Total: 2161 CVE

CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-2352 | | | 2024-11-21 | 6.3 Medium |
A vulnerability, which was classified as critical, has been found in 1Panel up to 1.10.1-lts. Affected by this issue is the function baseApi.UpdateDeviceSwap of the file /api/v1/toolbox/device/update/swap. The manipulation of the argument Path with the input 123123123\nopen -a Calculator leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-256304. | ||||
CVE-2024-29949 | | | 2024-11-21 | 7.2 High |
There is a command injection vulnerability in some Hikvision NVRs. This could allow an authenticated user with administrative rights to execute arbitrary commands. | ||||
CVE-2024-29895 | | | 2024-11-21 | 10 Critical |
Cacti provides an operational monitoring and fault management framework. A command injection vulnerability on the 1.3.x DEV branch allows any unauthenticated user to execute arbitrary commands on the server when the `register_argc_argv` option of PHP is `On`. In `cmd_realtime.php` line 119, the `$poller_id` used as part of the command execution is sourced from `$_SERVER['argv']`, which can be controlled by URL when the `register_argc_argv` option of PHP is `On`. This option is `On` by default in many environments, such as the main PHP Docker image for PHP. Commit 53e8014d1f082034e0646edc6286cde3800c683d contains a patch for the issue, but this commit was reverted in commit 99633903cad0de5ace636249de16f77e57a3c8fc. | ||||
CVE-2024-29864 | | | 2024-11-21 | 9.8 Critical |
Distrobox before 1.7.0.1 allows attackers to execute arbitrary code via command injection into exported executables. | ||||
CVE-2024-29737 | 1 Apache | 1 Streampark | 2024-11-21 | 8.8 High |
In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Mitigation: all users should upgrade to 2.1.4. Background info: Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the "Build Argument". Note that there is no verification and interception of the special character "`". As a result, you will find that this injection command will be successfully executed after executing the build. In the latest version, the special symbol ` is intercepted. | ||||
CVE-2024-29435 | | | 2024-11-21 | 4.1 Medium |
An issue discovered in Alldata v0.4.6 allows an attacker to run arbitrary commands via the processId parameter. | ||||
CVE-2024-29385 | | | 2024-11-21 | 9.0 Critical |
DIR-845L router <= v1.01KRb03 has an Unauthenticated remote code execution vulnerability in the cgibin binary via soapcgi_main function. | ||||
CVE-2024-29366 | | | 2024-11-21 | 8.8 High |
A command injection vulnerability exists in the cgibin binary in DIR-845L router firmware <= v1.01KRb03. | ||||
CVE-2024-29269 | | | 2024-11-21 | 8.8 High |
An issue discovered in Telesquare TLR-2005Ksh 1.0.0 and 1.1.4 allows attackers to run arbitrary system commands via the Cmd parameter. | ||||
CVE-2024-28545 | | | 2024-11-21 | 9.8 Critical |
Tenda AC18 V15.03.05.05 contains a command injection vulnerability in the deviceName parameter of the formsetUsbUnload function. | ||||
CVE-2024-28354 | | | 2024-11-21 | 10.0 Critical |
There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post request parameters usapps.@smb[%d].username in the apply.cgi interface, thereby gaining root shell privileges. | ||||
CVE-2024-28353 | | | 2024-11-21 | 8.8 High |
There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands into the post request parameters usapps.config.smb_admin_name in the apply.cgi interface, thereby gaining root shell privileges. | ||||
CVE-2024-28328 | 1 Asus | 1 Rt-n12+ B1 Firmware | 2024-11-21 | 5.4 Medium |
CSV Injection vulnerability in the Asus RT-N12+ router allows administrator users to inject arbitrary commands or formulas in the client name parameter which can be triggered and executed in a different user session upon exporting to CSV format. | ||||
CVE-2024-28125 | 1 Fitnesse | 1 Fitnesse | 2024-11-21 | 9.8 Critical |
FitNesse all releases allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification and this is currently under further investigation. | ||||
CVE-2024-28041 | | | 2024-11-21 | 8.8 High |
HGW BL1500HM Ver 002.001.013 and earlier allows a network-adjacent unauthenticated attacker to execute an arbitrary command. | ||||
CVE-2024-27972 | 1 Verygoodplugins | 1 Wp Fusion | 2024-11-21 | 9.9 Critical |
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Very Good Plugins WP Fusion Lite allows Command Injection. This issue affects WP Fusion Lite: from n/a through 3.41.24. | ||||
CVE-2024-26298 | | | 2024-11-21 | 7.2 High |
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. | ||||
CVE-2024-26297 | | | 2024-11-21 | 7.2 High |
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. | ||||
CVE-2024-26296 | | | 2024-11-21 | 7.2 High |
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. | ||||
CVE-2024-26295 | | | 2024-11-21 | 7.2 High |
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. |