Total
4663 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2742 | 2024-11-21 | N/A | 6.4 MEDIUM | ||
| Operating system command injection vulnerability in Planet IGS-4215-16T2S, affecting firmware version 1.305b210528. An authenticated attacker could execute arbitrary code on the remote host by exploiting IP address functionality. | |||||
| CVE-2024-2421 | 2024-11-21 | N/A | N/A | ||
| LenelS2 NetBox access control and event monitoring system was discovered to contain an unauthenticated RCE in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands with elevated permissions. | |||||
| CVE-2024-2415 | 2024-11-21 | N/A | 7.8 HIGH | ||
| Command injection vulnerability in Movistar 4G router affecting version ES_WLD71-T1_v2.0.201820. This vulnerability allows an authenticated user to execute commands inside the router by making a POST request to the URL '/cgi-bin/gui.cgi'. | |||||
| CVE-2024-2359 | 1 Lollms | 1 Lollms Web Ui | 2024-11-21 | N/A | 9.8 CRITICAL |
| A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the `/execute_code` endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the `/update_setting` endpoint, which lacks proper access control, to modify the `host` configuration at runtime. By changing the `host` setting to an attacker-controlled value, the restriction on the `/execute_code` endpoint can be bypassed, leading to remote code execution. This vulnerability is due to improper neutralization of special elements used in an OS command (`Improper Neutralization of Special Elements used in an OS Command`). | |||||
| CVE-2024-2162 | 2024-11-21 | N/A | 8.8 HIGH | ||
| An OS Command Injection vulnerability in Kiloview NDI allows a low-privileged user to execute arbitrary code remotely on the device with high privileges. This issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version 2.02.0227 . | |||||
| CVE-2024-29640 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component. | |||||
| CVE-2024-29189 | 2024-11-21 | N/A | 7.4 HIGH | ||
| PyAnsys Geometry is a Python client library for the Ansys Geometry service and other CAD Ansys products. On file src/ansys/geometry/core/connection/product_instance.py, upon calling this method _start_program directly, users could exploit its usage to perform malicious operations on the current machine where the script is ran. This vulnerability is fixed in 0.3.3 and 0.4.12. | |||||
| CVE-2024-29167 | 2024-11-21 | N/A | 7.2 HIGH | ||
| SVR-116 firmware version 1.6.0.30028871 allows a remote authenticated attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product. | |||||
| CVE-2024-28750 | 2024-11-21 | N/A | 7.2 HIGH | ||
| A remote attacker with high privileges may use a deleting file function to inject OS commands. | |||||
| CVE-2024-28749 | 2024-11-21 | N/A | 7.2 HIGH | ||
| A remote attacker with high privileges may use a writing file function to inject OS commands. | |||||
| CVE-2024-28748 | 2024-11-21 | N/A | 7.2 HIGH | ||
| A remote attacker with high privileges may use a reading file function to inject OS commands. | |||||
| CVE-2024-28048 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| OS command injection vulnerability exists in ffBull ver.4.11, which may allow a remote unauthenticated attacker to execute an arbitrary OS command with the privilege of the running web server. Note that the developer was unreachable, therefore, users should consider stop using ffBull ver.4.11. | |||||
| CVE-2024-28033 | 2024-11-21 | N/A | 7.3 HIGH | ||
| OS command injection vulnerability exists in WebProxy 1.7.8 and 1.7.9, which may allow a remote unauthenticated attacker to execute an arbitrary OS command with the privilege of the running web server. Note that the developer was unreachable, therefore, users should consider stop using WebProxy 1.7.8 and 1.7.9. | |||||
| CVE-2024-27920 | 2024-11-21 | N/A | 7.4 HIGH | ||
| projectdiscovery/nuclei is a fast and customisable vulnerability scanner based on simple YAML based DSL. A significant security oversight was identified in Nuclei v3, involving the execution of unsigned code templates through workflows. This vulnerability specifically affects users utilizing custom workflows, potentially allowing the execution of malicious code on the user's system. This advisory outlines the impacted users, provides details on the security patch, and suggests mitigation strategies. The vulnerability is addressed in Nuclei v3.2.0. Users are strongly recommended to update to this version to mitigate the security risk. Users should refrain from using custom workflows if unable to upgrade immediately. Only trusted, verified workflows should be executed. | |||||
| CVE-2024-27172 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Remote Command program allows an attacker to get Remote Code Execution. As for the affected products/models/versions, see the reference URL. | |||||
| CVE-2024-27124 | 2024-11-21 | N/A | 7.5 HIGH | ||
| An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later | |||||
| CVE-2024-25568 | 2024-11-21 | N/A | 8.8 HIGH | ||
| OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent unauthenticated attacker to execute arbitrary OS commands by sending a specially crafted request to the product. Affected products and versions are as follows: WRC-X3200GST3-B v1.25 and earlier, WRC-G01-W v1.24 and earlier, and WMC-X1800GST-B v1.41 and earlier. Note that WMC-X1800GST-B is also included in e-Mesh Starter Kit "WMC-2LX-B". | |||||
| CVE-2024-25002 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Command Injection in the diagnostics interface of the Bosch Network Synchronizer allows unauthorized users full access to the device. | |||||
| CVE-2024-24899 | 2024-11-21 | N/A | 7.2 HIGH | ||
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in openEuler aops-zeus on Linux allows Command Injection. This vulnerability is associated with program files https://gitee.Com/openeuler/aops-zeus/blob/master/zeus/conf/constant.Py. This issue affects aops-zeus: from 1.2.0 through 1.4.0. | |||||
| CVE-2024-24892 | 2024-11-21 | N/A | 8.1 HIGH | ||
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Improper Privilege Management vulnerability in openEuler migration-tools on Linux allows Command Injection, Restful Privilege Elevation. This vulnerability is associated with program files https://gitee.Com/openeuler/migration-tools/blob/master/index.Py. This issue affects migration-tools: from 1.0.0 through 1.0.1. | |||||