Total
4568 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-12328 | 1 Atcom | 2 A10w, A10w Firmware | 2024-11-21 | 9.0 HIGH | 9.0 CRITICAL |
| A command injection (missing input validation) issue in the remote phonebook configuration URI in the web interface of the Atcom A10W VoIP phone with firmware 2.6.1a2421 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request. | |||||
| CVE-2019-12324 | 1 Akuvox | 2 Sp-r50p, Sp-r50p Firmware | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| A command injection (missing input validation) issue in the IP address field for the logging server in the configuration web interface on the Akuvox R50P VoIP phone with firmware 50.0.6.156 allows an authenticated remote attacker in the same network to trigger OS commands via shell metacharacters in a POST request. | |||||
| CVE-2019-12272 | 1 Openwrt | 1 Luci | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/bandwidth_status and admin/status/realtime/wireless_status of the web application are affected by a command injection vulnerability. | |||||
| CVE-2019-12181 | 1 Solarwinds | 2 Serv-u Ftp Server, Serv-u Mft Server | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux. | |||||
| CVE-2019-12132 | 1 Onap | 1 Open Network Automation Platform | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in ONAP SDNC before Dublin. By executing sla/dgUpload with a crafted filename parameter, an unauthenticated attacker can execute an arbitrary command. All SDC setups that include admportal are affected. | |||||
| CVE-2019-12123 | 1 Onap | 1 Open Network Automation Platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in ONAP SDNC before Dublin. By executing sla/printAsXml with a crafted module parameter, an authenticated user can execute an arbitrary command. All SDC setups that include admportal are affected. | |||||
| CVE-2019-12113 | 1 Onap | 1 Open Network Automation Platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in ONAP SDNC before Dublin. By executing sla/printAsGv with a crafted module parameter, an authenticated user can execute an arbitrary command. All SDC setups that include admportal are affected. | |||||
| CVE-2019-12112 | 1 Onap | 1 Open Network Automation Platform | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in ONAP SDNC before Dublin. By executing sla/upload with a crafted filename parameter, an unauthenticated attacker can execute an arbitrary command. All SDC setups that include admportal are affected. | |||||
| CVE-2019-12103 | 1 Tp-link | 2 M7350, M7350 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The web-based configuration interface of the TP-Link M7350 V3 with firmware before 190531 is affected by a pre-authentication command injection vulnerability. | |||||
| CVE-2019-12091 | 1 Netskope | 1 Netskope | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2.0.214, running with NT\SYSTEM privilege, accepts network connections from localhost. The connection handling function in this service suffers from command injection vulnerability. Local users can use this vulnerability to execute code with NT\SYSTEM privilege. | |||||
| CVE-2019-11829 | 1 Synology | 1 Calendar | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via the crafted 'X-Real-IP' header. | |||||
| CVE-2019-11689 | 1 Asustor | 1 Exfat Driver | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| An issue was discovered in ASUSTOR exFAT Driver through 1.0.0.r20. When conducting license validation, exfat.cgi and exfatctl fail to properly validate server responses and pass unsanitized text to the system shell, resulting in code execution as root. | |||||
| CVE-2019-11627 | 3 Debian, Opensuse, Signing-party Project | 3 Debian Linux, Leap, Signing-party | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| gpg-key2ps in signing-party 1.1.x and 2.x before 2.10-1 contains an unsafe shell call enabling shell injection via a User ID. | |||||
| CVE-2019-11527 | 1 Softing | 2 Uagate Si, Uagate Si Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered in Softing uaGate SI 1.60.01. A CGI script is vulnerable to command injection with a maliciously crafted url parameter. | |||||
| CVE-2019-11444 | 1 Liferay | 1 Liferay Portal | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw | |||||
| CVE-2019-11410 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| app/backup/index.php in the Backup Module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute commands on the host. | |||||
| CVE-2019-11409 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module. | |||||
| CVE-2019-11399 | 1 Trendnet | 6 Tew-651br, Tew-651br Firmware, Tew-652brp and 3 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12 devices. OS command injection occurs through the get_set.ccp lanHostCfg_HostName_1.1.1.0.0 parameter. | |||||
| CVE-2019-11364 | 1 Prophecyinternational | 1 Snare Central | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| An OS Command Injection vulnerability in Snare Central before 7.4.5 allows remote authenticated attackers to inject arbitrary OS commands via the ServerConf/DataManagement/DiskManager.php FORMNAS_share parameter. | |||||
| CVE-2019-11355 | 1 Polycom | 1 Hdx System Software | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in Poly (formerly Polycom) HDX 3.1.13. A feature exists that allows the creation of a server / client certificate, or the upload of the user certificate, on the administrator's page. The value received from the user is the factor value of a shell script on the equipment. By entering a special character (such as a single quote) in a CN or other CSR field, one can insert a command into a factor value. A system command can be executed as root. | |||||