Filtered by vendor
Subscriptions
Total
2607 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2014-3556 | 1 F5 | 1 Nginx | 2025-04-12 | N/A |
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411. | ||||
CVE-2015-2208 | 1 Avinu | 1 Phpmoadmin | 2025-04-12 | N/A |
The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the object parameter. | ||||
CVE-2016-3105 | 2 Debian, Mercurial | 2 Debian Linux, Mercurial | 2025-04-12 | N/A |
The convert extension in Mercurial before 3.8 might allow context-dependent attackers to execute arbitrary code via a crafted git repository name. | ||||
CVE-2015-2051 | 1 Dlink | 2 Dir-645, Dir-645 Firmware | 2025-04-12 | 8.8 High |
The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface. | ||||
CVE-2016-3081 | 2 Apache, Oracle | 2 Struts, Siebel E-billing | 2025-04-12 | N/A |
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. | ||||
CVE-2014-4336 | 1 Linuxfoundation | 1 Cups-filters | 2025-04-12 | N/A |
The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cups-filters before 1.0.53 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the host name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707. | ||||
CVE-2016-3069 | 6 Debian, Fedoraproject, Mercurial and 3 more | 15 Debian Linux, Fedora, Mercurial and 12 more | 2025-04-12 | N/A |
Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a crafted name when converting a Git repository. | ||||
CVE-2025-2732 | 2025-04-11 | 8 High | ||
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/wizard/getWifiNeighbour of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
CVE-2025-2731 | 2025-04-11 | 8 High | ||
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/wizard/getDualbandSync of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
CVE-2025-2730 | 2025-04-11 | 8 High | ||
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. It has been classified as critical. Affected is an unknown function of the file /api/wizard/getssidname of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
CVE-2025-2729 | 2025-04-11 | 8 High | ||
A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014 and classified as critical. This issue affects some unknown processing of the file /api/wizard/networkSetup of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack can only be done within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
CVE-2025-2728 | 2025-04-11 | 8 High | ||
A vulnerability has been found in H3C Magic NX30 Pro and Magic NX400 up to V100R014 and classified as critical. This vulnerability affects unknown code of the file /api/wizard/getNetworkConf. The manipulation leads to command injection. The attack needs to be approached within the local network. It is recommended to upgrade the affected component. | ||||
CVE-2025-2727 | 2025-04-11 | 8 High | ||
A vulnerability, which was classified as critical, was found in H3C Magic NX30 Pro up to V100R007. This affects an unknown part of the file /api/wizard/getNetworkStatus of the component HTTP POST Request Handler. The manipulation leads to command injection. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
CVE-2025-2726 | 2025-04-11 | 8 High | ||
A vulnerability, which was classified as critical, has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. Affected by this issue is some unknown functionality of the file /api/esps of the component HTTP POST Request Handler. The manipulation leads to command injection. Access to the local network is required for this attack. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
CVE-2025-2725 | 2025-04-11 | 8 High | ||
A vulnerability classified as critical was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. Affected by this vulnerability is an unknown functionality of the file /api/login/auth of the component HTTP POST Request Handler. The manipulation leads to command injection. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | ||||
CVE-2022-44621 | 1 Apache | 1 Kylin | 2025-04-11 | 9.8 Critical |
Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. | ||||
CVE-2010-2008 | 3 Canonical, Fedoraproject, Oracle | 3 Ubuntu Linux, Fedora, Mysql | 2025-04-11 | N/A |
MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory. | ||||
CVE-2012-1823 | 8 Apple, Debian, Fedoraproject and 5 more | 20 Mac Os X, Debian Linux, Fedora and 17 more | 2025-04-11 | 9.8 Critical |
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. | ||||
CVE-2010-2713 | 2 Gnome, Nalin Dahyabhai | 2 Gnome-terminal, Vte | 2025-04-11 | N/A |
The vte_sequence_handler_window_manipulation function in vteseq.c in libvte (aka libvte9) in VTE 0.25.1 and earlier, as used in gnome-terminal, does not properly handle escape sequences, which allows remote attackers to execute arbitrary commands or obtain potentially sensitive information via a (1) window title or (2) icon title sequence. NOTE: this issue exists because of a CVE-2003-0070 regression. | ||||
CVE-2010-0136 | 3 Apache, Canonical, Debian | 3 Openoffice, Ubuntu Linux, Debian Linux | 2025-04-11 | N/A |
OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce Visual Basic for Applications (VBA) macro security settings, which allows remote attackers to run arbitrary macros via a crafted document. |