input parameters in several places. | |||||
| CVE-2019-3702 | 1 Lifesize | 6 Icon 300, Icon 300 Firmware, Icon 500 and 3 more | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| A Remote Code Execution issue in the DNS Query Web UI in Lifesize Icon LS_RM3_3.7.0 (2421) allows remote authenticated attackers to execute arbitrary commands via a crafted DNS Query address field in a JSON API request. | |||||
| CVE-2020-4006 | 3 Linux, Microsoft, Vmware | 7 Linux Kernel, Windows, Cloud Foundation and 4 more | 2021-07-21 | 9.0 HIGH | 9.1 CRITICAL |
| VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability. | |||||
| CVE-2020-8797 | 1 Juplink | 2 Rx4-1500, Rx4-1500 Firmware | 2021-07-21 | 6.9 MEDIUM | 6.7 MEDIUM |
| Juplink RX4-1500 v1.0.3 allows remote attackers to gain root access to the Linux subsystem via an unsanitized exec call (aka Command Line Injection), if the undocumented telnetd service is enabled and the attacker can authenticate as admin from the local network. | |||||
| CVE-2019-15490 | 1 It-novum | 1 Openitcockpit | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21. | |||||
| CVE-2019-16730 | 2 Petwant, Skymee | 4 Pf-103, Pf-103 Firmware, Petalk Ai and 1 more | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| processCommandUpgrade() in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | |||||
| CVE-2020-7633 | 1 Apiconnect-cli-plugins Project | 1 Apiconnect-cli-plugins | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| apiconnect-cli-plugins through 6.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the pluginUri argument. | |||||
| CVE-2020-15477 | 1 Raspberrytorte | 1 Raspberrytortoise | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| The WebControl in RaspberryTortoise through 2012-10-28 is vulnerable to remote code execution via shell metacharacters in a URI. The file nodejs/raspberryTortoise.js has no validation on the parameter incomingString before passing it to the child_process.exec function. | |||||
| CVE-2020-7782 | 1 Spritesheet-js Project | 1 Spritesheet-js | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package spritesheet-js. It depends on a vulnerable package platform-command. The injection point is located in line 32 in lib/generator.js, which is triggered by main entry of the package. | |||||
| CVE-2020-18568 | 1 Dlink | 4 Dsr-1000n, Dsr-1000n Firmware, Dsr-250 and 1 more | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The D-Link DSR-250 (3.14) and DSR-1000N (2.11B201) UPnP service contains a command injection vulnerability, which can cause remote command execution. | |||||
| CVE-2020-7596 | 1 Codecov | 1 Nodejs Uploader | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument. | |||||
| CVE-2020-14162 | 1 Pi-hole | 1 Pi-hole | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in Pi-Hole through 5.0. The local www-data user has sudo privileges to execute the pihole core script as root without a password, which could allow an attacker to obtain root access via shell metacharacters to this script's setdns command. | |||||
| CVE-2020-28429 | 1 Geojson2kml Project | 1 Geojson2kml | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package geojson2kml are vulnerable to Command Injection via the index.js file. PoC: var a =require("geojson2kml"); a("./","& touch JHU",function(){}) | |||||
| CVE-2020-29311 | 1 Ubilling | 1 Ubilling | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| Ubilling v1.0.9 allows Remote Command Execution as Root user via a malicious command that is injected inside the config file and triggered by another part of the software. | |||||
| CVE-2020-5505 | 1 Vaaip | 1 Freelancy | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Freelancy v1.0.0 allows remote command execution via the "file":"data:application/x-php;base64 substring (in conjunction with "type":"application/x-php"} to the /api/files/ URI. | |||||
| CVE-2020-13619 | 1 Locutus | 1 Locutus Php | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution. | |||||
| CVE-2020-24849 | 1 Fruitywifi Project | 1 Fruitywifi | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| A remote code execution vulnerability is identified in FruityWifi through 2.4. Due to improperly escaped shell metacharacters obtained from the POST request at the page_config_adv.php page, it is possible to perform remote code execution by an authenticated attacker. This is similar to CVE-2018-17317. | |||||
| CVE-2020-35459 | 2 Clusterlabs, Debian | 2 Crmsh, Debian Linux | 2021-07-21 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history commandline, potentially allowing escalation of privileges. | |||||
