Total
4204 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8869 | 1 Totolink | 2 A720r, A720r Firmware | 2024-09-20 | 4.6 MEDIUM | 8.1 HIGH |
| A vulnerability classified as critical has been found in TOTOLINK A720R 4.1.5. Affected is the function exportOvpn. The manipulation leads to os command injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-20469 | 1 Cisco | 1 Identity Services Engine | 2024-09-20 | N/A | 6.7 MEDIUM |
| A vulnerability in specific CLI commands in Cisco Identity Services Engine (ISE) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have valid Administrator privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root. | |||||
| CVE-2024-21906 | 1 Qnap | 2 Qts, Quts Hero | 2024-09-20 | N/A | 4.7 MEDIUM |
| An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later | |||||
| CVE-2024-45798 | 2024-09-20 | N/A | 9.9 CRITICAL | ||
| arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow (`GHSL-2024-169`) and environment Variable injection (`GHSL-2024-170`). These issue have been addressed but users are advised to verify the contents of the downloaded artifacts. | |||||
| CVE-2024-43778 | 2024-09-20 | N/A | 8.8 HIGH | ||
| OS command injection vulnerability in multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings. | |||||
| CVE-2024-42502 | 2024-09-20 | N/A | 7.2 HIGH | ||
| Authenticated command injection vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability result in the ability to inject shell commands on the underlying operating system. | |||||
| CVE-2024-42503 | 2024-09-20 | N/A | 7.2 HIGH | ||
| Authenticated command execution vulnerability exist in the ArubaOS command line interface (CLI). Successful exploitation of this vulnerabilities result in the ability to run arbitrary commands as a priviledge user on the underlying operating system. | |||||
| CVE-2023-47105 | 2024-09-20 | N/A | 8.6 HIGH | ||
| exec.CommandContext in Chaosblade 0.3 through 1.7.3, when server mode is used, allows OS command execution via the cmd parameter without authentication. | |||||
| CVE-2024-6091 | 1 Agpt | 1 Autogpt | 2024-09-18 | N/A | 9.8 CRITICAL |
| A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises when the denylist is configured to block specific commands, such as 'whoami' and '/bin/whoami'. An attacker can circumvent this restriction by executing commands with a modified path, such as '/bin/./whoami', which is not recognized by the denylist. | |||||
| CVE-2023-34979 | 1 Qnap | 2 Qts, Quts Hero | 2024-09-17 | N/A | 7.2 HIGH |
| An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 4.5.4.2790 build 20240605 and later QuTS hero h4.5.4.2790 build 20240606 and later | |||||
| CVE-2024-38641 | 1 Qnap | 2 Qts, Quts Hero | 2024-09-16 | N/A | 7.8 HIGH |
| An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network users to execute commands via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later | |||||
| CVE-2024-8279 | 2024-09-14 | N/A | 7.2 HIGH | ||
| A privilege escalation vulnerability was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads. | |||||
| CVE-2024-8281 | 2024-09-14 | N/A | 7.2 HIGH | ||
| An input validation weakness was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection through specially crafted command line input in the XCC SSH captive shell. | |||||
| CVE-2024-8278 | 2024-09-14 | N/A | 7.2 HIGH | ||
| A privilege escalation vulnerability was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands. | |||||
| CVE-2024-8280 | 2024-09-14 | N/A | 7.2 HIGH | ||
| An input validation weakness was discovered in XCC that could allow a valid, authenticated XCC user with elevated privileges to perform command injection or cause a recoverable denial of service using a specially crafted file. | |||||
| CVE-2023-34974 | 1 Qnap | 2 Qts, Quts Hero | 2024-09-13 | N/A | 8.8 HIGH |
| An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. QuTScloud, QVR, QES are not affected. We have already fixed the vulnerability in the following versions: QTS 4.5.4.2790 build 20240605 and later QuTS hero h4.5.4.2626 build 20231225 and later | |||||
| CVE-2024-7261 | 1 Zyxel | 58 Nwa110ax, Nwa110ax Firmware, Nwa1123-ac Pro and 55 more | 2024-09-13 | N/A | 9.8 CRITICAL |
| The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device. | |||||
| CVE-2024-8504 | 2024-09-12 | N/A | 8.8 HIGH | ||
| An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective. | |||||
| CVE-2024-44844 | 1 Draytek | 2 Vigor3900, Vigor3900 Firmware | 2024-09-11 | N/A | 8.8 HIGH |
| DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated command injection vulnerability via the name parameter in the run_command function. | |||||
| CVE-2024-44845 | 1 Draytek | 2 Vigor3900, Vigor3900 Firmware | 2024-09-11 | N/A | 8.8 HIGH |
| DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated command injection vulnerability via the value parameter in the filter_string function. | |||||