Total
4644 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3492 | 1 Oretnom23 | 1 Human Resource Management System | 2024-11-21 | N/A | 6.3 MEDIUM |
| A vulnerability classified as critical was found in SourceCodester Human Resource Management System 1.0. This vulnerability affects unknown code of the component Profile Photo Handler. The manipulation of the argument parameter leads to os command injection. The attack can be initiated remotely. The identifier of this vulnerability is VDB-210772. | |||||
| CVE-2022-3276 | 1 Puppet | 1 Puppetlabs-mysql | 2024-11-21 | N/A | 8.4 HIGH |
| Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise. | |||||
| CVE-2022-3275 | 2 Fedoraproject, Puppet | 2 Fedora, Puppetlabs-mysql | 2024-11-21 | N/A | 8.4 HIGH |
| Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise. | |||||
| CVE-2022-3210 | 1 Dlink | 2 Dir-2150, Dir-2150 Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 4.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd service, which listens on TCP port 4044 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15905. | |||||
| CVE-2022-3183 | 1 Dataprobe | 24 Iboot-pdu4-n20, Iboot-pdu4-n20 Firmware, Iboot-pdu4a-n15 and 21 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where a specific function does not sanitize the input provided by the user, which may expose the affected to an OS command injection vulnerability. | |||||
| CVE-2022-3133 | 1 Diagrams | 1 Drawio | 2024-11-21 | N/A | 7.8 HIGH |
| OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0. | |||||
| CVE-2022-3008 | 2 Debian, Tinygltf Project | 2 Debian Linux, Tinygltf | 2024-11-21 | N/A | 8.1 HIGH |
| The tinygltf library uses the C library function wordexp() to perform file path expansion on untrusted paths that are provided from the input file. This function allows for command injection by using backticks. An attacker could craft an untrusted path input that would result in a path expansion. We recommend upgrading to 2.6.0 or past commit 52ff00a38447f06a17eab1caa2cf0730a119c751 | |||||
| CVE-2022-39951 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | N/A | 7.2 HIGH |
| A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.3.6 through 6.3.20, FortiWeb 6.4 all versions allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | |||||
| CVE-2022-39947 | 1 Fortinet | 1 Fortiadc | 2024-11-21 | N/A | 8.8 HIGH |
| A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiADC version 7.0.0 through 7.0.2, FortiADC version 6.2.0 through 6.2.3, FortiADC version version 6.1.0 through 6.1.6, FortiADC version 6.0.0 through 6.0.4, FortiADC version 5.4.0 through 5.4.5 may allow an attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | |||||
| CVE-2022-39819 | 1 Nokia | 1 1350 Optical Management System | 2024-11-21 | N/A | 8.8 HIGH |
| In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occurs. This allows authenticated users to execute commands on the operating system. | |||||
| CVE-2022-39818 | 1 Nokia | 1 Network Functions Manager For Transport | 2024-11-21 | N/A | 8.8 HIGH |
| In NOKIA NFM-T R19.9, an OS Command Injection vulnerability occurs in /cgi-bin/R19.9/log.pl of the VM Manager WebUI via the cmd HTTP GET parameter. This allows authenticated users to execute commands, with root privileges, on the operating system. | |||||
| CVE-2022-39815 | 1 Nokia | 1 1350 Optical Management System | 2024-11-21 | N/A | 9.8 CRITICAL |
| In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occurs. This vulnerability allow unauthenticated users to execute commands on the operating system. | |||||
| CVE-2022-39327 | 1 Microsoft | 2 Azure Command-line Interface, Windows | 2024-11-21 | N/A | 8.1 HIGH |
| Azure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell and when the parameter value contains the `&` or `|` symbols. If any of these prerequisites are not met, this vulnerability is not applicable. Users should upgrade to version 2.40.0 or greater to receive a a mitigation for the vulnerability. | |||||
| CVE-2022-39321 | 1 Github | 1 Runner | 2024-11-21 | N/A | 8.8 HIGH |
| GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands was discovered in versions prior to 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4 that allows an input to escape the environment variable and modify that docker command invocation directly. Jobs that use container actions, job containers, or service containers alongside untrusted user inputs in environment variables may be vulnerable. The Actions Runner has been patched, both on `github.com` and hotfixes for GHES and GHAE customers in versions 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4. GHES and GHAE customers may want to patch their instance in order to have their runners automatically upgrade to these new runner versions. As a workaround, users may consider removing any container actions, job containers, or service containers from their jobs until they are able to upgrade their runner versions. | |||||
| CVE-2022-39224 | 1 Ruby-arr-pm Project | 1 Ruby-arr-pm | 2024-11-21 | N/A | 7.0 HIGH |
| Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool. | |||||
| CVE-2022-39057 | 1 Changingtec | 1 Rava Certificate Validation System | 2024-11-21 | N/A | 7.2 HIGH |
| RAVA certificate validation system has insufficient filtering for special parameter of the web page input field. A remote attacker with administrator privilege can exploit this vulnerability to perform arbitrary system command and disrupt service. | |||||
| CVE-2022-38828 | 1 Totolink | 2 T6, T6 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to command injection via cstecgi.cgi | |||||
| CVE-2022-38826 | 1 Totolink | 2 T6, T6 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| In TOTOLINK T6 V4.1.5cu.709_B20210518, there is an execute arbitrary command in cstecgi.cgi. | |||||
| CVE-2022-38547 | 1 Zyxel | 50 Atp100, Atp100 Firmware, Atp100w and 47 more | 2024-11-21 | N/A | 7.2 HIGH |
| A post-authentication command injection vulnerability in the CLI command of Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72, VPN series firmware versions 4.30 through 5.32, USG FLEX series firmware versions 4.50 through 5.32, and ATP series firmware versions 4.32 through 5.32, which could allow an authenticated attacker with administrator privileges to execute OS commands. | |||||
| CVE-2022-38535 | 1 Totolink | 2 A720r, A720r Firmware | 2024-11-21 | N/A | 7.2 HIGH |
| TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg function. | |||||