Vulnerabilities (CVE)

Filtered by CWE-78
Total 4344 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3
CVE-2023-31037 | Vendors (1): Nvidia | Products (4): Bluefield 2 Ga, Bluefield 2 Lts, Bluefield 3 Ga and 1 more | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 7.2 HIGH
NVIDIA Bluefield 2 and Bluefield 3 DPU BMC contains a vulnerability in ipmitool, where a root user may cause code injection by a network call. A successful exploit of this vulnerability may lead to code execution on the OS.
CVE-2023-30854 | Vendors (1): Wwbn | Products (1): Avideo | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 8.8 HIGH
AVideo is an open source video platform. Prior to version 12.4, an OS Command Injection vulnerability in an authenticated endpoint `/plugin/CloneSite/cloneClient.json.php` allows attackers to achieve Remote Code Execution. This issue is fixed in version 12.4.
CVE-2023-30806 | Vendors (1): Sangfor | Products (1): Next-gen Application Firewall | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an operating system command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /cgi-bin/login.cgi endpoint. This is due to mishandling of shell meta-characters in the PHPSESSID cookie.
CVE-2023-30805 | Vendors (1): Sangfor | Products (1): Next-gen Application Firewall | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an operating system command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /LogInOut.php endpoint. This is due to mishandling of shell meta-characters in the "un" parameter.
CVE-2023-30628 | Vendors (1): Kiwitcms | Products (1): Kiwi Tcms | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 8.8 HIGH
Kiwi TCMS is an open source test management system. In kiwitcms/Kiwi v12.2 and prior and kiwitcms/enterprise v12.2 and prior, the `changelog.yml` workflow is vulnerable to command injection attacks because of using an untrusted `github.head_ref` field. The `github.head_ref` value is an attacker-controlled value. Assigning the value to `zzz";echo${IFS}"hello";#` can lead to command injection. Since the permission is not restricted, the attacker has write access to the repository. Commit 834c86dfd1b2492ccad7ebbfd6304bfec895fed2 of the kiwitcms/Kiwi repository and commit e39f7e156fdaf6fec09a15ea6f4e8fec8cdbf751 of the kiwitcms/enterprise repository contain a fix for this issue.
CVE-2023-30621 | Vendors (1): Gipsy Project | Products (1): Gipsy | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
Gipsy is a multi-purpose discord bot which aims to be as modular and user-friendly as possible. In versions prior to 1.3 users can run commands on the host machine with sudoer permission. The `!ping` command when provided with an IP or hostname used to run a bash `ping <IP>` without verification that the IP or hostname was legitimate. This command was executed with root permissions and may lead to arbitrary command injection on the host server. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-30261 | Vendors (1): Openwb | Products (1): Openwb | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
Command Injection vulnerability in OpenWB 1.6 and 1.7 allows remote attackers to run arbitrary commands via crafted GET request.
CVE-2023-2625 | Vendors (1): Abb | Products (2): Txpert Hub Coretec 4, Txpert Hub Coretec 4 Firmware | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 9.0 CRITICAL
A vulnerability exists that can be exploited by an authenticated client that is connected to the same network segment as the CoreTec 4, with any level of access from VIEWER to ADMIN. To exploit the vulnerability, the attacker can inject shell commands through a particular field of the web user interface that will be executed by the system.
CVE-2023-2564 | Vendors (1): Scanservjs Project | Products (1): Scanservjs | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 10.0 CRITICAL
OS Command Injection in GitHub repository sbs20/scanservjs prior to v2.27.0.
CVE-2023-2522 | Vendors (1): Feiyuxing | Products (2): Vec40g, Vec40g Firmware | Updated: 2024-11-21 | CVSS v2: 5.8 MEDIUM | CVSS v3: 4.7 MEDIUM
A vulnerability was found in Chengdu VEC40G 3.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /send_order.cgi?parameter=access_detect of the component Network Detection. The manipulation of the argument COUNT with the input 3 | netstat -an leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228013 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-2479 | Vendors (1): Appium | Products (1): Appium-desktop | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4.
CVE-2023-2131 | Vendors (1): Inea | Products (2): Me Rtu, Me Rtu Firmware | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 10.0 CRITICAL
Versions of INEA ME RTU firmware prior to 3.36 are vulnerable to OS command injection, which could allow an attacker to remotely execute arbitrary code.
CVE-2023-2091 | Vendors (1): Kylinos | Products (1): Youker-assistant | Updated: 2024-11-21 | CVSS v2: 6.8 MEDIUM | CVSS v3: 7.8 HIGH
A vulnerability classified as critical was found in KylinSoft youker-assistant on KylinOS. Affected by this vulnerability is the function adjust_cpufreq_scaling_governer. The manipulation leads to os command injection. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.4.13 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-226099.
CVE-2023-29412 | Vendors (2): Microsoft, Schneider-electric | Products (7): Windows 10, Windows 11, Windows Server 2016 and 4 more | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when manipulating internal methods through Java RMI interface.
CVE-2023-29048 | Vendors (1): Open-xchange | Products (1): Ox App Suite | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 8.8 HIGH
A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands on a system level. No publicly available exploits are known.
CVE-2023-28983 | Vendors (1): Juniper | Products (1): Junos Os Evolved | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 8.8 HIGH
An OS Command Injection vulnerability in gRPC Network Operations Interface (gNOI) server module of Juniper Networks Junos OS Evolved allows an authenticated, low privileged, network based attacker to inject shell commands and execute code. This issue affects Juniper Networks Junos OS Evolved 21.4 version 21.4R1-EVO and later versions prior to 22.1R1-EVO.
CVE-2023-28805 | Vendors (1): Zscaler | Products (1): Client Connector | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 6.7 MEDIUM
An Improper Input Validation vulnerability in Zscaler Client Connector on Linux allows Privilege Escalation. This issue affects Client Connector: before 1.4.0.105.
CVE-2023-28767 | Vendors (1): Zyxel | Products (44): Usg 20w-vpn, Usg 20w-vpn Firmware, Usg 2200-vpn and 41 more | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 8.8 HIGH
The configuration parser fails to sanitize user-controlled input in the Zyxel ATP series firmware versions 5.10 through 5.36, USG FLEX series firmware versions 5.00 through 5.36, USG FLEX 50(W) series firmware versions 5.10 through 5.36, USG20(W)-VPN series firmware versions 5.10 through 5.36, and VPN series firmware versions 5.00 through 5.36. An unauthenticated, LAN-based attacker could leverage the vulnerability to inject some operating system (OS) commands into the device configuration data on an affected device when the cloud management mode is enabled.
CVE-2023-28742 | Vendors (1): F5 | Products (1): Big-ip Domain Name System | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 7.2 HIGH
When DNS is provisioned, an authenticated remote command execution vulnerability exists in DNS iQuery mesh. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2023-28704 | Vendors (1): Furbo | Products (2): Dog Camera, Dog Camera Firmware | Updated: 2024-11-21 | CVSS v2: N/A | CVSS v3: 8.8 HIGH
Furbo dog camera has insufficient filtering for a special parameter of the device log management function. An unauthenticated remote attacker in the Bluetooth network with normal user privileges can exploit this vulnerability to perform a command injection attack to execute arbitrary system commands or disrupt service.