Total
4663 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-46314 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Remote Command Execution (RCE) vulnerability exists in HNAP1/control/SetNetworkTomographySettings.php of D-Link Router DIR-846 DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin because backticks can be used for command injection when judging whether it is a reasonable domain name. | |||||
| CVE-2021-46007 | 1 Totolink | 2 Ar3100r, Ar3100r Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks. | |||||
| CVE-2021-45987 | 1 Tendacn | 4 G1, G1 Firmware, G3 and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetNetCheckTools. This vulnerability allows attackers to execute arbitrary commands via the hostName parameter. | |||||
| CVE-2021-45986 | 1 Tendacn | 4 G1, G1 Firmware, G3 and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetUSBShareInfo. This vulnerability allows attackers to execute arbitrary commands via the usbOrdinaryUserName parameter. | |||||
| CVE-2021-45979 | 2 Apple, Foxit | 3 Macos, Pdf Editor, Pdf Reader | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote attackers to execute arbitrary code via app.launchURL in the JavaScript API. | |||||
| CVE-2021-45978 | 2 Apple, Foxit | 3 Macos, Pdf Editor, Pdf Reader | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote attackers to execute arbitrary code via xfa.host.gotoURL in the XFA API. | |||||
| CVE-2021-45966 | 1 Pascom | 1 Cloud Phone System | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Pascom Cloud Phone System before 7.20.x. In the management REST API, /services/apply in exd.pl allows remote attackers to execute arbitrary code via shell metacharacters. | |||||
| CVE-2021-45912 | 1 Controlup | 1 Real-time Agent | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| An unauthenticated Named Pipe channel in Controlup Real-Time Agent (cuAgent.exe) before 8.5 potentially allows an attacker to run OS commands via the ProcessActionRequest WCF method. | |||||
| CVE-2021-45845 | 2 Debian, Freecadweb | 2 Debian Linux, Freecad | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| The Path Sanity Check script of FreeCAD 0.19 is vulnerable to OS command injection, allowing an attacker to execute arbitrary commands via a crafted FCStd document. | |||||
| CVE-2021-45844 | 2 Debian, Freecadweb | 2 Debian Linux, Freecad | 2024-11-21 | 7.6 HIGH | 7.8 HIGH |
| Improper sanitization in the invocation of ODA File Converter from FreeCAD 0.19 allows an attacker to inject OS commands via a crafted filename. | |||||
| CVE-2021-45602 | 1 Netgear | 36 D7800, D7800 Firmware, Ex2700 and 33 more | 2024-11-21 | 4.6 MEDIUM | 6.1 MEDIUM |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.66, EX2700 before 1.0.1.68, WN3000RPv2 before 1.0.0.90, WN3000RPv3 before 1.0.2.100, LBR1020 before 2.6.5.20, LBR20 before 2.6.5.32, R6700AX before 1.0.10.110, R7800 before 1.0.2.86, R8900 before 1.0.5.38, R9000 before 1.0.5.38, RAX10 before 1.0.10.110, RAX120v1 before 1.2.3.28, RAX120v2 before 1.2.3.28, RAX70 before 1.0.10.110, RAX78 before 1.0.10.110, XR450 before 2.3.2.130, XR500 before 2.3.2.130, and XR700 before 1.0.1.46. | |||||
| CVE-2021-44981 | 1 Quickbox | 1 Quickbox | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| In QuickBox Pro v2.5.8 and below, the config.php file has a variable which takes a GET parameter value and parses it into a shell_exec(''); function without properly sanitizing any shell arguments, therefore remote code execution is possible. Additionally, as the media server is running as root by default attackers can use the sudo command within this shell_exec(''); function, which allows for privilege escalation by means of RCE. | |||||
| CVE-2021-44827 | 1 Tp-link | 2 Archer C20i, Archer C20i Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| There is remote authenticated OS command injection on TP-Link Archer C20i 0.9.1 3.2 v003a.0 Build 170221 Rel.55462n devices vie the X_TP_ExternalIPv6Address HTTP parameter, allowing a remote attacker to run arbitrary commands on the router with root privileges. | |||||
| CVE-2021-44685 | 1 Git-it Project | 1 Git-it | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Git-it through 4.4.0 allows OS command injection at the Branches Aren't Just For Birds challenge step. During the verification process, it attempts to run the reflog command followed by the current branch name (which is not sanitized for execution). | |||||
| CVE-2021-44684 | 1 Github-todos Project | 1 Github-todos | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| naholyr github-todos 3.1.0 is vulnerable to command injection. The range argument for the _hook subcommand is concatenated without any validation, and is directly used by the exec function. | |||||
| CVE-2021-44453 | 1 Myscada | 1 Mypro | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL |
| mySCADA myPRO: Versions 8.20.0 and prior has a vulnerable debug interface which includes a ping utility, which may allow an attacker to inject arbitrary operating system commands. | |||||
| CVE-2021-44235 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allow an attacker with high privileges and has direct access to SAP System, to inject code when executing with a certain transaction class builder. This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system. | |||||
| CVE-2021-44171 | 1 Fortinet | 1 Fortios | 2024-11-21 | N/A | 9.0 CRITICAL |
| A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiOS version 6.0.0 through 6.0.14, FortiOS version 6.2.0 through 6.2.10, FortiOS version 6.4.0 through 6.4.8, FortiOS version 7.0.0 through 7.0.3 allows attacker to execute privileged commands on a linked FortiSwitch via diagnostic CLI commands. | |||||
| CVE-2021-44080 | 1 Sercomm | 2 H500s, H500s Firmware | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| A Command Injection vulnerability in httpd web server (setup.cgi) in SerComm h500s, FW: lowi-h500s-v3.4.22 allows logged in administrators to arbitrary OS commands as root in the device via the connection_type parameter of the statussupport_diagnostic_tracing.json endpoint. | |||||
| CVE-2021-43984 | 1 Myscada | 1 Mypro | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| mySCADA myPRO: Versions 8.20.0 and prior has a feature where the firmware can be updated, which may allow an attacker to inject arbitrary operating system commands through a specific parameter. | |||||