Filtered by CWE-78
Total 4128 CVE
CVE | Vendors (count, names) | Products (count, names) | Updated | CVSS v3.1 (score, severity)
CVE-2024-8358 1 Visteon 1 Infotainment 2024-12-11 6.8 Medium
Visteon Infotainment UPDATES_ExtractFile Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Visteon Infotainment systems. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPDATES_ExtractFile function. A crafted software update file can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23422.
CVE-2024-8359 1 Visteon 1 Infotainment 2024-12-11 6.8 Medium
Visteon Infotainment REFLASH_DDU_FindFile Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Visteon Infotainment systems. Authentication is not required to exploit this vulnerability. The specific flaw exists within the REFLASH_DDU_FindFile function. A crafted software update file can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23420.
CVE-2024-12358 2 Datax-web Project, Weiye-jing 2 Datax-web, Datax-web 2024-12-11 6.3 Medium
A vulnerability was found in WeiYe-Jing datax-web 2.1.1. It has been classified as critical. This affects an unknown part of the file /api/job/add/. The manipulation of the argument glueSource leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-47115 1 Ibm 2 Aix, Vios 2024-12-10 7.8 High
IBM AIX 7.2, 7.3 and VIOS 3.1 and 4.1 could allow a local user to execute arbitrary commands on the system due to improper neutralization of input.
CVE-2023-27992 1 Zyxel 6 Nas326, Nas326 Firmware, Nas540 and 3 more 2024-12-10 9.8 Critical
The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.
CVE-2024-50393 1 Qnap 2 Qts, Quts Hero 2024-12-10 N/A
A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later; QTS 5.2.2.2950 build 20241114 and later; QuTS hero h5.1.9.2954 build 20241120 and later; QuTS hero h5.2.2.2952 build 20241116 and later.
CVE-2023-33869 1 Enphase 2 Envoy, Envoy Firmware 2024-12-07 6.3 Medium
Enphase Envoy version D7.0.88 is vulnerable to a command injection exploit that may allow an attacker to execute root commands.
CVE-2024-52320 1 Planet Technology Corp 1 Wgs-804hpt Firmware 2024-12-06 9.8 Critical
The affected product is vulnerable to command injection. An unauthenticated attacker could send commands through a malicious HTTP request, which could result in remote code execution.
CVE-2023-24261 1 Gl-inet 2 Gl-e750, Gl-e750 Firmware 2024-12-06 7.2 High
A vulnerability in GL.iNET GL-E750 Mudi before firmware v3.216 allows authenticated attackers to execute arbitrary code via a crafted POST request.
CVE-2024-50388 1 Qnap 1 Hbs 3 2024-12-06 N/A
An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute commands. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 25.1.1.673 and later
CVE-2024-48863 1 Qnap 1 License Center 2024-12-06 N/A
A command injection vulnerability has been reported to affect License Center. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following version: License Center 1.9.43 and later
CVE-2024-51378 1 Cyberpanel 1 Cyberpanel 2024-12-06 10 Critical
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected.
CVE-2023-35174 2 Livebook, Microsoft 2 Livebook, Windows 2024-12-06 8.6 High
Livebook is a web application for writing interactive and collaborative code notebooks. On Windows, it is possible to open a `livebook://` link from a browser which opens Livebook Desktop and triggers arbitrary code execution on the victim's machine. Any user using Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from the browser. This vulnerability has been fixed in versions 0.8.2 and 0.9.3.
CVE-2024-9200 1 Zyxel 6 Emg6726-b10a Firmware, Vmg3927-b50b Firmware, Vmg4005-b50a Firmware and 3 more 2024-12-06 7.2 High
A post-authentication command injection vulnerability in the "host" parameter of the diagnostic function in Zyxel VMG4005-B50A firmware versions through V5.15(ABQA.2.2)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.
CVE-2024-31408 2024-12-05 N/A
OS command injection vulnerability exists in AIPHONE IX SYSTEM and IXG SYSTEM. A network-adjacent authenticated attacker may execute an arbitrary OS command with root privileges by sending a specially crafted request.
CVE-2023-30258 1 Magnussolution 1 Magnusbilling 2024-12-05 9.8 Critical
Command Injection vulnerability in MagnusSolution magnusbilling 6.x and 7.x allows remote attackers to run arbitrary commands via an unauthenticated HTTP request.
CVE-2024-53992 1 Emd115 1 Unzip Bot 2024-12-05 N/A
unzip-bot is a Telegram bot to extract various types of archives. Users could exploit unsanitized inputs to inject malicious commands that are executed through subprocess.Popen with shell=True. Attackers can exploit this vulnerability using a crafted archive name, password, or video name. This vulnerability is fixed in 7.0.3a.
CVE-2024-11120 1 Geovision 11 Gv-dsp Lpr, Gv-dsp Lpr Firmware, Gv-dsp Lpr V3 Firmware and 8 more 2024-12-05 9.8 Critical
Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.
CVE-2023-36664 4 Artifex, Debian, Fedoraproject and 1 more 5 Ghostscript, Debian Linux, Fedora and 2 more 2024-12-05 7.8 High
Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).
CVE-2024-6247 1 Wyze 1 Cam V3 Firmware 2024-12-05 N/A
Wyze Cam v3 Wi-Fi SSID OS Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Wyze Cam v3 IP cameras. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SSIDs embedded in scanned QR codes. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22337.