Total
3597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-34540 | 1 Dw | 2 Megapix, Megapix Firmware | 2023-08-08 | N/A | 8.8 HIGH |
| Digital Watchdog DW MEGApix IP cameras A7.2.2_20211029 was discovered to contain a command injection vulnerability in the component /admin/vca/license/license_tok.cgi. This vulnerability is exploitable via a crafted POST request. | |||||
| CVE-2022-33941 | 1 Alfasado | 1 Powercms | 2023-08-08 | N/A | 9.8 CRITICAL |
| PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability. Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products/versions are as follows: PowerCMS 6.021 and earlier (PowerCMS 6 Series), PowerCMS 5.21 and earlier (PowerCMS 5 Series), and PowerCMS 4.51 and earlier (PowerCMS 4 Series). Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability. | |||||
| CVE-2022-24441 | 1 Snyk | 3 Snyk Cli, Snyk Language Server, Snyk Security | 2023-08-08 | N/A | 8.8 HIGH |
| The package snyk before 1.1064.0 are vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder must be marked as ‘trusted’ in order to be vulnerable. **NOTE:** This issue is independent of the one reported in [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342), and upgrading to a fixed version for this addresses that issue as well. The affected IDE plugins and versions are: - VS Code - Affected: <=1.8.0, Fixed: 1.9.0 - IntelliJ - Affected: <=2.4.47, Fixed: 2.4.48 - Visual Studio - Affected: <=1.1.30, Fixed: 1.1.31 - Eclipse - Affected: <=v20221115.132308, Fixed: All subsequent versions - Language Server - Affected: <=v20221109.114426, Fixed: All subsequent versions | |||||
| CVE-2022-37129 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2023-08-08 | N/A | 8.8 HIGH |
| D-Link DIR-816 A2_v1.10CNB04.img is vulnerable to Command Injection via /goform/SystemCommand. After the user passes in the command parameter, it will be spliced into byte_4836B0 by snprintf, and finally doSystem(&byte_4836B0); will be executed, resulting in a command injection. | |||||
| CVE-2022-48121 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the rsabits parameter in the setting/delStaticDhcpRules function. | |||||
| CVE-2022-46598 | 1 Trendnet | 2 Tew-755ap, Tew-755ap Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| TRENDnet TEW755AP 1.13B01 was discovered to contain a command injection vulnerability via the wps_sta_enrollee_pin parameter in the action set_sta_enrollee_pin_5g function. | |||||
| CVE-2022-24237 | 1 Snapt | 1 Aria | 2023-08-08 | 6.5 MEDIUM | 8.8 HIGH |
| The snaptPowered2 component of Snapt Aria v12.8 was discovered to contain a command injection vulnerability. This vulnerability allows authenticated attackers to execute arbitrary commands. | |||||
| CVE-2022-28491 | 1 Totolink | 2 Cp900, Cp900 Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 contains a command injection vulnerability in the NTPSyncWithHost function via the host_name parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | |||||
| CVE-2022-28573 | 1 Dlink | 2 Dir-823 Pro, Dir-823 Pro Firmware | 2023-08-08 | 10.0 HIGH | 9.8 CRITICAL |
| D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetNTPserverSeting. This vulnerability allows attackers to execute arbitrary commands via the system_time_timezone parameter. | |||||
| CVE-2022-30023 | 1 Tenda | 2 Hg9, Hg9 Firmware | 2023-08-08 | 9.0 HIGH | 8.8 HIGH |
| Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. | |||||
| CVE-2022-48124 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the FileName parameter in the setting/setOpenVpnCertGenerationCfg function. | |||||
| CVE-2022-48107 | 1 Dlink | 2 Dir 878, Dir 878 Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| D-Link DIR_878_FW1.30B08 was discovered to contain a command injection vulnerability via the component /setnetworksettings/IPAddress. This vulnerability allows attackers to escalate privileges to root via a crafted payload. | |||||
| CVE-2022-28584 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2023-08-08 | 10.0 HIGH | 9.8 CRITICAL |
| It is found that there is a command injection vulnerability in the setWiFiWpsStart interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload. | |||||
| CVE-2022-28580 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2023-08-08 | 10.0 HIGH | 9.8 CRITICAL |
| It is found that there is a command injection vulnerability in the setL2tpServerCfg interface in TOTOlink A7100RU (v7.4cu.2313_b20191024) router, which allows an attacker to execute arbitrary commands through a carefully constructed payload. | |||||
| CVE-2022-25076 | 1 Totolink | 2 A800r, A800r Firmware | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| TOTOLink A800R V4.1.2cu.5137_B20200730 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter. | |||||
| CVE-2022-46597 | 1 Trendnet | 2 Tew-755ap, Tew-755ap Firmware | 2023-08-08 | N/A | 9.8 CRITICAL |
| TRENDnet TEW755AP 1.13B01 was discovered to contain a command injection vulnerability via the sys_service parameter in the setup_wizard_mydlink (sub_4104B8) function. | |||||
| CVE-2022-24697 | 1 Apache | 1 Kylin | 2023-08-08 | N/A | 9.8 CRITICAL |
| Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier. | |||||
| CVE-2022-36749 | 1 Sourcefabric | 1 Rpi-jukebox-rfid | 2023-08-08 | N/A | 9.8 CRITICAL |
| RPi-Jukebox-RFID v2.3.0 was discovered to contain a command injection vulnerability via the component /htdocs/utils/Files.php. This vulnerability is exploited via a crafted payload injected into the file name of an uploaded file. | |||||
| CVE-2022-28905 | 1 Totolink | 2 N600r, N600r Firmware | 2023-08-08 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the devicemac parameter in /setting/setDeviceName. | |||||
| CVE-2022-36455 | 1 Totolink | 2 A3600r, A3600r Firmware | 2023-08-08 | N/A | 7.8 HIGH |
| TOTOLink A3600R V4.1.2cu.5182_B20201102 was discovered to contain a command injection vulnerability via the username parameter in /cstecgi.cgi. | |||||