Total
2537 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-14868 | 3 Apple, Debian, Ksh Project | 3 Mac Os X, Debian Linux, Ksh | 2024-11-21 | 7.2 HIGH | 7.4 HIGH |
| In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely. | |||||
| CVE-2019-14745 | 2 Fedoraproject, Radare | 2 Fedora, Radare2 | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables. | |||||
| CVE-2019-14719 | 1 Verifone | 2 Mx900, Mx900 Firmware | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Verifone MX900 series Pinpad Payment Terminals with OS 30251000 allow multiple arbitrary command injections, as demonstrated by the file manager. | |||||
| CVE-2019-13552 | 1 Advantech | 1 Webaccess | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In WebAccess versions 8.4.1 and prior, multiple command injection vulnerabilities are caused by a lack of proper validation of user-supplied data and may allow arbitrary file deletion and remote code execution. | |||||
| CVE-2019-13152 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. There is a command injection in apply.cgi (exploitable with authentication) via the IP Address in Add Gaming Rule. | |||||
| CVE-2019-13150 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. There is a command injection in apply.cgi (exploitable with authentication). The command injection exists in the key ip_addr. | |||||
| CVE-2019-13148 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. There is a command injection in apply.cgi (exploitable with authentication) via the UDP Ports To Open in Add Gaming Rule. | |||||
| CVE-2019-13024 | 1 Centreon | 1 Centreon | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands). | |||||
| CVE-2019-12921 | 3 Debian, Graphicsmagick, Opensuse | 4 Debian Linux, Graphicsmagick, Backports Sle and 1 more | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| In GraphicsMagick before 1.3.32, the text filename component allows remote attackers to read arbitrary files via a crafted image because of TranslateTextEx for SVG. | |||||
| CVE-2019-12805 | 1 Ncsoft | 1 Nc Launcher2 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| NCSOFT Game Launcher, NC Launcher2 2.4.1.691 and earlier versions have a vulnerability in the custom protocol handler that could allow remote attacker to execute arbitrary command. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page. This can be leveraged for code execution in the context of the current user. | |||||
| CVE-2019-12786 | 1 Dlink | 2 Dir-818lw, Dir-818lw Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2.06B01 BETA. There is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the IPAddress key. | |||||
| CVE-2019-12736 | 1 Jetbrains | 1 Ktor | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| JetBrains Ktor framework before 1.2.0-rc does not sanitize the username provided by the user for the LDAP protocol, leading to command injection. | |||||
| CVE-2019-12661 | 1 Cisco | 1 Ios Xe | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in a Virtualization Manager (VMAN) related CLI command of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root. The vulnerability is due to insufficient validation of arguments passed to a specific VMAN CLI command on the affected device. An attacker who has administrator access to an affected device could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges, which may lead to complete system compromise. | |||||
| CVE-2019-12651 | 1 Cisco | 5 Cloud Services Router 1000v, Cloud Services Router 1000v Firmware, Integrated Services Virtual Router and 2 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2019-12650 | 1 Cisco | 79 1100-4p Integrated Services Router, 1100-8p Integrated Services Router, 1101-4p Integrated Services Router and 76 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2019-12629 | 1 Cisco | 8 Sd-wan Firmware, Vedge-100, Vedge-1000 and 5 more | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| A vulnerability in the WebUI of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. The vulnerability is due to insufficient input validation of data parameters for certain fields in the affected solution. An attacker could exploit this vulnerability by configuring a malicious username on the login page of the affected solution. A successful exploit could allow the attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. | |||||
| CVE-2019-12591 | 1 Netgear | 1 Insight | 2024-11-21 | 6.5 MEDIUM | 6.8 MEDIUM |
| NETGEAR Insight Cloud with firmware before Insight 5.6 allows remote authenticated users to achieve command injection. | |||||
| CVE-2019-12430 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in GitLab Community and Enterprise Edition 11.11. A specially crafted payload would allow an authenticated malicious user to execute commands remotely through the repository download feature. It allows Command Injection. | |||||
| CVE-2019-12104 | 1 Tp-link | 2 M7350, M7350 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by several post-authentication command injection vulnerabilities. | |||||
| CVE-2019-11853 | 1 Sierrawireless | 9 Airlink Es450, Airlink Gx450, Airlink Lx40 and 6 more | 2024-11-21 | 6.5 MEDIUM | 3.9 LOW |
| Several potential command injections vulnerabilities exist in the AT command interface of ALEOS before 4.11.0, and 4.9.4. | |||||