Total
3237 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-26319 | 2 Mi, Xiaomi | 3 Xiaomi Router Ax3200, Xiaomi Router Ax3200 Firmware, Xiaomi Router | 2024-11-21 | 6.7 Medium |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection. | ||||
| CVE-2023-26317 | 1 Mi | 1 Xiaomi Router Firmware | 2024-11-21 | 7 High |
| Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing. | ||||
| CVE-2023-26310 | 1 Oppo | 2 Coloros, Find X3 | 2024-11-21 | 7.4 High |
| There is a command injection problem in the old version of the mobile phone backup app. | ||||
| CVE-2023-26155 | 1 Nrhirani | 1 Node-qpdf | 2024-11-21 | 7.3 High |
| All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path. | ||||
| CVE-2023-26145 | 1 Derrickgilland | 1 Pydash | 2024-11-21 | 7.4 High |
| This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects. **Note:** The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied: 1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible) 2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method) The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function. | ||||
| CVE-2023-25649 | 1 Zte | 2 Mf286r, Mf286r Firmware | 2024-11-21 | 6.8 Medium |
| There is a command injection vulnerability in a mobile internet product of ZTE. Due to insufficient validation of SET_DEVICE_LED interface parameter, an authenticated attacker could use the vulnerability to execute arbitrary commands. | ||||
| CVE-2023-25643 | 1 Zte | 4 Mc801a, Mc801a1, Mc801a1 Firmware and 1 more | 2024-11-21 | 8.4 High |
| There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands. | ||||
| CVE-2023-24229 | 1 Draytek | 2 Vigor2960, Vigor2960 Firmware | 2024-11-21 | 7.8 High |
| DrayTek Vigor2960 v1.5.1.4 allows an authenticated attacker with network access to the web management interface to inject operating system commands via the mainfunction.cgi 'parameter' parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2023-24135 | 1 Jensenofscandinavia | 2 Eagle 1200ac, Eagle 1200ac Firmware | 2024-11-21 | 7.8 High |
| Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a command injection vulnerability in the function formWriteFacMac. This vulnerability allows attackers to execute arbitrary commands via manipulation of the mac parameter. | ||||
| CVE-2023-24046 | 1 Connectize | 2 Ac21000 G6, Ac21000 G6 Firmware | 2024-11-21 | 8.8 High |
| An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to run arbitrary commands via use of a crafted string in the ping utility. | ||||
| CVE-2023-23564 | 1 Geomatika | 1 Isigeo Web | 2024-11-21 | 8.8 High |
| An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to execute commands. | ||||
| CVE-2023-23550 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-11-21 | 7.2 High |
| An OS command injection vulnerability exists in the ys_thirdparty user_delete functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
| CVE-2023-22816 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2024-11-21 | 6 Medium |
| A post-authentication remote command injection vulnerability in a CGI file in Western Digital My Cloud OS 5 devices that could allow an attacker to build files with redirects and execute larger payloads. This issue affects My Cloud OS 5 devices: before 5.26.300. | ||||
| CVE-2023-22815 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2024-11-21 | 6.2 Medium |
| Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high. This issue affects My Cloud OS 5 devices: before 5.26.300. | ||||
| CVE-2023-22659 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-11-21 | 7.2 High |
| An os command injection vulnerability exists in the libzebra.so change_hostname functionality of Milesight UR32L v32.3.0.5. A specially-crafted network packets can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
| CVE-2023-22371 | 1 Milesight | 1 Milesightvpn | 2024-11-21 | 8.1 High |
| An os command injection vulnerability exists in the liburvpn.so create_private_key functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to command execution. An attacker can send a malicious packet to trigger this vulnerability. | ||||
| CVE-2023-22306 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-11-21 | 7.2 High |
| An OS command injection vulnerability exists in the libzebra.so bridge_group functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
| CVE-2023-20237 | 1 Cisco | 4 Intersight Assist, Intersight Connected Virtual Appliance, Intersight Private Virtual Appliance and 1 more | 2024-11-21 | 4.3 Medium |
| A vulnerability in Cisco Intersight Virtual Appliance could allow an unauthenticated, adjacent attacker to access internal HTTP services that are otherwise inaccessible. This vulnerability is due to insufficient restrictions on internally accessible http proxies. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker access to internal subnets beyond the sphere of their intended access level. | ||||
| CVE-2023-20153 | 1 Cisco | 1 Identity Services Engine | 2024-11-21 | 6 Medium |
| Multiple vulnerabilities in specific Cisco Identity Services Engine (ISE) CLI commands could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit these vulnerabilities, an attacker must have valid Administrator privileges on the affected device. These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root. | ||||
| CVE-2023-20152 | 1 Cisco | 1 Identity Services Engine | 2024-11-21 | 6 Medium |
| Multiple vulnerabilities in specific Cisco Identity Services Engine (ISE) CLI commands could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit these vulnerabilities, an attacker must have valid Administrator privileges on the affected device. These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root. | ||||