Vulnerabilities (CVE)

Filtered by CWE-78
Total 4341 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-15103 2 Heketi Project, Redhat 2 Heketi, Enterprise Linux 2025-04-20 9.0 HIGH 8.8 HIGH
A security-check flaw was found in the way the Heketi 5 server API handled user requests. An authenticated Heketi user could send specially crafted requests to the Heketi server, resulting in remote command execution as the user running Heketi server and possibly privilege escalation.
CVE-2017-12636 1 Apache 1 Couchdb 2025-04-20 9.0 HIGH 7.2 HIGH
CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.
CVE-2015-3431 1 Pydio 1 Pydio 2025-04-20 10.0 HIGH 9.8 CRITICAL
Pydio (formerly AjaXplorer) before 6.0.7 allows remote attackers to execute arbitrary commands via unspecified vectors, aka "Pydio OS Command Injection Vulnerabilities."
CVE-2017-8051 1 Tenable 1 Appliance 2025-04-20 10.0 HIGH 9.8 CRITICAL
Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands.
CVE-2017-14001 1 Digium 1 Asterisk Gui 2025-04-20 9.0 HIGH 8.8 HIGH
An Improper Neutralization of Special Elements used in an OS Command issue was discovered in Digium Asterisk GUI 2.1.0 and prior. An OS command injection vulnerability has been identified that may allow the execution of arbitrary code on the system through the inclusion of OS commands in the URL request of the program.
CVE-2017-6360 1 Qnap 1 Qts 2025-04-20 10.0 HIGH 9.8 CRITICAL
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and obtain sensitive information via unspecified vectors.
CVE-2017-16926 1 Ohcount Project 1 Ohcount 2025-04-20 10.0 HIGH 9.8 CRITICAL
Ohcount 3.0.0 is prone to a command injection via specially crafted filenames containing shell metacharacters, which can be exploited by an attacker (providing a source tree for Ohcount processing) to execute arbitrary code as the user running Ohcount.
CVE-2017-2866 1 Meetcircle 2 Circle With Disney, Circle With Disney Firmware 2025-04-20 9.0 HIGH 8.8 HIGH
An exploitable vulnerability exists in the /api/CONFIG/backup functionality of Circle with Disney. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.
CVE-2017-1000215 1 Xrootd 1 Xrootd 2025-04-20 10.0 HIGH 9.8 CRITICAL
ROOT xrootd version 4.6.0 and below is vulnerable to an unauthenticated shell command injection resulting in remote code execution
CVE-2017-14867 2 Debian, Git-scm 2 Debian Linux, Git 2025-04-20 9.0 HIGH 8.8 HIGH
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
CVE-2017-2845 1 Foscam 2 C1 Indoor Hd Camera, C1 Indoor Hd Camera Firmware 2025-04-20 6.5 MEDIUM 8.8 HIGH
An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during the SMTP configuration tests resulting in command execution
CVE-2017-9483 1 Cisco 2 Dpc3939, Dpc3939 Firmware 2025-04-20 10.0 HIGH 9.8 CRITICAL
The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST) devices allows Network Processor (NP) Linux users to obtain root access to the Application Processor (AP) Linux system via shell metacharacters in commands.
CVE-2017-8768 1 Atlassian 1 Sourcetree 2025-04-20 10.0 HIGH 9.8 CRITICAL
Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme. It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command. The Atlassian ID number is SRCTREE-4632.
CVE-2017-14500 1 Newsbeuter 1 Newsbeuter 2025-04-20 6.8 MEDIUM 8.8 HIGH
Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure (i.e., a podcast file) that includes shell metacharacters in its filename, related to pb_controller.cpp and queueloader.cpp, a different vulnerability than CVE-2017-12904.
CVE-2017-16960 1 Tp-link 93 Tl-er3210g, Tl-er3210g Firmware, Tl-er3220g and 90 more 2025-04-20 9.0 HIGH 8.8 HIGH
TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the t_bindif field of an admin/interface command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/interface.lua in uhttpd.
CVE-2017-10951 1 Foxitsoftware 1 Foxit Reader 2025-04-20 6.8 MEDIUM 8.8 HIGH
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.0.14878. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within app.launchURL method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4724.
CVE-2017-11321 1 Ucopia 1 Wireless Appliance 2025-04-20 6.5 MEDIUM 7.2 HIGH
The restricted shell interface in UCOPIA Wireless Appliance before 5.1.8 allows remote authenticated users to gain 'admin' privileges via shell metacharacters in the less command.
CVE-2016-0634 1 Gnu 1 Bash 2025-04-20 6.0 MEDIUM 7.5 HIGH
The expansion of '\h' in the prompt string in bash 4.3 allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine.
CVE-2017-1000203 1 Cern 1 Root 2025-04-20 9.0 HIGH 8.8 HIGH
ROOT version 6.9.03 and below is vulnerable to an authenticated shell metacharacter injection in the rootd daemon resulting in remote code execution
CVE-2017-2917 1 Meetcircle 2 Circle With Disney, Circle With Disney Firmware 2025-04-20 9.0 HIGH 8.8 HIGH
An exploitable vulnerability exists in the notifications functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.