Total: 4244 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2020-13851 | 1 Pandorafms | 1 Pandora Fms | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | Artica Pandora FMS 7.44 allows remote command execution via the events feature. |
CVE-2020-13802 | 1 Erlang | 1 Rebar3 | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification. |
CVE-2020-13782 | 1 Dlink | 2 Dir-865l, Dir-865l Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | D-Link DIR-865L Ax 1.20B01 Beta devices allow Command Injection. |
CVE-2020-13778 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | rConfig 3.9.4 and earlier allows authenticated code execution (of system commands) by sending a forged GET request to lib/ajaxHandlers/ajaxAddTemplate.php or lib/ajaxHandlers/ajaxEditTemplate.php. |
CVE-2020-13694 | 1 Quickbox | 1 Quickbox | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the mysql -e option. |
CVE-2020-13619 | 1 Locutus | 1 Locutus Php | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution. |
CVE-2020-13448 | 1 Quickbox | 1 Quickbox | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter. |
CVE-2020-13404 | 1 Quadra-informatique | 1 Atos/sips | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | The ATOS/Sips (aka Atos-Magento) community module 3.0.0 to 3.0.5 for Magento allows command injection. |
CVE-2020-13388 | 1 Python | 1 Jw.util | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used. |
CVE-2020-13252 | 1 Centreon | 1 Centreon | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page. |
CVE-2020-13167 | 1 Netsweeper | 1 Netsweeper | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters. |
CVE-2020-13159 | 1 Articatech | 1 Artica Proxy | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Artica Proxy before 4.30.000000 Community Edition allows OS command injection via the Netbios name, Server domain name, dhclient_mac, Hostname, or Alias field. NOTE: this may overlap CVE-2020-10818. |
CVE-2020-13151 | 1 Aerospike | 1 Aerospike Server | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code execution by disabling os.execute() calls, but this is insufficient. Anyone with network access can use a crafted UDF to execute arbitrary OS commands on all nodes of the cluster at the permission level of the user running the Aerospike service. |
CVE-2020-13124 | 1 Sabnzbd | 1 Sabnzbd | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | SABnzbd 2.3.9 and 3.0.0Alpha2 has a command injection vulnerability in the web configuration interface that permits an authenticated user to execute arbitrary Python commands on the underlying operating system. |
CVE-2020-13122 | 1 Noviflow | 1 Noviware | 2024-11-21 | 8.0 HIGH | 8.8 HIGH | The novish command-line interface, included in NoviFlow NoviWare before NW500.2.12 and deployed on NoviSwitch devices, is vulnerable to command injection in the "show status destination ipaddr" command. This could be used by a read-only user (monitoring group) or admin to execute commands on the operating system. |
CVE-2020-12775 | 1 Moica | 1 Hicos | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Hicos citizen certificate client-side component does not filter special characters for command parameters in specific web URLs. An unauthenticated remote attacker can exploit this vulnerability to perform a command injection attack to execute arbitrary system commands, disrupt the system or terminate the service. |
CVE-2020-12774 | 1 Dlink | 2 Dsl-7740c, Dsl-7740c Firmware | 2024-11-21 | 4.6 MEDIUM | 8.2 HIGH | D-Link DSL-7740C does not properly validate user input, which allows an authenticated LAN user to inject arbitrary commands. |
CVE-2020-12620 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 7.2 HIGH | 7.8 HIGH | Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection (shell metacharacters after an IP address). |
CVE-2020-12522 | 1 Wago | 42 750-8101/025-000, 750-8102/025-000, 750-8202/000-012 and 39 more | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL | The reported vulnerability allows an attacker who has network access to the device to execute code with specially crafted packets in WAGO Series PFC 100 (750-81xx/xxx-xxx), Series PFC 200 (750-82xx/xxx-xxx), Series Wago Touch Panel 600 Standard Line (762-4xxx), Series Wago Touch Panel 600 Advanced Line (762-5xxx), Series Wago Touch Panel 600 Marine Line (762-6xxx) with firmware versions <=FW10. |
CVE-2020-12513 | 1 Pepperl-fuchs | 24 Io-link Master 4-eip, Io-link Master 4-eip Firmware, Io-link Master 4-pnio and 21 more | 2024-11-21 | 9.0 HIGH | 7.5 HIGH | Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection. |