Total
4257 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-30078 | 1 Netgear | 4 R6200, R6200 Firmware, R6300 and 1 more | 2024-11-21 | N/A | 8.8 HIGH |
| NETGEAR R6200_V2 firmware versions through R6200v2-V1.0.3.12_10.1.11 and R6300_V2 firmware versions through R6300v2-V1.0.4.52_10.0.93 allow remote authenticated attackers to execute arbitrary command via shell metacharacters in the ipv6_fix.cgi ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, or ipv6_lan_length parameters. | |||||
| CVE-2022-30023 | 1 Tenda | 2 Hg9, Hg9 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. | |||||
| CVE-2022-2550 | 1 Hestiacp | 1 Control Panel | 2024-11-21 | N/A | 8.8 HIGH |
| OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5. | |||||
| CVE-2022-2487 | 1 Wavlink | 4 Wl-wn535k2, Wl-wn535k2 Firmware, Wl-wn535k3 and 1 more | 2024-11-21 | N/A | 8.0 HIGH |
| A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and classified as critical. This vulnerability affects unknown code of the file /cgi-bin/nightled.cgi. The manipulation of the argument start_hour leads to os command injection. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-2486 | 1 Wavlink | 4 Wl-wn535k2, Wl-wn535k2 Firmware, Wl-wn535k3 and 1 more | 2024-11-21 | N/A | 8.0 HIGH |
| A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2022-2253 | 1 Webhmi | 2 Webhmi, Webhmi Firmware | 2024-11-21 | 9.0 HIGH | 9.1 CRITICAL |
| A user with administrative privileges in Distributed Data Systems WebHMI 4.1.1.7662 may send OS commands to execute on the host server. | |||||
| CVE-2022-2234 | 1 Myscada | 1 Mypro | 2024-11-21 | N/A | 9.9 CRITICAL |
| An authenticated mySCADA myPRO 8.26.0 user may be able to modify parameters to run commands directly in the operating system. | |||||
| CVE-2022-2185 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 7.5 HIGH | 9.9 CRITICAL |
| A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution. | |||||
| CVE-2022-2024 | 1 Gogs | 1 Gogs | 2024-11-21 | N/A | 9.8 CRITICAL |
| OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11. | |||||
| CVE-2022-29937 | 1 Usu | 1 Oracle Optimization | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| USU Oracle Optimization before 5.17.5 allows authenticated DataCollection users to achieve agent root access because some common OS commands are blocked but (for example) an OS command for base64 decoding is not blocked. NOTE: this is not an Oracle Corporation product. | |||||
| CVE-2022-29843 | 1 Westerndigital | 16 My Cloud Dl2100, My Cloud Dl2100 Firmware, My Cloud Dl4100 and 13 more | 2024-11-21 | N/A | 6.2 MEDIUM |
| A command injection vulnerability in the DDNS service configuration of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to execute code in the context of the root user. | |||||
| CVE-2022-29841 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2024-11-21 | N/A | 8.0 HIGH |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. This command could be triggered by an attacker remotely to cause code execution and gain a reverse shell in Western Digital My Cloud OS 5 devices.This issue affects My Cloud OS 5: before 5.26.119. | |||||
| CVE-2022-29592 | 1 Tenda | 2 Tx9 Pro, Tx9 Pro Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Tenda TX9 Pro 22.03.02.10 devices allow OS command injection via set_route (called by doSystemCmd_route). | |||||
| CVE-2022-29539 | 1 Resi | 1 Gemini-net | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| resi-calltrace in RESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., concatenate `&|;\r\ commands) and inject arbitrary system commands with the privileges of the application user. | |||||
| CVE-2022-29520 | 1 Goabode | 2 Iota All-in-one Security Kit, Iota All-in-one Security Kit Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| An OS command injection vulnerability exists in the console_main_loop :sys functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z. A specially-crafted XCMD can lead to arbitrary command execution. An attacker can send an XML payload to trigger this vulnerability. | |||||
| CVE-2022-29516 | 1 Fujitsu | 92 Ipcom Ex2 Dc 3200, Ipcom Ex2 Dc 3200 Firmware, Ipcom Ex2 Dc 3500 and 89 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The web console of FUJITSU Network IPCOM series (IPCOM EX2 IN(3200, 3500), IPCOM EX2 LB(1100, 3200, 3500), IPCOM EX2 SC(1100, 3200, 3500), IPCOM EX2 NW(1100, 3200, 3500), IPCOM EX2 DC, IPCOM EX2 DC, IPCOM EX IN(2300, 2500, 2700), IPCOM EX LB(1100, 1300, 2300, 2500, 2700), IPCOM EX SC(1100, 1300, 2300, 2500, 2700), and IPCOM EX NW(1100, 1300, 2300, 2500, 2700)) allows a remote attacker to execute an arbitrary OS command via unspecified vectors. | |||||
| CVE-2022-29472 | 1 Goabode | 2 Iota All-in-one Security Kit, Iota All-in-one Security Kit Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| An OS command injection vulnerability exists in the web interface util_set_serial_mac functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2022-29337 | 1 Cdatatec | 2 Fd702xw-x-r430, Fd702xw-x-r430 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| C-DATA FD702XW-X-R430 v2.1.13_X001 was discovered to contain a command injection vulnerability via the va_cmd parameter in formlanipv6. This vulnerability allows attackers to execute arbitrary commands via a crafted HTTP request. | |||||
| CVE-2022-29256 | 1 Sharp Project | 1 Sharp | 2024-11-21 | 4.6 MEDIUM | 6.5 MEDIUM |
| sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5. | |||||
| CVE-2022-29080 | 1 Npm-dependency-versions Project | 1 Npm-dependency-versions | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The npm-dependency-versions package through 0.3.0 for Node.js allows command injection if an attacker is able to call dependencyVersions with a JSON object in which pkgs is a key, and there are shell metacharacters in a value. | |||||