Total
4255 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-3727 | 1 Planetargon | 1 Oh My Zsh | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
| # Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function). | |||||
| CVE-2021-3726 | 1 Planetargon | 1 Oh My Zsh | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
| # Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function. | |||||
| CVE-2021-3723 | 1 Ibm | 4 System X3550 M3, System X3550 M3 Firmware, System X3650 M3 and 1 more | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| A command injection vulnerability was reported in the Integrated Management Module (IMM) of legacy IBM System x 3550 M3 and IBM System x 3650 M3 servers that could allow the execution of operating system commands over an authenticated SSH or Telnet session. | |||||
| CVE-2021-3708 | 1 Dlink | 2 Dsl-2750u, Dsl-2750u Firmware | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to OS command injection. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3707, to execute any OS commands on the vulnerable device. | |||||
| CVE-2021-3621 | 2 Fedoraproject, Redhat | 8 Fedora, Sssd, Enterprise Linux and 5 more | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
| A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | |||||
| CVE-2021-3584 | 2 Redhat, Theforeman | 2 Satellite, Foreman | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| A server side remote code execution vulnerability was found in Foreman project. A authenticated attacker could use Sendmail configuration options to overwrite the defaults and perform command injection. The highest threat from this vulnerability is to confidentiality, integrity and availability of system. Fixed releases are 2.4.1, 2.5.1, 3.0.0. | |||||
| CVE-2021-3515 | 1 2ndquadrant | 1 Pglogical | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| A shell injection flaw was found in pglogical in versions before 2.3.4 and before 3.6.26. An attacker with CREATEDB privileges on a PostgreSQL server can craft a database name that allows execution of shell commands as the postgresql user when calling pglogical.create_subscription(). | |||||
| CVE-2021-3459 | 1 Motorola | 2 Mm1000, Mm1000 Firmware | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
| A privilege escalation vulnerability was reported in the MM1000 device configuration web server, which could allow privileged shell access and/or arbitrary privileged commands to be executed on the adapter. | |||||
| CVE-2021-3342 | 1 Eprints | 1 Eprints | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted LaTeX input to a cgi/latex2png?latex= URI. | |||||
| CVE-2021-3317 | 1 Klogserver | 1 Klog Server | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter. | |||||
| CVE-2021-3291 | 1 Zen-cart | 1 Zen Cart | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command. | |||||
| CVE-2021-3198 | 1 Ivanti | 1 Mobileiron | 2024-11-21 | 9.0 HIGH | 6.5 MEDIUM |
| By abusing the 'install rpm url' command, an attacker can escape the restricted clish shell on affected versions of Ivanti MobileIron Core. This issue was fixed in version 11.1.0.0. | |||||
| CVE-2021-3190 | 1 Async-git Project | 1 Async-git | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag. | |||||
| CVE-2021-3149 | 1 Netshieldcorp | 2 Nano 25, Nano 25 Firmware | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| On Netshield NANO 25 10.2.18 devices, /usr/local/webmin/System/manual_ping.cgi allows OS command injection (after authentication by the attacker) because the system C library function is used unsafely. | |||||
| CVE-2021-3122 | 1 Ncr | 1 Command Center Agent | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration." | |||||
| CVE-2021-3061 | 1 Paloaltonetworks | 2 Pan-os, Prisma Access | 2024-11-21 | 9.0 HIGH | 6.4 MEDIUM |
| An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 firewalls are impacted by this issue. | |||||
| CVE-2021-3060 | 1 Paloaltonetworks | 2 Pan-os, Prisma Access | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue. | |||||
| CVE-2021-3059 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 7.6 HIGH | 8.1 HIGH |
| An OS command injection vulnerability in the Palo Alto Networks PAN-OS management interface exists when performing dynamic updates. This vulnerability enables a man-in-the-middle attacker to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers that have Prisma Access 2.1 Preferred or Prisma Access 2.1 Innovation firewalls are impacted by this issue. | |||||
| CVE-2021-3058 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator with permissions to use XML API the ability to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. This issue does not impact Prisma Access firewalls. | |||||
| CVE-2021-3050 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| An OS command injection vulnerability in the Palo Alto Networks PAN-OS web interface enables an authenticated administrator to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 9.0 version 9.0.10 through PAN-OS 9.0.14; PAN-OS 9.1 version 9.1.4 through PAN-OS 9.1.10; PAN-OS 10.0 version 10.0.7 and earlier PAN-OS 10.0 versions; PAN-OS 10.1 version 10.1.0 through PAN-OS 10.1.1. Prisma Access firewalls and firewalls running PAN-OS 8.1 versions are not impacted by this issue. | |||||