Total
4471 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-2707 | 1 Tenda | 2 Ac10u, Ac10u Firmware | 2024-12-12 | 6.5 MEDIUM | 6.3 MEDIUM |
A vulnerability has been found in Tenda AC10U 15.03.06.49 and classified as critical. This vulnerability affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257458 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2023-34642 | 1 Kioware | 1 Kioware | 2024-12-12 | N/A | 7.8 HIGH |
KioWare for Windows through v8.33 was discovered to contain an incomplete blacklist filter for blocked dialog boxes on Windows 10. This issue can allow attackers to open a file dialog box via the function showDirectoryPicker() which can then be used to open an unprivileged command prompt. | |||||
CVE-2024-28138 | 2024-12-11 | N/A | 7.3 HIGH | ||
An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msg_events.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized. | |||||
CVE-2024-54008 | 2024-12-11 | N/A | 7.2 HIGH | ||
An authenticated Remote Code Execution (RCE) vulnerability exists in the AirWave CLI. Successful exploitation of this vulnerability could allow a remote authenticated threat actor to run arbitrary commands as a privileged user on the underlying host. | |||||
CVE-2024-8358 | 1 Visteon | 1 Infotainment | 2024-12-11 | N/A | 6.8 MEDIUM |
Visteon Infotainment UPDATES_ExtractFile Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Visteon Infotainment systems. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPDATES_ExtractFile function. A crafted software update file can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23422. | |||||
CVE-2024-8359 | 1 Visteon | 1 Infotainment | 2024-12-11 | N/A | 6.8 MEDIUM |
Visteon Infotainment REFLASH_DDU_FindFile Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Visteon Infotainment systems. Authentication is not required to exploit this vulnerability. The specific flaw exists within the REFLASH_DDU_FindFile function. A crafted software update file can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23420. | |||||
CVE-2024-12358 | 1 Datax-web Project | 1 Datax-web | 2024-12-10 | 6.5 MEDIUM | 6.3 MEDIUM |
A vulnerability was found in WeiYe-Jing datax-web 2.1.1. It has been classified as critical. This affects an unknown part of the file /api/job/add/. The manipulation of the argument glueSource leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2023-24261 | 1 Gl-inet | 2 Gl-e750, Gl-e750 Firmware | 2024-12-06 | N/A | 7.2 HIGH |
A vulnerability in GL.iNET GL-E750 Mudi before firmware v3.216 allows authenticated attackers to execute arbitrary code via a crafted POST request. | |||||
CVE-2024-52320 | 2024-12-06 | N/A | 9.8 CRITICAL | ||
The affected product is vulnerable to a command injection. An unauthenticated attacker could send commands through a malicious HTTP request which could result in remote code execution. | |||||
CVE-2024-50393 | 2024-12-06 | N/A | N/A | ||
A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later | |||||
CVE-2024-50388 | 2024-12-06 | N/A | N/A | ||
An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute commands. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 25.1.1.673 and later | |||||
CVE-2024-48863 | 2024-12-06 | N/A | N/A | ||
A command injection vulnerability has been reported to affect License Center. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following version: License Center 1.9.43 and later | |||||
CVE-2024-8360 | 1 Visteon | 1 Infotainment | 2024-12-04 | N/A | 6.8 MEDIUM |
Visteon Infotainment REFLASH_DDU_ExtractFile Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Visteon Infotainment systems. Authentication is not required to exploit this vulnerability. The specific flaw exists within the REFLASH_DDU_ExtractFile function. A crafted software update file can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23421. | |||||
CVE-2023-32622 | 1 Wavlink | 2 Wl-wn531ax2, Wl-wn531ax2 Firmware | 2024-12-04 | N/A | 7.2 HIGH |
Improper neutralization of special elements in WL-WN531AX2 firmware versions prior to 2023526 allows an attacker with an administrative privilege to execute OS commands with the root privilege. | |||||
CVE-2024-53940 | 2024-12-03 | N/A | 8.8 HIGH | ||
An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. Certain /cgi-bin/luci/admin endpoints are vulnerable to command injection. Attackers can exploit this by sending crafted payloads through parameters intended for the ping utility, enabling arbitrary command execution with root-level permissions on the device. | |||||
CVE-2024-53939 | 2024-12-03 | N/A | 8.8 HIGH | ||
An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. The /cgi-bin/luci/admin/opsw/Dual_freq_un_apple endpoint is vulnerable to command injection through the 2.4 GHz and 5 GHz name parameters, allowing an attacker to execute arbitrary commands on the device (with root-level permissions) via crafted input. | |||||
CVE-2024-24426 | 2024-12-03 | N/A | 7.5 HIGH | ||
Reachable assertions in the NGAP_FIND_PROTOCOLIE_BY_ID function of OpenAirInterface Magma v1.8.0 and OAI EPC Federation v1.2.0 allow attackers to cause a Denial of Service (DoS) via a crafted NGAP packet. | |||||
CVE-2024-44759 | 2024-12-03 | N/A | 7.5 HIGH | ||
An arbitrary file download vulnerability in the component /Doc/DownloadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to download arbitrary files and access sensitive information via a crafted interface request. | |||||
CVE-2024-53992 | 2024-12-02 | N/A | N/A | ||
unzip-bot is a Telegram bot to extract various types of archives. Users could exploit unsanitized inputs to inject malicious commands that are executed through subprocess.Popen with shell=True. Attackers can exploit this vulnerability using a crafted archive name, password, or video name. This vulnerability is fixed in 7.0.3a. | |||||
CVE-2024-31976 | 2024-11-29 | N/A | 8.0 HIGH | ||
EnGenius EWS356-FIR 1.1.30 and earlier devices allow a remote attacker to execute arbitrary OS commands via the Controller connectivity parameter. |