Total
4312 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-7632 | 1 Lifesize | 8 Networker 220, Networker 220 Firmware, Passport 220 and 5 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| LifeSize Team, Room, Passport, and Networker 220 devices allow Authenticated Remote OS Command Injection, as demonstrated by shell metacharacters in the support/mtusize.php mtu_size parameter. The lifesize default password for the cli account may sometimes be used for authentication. | |||||
| CVE-2019-7385 | 1 Raisecom | 8 Iscom Ht803g-1ge, Iscom Ht803g-1ge Firmware, Iscom Ht803g-u and 5 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below, The values of the newpass and confpass parameters in /bin/WebMGR are used in a system call in the firmware. Because there is no user input validation, this leads to authenticated code execution on the device. | |||||
| CVE-2019-7384 | 1 Raisecom | 8 Iscom Ht803g-1ge, Iscom Ht803g-1ge Firmware, Iscom Ht803g-u and 5 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below. The value of the fmgpon_loid parameter is used in a system call inside the boa binary. Because there is no user input validation, this leads to authenticated code execution on the device. | |||||
| CVE-2019-7383 | 1 Systrome | 6 Cumilon Isg-600c, Cumilon Isg-600c Firmware, Cumilon Isg-600h and 3 more | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered on Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W devices with firmware V1.1-R2.1_TRUNK-20181105.bin. A shell command injection occurs by editing the description of an ISP file. The file network/isp/isp_update_edit.php does not properly validate user input, which leads to shell command injection via the des parameter. | |||||
| CVE-2019-7301 | 1 Zevenet | 1 Zen Load Balancer | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| Zen Load Balancer 3.10.1 allows remote authenticated admin users to execute arbitrary commands as root via shell metacharacters in the index.cgi?action=View_Cert certname parameter. | |||||
| CVE-2019-7298 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body, such as a body of ' /bin/telnetd' for the GetDeviceSettingsset API function. Consequently, an attacker can execute any command remotely when they control this input. | |||||
| CVE-2019-7297 | 2 D-link, Dlink | 2 Dir-823g Firmware, Dir-823g | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command Injection vulnerability allows attackers to execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request. This occurs when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named Address. Consequently, an attacker can execute any command remotely when they control this input. | |||||
| CVE-2019-7269 | 1 Nortekcontrol | 4 Linear Emerge 5000p, Linear Emerge 5000p Firmware, Linear Emerge 50p and 1 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Linear eMerge 50P/5000P devices allow Authenticated Command Injection with root Code Execution. | |||||
| CVE-2019-7198 | 1 Qnap | 2 Qts, Quts Hero | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later | |||||
| CVE-2019-6962 | 1 Rdkcentral | 1 Rdkb Ccsppandm | 2024-11-21 | 8.5 HIGH | 7.5 HIGH |
| A shell injection issue in cosa_wifi_apis.c in the RDK RDKB-20181217-1 CcspWifiAgent module allows attackers with login credentials to execute arbitrary shell commands under the CcspWifiSsp process (running as root) if the platform was compiled with the ENABLE_FEATURE_MESHWIFI macro. The attack is conducted by changing the Wi-Fi network password to include crafted escape characters. This is related to the WebUI module. | |||||
| CVE-2019-6739 | 1 Malwarebytes | 1 Antimalware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Malwarebytes Antimalware 3.6.1.2711. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page. There is an issue with the way the product handles URIs within certain schemes. The product does not warn the user that a dangerous navigation is about to take place. Because special characters in the URI are not sanitized, this could lead to the execution of arbitrary commands. An attacker can leverage this vulnerability to execute code in the context of the current user at medium integrity. Was ZDI-CAN-7162. | |||||
| CVE-2019-6738 | 1 Bitdefender | 1 Safepay | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender SafePay 23.0.10.34. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of TIScript. When processing the launch method the application does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability execute code in the context of the current process. Was ZDI-CAN-7250. | |||||
| CVE-2019-6736 | 1 Bitdefender | 1 Safepay | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender SafePay 23.0.10.34. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of tiscript. When processing the System.Exec method the application does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7234. | |||||
| CVE-2019-6621 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 11 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection by an admin/resource admin user. This issue impacts both iControl REST and tmsh implementations. | |||||
| CVE-2019-6620 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 11 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4 and BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, an undisclosed iControl REST worker vulnerable to command injection for an Administrator user. | |||||
| CVE-2019-6552 | 1 Advantech | 1 Webaccess | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple command injection vulnerabilities, caused by a lack of proper validation of user-supplied data, may allow remote code execution. | |||||
| CVE-2019-6487 | 1 Tp-link | 10 Tl-wdr3500, Tl-wdr3500 Firmware, Tl-wdr3600 and 7 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field. | |||||
| CVE-2019-6014 | 1 Dlink | 2 Dba-1510p, Dba-1510p Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH |
| DBA-1510P firmware 1.70b009 and earlier allows an attacker to execute arbitrary OS commands via Web User Interface. | |||||
| CVE-2019-6013 | 1 Dlink | 2 Dba-1510p, Dba-1510p Firmware | 2024-11-21 | 6.8 MEDIUM | 6.6 MEDIUM |
| DBA-1510P firmware 1.70b009 and earlier allows authenticated attackers to execute arbitrary OS commands via Command Line Interface (CLI). | |||||
| CVE-2019-5987 | 1 Anglers-net | 1 Cgi An-anlyzer | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Access analysis CGI An-Analyzer released in 2019 June 24 and earlier allows remote authenticated attackers to execute arbitrary OS commands via the Management Page. | |||||