Total: 3597 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-12107 | 1 Stengg | 2 Vpncrypt M10, Vpncrypt M10 Firmware | 2020-08-19 | 7.5 HIGH | 9.8 CRITICAL |
| The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows command injection via a text field, which allows full control over this module's operating system. | |||||
| CVE-2013-2024 | 2 Call-cc, Debian | 2 Chicken, Debian Linux | 2020-08-18 | 9.0 HIGH | 8.8 HIGH |
| OS command injection vulnerability in the "qs" procedure from the "utils" module in Chicken before 4.9.0. | |||||
| CVE-2020-13124 | 1 Sabnzbd | 1 Sabnzbd | 2020-08-13 | 6.5 MEDIUM | 8.8 HIGH |
| SABnzbd 2.3.9 and 3.0.0Alpha2 has a command injection vulnerability in the web configuration interface that permits an authenticated user to execute arbitrary Python commands on the underlying operating system. | |||||
| CVE-2020-14324 | 1 Redhat | 1 Cloudforms Management Engine | 2020-08-13 | 6.5 MEDIUM | 9.1 CRITICAL |
| A high severity vulnerability was found in all active versions of Red Hat CloudForms before 5.11.7.0. The out-of-band OS command injection vulnerability can be exploited by an authenticated attacker while setting up a conversion host through the Infrastructure Migration Solution. This flaw allows an attacker to execute arbitrary commands on the CloudForms server. | |||||
| CVE-2020-17352 | 1 Sophos | 1 Xg Firewall Firmware | 2020-08-12 | 6.5 MEDIUM | 8.8 HIGH |
| Two OS command injection vulnerabilities in the User Portal of Sophos XG Firewall through 2020-08-05 potentially allow an authenticated attacker to remotely execute arbitrary code. | |||||
| CVE-2020-13404 | 1 Quadra-informatique | 1 Atos/sips | 2020-08-10 | 9.0 HIGH | 8.8 HIGH |
| The ATOS/Sips (aka Atos-Magento) community module 3.0.0 to 3.0.5 for Magento allows command injection. | |||||
| CVE-2020-7361 | 1 Easycorp | 1 Zentao Pro | 2020-08-10 | 9.0 HIGH | 8.8 HIGH |
| The EasyCorp ZenTao Pro application suffers from an OS command injection vulnerability in its '/pro/repo-create.html' component. After authenticating to the ZenTao dashboard, attackers may construct and send arbitrary OS commands via the POST parameter 'path', and those commands will run in an elevated SYSTEM context on the underlying Windows operating system. | |||||
| CVE-2020-15467 | 1 Cohesive | 1 Vns3 | 2020-08-05 | 9.0 HIGH | 8.8 HIGH |
| The administrative interface of Cohesive Networks vns3:vpn appliances before version 4.11.1 is vulnerable to authenticated remote code execution leading to server compromise. | |||||
| CVE-2017-1000009 | 1 Akeneo | 1 Product Information Management | 2020-08-05 | 7.5 HIGH | 9.8 CRITICAL |
| Akeneo PIM CE and EE <1.6.6, <1.5.15, <1.4.28 are vulnerable to shell injection in the mass edition, resulting in remote execution. | |||||
| CVE-2020-5760 | 1 Grandstream | 12 Ht801, Ht801 Firmware, Ht802 and 9 more | 2020-07-31 | 9.3 HIGH | 7.8 HIGH |
| Grandstream HT800 series firmware version 1.0.17.5 and below is vulnerable to an OS command injection vulnerability. Unauthenticated remote attackers can execute arbitrary commands as root by crafting a special configuration file and sending a crafted SIP message. | |||||
| CVE-2017-17458 | 2 Debian, Mercurial | 2 Debian Linux, Mercurial | 2020-07-31 | 10.0 HIGH | 9.8 CRITICAL |
| In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically. | |||||
| CVE-2020-15609 | 1 Centos-webpanel | 1 Centos Web Panel | 2020-07-28 | 10.0 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_dashboard.php. When parsing the service_stop parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9726. | |||||
| CVE-2020-15631 | 1 Dlink | 2 Dap-1860, Dap-1860 Firmware | 2020-07-28 | 5.8 MEDIUM | 8.0 HIGH |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1860 1.04B03_HOTFIX WiFi extenders. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the HNAP service, which listens on TCP port 80 by default. When parsing the SOAPAction header, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-10084. | |||||
| CVE-2020-15123 | 1 Codecov | 1 Codecov | 2020-07-27 | 6.8 MEDIUM | 9.3 CRITICAL |
| In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was issued but the fix was incomplete: it only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer. The attack surface is low in this case, particularly in the standard use of codecov, where the module is used directly in a build pipeline rather than built against as a library in another application that may supply malicious input and perform command injection. | |||||
| CVE-2020-15916 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2020-07-27 | 10.0 HIGH | 9.8 CRITICAL |
| goform/AdvSetLanip endpoint on Tenda AC15 AC1900 15.03.05.19 devices allows remote attackers to execute arbitrary system commands via shell metacharacters in the lanIp POST parameter. | |||||
| CVE-2020-11981 | 1 Apache | 1 Airflow | 2020-07-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands. | |||||
| CVE-2020-7825 | 1 Tobesoft | 1 Miplatform | 2020-07-23 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability exists that could allow the execution of operating system commands on systems running MiPlatform 2019.05.16 and earlier. An attacker could execute arbitrary remote commands by sending parameters to the WinExec function in the ExtCommandApi.dll module of MiPlatform. | |||||
| CVE-2020-5757 | 1 Grandstream | 6 Ucm6202, Ucm6202 Firmware, Ucm6204 and 3 more | 2020-07-23 | 10.0 HIGH | 9.8 CRITICAL |
| Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API. | |||||
| CVE-2020-3332 | 1 Cisco | 8 Rv110w Wireless-n Vpn Firewall, Rv110w Wireless-n Vpn Firewall Firmware, Rv130 Vpn Router and 5 more | 2020-07-23 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Series Routers could allow an authenticated, remote attacker to inject arbitrary shell commands that are executed by an affected device. The vulnerability is due to insufficient input validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary shell commands or scripts with root privileges on the affected device. | |||||
| CVE-2020-5758 | 1 Grandstream | 6 Ucm6202, Ucm6202 Firmware, Ucm6204 and 3 more | 2020-07-23 | 9.0 HIGH | 8.8 HIGH |
| Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can execute commands as the root user by sending a crafted HTTP GET to the UCM's "Old" HTTPS API. | |||||
