ReportizFlow
Filtered by vendor
Subscriptions
Total
4128 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-9977 | 1 Mitrastar | 1 Gpt-2541gnac | 2024-10-16 | 4.7 Medium |
| A vulnerability, which was classified as critical, was found in MitraStar GPT-2541GNAC BR_g5.6_1.11(WVK.0)b26. Affected is an unknown function of the file /cgi-bin/settings-firewall.cgi of the component Firewall Settings Page. The manipulation of the argument SrcInterface leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. We tried to contact the vendor early about the disclosure but the official mail address was not working properly. | ||||
| CVE-2024-22033 | 2024-10-16 | 6.3 Medium | ||
| The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps | ||||
| CVE-2024-45698 | 1 Dlink | 3 Dir-4860 A1, Dir-x4860, Dir-x4860 Firmware | 2024-10-15 | 9.8 Critical |
| Certain models of D-Link wireless routers do not properly validate user input in the telnet service, allowing unauthenticated remote attackers to use hard-coded credentials to log into telnet and inject arbitrary OS commands, which can then be executed on the device. | ||||
| CVE-2024-9380 | 1 Ivanti | 1 Endpoint Manager Cloud Services Appliance | 2024-10-10 | 7.2 High |
| An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution. | ||||
| CVE-2024-21532 | 1 Bahmutov | 1 Ggit | 2024-10-10 | 7.3 High |
| All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec() Node.js child process API. | ||||
| CVE-2024-45880 | 1 Motorola | 1 Cx2l Firmware | 2024-10-10 | 8 High |
| A command injection vulnerability exists in Motorola CX2L router v1.0.2 and below. The vulnerability is present in the SetStationSettings function. The system directly invokes the system function to execute commands for setting parameters such as MAC address without proper input filtering. This allows malicious users to inject and execute arbitrary commands. | ||||
| CVE-2024-46316 | 1 Draytek | 1 Vigor3900 Firmware | 2024-10-10 | 8 High |
| DrayTek Vigor3900 v1.5.1.6 was discovered to contain a command injection vulnerability via the sub_2C920 function at /cgi-bin/mainfunction.cgi. This vulnerability allows attackers to execute arbitrary commands via supplying a crafted HTTP message. | ||||
| CVE-2023-26315 | 1 Mi | 2 Ax9000, Ax9000 Firmware | 2024-10-08 | 6.5 Medium |
| The Xiaomi router AX9000 has a post-authentication command injection vulnerability. This vulnerability is caused by the lack of input filtering, allowing an attacker to exploit it to obtain root access to the device. | ||||
| CVE-2024-46658 | 1 Syrotech | 1 Sy-gpon-8olt-l3 Firmware | 2024-10-07 | 8 High |
| Syrotech SY-GOPON-8OLT-L3 v1.6.0_240629 was discovered to contain an authenticated command injection vulnerability. | ||||
| CVE-2024-46486 | 1 Tp-link | 1 Tl-wdr5620 Firmware | 2024-10-07 | 8 High |
| TP-LINK TL-WDR5620 v2.3 was discovered to contain a remote code execution (RCE) vulnerability via the httpProcDataSrv function. | ||||
| CVE-2024-41585 | 1 Draytek | 1 Vigor3910 Firmware | 2024-10-07 | 6.8 Medium |
| DrayTek Vigor3910 devices through 4.3.2.6 are affected by an OS command injection vulnerability that allows an attacker to leverage the recvCmd binary to escape from the emulated instance and inject arbitrary commands into the host machine. | ||||
| CVE-2024-47608 | 1 Definetlynotai | 1 Logicytics | 2024-10-07 | 9.8 Critical |
| Logicytics is designed to harvest and collect data for forensic analysis. Logicytics has a basic vuln affecting compromised devices from shell injections. This vulnerability is fixed in 2.3.2. | ||||
| CVE-2024-45251 | 1 Elsight | 1 Halo Firmware | 2024-10-07 | 9.8 Critical |
| Elsight – CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | ||||
| CVE-2024-45252 | 1 Elsight | 1 Halo Firmware | 2024-10-07 | 9.8 Critical |
| Elsight – CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | ||||
| CVE-2024-46628 | 2 Tenda, Tendacn | 3 G3 Firmware, G3, G3 Firmware | 2024-10-04 | 8 High |
| Tenda G3 Router firmware v15.03.05.05 was discovered to contain a remote code execution (RCE) vulnerability via the usbPartitionName parameter in the formSetUSBPartitionUmount function. | ||||
| CVE-2024-9441 | 1 Nortekcontrol | 1 Emerge E3 Firmware | 2024-10-04 | 9.8 Critical |
| The Linear eMerge e3-Series through version 1.00-07 is vulnerable to an OS command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary OS commands via the login_id parameter when invoking the forgot_password functionality over HTTP. | ||||
| CVE-2024-23961 | 2 Alpine, Alpsalpine | 3 Halo9, Ilx-f509, Ilx-f509 Firmware | 2024-10-03 | 6.8 Medium |
| Alpine Halo9 UPDM_wemCmdUpdFSpeDecomp Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Alpine Halo9 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPDM_wemCmdUpdFSpeDecomp function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23306 | ||||
| CVE-2024-23924 | 2 Alpine, Alpsalpine | 3 Halo9, Ilx-f509, Ilx-f509 Firmware | 2024-10-03 | 6.8 Medium |
| Alpine Halo9 UPDM_wemCmdCreatSHA256Hash Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Alpine Halo9 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPDM_wemCmdCreatSHA256Hash function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23105 | ||||
| CVE-2024-20398 | 1 Cisco | 2 Ios Xr, Ios Xr Software | 2024-10-03 | 8.8 High |
| A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to obtain read/write file system access on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root. | ||||
| CVE-2024-20483 | 1 Cisco | 1 Ios Xr | 2024-10-03 | 7.2 High |
| Multiple vulnerabilities in Cisco Routed PON Controller Software, which runs as a docker container on hardware that is supported by Cisco IOS XR Software, could allow an authenticated, remote attacker with Administrator-level privileges on the PON Manager or direct access to the PON Manager MongoDB instance to perform command injection attacks on the PON Controller container and execute arbitrary commands as root. These vulnerabilities are due to insufficient validation of arguments that are passed to specific configuration commands. An attacker could exploit these vulnerabilities by including crafted input as the argument of an affected configuration command. A successful exploit could allow the attacker to execute arbitrary commands as root on the PON controller. | ||||