ReportizFlow
Filtered by vendor
Subscriptions
Total
4128 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-8686 | 1 Paloaltonetworks | 3 Cloud Ngfw, Pan-os, Prisma Access | 2024-10-03 | 7.2 High |
| A command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as root on the firewall. | ||||
| CVE-2024-43405 | 1 Projectdiscovery | 1 Nuclei | 2024-10-01 | 7.4 High |
| Nuclei is a vulnerability scanner powered by YAML based templates. Starting in version 3.0.0 and prior to version 3.3.2, a vulnerability in Nuclei's template signature verification system could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template. The vulnerability is present in the template signature verification process, specifically in the `signer` package. The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template. CLI users are affected if they execute custom code templates from unverified sources. This includes templates authored by third parties or obtained from unverified repositories. SDK Users are affected if they are developers integrating Nuclei into their platforms, particularly if they permit the execution of custom code templates by end-users. The vulnerability is addressed in Nuclei v3.3.2. Users are strongly recommended to update to this version to mitigate the security risk. As an interim measure, users should refrain from using custom templates if unable to upgrade immediately. Only trusted, verified templates should be executed. Those who are unable to upgrade Nuclei should disable running custom code templates as a workaround. | ||||
| CVE-2024-43402 | 1 Rust-lang | 1 Rust | 2024-10-01 | 8.2 High |
| Rust is a programming language. The fix for CVE-2024-24576, where `std::process::Command` incorrectly escaped arguments when invoking batch files on Windows, was incomplete. Prior to Rust version 1.81.0, it was possible to bypass the fix when the batch file name had trailing whitespace or periods (which are ignored and stripped by Windows). To determine whether to apply the `cmd.exe` escaping rules, the original fix for the vulnerability checked whether the command name ended with `.bat` or `.cmd`. At the time that seemed enough, as we refuse to invoke batch scripts with no file extension. Windows removes trailing whitespace and periods when parsing file paths. For example, `.bat. .` is interpreted by Windows as `.bat`, but the original fix didn't check for that. Affected users who are using Rust 1.77.2 or greater can remove the trailing whitespace (ASCII 0x20) and trailing periods (ASCII 0x2E) from the batch file name to bypass the incomplete fix and enable the mitigations. Users are affected if their code or one of their dependencies invoke a batch script on Windows with trailing whitespace or trailing periods in the name, and pass untrusted arguments to it. Rust 1.81.0 will update the standard library to apply the CVE-2024-24576 mitigations to all batch files invocations, regardless of the trailing chars in the file name. | ||||
| CVE-2024-9166 | 1 Atelmo | 1 Atemio Am 520 Hd Firmware | 2024-09-30 | N/A |
| The device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the 'getcommand' query within the application, allowing the attacker to gain root access. | ||||
| CVE-2024-46329 | 1 Vonets | 1 Vap11g-300 Firmware | 2024-09-30 | 8 High |
| VONETS VAP11G-300 v3.3.23.6.9 was discovered to contain a command injection vulnerability via the SystemCommand object. | ||||
| CVE-2024-46330 | 1 Vonets | 1 Vap11g-300 Firmware | 2024-09-30 | 7.4 High |
| VONETS VAP11G-300 v3.3.23.6.9 was discovered to contain a command injection vulnerability via the iptablesWebsFilterRun object. | ||||
| CVE-2024-33368 | 1 Plasmoapp | 1 Rpshare | 2024-09-30 | 8.8 High |
| An issue in Plasmoapp RPShare Fabric mod v.1.0.0 allows a remote attacker to execute arbitrary code via the build method in DonwloadPromptScreen | ||||
| CVE-2023-47563 | 1 Qnap | 1 Video Station | 2024-09-29 | 7.4 High |
| An OS command injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later | ||||
| CVE-2024-43387 | 1 Phoenixcontact | 72 Fl Mguard 2102, Fl Mguard 2102 Firmware, Fl Mguard 2105 and 69 more | 2024-09-27 | 8.8 High |
| A low privileged remote attacker can read and write files as root due to improper neutralization of special elements in the variable EMAIL_RELAY_PASSWORD in mGuard devices. | ||||
| CVE-2024-43386 | 1 Phoenixcontact | 72 Fl Mguard 2102, Fl Mguard 2102 Firmware, Fl Mguard 2105 and 69 more | 2024-09-27 | 8.8 High |
| A low privileged remote attacker can trigger the execution of arbitrary OS commands as root due to improper neutralization of special elements in the variable EMAIL_NOTIFICATION.TO in mGuard devices. | ||||
| CVE-2024-43385 | 1 Phoenixcontact | 72 Fl Mguard 2102, Fl Mguard 2102 Firmware, Fl Mguard 2105 and 69 more | 2024-09-27 | 8.8 High |
| A low privileged remote attacker can trigger the execution of arbitrary OS commands as root due to improper neutralization of special elements in the variable PROXY_HTTP_PORT in mGuard devices. | ||||
| CVE-2024-7699 | 1 Phoenixcontact | 72 Fl Mguard 2102, Fl Mguard 2102 Firmware, Fl Mguard 2105 and 69 more | 2024-09-27 | 8.8 High |
| An low privileged remote attacker can execute OS commands with root privileges due to improper neutralization of special elements in user data. | ||||
| CVE-2024-45682 | 2 Millbeck, Millbeck Communications | 3 Proroute H685t-w, Proroute H685t-w Firmware, Proroute H685t-w | 2024-09-27 | 8.8 High |
| There is a command injection vulnerability that may allow an attacker to inject malicious input on the device's operating system. | ||||
| CVE-2024-44678 | 1 Gigastone | 1 Travel Router R101 Firmware | 2024-09-26 | 8 High |
| Gigastone TR1 Travel Router R101 v1.0.2 is vulnerable to Command Injection. This allows an authenticated attacker to execute arbitrary commands on the device by sending a crafted HTTP request to the ssid parameter in the request. | ||||
| CVE-2023-39300 | 1 Qnap | 1 Qts | 2024-09-24 | 7.2 High |
| An OS command injection vulnerability has been reported to affect legacy QTS. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 4.3.6.2805 build 20240619 and later QTS 4.3.4.2814 build 20240618 and later QTS 4.3.3.2784 build 20240619 and later QTS 4.2.6 build 20240618 and later | ||||
| CVE-2024-9001 | 1 Totolink | 2 T10, T10 Firmware | 2024-09-24 | 6.3 Medium |
| A vulnerability was found in TOTOLINK T10 4.1.8cu.5207. It has been declared as critical. This vulnerability affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument command leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-9004 | 2 D-link, Dlink | 3 Dar-7000, Dar-7000, Dar-7000 Firmware | 2024-09-23 | 6.3 Medium |
| A vulnerability classified as critical has been found in D-Link DAR-7000 up to 20240912. Affected is an unknown function of the file /view/DBManage/Backup_Server_commit.php. The manipulation of the argument host leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-8869 | 1 Totolink | 2 A720r, A720r Firmware | 2024-09-20 | 5 Medium |
| A vulnerability classified as critical has been found in TOTOLINK A720R 4.1.5. Affected is the function exportOvpn. The manipulation leads to os command injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-20469 | 1 Cisco | 2 Identity Services Engine, Identity Services Engine Software | 2024-09-20 | 6 Medium |
| A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have valid Administrator privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root. | ||||
| CVE-2024-21906 | 1 Qnap | 2 Qts, Quts Hero | 2024-09-20 | 4.7 Medium |
| An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later | ||||