Total
4477 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5585 | 2 Fedoraproject, Php | 2 Fedora, Php | 2024-11-21 | N/A | 7.7 HIGH |
| In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, the fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. | |||||
| CVE-2024-5421 | 2024-11-21 | N/A | N/A | ||
| Missing input validation and OS command integration of the input in the utnserver Pro, utnserver ProMAX, INU-100 web-interface allows authenticated command injection.This issue affects utnserver Pro, utnserver ProMAX, INU-100 version 20.1.22 and below. | |||||
| CVE-2024-5403 | 2024-11-21 | N/A | 7.2 HIGH | ||
| ASKEY 5G NR Small Cell fails to properly filter user input for certain functionality, allowing remote attackers with administrator privilege to execute arbitrary system commands on the remote server. | |||||
| CVE-2024-5400 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Openfind Mail2000 does not properly filter parameters of specific CGI. Remote attackers with regular privileges can exploit this vulnerability to execute arbitrary system commands on the remote server. | |||||
| CVE-2024-5399 | 2024-11-21 | N/A | 7.2 HIGH | ||
| Openfind Mail2000 does not properly filter parameters of specific API. Remote attackers with administrative privileges can exploit this vulnerability to execute arbitrary system commands on the remote server. | |||||
| CVE-2024-5241 | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM | ||
| A vulnerability was found in Huashi Private Cloud CDN Live Streaming Acceleration Server up to 20240520. It has been classified as critical. Affected is an unknown function of the file /manager/ipconfig_new.php. The manipulation of the argument dev leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-265992. | |||||
| CVE-2024-4884 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The Apm.UI.Areas.APM.Controllers.CommunityController allows execution of commands with iisapppool\nmconsole privileges. | |||||
| CVE-2024-4883 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe. | |||||
| CVE-2024-4748 | 1 J11g | 1 Cruddiy | 2024-11-21 | N/A | 8.8 HIGH |
| The CRUDDIY project is vulnerable to shell command injection via sending a crafted POST request to the application server. The exploitation risk is limited since CRUDDIY is meant to be launched locally. Nevertheless, a user with the project running on their computer might visit a website which would send such a malicious request to the locally launched server. | |||||
| CVE-2024-4696 | 2024-11-21 | N/A | 7.5 HIGH | ||
| A privilege escalation vulnerability was reported in Lenovo Service Bridge prior to version 5.0.2.17 that could allow operating system commands to be executed if a specially crafted link is visited. | |||||
| CVE-2024-4582 | 2024-11-21 | 7.5 HIGH | 7.3 HIGH | ||
| A vulnerability classified as critical has been found in Faraday GM8181 and GM828x up to 20240429. Affected is an unknown function of the component NTP Service. The manipulation of the argument ntp_srv leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-263304. | |||||
| CVE-2024-4301 | 2024-11-21 | N/A | 8.8 HIGH | ||
| N-Reporter and N-Cloud, products of the N-Partner, have an OS Command Injection vulnerability. Remote attackers with normal user privilege can execute arbitrary system commands by manipulating user inputs on a specific page. | |||||
| CVE-2024-4299 | 2024-11-21 | N/A | 7.2 HIGH | ||
| The system configuration interface of HGiga iSherlock (including MailSherlock, SpamSherock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability for Command Injection attacks, enabling execution of arbitrary system commands. | |||||
| CVE-2024-4298 | 2024-11-21 | N/A | 7.2 HIGH | ||
| The email search interface of HGiga iSherlock (including MailSherlock, SpamSherock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability for Command Injection attacks, enabling execution of arbitrary system commands. | |||||
| CVE-2024-42029 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
| xdg-desktop-portal-hyprland (aka an XDG Desktop Portal backend for Hyprland) before 1.3.3 allows OS command execution, e.g., because single quotes are not used when sending a list of app IDs and titles via the environment. | |||||
| CVE-2024-41992 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Wi-Fi Alliance wfa_dut (in Wi-Fi Test Suite) through 9.0.0 allows OS command injection via 802.11x frames because the system() library function is used. For example, on Arcadyan FMIMG51AX000J devices, this leads to wfaTGSendPing remote code execution as root via traffic to TCP port 8000 or 8080 on a LAN interface. On other devices, this may be exploitable over a WAN interface. | |||||
| CVE-2024-41815 | 1 Starship | 1 Starship | 2024-11-21 | N/A | 7.4 HIGH |
| Starship is a cross-shell prompt. Starting in version 1.0.0 and prior to version 1.20.0, undocumented and unpredictable shell expansion and/or quoting rules make it easily to accidentally cause shell injection when using custom commands with starship in bash. This issue only affects users with custom commands, so the scope is limited, and without knowledge of others' commands, it could be hard to successfully target someone. Version 1.20.0 fixes the vulnerability. | |||||
| CVE-2024-41473 | 1 Tendacn | 2 Fh1201, Fh1201 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the mac parameter at ip/goform/WriteFacMac | |||||
| CVE-2024-41468 | 1 Tendacn | 2 Fh1201, Fh1201 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the cmdinput parameter at /goform/exeCommand | |||||
| CVE-2024-41136 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | N/A | 6.8 MEDIUM |
| An authenticated command injection vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN gateways Command Line Interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user on the underlying operating system. | |||||