Total
5081 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-28614 | 1 Freewillsolutions | 1 Smart Trade | 2024-11-21 | 9.8 Critical |
| Freewill iFIS (aka SMART Trade) 20.01.01.04 allows OS Command Injection via shell metacharacters to a report page. | ||||
| CVE-2023-28000 | 1 Fortinet | 1 Fortiadc | 2024-11-21 | 6.3 Medium |
| An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC CLI 7.1.0, 7.0.0 through 7.0.3, 6.2.0 through 6.2.4, 6.1 all versions, 6.0 all versions may allow a local and authenticated attacker to execute unauthorized commands via specifically crafted arguments in diagnose system df CLI command. | ||||
| CVE-2023-27999 | 1 Fortinet | 1 Fortiadc | 2024-11-21 | 7.6 High |
| An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC 7.2.0, 7.1.0 through 7.1.1 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands. | ||||
| CVE-2023-27380 | 1 Peplink | 2 Surf Soho, Surf Soho Firmware | 2024-11-21 | 7.2 High |
| An OS command injection vulnerability exists in the admin.cgi USSD_send functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | ||||
| CVE-2023-27198 | 1 Paxtechnology | 2 Pax A930, Pax A930 Firmware | 2024-11-21 | 6.8 Medium |
| PAX A930 device with PayDroid_7.1.1_Virgo_V04.5.02_20220722 can allow the execution of arbitrary commands by using the exec service and including a specific word in the command to be executed. The attacker must have physical USB access to the device in order to exploit this vulnerability. | ||||
| CVE-2023-26317 | 1 Mi | 1 Xiaomi Router Firmware | 2024-11-21 | 7 High |
| Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing. | ||||
| CVE-2023-26210 | 1 Fortinet | 2 Fortiadc, Fortiadc Manager | 2024-11-21 | 7.8 High |
| Multiple improper neutralization of special elements used in an os command ('OS Command Injection') vulnerabilties [CWE-78] in Fortinet FortiADCManager version 7.1.0 and before 7.0.0, FortiADC version 7.2.0 and before 7.1.2 allows a local authenticated attacker to execute arbitrary shell code as `root` user via crafted CLI requests. | ||||
| CVE-2023-26156 | 1 Chromedriver Project | 1 Chromedriver | 2024-11-21 | 5.6 Medium |
| Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system. **Note:** An attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver. | ||||
| CVE-2023-26155 | 1 Nrhirani | 1 Node-qpdf | 2024-11-21 | 7.3 High |
| All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path. | ||||
| CVE-2023-26153 | 1 Geokit | 1 Geokit-rails | 2024-11-21 | 8.3 High |
| Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie. This issue can be exploited remotely via a malicious cookie value. **Note:** An attacker can use this vulnerability to execute commands on the host system. | ||||
| CVE-2023-26145 | 1 Derrickgilland | 1 Pydash | 2024-11-21 | 7.4 High |
| This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects. **Note:** The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied: 1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible) 2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method) The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function. | ||||
| CVE-2023-25395 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2024-11-21 | 9.8 Critical |
| TOTOlink A7100RU V7.4cu.2313_B20191024 router was discovered to contain a command injection vulnerability via the ou parameter at /setting/delStaticDhcpRules. | ||||
| CVE-2023-24595 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-11-21 | 7.2 High |
| An OS command injection vulnerability exists in the ys_thirdparty system_user_script functionality of Milesight UR32L v32.3.0.5. A specially crafted series of network requests can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
| CVE-2023-24229 | 1 Draytek | 2 Vigor2960, Vigor2960 Firmware | 2024-11-21 | 7.8 High |
| DrayTek Vigor2960 v1.5.1.4 allows an authenticated attacker with network access to the web management interface to inject operating system commands via the mainfunction.cgi 'parameter' parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2023-24046 | 1 Connectize | 2 Ac21000 G6, Ac21000 G6 Firmware | 2024-11-21 | 6.8 Medium |
| An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to run arbitrary commands via use of a crafted string in the ping utility. | ||||
| CVE-2023-23779 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 6.6 Medium |
| Multiple improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in FortiWeb version 7.0.1 and below, 6.4 all versions, version 6.3.19 and below may allow an authenticated attacker to execute unauthorized code or commands via crafted parameters of HTTP requests. | ||||
| CVE-2023-23777 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 7.2 High |
| An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb version 7.0.1 and below, 6.4 all versions, version 6.3.18 and below may allow a privileged attacker to execute arbitrary bash commands via crafted cli backup parameters. | ||||
| CVE-2023-23550 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-11-21 | 7.2 High |
| An OS command injection vulnerability exists in the ys_thirdparty user_delete functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
| CVE-2023-23373 | 1 Qnap | 1 Qusbcam2 | 2024-11-21 | 8.8 High |
| An OS command injection vulnerability has been reported to affect QUSBCam2. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following version: QUSBCam2 2.0.3 ( 2023/06/15 ) and later | ||||
| CVE-2023-23362 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2024-11-21 | 8.8 High |
| An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability allows remote authenticated users to execute commands via susceptible QNAP devices. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later | ||||