Total
2296 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-12078 | 1 Synology | 1 Router Manager | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Command injection vulnerability in EZ-Internet in Synology Router Manager (SRM) before 1.1.6-6931 allows remote authenticated users to execute arbitrary command via the username parameter. | |||||
| CVE-2017-0916 | 2 Debian, Gitlab | 2 Debian Linux, Gitlab | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Gitlab Community Edition version 10.3 is vulnerable to a lack of input validation in the system_hook_push queue through web hook component resulting in remote code execution. | |||||
| CVE-2017-0915 | 2 Debian, Gitlab | 2 Debian Linux, Gitlab | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Gitlab Community Edition version 10.2.4 is vulnerable to a lack of input validation in the GitlabProjectsImportService resulting in remote code execution. | |||||
| CVE-2016-9044 | 1 Informationbuilders | 1 Webfocus | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An exploitable command execution vulnerability exists in Information Builders WebFOCUS Business Intelligence Portal 8.1 . A specially crafted web parameter can cause a command injection. An authenticated attacker can send a crafted web request to trigger this vulnerability. | |||||
| CVE-2016-8628 | 1 Redhat | 1 Ansible | 2024-11-21 | 9.0 HIGH | 7.6 HIGH |
| Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as. | |||||
| CVE-2016-8523 | 1 Hp | 1 Smart Storage Administrator | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A Remote Arbitrary Code Execution vulnerability in HPE Smart Storage Administrator version before v2.60.18.0 was found. | |||||
| CVE-2016-7076 | 1 Sudo Project | 1 Sudo | 2024-11-21 | 7.2 HIGH | 6.4 MEDIUM |
| sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges. | |||||
| CVE-2016-6558 | 1 Asus | 14 Ea-n66, Ea-n66 Firmware, Rp-ac52 and 11 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerability exists in apply.cgi on the ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, web interface specifically in the action_script parameter. The action_script parameter specifies a script to be executed if the action_mode parameter does not contain a valid state. If the input provided by action_script does not match one of the hard coded options, then it will be executed as the argument of either a system() or an eval() call allowing arbitrary commands to be executed. | |||||
| CVE-2016-5397 | 1 Apache | 1 Thrift | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0. | |||||
| CVE-2016-4991 | 1 Nodepdf Project | 1 Nodepdf | 2024-11-21 | N/A | 9.8 CRITICAL |
| Input passed to the Pdf() function is shell escaped and passed to child_process.exec() during PDF rendering. However, the shell escape does not properly encode all special characters, namely, semicolon and curly braces. This can be abused to achieve command execution. This problem affects nodepdf 1.3.0. | |||||
| CVE-2016-10849 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| cPanel before 11.54.0.4 allows certain file-chmod operations in scripts/secureit (SEC-82). | |||||
| CVE-2016-10843 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| cPanel before 11.54.0.4 allows code execution in the context of shared users via JSON-API (SEC-76). | |||||
| CVE-2016-10762 | 1 Automattic | 1 Camptix Event Ticketing | 2024-11-21 | 5.1 MEDIUM | 7.5 HIGH |
| The CampTix Event Ticketing plugin before 1.5 for WordPress allows CSV injection when the export tool is used. | |||||
| CVE-2016-10760 | 1 Seowonintech | 8 Swr-300a, Swr-300a Firmware, Swr-300b and 5 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| On Seowon Intech routers, there is a Command Injection vulnerability in diagnostic.cgi via shell metacharacters in the ping_ipaddr parameter. | |||||
| CVE-2016-10729 | 3 Debian, Redhat, Zmanda | 3 Debian Linux, Enterprise Linux, Amanda | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. The "runtar" setuid root binary does not check for additional arguments supplied after --create, allowing users to manipulate commands and perform command injection as root. | |||||
| CVE-2016-1000282 | 1 Haraka Project | 1 Haraka | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection. | |||||
| CVE-2016-0324 | 1 Ibm | 1 Security Identity Manager Virtual Appliance | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.0 before 7.0.1-ISS-SIM-FP0001 allows remote authenticated users to execute arbitrary code with administrator privileges via unspecified vectors. IBM X-Force ID: 111640. | |||||
| CVE-2015-20107 | 3 Fedoraproject, Netapp, Python | 5 Fedora, Active Iq Unified Manager, Ontap Select Deploy Administration Utility and 2 more | 2024-11-21 | 8.0 HIGH | 7.6 HIGH |
| In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9 | |||||
| CVE-2015-1877 | 2 Debian, Freedesktop | 2 Debian Linux, Xdg-utils | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The open_generic_xdg_mime function in xdg-open in xdg-utils 1.1.0 rc1 in Debian, when using dash, does not properly handle local variables, which allows remote attackers to execute arbitrary commands via a crafted file. | |||||
| CVE-2015-10096 | 1 Irc Twitter Announcer Bot Project | 1 Irc Twitter Announcer Bot | 2024-11-21 | 4.6 MEDIUM | 5.0 MEDIUM |
| A vulnerability, which was classified as critical, was found in Zarthus IRC Twitter Announcer Bot up to 1.1.0. This affects the function get_tweets of the file lib/twitterbot/plugins/twitter_announcer.rb. The manipulation of the argument tweet leads to command injection. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.1.1 is able to address this issue. The patch is named 6b1941b7fc2c70e1f40981b43c84a2c20cc12bd3. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223383. | |||||