Total
4227 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-29369 | 1 Gnuplot Project | 1 Gnuplot | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The gnuplot package prior to version 0.1.0 for Node.js allows code execution via shell metacharacters in Gnuplot commands. | |||||
| CVE-2021-29300 | 1 Ronomon | 1 Opened | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The @ronomon/opened library before 1.5.2 is vulnerable to a command injection vulnerability which would allow a remote attacker to execute commands on the system if the library was used with untrusted input. | |||||
| CVE-2021-29147 | 1 Arubanetworks | 1 Clearpass | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. | |||||
| CVE-2021-29143 | 1 Arubanetworks | 8 Aos-cx Firmware, Cx 6200f, Cx 6300 and 5 more | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| A remote execution of arbitrary commands vulnerability was discovered in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): Aruba AOS-CX firmware: 10.04.xxxx - versions prior to 10.04.3070, 10.05.xxxx - versions prior to 10.05.0070, 10.06.xxxx - versions prior to 10.06.0110, 10.07.xxxx - versions prior to 10.07.0001. Aruba has released upgrades for Aruba AOS-CX devices that address this security vulnerability. | |||||
| CVE-2021-29003 | 1 Genexis | 2 Platinum 4410, Platinum 4410 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI. | |||||
| CVE-2021-28961 | 1 Openwrt | 1 Openwrt | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDNS package for OpenWrt 19.07 allows remote authenticated users to inject arbitrary commands via POST requests. | |||||
| CVE-2021-28958 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. | |||||
| CVE-2021-28927 | 2 Libretro, Microsoft | 2 Retroarch, Windows | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| The text-to-speech engine in libretro RetroArch for Windows 1.9.0 passes unsanitized input to PowerShell through platform_win32.c via the accessibility_speak_windows function, which allows attackers who have write access on filesystems that are used by RetroArch to execute code via command injection using specially a crafted file and directory names. | |||||
| CVE-2021-28804 | 1 Qnap | 2 Qts, Quts Hero | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217. | |||||
| CVE-2021-28802 | 1 Qnap | 2 Qts, Quts Hero | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217. | |||||
| CVE-2021-28800 | 1 Qnap | 1 Qts | 2024-11-21 | 7.5 HIGH | 8.1 HIGH |
| A command injection vulnerability has been reported to affect QNAP NAS running legacy versions of QTS. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.3.6.1663 Build 20210504; versions prior to 4.3.3.1624 Build 20210416. This issue does not affect: QNAP Systems Inc. QTS 4.5.3. QNAP Systems Inc. QuTS hero h4.5.3. QNAP Systems Inc. QuTScloud c4.5.5. | |||||
| CVE-2021-28634 | 1 Adobe | 2 Acrobat Dc, Acrobat Reader Dc | 2024-11-21 | 8.5 HIGH | 8.2 HIGH |
| Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Improper Neutralization of Special Elements used in an OS Command. An authenticated attacker could leverage this vulnerability to achieve arbitrary code execution on the host machine in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-28571 | 2 Adobe, Microsoft | 2 After Effects, Windows | 2024-11-21 | 7.6 HIGH | 8.3 HIGH |
| Adobe After Effects version 18.1 (and earlier) is affected by a potential Command injection vulnerability when chained with a development and debugging tool for JavaScript scripts. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | |||||
| CVE-2021-28398 | 1 Osgeo | 1 Geonetwork | 2024-11-21 | N/A | 7.2 HIGH |
| A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0. | |||||
| CVE-2021-28204 | 1 Asus | 6 Asmb8-ikvm, Asmb8-ikvm Firmware, Z10pe-d16 Ws and 3 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The specific function in ASUS BMC’s firmware Web management page (Modify user’s information function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can launch command injection to execute command arbitrary. | |||||
| CVE-2021-28203 | 1 Asus | 6 Asmb8-ikvm, Asmb8-ikvm Firmware, Z10pe-d16 Ws and 3 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Web Set Media Image function in ASUS BMC’s firmware Web management page does not filter the specific parameter. As obtaining the administrator permission, remote attackers can launch command injection to execute command arbitrary. | |||||
| CVE-2021-28151 | 1 Hongdian | 2 H8922, H8922 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest. | |||||
| CVE-2021-28144 | 1 Dlink | 2 Dir-3060, Dir-3060 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| prog.cgi on D-Link DIR-3060 devices before 1.11b04 HF2 allows remote authenticated users to inject arbitrary commands in an admin or root context because SetVirtualServerSettings calls CheckArpTables, which calls popen unsafely. | |||||
| CVE-2021-28143 | 1 Dlink | 2 Dir-841, Dir-841 Firmware | 2024-11-21 | 7.7 HIGH | 8.0 HIGH |
| /jsonrpc on D-Link DIR-841 3.03 and 3.04 devices allows authenticated command injection via ping, ping6, or traceroute (under System Tools). | |||||
| CVE-2021-28132 | 1 Lucysecurity | 1 Security Awareness | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| LUCY Security Awareness Software through 4.7.x allows unauthenticated remote code execution because the Migration Tool (in the Support section) allows upload of .php files within a system.tar.gz file. The .php file becomes accessible with a public/system/static URI. | |||||