Total
4781 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-0481 | 1 Cisco | 1 Ios Xe | 2024-11-26 | 6.7 Medium |
| A vulnerability in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to execute commands on the underlying Linux shell of an affected device with root privileges. The vulnerability exist because the affected software improperly sanitizes command arguments, failing to prevent access to certain internal data structures on an affected device. An attacker who has privileged EXEC mode (privilege level 15) access to an affected device could exploit these vulnerabilities on the device by executing CLI commands that contain custom arguments. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the affected device. | ||||
| CVE-2018-15368 | 1 Cisco | 1 Ios Xe | 2024-11-26 | 6.7 Medium |
| A vulnerability in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to gain access to the underlying Linux shell of an affected device and execute arbitrary commands with root privileges on the device. The vulnerability is due to the affected software improperly sanitizing command arguments to prevent modifications to the underlying Linux filesystem on a device. An attacker who has privileged EXEC mode (privilege level 15) access to an affected device could exploit this vulnerability on the device by executing CLI commands that contain crafted arguments. A successful exploit could allow the attacker to gain access to the underlying Linux shell of the affected device and execute arbitrary commands with root privileges on the device. | ||||
| CVE-2018-15442 | 1 Cisco | 2 Webex Meetings Desktop, Webex Productivity Tools | 2024-11-26 | N/A |
| A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools. | ||||
| CVE-2024-50359 | 1 Advantech | 3 Eki-6333ac-1gpo Firmware, Eki-6333ac-2g Firmware, Eki-6333ac-2gd Firmware | 2024-11-26 | 7.2 High |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "scan_ap" API which are not properly sanitized before being concatenated to OS level commands. | ||||
| CVE-2024-50360 | 1 Advantech | 3 Eki-6333ac-1gpo Firmware, Eki-6333ac-2g Firmware, Eki-6333ac-2gd Firmware | 2024-11-26 | 7.2 High |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "snmp_apply" API which are not properly sanitized before being concatenated to OS level commands. | ||||
| CVE-2024-50366 | 1 Advantech | 3 Eki-6333ac-1gpo Firmware, Eki-6333ac-2g Firmware, Eki-6333ac-2gd Firmware | 2024-11-26 | 7.2 High |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "applications_apply" API which are not properly sanitized before being concatenated to OS level commands. | ||||
| CVE-2024-50368 | 2024-11-26 | 7.2 High | ||
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "basic_htm" API which are not properly sanitized before being concatenated to OS level commands. | ||||
| CVE-2024-50369 | 2024-11-26 | 7.2 High | ||
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "multiple_ssid_htm" API which are not properly sanitized before being concatenated to OS level commands. | ||||
| CVE-2024-50370 | 2024-11-26 | 9.8 Critical | ||
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point and malicious commands are executed with root privileges. No authentication is enabled on the service and the source of the vulnerability resides in processing code associated to the "cfg_cmd_set_eth_conf" operation. | ||||
| CVE-2024-50371 | 1 Advantech | 3 Eki-6333ac-1gpo Firmware, Eki-6333ac-2g Firmware, Eki-6333ac-2gd Firmware | 2024-11-26 | 9.8 Critical |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point and malicious commands are executed with root privileges. No authentication is enabled on the service and the source of the vulnerability resides in processing code associated to the "wlan_scan" operation. | ||||
| CVE-2024-50372 | 1 Advantech | 3 Eki-6333ac-1gpo Firmware, Eki-6333ac-2g Firmware, Eki-6333ac-2gd Firmware | 2024-11-26 | 9.8 Critical |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point and malicious commands are executed with root privileges. No authentication is enabled on the service and the source of the vulnerability resides in processing code associated to the "backup_config_to_utility" operation. | ||||
| CVE-2024-50373 | 1 Advantech | 3 Eki-6333ac-1gpo Firmware, Eki-6333ac-2g Firmware, Eki-6333ac-2gd Firmware | 2024-11-26 | 9.8 Critical |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point and malicious commands are executed with root privileges. No authentication is enabled on the service and the source of the vulnerability resides in processing code associated to the "restore_config_from_utility" operation. | ||||
| CVE-2024-50374 | 1 Advantech | 3 Eki-6333ac-1gpo Firmware, Eki-6333ac-2g Firmware, Eki-6333ac-2gd Firmware | 2024-11-26 | 9.8 Critical |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point and malicious commands are executed with root privileges. No authentication is enabled on the service and the source of the vulnerability resides in processing code associated to the "capture_packages" operation. | ||||
| CVE-2024-50375 | 1 Advantech | 3 Eki-6333ac-1gpo Firmware, Eki-6333ac-2g Firmware, Eki-6333ac-2gd Firmware | 2024-11-26 | 9.8 Critical |
| A CWE-306 "Missing Authentication for Critical Function" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by remote unauthenticated users capable of interacting with the default "edgserver" service enabled on the access point. | ||||
| CVE-2024-50377 | 1 Advantech | 3 Eki-6333ac-1gpo Firmware, Eki-6333ac-2g Firmware, Eki-6333ac-2gd Firmware | 2024-11-26 | 6.5 Medium |
| A CWE-798 "Use of Hard-coded Credentials" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability is associated to the backup configuration functionality that by default encrypts the archives using a static password. | ||||
| CVE-2024-50376 | 2024-11-26 | 7.3 High | ||
| A CWE-79 "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited remotely leveraging a rogue Wi-Fi access point with a malicious SSID. | ||||
| CVE-2024-26258 | 1 Elecom | 2 Wrc-g01-w Firmware, Wrc-x3200gst3-b Firmware | 2024-11-26 | 7.1 High |
| OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with credentials to execute arbitrary OS commands by sending a specially crafted request to the product. | ||||
| CVE-2024-47407 | 1 Myscada | 2 Mypro Manager, Mypro Runtime | 2024-11-25 | 10 Critical |
| A parameter within a command does not properly validate input within myPRO Manager which could be exploited by an unauthenticated remote attacker to inject arbitrary operating system commands. | ||||
| CVE-2024-52034 | 1 Myscada | 2 Mypro Manager, Mypro Runtime | 2024-11-25 | 10 Critical |
| An OS Command Injection vulnerability exists within myPRO Manager. A parameter within a command can be exploited by an unauthenticated remote attacker to inject arbitrary operating system commands. | ||||
| CVE-2023-51625 | 1 Dlink | 2 Dcs-8300lhv2, Dcs-8300lhv2 Firmware | 2024-11-25 | 8.0 High |
| D-Link DCS-8300LHV2 ONVIF SetSystemDateAndTime Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DCS-8300LHV2 IP cameras. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the implementation of the ONVIF API, which listens on TCP port 80. When parsing the sch:TZ XML element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21319. | ||||