Total
3597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-42279 | 1 Nvidia | 2 Dgx A100, Dgx A100 Firmware | 2023-01-20 | N/A | 8.8 HIGH |
| NVIDIA BMC contains a vulnerability in SPX REST API, where an authorized attacker can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure and data tampering. | |||||
| CVE-2019-15715 | 1 Mantisbt | 1 Mantisbt | 2023-01-20 | 6.5 MEDIUM | 7.2 HIGH |
| MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution. | |||||
| CVE-2022-43390 | 1 Zyxel | 78 Ax7501-b0, Ax7501-b0 Firmware, Dx3301-t0 and 75 more | 2023-01-18 | N/A | 8.8 HIGH |
| A command injection vulnerability in the CGI program of Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to execute some OS commands on a vulnerable device by sending a crafted HTTP request. | |||||
| CVE-2022-48252 | 1 Pi.alert Project | 1 Pi.alert | 2023-01-18 | N/A | 9.8 CRITICAL |
| The jokob-sk/Pi.Alert fork (before 22.12.20) of Pi.Alert allows Remote Code Execution via nmap_scan.php (scan parameter) OS Command Injection. | |||||
| CVE-2022-36926 | 1 Zoom | 1 Rooms | 2023-01-13 | N/A | 7.8 HIGH |
| Zoom Rooms for macOS clients before version 5.11.3 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability to escalate their privileges to root. | |||||
| CVE-2022-43971 | 1 Linksys | 2 Wumc710, Wumc710 Firmware | 2023-01-13 | N/A | 7.2 HIGH |
| An arbitrary code exection vulnerability exists in Linksys WUMC710 Wireless-AC Universal Media Connector with firmware <= 1.0.02 (build3). The do_setNTP function within the httpd binary uses unvalidated user input in the construction of a system command. An authenticated attacker with administrator privileges can leverage this vulnerability over the network via a malicious GET or POST request to /setNTP.cgi to execute arbitrary commands on the underlying Linux operating system as root. | |||||
| CVE-2022-43973 | 1 Linksys | 2 Wrt54gl, Wrt54gl Firmware | 2023-01-13 | N/A | 7.2 HIGH |
| An arbitrary code execution vulnerability exisits in Linksys WRT54GL Wireless-G Broadband Router with firmware <= 4.30.18.006. The Check_TSSI function within the httpd binary uses unvalidated user input in the construction of a system command. An authenticated attacker with administrator privileges can leverage this vulnerability over the network via a malicious POST request to /apply.cgi to execute arbitrary commands on the underlying Linux operating system as root. | |||||
| CVE-2022-46304 | 1 Changingtec | 1 Servisign | 2023-01-09 | N/A | 8.8 HIGH |
| ChangingTec ServiSign component has insufficient filtering for special characters in the connection response parameter. An unauthenticated remote attacker can host a malicious website for the component user to access, which triggers command injection and allows the attacker to execute arbitrary system command to perform arbitrary system operation or disrupt service. | |||||
| CVE-2022-45915 | 1 Ilias | 1 Ilias | 2023-01-06 | N/A | 8.8 HIGH |
| ILIAS before 7.16 allows OS Command Injection. | |||||
| CVE-2022-40005 | 1 Intelbras | 2 Wifiber 120ac Inmesh, Wifiber 120ac Inmesh Firmware | 2023-01-05 | N/A | 8.8 HIGH |
| Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute. | |||||
| CVE-2022-44567 | 1 Rocket.chat | 1 Rocket.chat | 2023-01-04 | N/A | 9.8 CRITICAL |
| A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution (internalVideoChatWindow.ts#L17). To exploit the vulnerability, the internal video chat window must be disabled or a Mac App Store build must be used (internalVideoChatWindow.ts#L14). The vulnerability may be exploited by an XSS attack because the function openInternalVideoChatWindow is exposed in the Rocket.Chat-Desktop-API. | |||||
| CVE-2022-45711 | 1 Ip-com | 2 M50, M50 Firmware | 2023-01-04 | N/A | 9.8 CRITICAL |
| IP-COM M50 V15.11.0.33(10768) was discovered to contain a command injection vulnerability via the hostname parameter in the formSetNetCheckTools function. | |||||
| CVE-2022-4515 | 2 Debian, Exuberant Ctags Project | 2 Debian Linux, Exuberant Ctags | 2023-01-03 | N/A | 7.8 HIGH |
| A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way. | |||||
| CVE-2021-32692 | 2 Activitywatch, Apple | 2 Activitywatch, Macos | 2022-12-30 | N/A | 9.6 CRITICAL |
| Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file. | |||||
| CVE-2022-40624 | 1 Pfsense | 1 Pfblockerng | 2022-12-28 | N/A | 9.8 CRITICAL |
| pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814. | |||||
| CVE-2022-44456 | 1 Contec | 1 Conprosys Hmi System | 2022-12-22 | N/A | 9.8 CRITICAL |
| CONPROSYS HMI System (CHS) Ver.3.4.4?and earlier allows a remote unauthenticated attacker to execute an arbitrary OS command on the server where the product is running by sending a specially crafted request. | |||||
| CVE-2022-42139 | 1 Deltaww | 2 Dvw-w02w2-e2, Dvw-w02w2-e2 Firmware | 2022-12-16 | N/A | 8.8 HIGH |
| Delta Electronics DVW-W02W2-E2 1.5.0.10 is vulnerable to Command Injection via Crafted URL. | |||||
| CVE-2022-42140 | 1 Deltaww | 2 Dx-2100-l1-cn, Dx-2100-l1-cn Firmware | 2022-12-16 | N/A | 7.2 HIGH |
| Delta Electronics DX-2100-L1-CN 2.42 is vulnerable to Command Injection via lform/net_diagnose. | |||||
| CVE-2019-19920 | 3 Canonical, Debian, Sa-exim Project | 3 Ubuntu Linux, Debian Linux, Sa-exim | 2022-12-14 | 9.0 HIGH | 8.8 HIGH |
| sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805. | |||||
| CVE-2017-12121 | 1 Moxa | 2 Edr-810, Edr-810 Firmware | 2022-12-14 | 9.0 HIGH | 8.8 HIGH |
| An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the rsakey\_name= parm in the "/goform/WebRSAKEYGen" uri to trigger this vulnerability. | |||||