Total
4462 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14162 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| An issue was discovered in Pi-Hole through 5.0. The local www-data user has sudo privileges to execute the pihole core script as root without a password, which could allow an attacker to obtain root access via shell metacharacters to this script's setdns command. | |||||
| CVE-2020-14144 | 1 Gitea | 1 Gitea | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The git hook feature in Gitea 1.1.0 through 1.12.5 might allow for authenticated remote code execution in customer environments where the documentation was not understood (e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the ENABLE_GIT_HOOKS line in the config file). NOTE: The vendor has indicated this is not a vulnerability and states "This is a functionality of the software that is limited to a very limited subset of accounts. If you give someone the privilege to execute arbitrary code on your server, they can execute arbitrary code on your server. We provide very clear warnings to users around this functionality and what it provides. | |||||
| CVE-2020-14081 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| TRENDnet TEW-827DRU devices through 2.06B04 contain multiple command injections in apply.cgi via the action send_log_email with the key auth_acname (or auth_passwd), allowing an authenticated user to run arbitrary commands on the device. | |||||
| CVE-2020-14075 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| TRENDnet TEW-827DRU devices through 2.06B04 contain multiple command injections in apply.cgi via the action pppoe_connect, ru_pppoe_connect, or dhcp_connect with the key wan_ifname (or wan0_dns), allowing an authenticated user to run arbitrary commands on the device. | |||||
| CVE-2020-14072 | 1 Mk-auth | 1 Mk-auth | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in MK-AUTH 19.01. It allows command execution as root via shell metacharacters to /auth admin scripts. | |||||
| CVE-2020-13978 | 1 Monstra | 1 Monstra Cms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Monstra CMS 3.0.4 allows an attacker, who already has administrative access to modify .chunk.php files on the Edit Chunk screen, to execute arbitrary OS commands via the Theme Module by visiting the admin/index.php?id=themes&action=edit_chunk URI. NOTE: there is no indication that the Edit Chunk feature was intended to prevent an administrator from using PHP's exec feature | |||||
| CVE-2020-13976 | 1 Dd-wrt | 1 Dd-wrt | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in DD-WRT through 16214. The Diagnostic page allows remote attackers to execute arbitrary commands via shell metacharacters in the host field of the ping command. Exploitation through CSRF might be possible. NOTE: software maintainers consider the report invalid because it refers to an old software version, requires administrative privileges, and does not provide access beyond that already available to administrative users | |||||
| CVE-2020-13925 | 1 Apache | 1 Kylin | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0. | |||||
| CVE-2020-13851 | 1 Pandorafms | 1 Pandora Fms | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Artica Pandora FMS 7.44 allows remote command execution via the events feature. | |||||
| CVE-2020-13802 | 1 Erlang | 1 Rebar3 | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification. | |||||
| CVE-2020-13782 | 1 Dlink | 2 Dir-865l, Dir-865l Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| D-Link DIR-865L Ax 1.20B01 Beta devices allow Command Injection. | |||||
| CVE-2020-13778 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| rConfig 3.9.4 and earlier allows authenticated code execution (of system commands) by sending a forged GET request to lib/ajaxHandlers/ajaxAddTemplate.php or lib/ajaxHandlers/ajaxEditTemplate.php. | |||||
| CVE-2020-13694 | 1 Quickbox | 1 Quickbox | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the mysql -e option. | |||||
| CVE-2020-13619 | 1 Locutus | 1 Locutus Php | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution. | |||||
| CVE-2020-13448 | 1 Quickbox | 1 Quickbox | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter. | |||||
| CVE-2020-13404 | 1 Quadra-informatique | 1 Atos\/sips | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| The ATOS/Sips (aka Atos-Magento) community module 3.0.0 to 3.0.5 for Magento allows command injection. | |||||
| CVE-2020-13388 | 1 Python | 1 Jw.util | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used. | |||||
| CVE-2020-13252 | 1 Centreon | 1 Centreon | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page. | |||||
| CVE-2020-13167 | 1 Netsweeper | 1 Netsweeper | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters. | |||||
| CVE-2020-13159 | 1 Articatech | 1 Artica Proxy | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Artica Proxy before 4.30.000000 Community Edition allows OS command injection via the Netbios name, Server domain name, dhclient_mac, Hostname, or Alias field. NOTE: this may overlap CVE-2020-10818. | |||||