Total
2154 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-26319 | 1 Mi | 2 Xiaomi Router Ax3200, Xiaomi Router Ax3200 Firmware | 2024-11-21 | N/A | 6.7 MEDIUM |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection. | |||||
| CVE-2023-26317 | 1 Mi | 1 Xiaomi Router Firmware | 2024-11-21 | N/A | 7.0 HIGH |
| Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing. | |||||
| CVE-2023-26310 | 1 Oppo | 2 Coloros, Find X3 | 2024-11-21 | N/A | 7.4 HIGH |
| There is a command injection problem in the old version of the mobile phone backup app. | |||||
| CVE-2023-26155 | 1 Nrhirani | 1 Node-qpdf | 2024-11-21 | N/A | 7.3 HIGH |
| All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path. | |||||
| CVE-2023-26145 | 1 Derrickgilland | 1 Pydash | 2024-11-21 | N/A | 7.4 HIGH |
| This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects. **Note:** The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied: 1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible) 2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method) The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function. | |||||
| CVE-2023-26134 | 1 Git-commit-info Project | 1 Git-commit-info | 2024-11-21 | N/A | 9.8 CRITICAL |
| Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo () fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they control the hash content. | |||||
| CVE-2023-26130 | 1 Cpp-httplib Project | 1 Cpp-httplib | 2024-11-21 | N/A | 7.5 HIGH |
| Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors. **Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507). | |||||
| CVE-2023-25805 | 1 Versionn Project | 1 Versionn | 2024-11-21 | N/A | 9.8 CRITICAL |
| versionn, software for changing version information across multiple files, has a command injection vulnerability in all versions prior to version 1.1.0. This issue is patched in version 1.1.0. | |||||
| CVE-2023-25649 | 1 Zte | 2 Mf286r, Mf286r Firmware | 2024-11-21 | N/A | 6.8 MEDIUM |
| There is a command injection vulnerability in a mobile internet product of ZTE. Due to insufficient validation of SET_DEVICE_LED interface parameter, an authenticated attacker could use the vulnerability to execute arbitrary commands. | |||||
| CVE-2023-25643 | 1 Zte | 4 Mc801a, Mc801a1, Mc801a1 Firmware and 1 more | 2024-11-21 | N/A | 8.4 HIGH |
| There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands. | |||||
| CVE-2023-24583 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| Two OS command injection vulnerabilities exist in the urvpn_client cmd_name_action functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This OS command injection is triggered through a UDP packet. | |||||
| CVE-2023-24229 | 1 Draytek | 2 Vigor2960, Vigor2960 Firmware | 2024-11-21 | N/A | 7.8 HIGH |
| DrayTek Vigor2960 v1.5.1.4 allows an authenticated attacker with network access to the web management interface to inject operating system commands via the mainfunction.cgi 'parameter' parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2023-24135 | 1 Jensenofscandinavia | 2 Eagle 1200ac, Eagle 1200ac Firmware | 2024-11-21 | N/A | 7.8 HIGH |
| Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a command injection vulnerability in the function formWriteFacMac. This vulnerability allows attackers to execute arbitrary commands via manipulation of the mac parameter. | |||||
| CVE-2023-24046 | 1 Connectize | 2 Ac21000 G6, Ac21000 G6 Firmware | 2024-11-21 | N/A | 6.8 MEDIUM |
| An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to run arbitrary commands via use of a crafted string in the ping utility. | |||||
| CVE-2023-24032 | 1 Zimbra | 1 Collaboration | 2024-11-21 | N/A | 7.8 HIGH |
| In Zimbra Collaboration Suite through 9.0 and 8.8.15, an attacker (who has initial user access to a Zimbra server instance) can execute commands as root by passing one of JVM arguments, leading to local privilege escalation (LPE). | |||||
| CVE-2023-23564 | 1 Geomatika | 1 Isigeo Web | 2024-11-21 | N/A | 8.8 HIGH |
| An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to execute commands. | |||||
| CVE-2023-23355 | 1 Qnap | 18 Qts, Quts Hero, Qutscloud and 15 more | 2024-11-21 | N/A | 6.6 MEDIUM |
| An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors. QES is not affected. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2348 build 20230324 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later | |||||
| CVE-2023-23294 | 1 Korenix | 29 Jetwave 2111, Jetwave 2111 Firmware, Jetwave 2111l and 26 more | 2024-11-21 | N/A | 8.8 HIGH |
| Korenix JetWave 4200 Series 1.3.0 and JetWave 3000 Series 1.6.0 are vulnerable to Command Injection. An attacker can modify the file_name parameter to execute commands as root. | |||||
| CVE-2023-23080 | 1 Tenda | 10 Cp3, Cp3 Firmware, Cp7 and 7 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| Certain Tenda products are vulnerable to command injection. This affects Tenda CP7 Tenda CP7<=V11.10.00.2211041403 and Tenda CP3 v.10 Tenda CP3 v.10<=V20220906024_2025 and Tenda IT7-PCS Tenda IT7-PCS<=V2209020914 and Tenda IT7-LCS Tenda IT7-LCS<=V2209020914 and Tenda IT7-PRS Tenda IT7-PRS<=V2209020908. | |||||
| CVE-2023-22935 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-11-21 | N/A | 8.1 HIGH |
| In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘display.page.search.patterns.sensitivity’ search parameter lets a search bypass SPL safeguards for risky commands. The vulnerability requires a higher privileged user to initiate a request within their browser and only affects instances with Splunk Web enabled. | |||||