Total
4781 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13502 | | | 2025-01-17 | N/A |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Newtec/iDirect NTC2218, NTC2250, NTC2299 on Linux, PowerPC, ARM allows Local Code Inclusion. This issue affects NTC2218, NTC2250, NTC2299: from 1.0.1.1 through 2.2.6.19. The `commit_multicast` page used to configure multicasts in the modem's web administration interface improperly parses incoming data from the request before passing it to an `eval` statement in a bash script. This allows attackers to inject arbitrary shell commands. | ||||
| CVE-2023-22598 | 1 Inhandnetworks | 4 Inrouter302, Inrouter302 Firmware, Inrouter615-s and 1 more | 2025-01-16 | 7.2 High |
| InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). An unauthorized user with privileged access to the local web interface or the cloud account managing the affected devices could push a specially crafted configuration update file to gain root access. This could lead to remote code execution with root privileges. | ||||
| CVE-2022-43483 | 1 Sewio | 1 Real-time Location System Studio | 2025-01-16 | 9.1 Critical |
| Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the monitor services of the software. This could allow a remote attacker to access sensitive functions of the application and execute arbitrary system commands. | ||||
| CVE-2022-47911 | 1 Sewio | 1 Real-time Location System Studio | 2025-01-16 | 9.1 Critical |
| Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not properly validate the input module name to the backup services of the software. This could allow a remote attacker to access sensitive functions of the application and execute arbitrary system commands. | ||||
| CVE-2023-27886 | 1 Propumpservice | 2 Osprey Pump Controller, Osprey Pump Controller Firmware | 2025-01-16 | 9.8 Critical |
| Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through an HTTP POST parameter called by the index.php script. | ||||
| CVE-2023-27394 | 1 Propumpservice | 2 Osprey Pump Controller, Osprey Pump Controller Firmware | 2025-01-16 | 9.8 Critical |
| Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through an HTTP GET parameter called by the DataLogView.php, EventsView.php and AlarmsView.php scripts. | ||||
| CVE-2023-2131 | 1 Inea | 2 Me Rtu, Me Rtu Firmware | 2025-01-16 | 10 Critical |
| Versions of INEA ME RTU firmware prior to 3.36 are vulnerable to OS command injection, which could allow an attacker to remotely execute arbitrary code. | ||||
| CVE-2023-32350 | 1 Teltonika-networks | 36 Rut200, Rut200 Firmware, Rut240 and 33 more | 2025-01-16 | 8 High |
| Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload. | ||||
| CVE-2023-40145 | 1 Weintek | 14 Cmt-fhd, Cmt-fhd Firmware, Cmt-hdm and 11 more | 2025-01-16 | 8.8 High |
| In Weintek's cMT3000 HMI Web CGI device, an anonymous attacker can execute arbitrary commands after login to the device. | ||||
| CVE-2023-4249 | 1 Zavio | 22 B8220, B8220 Firmware, B8520 and 19 more | 2025-01-16 | 8.8 High |
| Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP Cameras with firmware version M2.1.6.05 have a command injection vulnerability in their implementation of their binaries and handling of network requests. | ||||
| CVE-2023-27514 | 1 Contec | 4 Sv-cpt-mc310, Sv-cpt-mc310 Firmware, Sv-cpt-mc310f and 1 more | 2025-01-16 | 8.8 High |
| OS command injection vulnerability in the download page of SolarView Compact SV-CPT-MC310 versions prior to Ver.8.10 and SV-CPT-MC310F versions prior to Ver.8.10 allows a remote authenticated attacker to execute an arbitrary OS command. | ||||
| CVE-2025-0457 | | | 2025-01-16 | 8.8 High |
| The airPASS from NetVision Information has an OS Command Injection vulnerability, allowing remote attackers with regular privileges to inject and execute arbitrary OS commands. | ||||
| CVE-2023-47709 | 1 Ibm | 1 Security Guardium | 2025-01-14 | 9.1 Critical |
| IBM Security Guardium 11.3, 11.4, 11.5, and 12.0 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 271524. | ||||
| CVE-2023-31128 | 1 Nextcloud | 1 Cookbook | 2025-01-14 | 8.1 High |
| NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 on the `master` branch and commit 489bb744 on the `main-0.9.x` branch, the `pull-checks.yml` workflow is vulnerable to command injection attacks because of using an untrusted `github.head_ref` field. The `github.head_ref` value is an attacker-controlled value. Assigning the value to `zzz";echo${IFS}"hello";#` can lead to command injection. Since the permission is not restricted, the attacker has write access to the repository. This issue is fixed in commit a46d9855 on the `master` branch and commit 489bb744 on the `main-0.9.x` branch. There is no risk for the user of the app within the NextCloud server. This only affects the main repository and possible forks of it. Those who have forked the NextCloud Cookbook repository should make sure their forks are on the latest version to prevent code injection attacks and similar. | ||||
| CVE-2018-13284 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | N/A |
| Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command. | ||||
| CVE-2021-29083 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 7.2 High |
| Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via realname parameter. | ||||
| CVE-2022-22684 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 7.2 High |
| Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors. | ||||
| CVE-2022-27616 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 7.2 High |
| Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 7.0.1-42218-3 allows remote authenticated users to execute arbitrary commands via unspecified vectors. | ||||
| CVE-2023-30253 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2025-01-14 | 8.8 High |
| Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: `<?PHP` instead of `<?php` in injected data. | ||||
| CVE-2023-27988 | 1 Zyxel | 6 Nas326, Nas326 Firmware, Nas540 and 3 more | 2025-01-14 | 7.2 High |
| The post-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.13)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device remotely. | ||||