Total
5654 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-37066 | 1 Wyze | 2 Cam V4, Cam V4 Firmware | 2024-11-21 | 6.8 Medium |
| A command injection vulnerability exists in Wyze V4 Pro firmware versions before 4.50.4.9222, which allows attackers to execute arbitrary commands over Bluetooth as root during the camera setup process. | ||||
| CVE-2024-36475 | 1 Centurysys | 35 Futurenet Nxr-1200, Futurenet Nxr-1200 Firmware, Futurenet Nxr-120\/c and 32 more | 2024-11-21 | 7.2 High |
| FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. contain an active debug code vulnerability. If a user who knows how to use the debug function logs in to the product, the debug function may be used and an arbitrary OS command may be executed. | ||||
| CVE-2024-36394 | 1 Sysaid | 1 Sysaid | 2024-11-21 | 9.1 Critical |
| SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | ||||
| CVE-2024-31977 | 1 Adtran | 3 834-5, 834-5 Firmware, Sdg Smartos | 2024-11-21 | 8 High |
| Adtran 834-5 11.1.0.101-202106231430, and fixed as of SmartOS Version 12.6.3.1, devices allow OS Command Injection via shell metacharacters to the Ping or Traceroute utility. | ||||
| CVE-2024-30368 | 1 A10networks | 2 Advanced Core Operating System, Thunder Adc | 2024-11-21 | 8.8 High |
| A10 Thunder ADC CsrRequestView Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of A10 Thunder ADC. Authentication is required to exploit this vulnerability. The specific flaw exists within the CsrRequestView class. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of a10user. Was ZDI-CAN-22517. | ||||
| CVE-2024-2854 | 1 Tenda | 2 Ac18, Ac18 Firmware | 2024-11-21 | 6.3 Medium |
| A vulnerability classified as critical has been found in Tenda AC18 15.03.05.05. Affected is the function formSetSambaConf of the file /goform/setsambacfg. The manipulation of the argument usbName leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257778 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-2853 | 1 Tenda | 2 Ac10u, Ac10u Firmware | 2024-11-21 | 6.3 Medium |
| A vulnerability was found in Tenda AC10U 15.03.06.48/15.03.06.49. It has been rated as critical. This issue affects the function formSetSambaConf of the file /goform/setsambacfg. The manipulation of the argument usbName leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-2851 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2024-11-21 | 6.3 Medium |
| A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi. It has been classified as critical. This affects the function formSetSambaConf of the file /goform/setsambacfg. The manipulation of the argument usbName leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257775. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-2812 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2024-11-21 | 6.3 Medium |
| A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi. It has been classified as critical. This affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257667. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-2359 | 1 Lollms | 1 Lollms Web Ui | 2024-11-21 | 9.8 Critical |
| A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the `/execute_code` endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the `/update_setting` endpoint, which lacks proper access control, to modify the `host` configuration at runtime. By changing the `host` setting to an attacker-controlled value, the restriction on the `/execute_code` endpoint can be bypassed, leading to remote code execution. This vulnerability is due to improper neutralization of special elements used in an OS command (`Improper Neutralization of Special Elements used in an OS Command`). | ||||
| CVE-2024-24623 | 1 Softaculous | 1 Webuzo | 2024-11-21 | 8.8 High |
| Softaculous Webuzo contains a command injection vulnerability in the FTP management functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system. | ||||
| CVE-2024-24622 | 1 Softaculous | 1 Webuzo | 2024-11-21 | 8.8 High |
| Softaculous Webuzo contains a command injection in the password reset functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system. | ||||
| CVE-2024-24328 | 1 Totolink | 2 A3300r, A3300r Firmware | 2024-11-21 | 9.8 Critical |
| TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setMacFilterRules function. | ||||
| CVE-2024-24326 | 1 Totolink | 2 A3300r, A3300r Firmware | 2024-11-21 | 9.8 Critical |
| TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the arpEnable parameter in the setStaticDhcpRules function. | ||||
| CVE-2024-23812 | 1 Siemens | 1 Sinec Nms | 2024-11-21 | 8 High |
| A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application incorrectly neutralizes special elements when creating a report which could lead to command injection. | ||||
| CVE-2024-23058 | 1 Totolink | 2 A3300r, A3300r Firmware | 2024-11-21 | 9.8 Critical |
| TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the pass parameter in the setTr069Cfg function. | ||||
| CVE-2024-23057 | 1 Totolink | 2 A3300r, A3300r Firmware | 2024-11-21 | 9.8 Critical |
| TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the tz parameter in the setNtpCfg function. | ||||
| CVE-2024-22445 | 1 Dell | 1 Powerprotect Data Manager | 2024-11-21 | 7.2 High |
| Dell PowerProtect Data Manager, version 19.15 and prior versions, contain an OS command injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. | ||||
| CVE-2024-22222 | 1 Dell | 1 Unity Operating Environment | 2024-11-21 | 7.8 High |
| Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability within its svc_udoctor utility. An authenticated malicious user with local access could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. | ||||
| CVE-2024-20277 | 1 Cisco | 1 Thousandeyes Enterprise Agent | 2024-11-21 | 6.8 Medium |
| A vulnerability in the web-based management interface of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied input for the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP packet to the affected device. A successful exploit could allow the attacker to execute arbitrary commands and elevate privileges to root. | ||||