Total
4312 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17148 | 1 Parallels | 1 Parallels Desktop | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop Parallels Desktop version 14.1.3 (45485). An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of root. Was ZDI-CAN-8685. | |||||
| CVE-2019-17107 | 1 Centreon | 1 Centreon Web | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect. | |||||
| CVE-2019-17096 | 1 Bitdefender | 3 Box 2, Box 2 Firmware, Central | 2024-11-21 | 9.3 HIGH | 9.0 CRITICAL |
| A OS Command Injection vulnerability in the bootstrap stage of Bitdefender BOX 2 allows the manipulation of the `get_image_url()` function in special circumstances to inject a system command. | |||||
| CVE-2019-17095 | 1 Bitdefender | 2 Box 2, Box 2 Firmware | 2024-11-21 | 10.0 HIGH | 8.1 HIGH |
| A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate a infrastructure server to trigger this vulnerability. | |||||
| CVE-2019-17059 | 1 Sophos | 2 Cyberoam, Cyberoamos | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A shell injection vulnerability on the Sophos Cyberoam firewall appliance with CyberoamOS before 10.6.6 MR-6 allows remote attackers to execute arbitrary commands via the Web Admin and SSL VPN consoles. | |||||
| CVE-2019-16965 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data. | |||||
| CVE-2019-16964 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit) to execute any commands on the host as www-data. | |||||
| CVE-2019-16790 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2024-11-21 | 6.5 MEDIUM | 6.5 MEDIUM |
| In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted. | |||||
| CVE-2019-16737 | 2 Petwant, Skymee | 4 Pf-103, Pf-103 Firmware, Petalk Ai and 1 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The processCommandSetMac() function of libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | |||||
| CVE-2019-16733 | 2 Petwant, Skymee | 4 Pf-103, Pf-103 Firmware, Petalk Ai and 1 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| processCommandSetUid() in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | |||||
| CVE-2019-16730 | 2 Petwant, Skymee | 4 Pf-103, Pf-103 Firmware, Petalk Ai and 1 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| processCommandUpgrade() in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | |||||
| CVE-2019-16718 | 1 Radare | 1 Radare2 | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| In radare2 before 3.9.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to an insufficient fix for CVE-2019-14745 and improper handling of symbol names embedded in executables. | |||||
| CVE-2019-16701 | 1 Netgate | 1 Pfsense | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value. | |||||
| CVE-2019-16663 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to search.crud.php because the catCommand parameter is passed to the exec function without filtering, which can lead to command execution. | |||||
| CVE-2019-16662 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution. | |||||
| CVE-2019-16639 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| An issue was found on the Ruijie EG-2000 series gateway. There is a newcli.php API interface without access control, which can allow an attacker (who only has web interface access) to use TELNET commands and/or show admin passwords via the mode_url=exec&command= substring. This affects EG-2000SE EG_RGOS 11.9 B11P1. | |||||
| CVE-2019-16293 | 1 Opmantek | 1 Open-audit | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The Create Discoveries feature of Open-AudIT before 3.2.0 allows an authenticated attacker to execute arbitrary OS commands via a crafted value for a URL field. | |||||
| CVE-2019-16242 | 1 Alcatelmobile | 2 Cingular Flip 2, Cingular Flip 2 Firmware | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
| On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an engineering application named omamock that is vulnerable to OS command injection. An attacker with physical access to the device can abuse this vulnerability to execute arbitrary OS commands as the root user via the application's UI. | |||||
| CVE-2019-16213 | 1 Tendacn | 2 Pa6, Pa6 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially crafted string, an attacker could modify the device name of an attached PLC adapter to inject and execute arbitrary commands on the system with root privileges. | |||||
| CVE-2019-16072 | 1 Netsas | 1 Enigma Network Management Solution | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An OS command injection vulnerability in the discover_and_manage CGI script in NETSAS Enigma NMS 65.0.0 and prior allows an attacker to execute arbitrary code because of improper neutralization of shell metacharacters in the ip_address variable within an snmp_browser action. | |||||