Total: 4312 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-19838 | 1 Ruckuswireless | 17 C110, E510, H320 and 14 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote attackers to execute OS commands via a POST request with the attribute xcmd=get-platform-depends to admin/_cmdstat.jsp via the uploadFile attribute. | |||||
CVE-2019-19824 | 1 Totolink | 16 A3002ru, A3002ru Firmware, A702r and 13 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
On certain TOTOLINK Realtek SDK based routers, an authenticated attacker may execute arbitrary OS commands via the sysCmd parameter to the boafrm/formSysCmd URI, even if the GUI (syscmd.htm) is not available. This allows for full control over the device's internals. This affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, N100RE through 3.4.0, and N302RE 2.0.2. | |||||
CVE-2019-19642 | 1 Supermicro | 3 X8sti-f, X8sti-f Bios, X8sti-f Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareName. The attacker can achieve a persistent backdoor. | |||||
CVE-2019-19609 | 1 Strapi | 1 Strapi | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function. | |||||
CVE-2019-19606 | 1 X-plane | 1 X-plane | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
X-Plane before 11.41 has multiple improper path validations that could allow reading and writing files from/to arbitrary paths (or a leak of OS credentials to a remote system) via crafted network packets. This could be used to execute arbitrary commands on the system. | |||||
CVE-2019-19604 | 4 Debian, Fedoraproject, Git-scm and 1 more | 4 Debian Linux, Fedora, Git and 1 more | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. | |||||
CVE-2019-19509 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
An issue was discovered in rConfig 3.9.3. A remote authenticated user can execute arbitrary system commands by sending a GET request to ajaxArchiveFiles.php, because the path parameter is passed to the exec function without filtering. | |||||
CVE-2019-19487 | 1 Centreon | 1 Centreon | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
Command injection in minPlayCommand.php in Centreon 19.04.4 and below allows an attacker to execute arbitrary commands via the plugin test function. | |||||
CVE-2019-19469 | 1 Zmanda | 1 Amanda | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
In Zmanda Management Console 3.3.9, ZMC_Admin_Advanced?form=adminTasks&action=Apply&command= allows CSRF, as demonstrated by command injection with shell metacharacters. This may depend on weak default credentials. | |||||
CVE-2019-19220 | 1 Bmcsoftware | 1 Control-m\/agent | 2024-11-21 | 8.5 HIGH | 8.8 HIGH |
BMC Control-M/Agent 7.0.00.000 allows OS Command Injection (issue 2 of 2). | |||||
CVE-2019-19217 | 1 Bmcsoftware | 1 Control-m\/agent | 2024-11-21 | 8.5 HIGH | 8.8 HIGH |
BMC Control-M/Agent 7.0.00.000 allows OS Command Injection. | |||||
CVE-2019-19148 | 1 Tellabs | 2 Optical Line Terminal 1150, Optical Line Terminal 1150 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
Tellabs Optical Line Terminal (OLT) 1150 devices allow Remote Command Execution via the -l option to TELNET or SSH. Tellabs has addressed this issue in the SR30.1 and SR31.1 release on February 18, 2020. | |||||
CVE-2019-19117 | 1 Phicomm | 2 K2\(psg1218\), K2\(psg1218\) Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter. | |||||
CVE-2019-19041 | 1 Xorur | 3 Lpar2rrd, Stor2rrd, Xorur | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by the underlying system. It is possible to achieve this by modifying the values in the files.SUM file (which are used for integrity control) and injecting malicious code into the upgrade.sh file. | |||||
CVE-2019-19034 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
Zoho ManageEngine AssetExplorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule SCCM scans. This allows an attacker to execute arbitrary commands on the AssetExplorer server with NT AUTHORITY\SYSTEM privileges. | |||||
CVE-2019-18934 | 3 Fedoraproject, Nlnetlabs, Opensuse | 3 Fedora, Unbound, Leap | 2024-11-21 | 6.8 MEDIUM | 7.3 HIGH |
Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can lead to shell command execution after receiving a specially crafted answer. This issue can only be triggered if Unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration. | |||||
CVE-2019-18910 | 1 Hp | 1 Thinpro | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
The Citrix Receiver wrapper function in HP ThinPro does not safely handle user-supplied input, which may be leveraged by an attacker to inject commands that will execute with local user privileges. | |||||
CVE-2019-18909 | 2 Hp, Linux | 2 Thinpro, Linux Kernel | 2024-11-21 | 7.7 HIGH | 8.0 HIGH |
The VPN software within HP ThinPro does not safely handle user-supplied input, which may be leveraged by an attacker to inject commands that will execute with root privileges. | |||||
CVE-2019-18894 | 1 Avast | 1 Premium Security | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
In Avast Premium Security 19.8.2393, attackers can send a specially crafted request to the local web server that Avast Antivirus runs on port 27275 to support Bank Mode functionality. A flaw in the processing of a command allows execution of arbitrary OS commands with the privileges of the currently logged-in user. This allows, for example, attackers who have compromised a browser extension to escape from the browser sandbox. | |||||
CVE-2019-18873 | 1 Fudforum | 1 Fudforum | 2024-11-21 | 8.5 HIGH | 9.0 CRITICAL |
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header, which may result in remote code execution. An attacker with an ordinary user account can fully compromise the system via a GET request: when the admin views that user's information under "User Manager" in the control panel, the payload executes, allowing PHP files to be written to the web root and code to run on the server. The problem is in admsession.php and admuser.php. | |||||