Filtered by CWE-77
Filtered by vendor Subscriptions
Total 2150 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-12111 2024-12-20 8 High
In a specific scenario a LDAP user can abuse the authentication process in OpenText Privileged Access Manager that allows authentication bypass. This issue affects Privileged Access Manager version 23.3(4.4); 24.3(4.5)
CVE-2022-32203 2024-12-20 9.8 Critical
There is a command injection vulnerability in Huawei terminal printer product. Successful exploitation could result in the highest privileges of the printer. (Vulnerability ID: HWPSIRT-2022-51773) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2022-32203.
CVE-2024-49026 1 Microsoft 5 365 Apps, Excel, Office and 2 more 2024-12-20 7.8 High
Microsoft Excel Remote Code Execution Vulnerability
CVE-2024-43613 2024-12-20 7.2 High
Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability
CVE-2024-49042 2024-12-20 7.2 High
Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability
CVE-2024-12356 1 Beyondtrust 2 Privileged Remote Access, Remote Support 2024-12-20 9.8 Critical
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.
CVE-2024-55956 1 Cleo 3 Harmony, Lexicom, Vltrader 2024-12-20 9.8 Critical
In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
CVE-2024-42427 1 Dell 2 Wyse Proprietary Os, Wyse Thinos 2024-12-20 7.6 High
Dell ThinOS versions 2402 and 2405, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. An unauthenticated attacker with physical access could potentially exploit this vulnerability, leading to Elevation of privileges.
CVE-2010-5330 1 Ui 1 Airos 2024-12-19 9.8 Critical
On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters. The fixed version is v4.0.1 for 802.11 ISP products, v5.3.5 for AirMax ISP products, and v5.4.5 for AirSync firmware. For example, Nanostation5 (Air OS) is affected.
CVE-2023-23356 2024-12-19 5.5 Medium
A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QuFirewall 2.3.3 ( 2023/03/27 ) and later and later
CVE-2024-49194 2024-12-18 7.3 High
Databricks JDBC Driver before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile.
CVE-2023-24032 1 Zimbra 1 Collaboration 2024-12-18 7.8 High
In Zimbra Collaboration Suite through 9.0 and 8.8.15, an attacker (who has initial user access to a Zimbra server instance) can execute commands as root by passing one of JVM arguments, leading to local privilege escalation (LPE).
CVE-2024-39703 2024-12-18 8.8 High
In ThreatQuotient ThreatQ before 5.29.3, authenticated users are able to execute arbitrary commands by sending a crafted request to an API endpoint.
CVE-2020-10826 1 Draytek 6 Vigor2960, Vigor2960 Firmware, Vigor300b and 3 more 2024-12-18 9.8 Critical
/cgi-bin/activate.cgi on Draytek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1 allows remote attackers to achieve command injection via a remote HTTP request in DEBUG mode.
CVE-2024-10966 1 Totolink 2 X18, X18 Firmware 2024-12-17 6.3 Medium
A vulnerability, which was classified as critical, has been found in TOTOLINK X18 9.1.0cu.2024_B20220329. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-56087 2024-12-16 5.9 Medium
An issue was discovered in Logpoint before 7.5.0. Authenticated users can inject payloads while querying Search Template Dashboard. These are executed, leading to Server-Side Template Injection.
CVE-2024-56086 2024-12-16 7.1 High
An issue was discovered in Logpoint before 7.5.0. Authenticated users can inject payloads in Report Templates. These are executed when the backup process is initiated, leading to Remote Code Execution.
CVE-2024-56085 2024-12-16 5.9 Medium
An issue was discovered in Logpoint before 7.5.0. Authenticated users can inject payloads while creating Search Template Dashboard. These are executed, leading to Server-Side Template Injection.
CVE-2024-56084 2024-12-16 7.1 High
An issue was discovered in Logpoint UniversalNormalizer before 5.7.0. Authenticated users can inject payloads while creating Universal Normalizer. These are executed, leading to Remote Code Execution.
CVE-2024-11634 2024-12-14 9.1 Critical
Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx)