Total
4312 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-27600 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| HNAP1/control/SetMasterWLanSettings.php in D-Link D-Link Router DIR-846 DIR-846 A1_100.26 allows remote attackers to execute arbitrary commands via shell metacharacters in the ssid0 or ssid1 parameter. | |||||
| CVE-2020-27575 | 1 Maxum | 1 Rumpus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability. The web administration contains functionality in which administrators are able to manage users. The edit users form contains a parameter vulnerable to command injection due to insufficient validation. | |||||
| CVE-2020-27542 | 1 Company | 2 Cs-c2shw, Cs-c2shw Firmware | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
| Rostelecom CS-C2SHW 5.0.082.1 is affected by: Bash command injection. The camera reads configuration from QR code (including network settings). The static IP configuration from QR code is copied to the file /config/ip-static and after reboot data from this file is inserted into bash command (without any escaping). So bash injection is possible. Camera doesn't parse QR codes if it's already successfully configured. Camera is always rebooted after successful configuration via QR code. | |||||
| CVE-2020-27373 | 1 Drtrustusa | 2 Icheck Connect Bp Monitor Bp Testing 118, Icheck Connect Bp Monitor Bp Testing 118 Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| Dr Trust USA iCheck Connect BP Monitor BP Testing 118 1.2.1 is vulnerable to Plain text command over BLE. | |||||
| CVE-2020-27298 | 1 Philips | 5 Coronary Tools, Dynamic Coronary Roadmap, Interventional Workspot and 2 more | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when sent to a downstream component. | |||||
| CVE-2020-27227 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An exploitable unatuhenticated command injection exists in the OpenClinic GA 5.173.3. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request with parameters containing specific parameter to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and compromise underlying operating system. | |||||
| CVE-2020-27159 | 1 Westerndigital | 6 My Cloud Ex4100, My Cloud Expert Series Ex2, My Cloud Firmware and 3 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Addressed remote code execution vulnerability in DsdkProxy.php due to insufficient sanitization and insufficient validation of user input in Western Digital My Cloud NAS devices prior to 5.04.114 | |||||
| CVE-2020-27158 | 1 Westerndigital | 6 My Cloud Ex4100, My Cloud Expert Series Ex2, My Cloud Firmware and 3 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Addressed remote code execution vulnerability in cgi_api.php that allowed escalation of privileges in Western Digital My Cloud NAS devices prior to 5.04.114. | |||||
| CVE-2020-26878 | 1 Commscope | 2 Ruckus Iot Module, Ruckus Vriot | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py. | |||||
| CVE-2020-26838 | 1 Sap | 2 Business Warehouse, Bw\/4hana | 2024-11-21 | 9.0 HIGH | 9.1 CRITICAL |
| SAP Business Warehouse, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 782, and SAP BW4HANA, versions - 100, 200 allows an attacker authenticated with (high) developer privileges to submit a crafted request to generate and execute code without requiring any user interaction. It is possible to craft a request which will result in the execution of Operating System commands leading to Code Injection vulnerability which could completely compromise the confidentiality, integrity and availability of the server and any data or other applications running on it. | |||||
| CVE-2020-26772 | 1 Ppgo Jobs Project | 1 Ppgo Jobs | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Command Injection in PPGo_Jobs v2.8.0 allows remote attackers to execute arbitrary code via the 'AjaxRun()' function. | |||||
| CVE-2020-26707 | 1 Aaptjs Project | 1 Aaptjs | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the add function in Shenzhim AAPTJS 1.3.1 which allows attackers to execute arbitrary code via the filePath parameter. | |||||
| CVE-2020-26670 | 1 Bigtreecms | 1 Bigtree Cms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function. | |||||
| CVE-2020-26582 | 1 Dlink | 2 Dap-1360u, Dap-1360u Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| D-Link DAP-1360U before 3.0.1 devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the IP JSON value for ping (aka res_config_action=3&res_config_id=18). | |||||
| CVE-2020-26301 | 2 Microsoft, Ssh2 Project | 2 Windows, Ssh2 | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
| ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0. | |||||
| CVE-2020-26300 | 1 Systeminformation | 1 Systeminformation | 2024-11-21 | 7.5 HIGH | 5.9 MEDIUM |
| systeminformation is an npm package that provides system and OS information library for node.js. In systeminformation before version 4.26.2 there is a command injection vulnerability. Problem was fixed in version 4.26.2 with a shell string sanitation fix. | |||||
| CVE-2020-26294 | 1 Target | 1 Compiler | 2024-11-21 | 5.0 MEDIUM | 7.4 HIGH |
| Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets. | |||||
| CVE-2020-26284 | 1 Gohugo | 1 Hugo | 2024-11-21 | 8.5 HIGH | 7.7 HIGH |
| Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround. | |||||
| CVE-2020-26274 | 1 Systeminformation | 1 Systeminformation | 2024-11-21 | 7.5 HIGH | 6.4 MEDIUM |
| In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix. | |||||
| CVE-2020-26259 | 3 Debian, Fedoraproject, Xstream Project | 3 Debian Linux, Fedora, Xstream | 2024-11-21 | 6.4 MEDIUM | 6.8 MEDIUM |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories. | |||||