Total: 945 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-44959 | 1 Dlink | 2 Dsl-3782, Dsl-3782 Firmware | 2024-11-21 | N/A | 8.8 HIGH |
An issue found in D-Link DSL-3782 v.1.03 and before allows remote authenticated users to execute arbitrary code as root via the Router IP Address fields of the network settings page. | |||||
CVE-2023-44827 | 1 Easycorp | 3 Zentao, Zentao Biz, Zentao Max | 2024-11-21 | N/A | 8.8 HIGH |
An issue in ZenTao Community Edition v.18.6 and before, ZenTao Biz v.8.6 and before, ZenTao Max v.4.7 and before allows an attacker to execute arbitrary code via a crafted script to the Office Conversion Settings function. | |||||
CVE-2023-43322 | 1 Zpesystems | 1 Nodegrid Os | 2024-11-21 | N/A | 8.8 HIGH |
ZPE Systems, Inc Nodegrid OS v5.0.0 to v5.0.17, v5.2.0 to v5.2.19, v5.4.0 to v5.4.16, v5.6.0 to v5.6.13, v5.8.0 to v5.8.10, and v5.10.0 to v5.10.3 was discovered to contain a command injection vulnerability via the endpoint /v1/system/toolkit/files/. | |||||
CVE-2023-43138 | 1 Tp-link | 2 Tl-er5120g, Tl-er5120g Firmware | 2024-11-21 | N/A | 8.8 HIGH |
TPLINK TL-ER5120G 4.0 2.0.0 Build 210817 Rel.80868n has a command injection vulnerability: when an attacker adds NAPT rules after authentication, the rule name has an injection point. | |||||
CVE-2023-43137 | 1 Tp-link | 2 Tl-er5120g, Tl-er5120g Firmware | 2024-11-21 | N/A | 8.8 HIGH |
TPLINK TL-ER5120G 4.0 2.0.0 Build 210817 Rel.80868n has a command injection vulnerability: when an attacker adds ACL rules after authentication, the rule name parameter has injection points. | |||||
CVE-2023-42326 | 1 Netgate | 2 Pfsense, Pfsense Plus | 2024-11-21 | N/A | 8.8 HIGH |
An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components. | |||||
CVE-2023-42136 | 1 Paxtechnology | 9 A50, A6650, A77 and 6 more | 2024-11-21 | N/A | 7.8 HIGH |
PAX Android-based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow the execution of arbitrary commands with system account privilege by shell injection starting with a specific word. The attacker must have shell access to the device in order to exploit this vulnerability. | |||||
CVE-2023-41724 | 1 Ivanti | 1 Standalone Sentry | 2024-11-21 | N/A | 8.8 HIGH |
A command injection vulnerability in Ivanti Sentry prior to 9.19.0 allows an unauthenticated threat actor within the same physical or logical network to execute arbitrary commands on the underlying operating system of the appliance. | |||||
CVE-2023-41334 | | | 2024-11-21 | N/A | 8.4 HIGH |
Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TransformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`. Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue. | |||||
CVE-2023-41303 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | N/A | 7.5 HIGH |
Command injection vulnerability in the distributed file system module. Successful exploitation of this vulnerability may cause variables in the sock structure to be modified. | |||||
CVE-2023-41031 | 1 Juplink | 2 Rx4-1500, Rx4-1500 Firmware | 2024-11-21 | 7.7 HIGH | 8.0 HIGH |
Command injection in homemng.htm in Juplink RX4-1500 versions V1.0.2, V1.0.3, V1.0.4, and V1.0.5 allows remote authenticated attackers to execute commands via specially crafted requests to the vulnerable endpoint. | |||||
CVE-2023-41029 | 1 Juplink | 2 Rx4-1500, Rx4-1500 Firmware | 2024-11-21 | 7.7 HIGH | 8.0 HIGH |
Command injection vulnerability in the homemng.htm endpoint in Juplink RX4-1500 Wifi router firmware versions V1.0.2, V1.0.3, V1.0.4, and V1.0.5 allows authenticated remote attackers to execute commands as root via specially crafted HTTP requests to the vulnerable endpoint. | |||||
CVE-2023-40796 | 1 Phicomm | 2 K2, K2 Firmware | 2024-11-21 | N/A | 7.8 HIGH |
Phicomm k2 v22.6.529.216 was discovered to contain a command injection vulnerability via the function luci.sys.call. | |||||
CVE-2023-40598 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-11-21 | N/A | 8.5 HIGH |
In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an attacker can create an external lookup that calls a legacy internal function. The attacker can use this internal function to insert code into the Splunk platform installation directory. From there, a user can execute arbitrary code on the Splunk platform instance. | |||||
CVE-2023-3718 | 1 Hpe | 27 Aruba Cx 10000-48y6, Aruba Cx 4100i, Aruba Cx 6000 12g and 24 more | 2024-11-21 | N/A | 8.8 HIGH |
An authenticated command injection vulnerability exists in the AOS-CX command line interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands on the underlying operating system as a privileged user on the affected switch. This allows an attacker to fully compromise the underlying operating system on the device running AOS-CX. | |||||
CVE-2023-39509 | 1 Bosch | 4 Cpp13, Cpp13 Firmware, Cpp14 and 1 more | 2024-11-21 | N/A | 7.2 HIGH |
A command injection vulnerability exists in Bosch IP cameras that allows an authenticated user with administrative rights to run arbitrary commands on the OS of the camera. | |||||
CVE-2023-39362 | 2 Cacti, Fedoraproject | 2 Cacti, Fedora | 2024-11-21 | N/A | 7.2 HIGH |
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user can use a malicious string in the SNMP options of a Device to perform command injection and obtain remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions with similar behavior that accept some variables as input and place them into an `exec` call without proper escaping or validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2023-38921 | 1 Netgear | 4 Wag302v2, Wag302v2 Firmware, Wg302v2 and 1 more | 2024-11-21 | N/A | 8.8 HIGH |
Netgear WG302v2 v5.2.9 and WAG302v2 v5.1.19 were discovered to contain multiple command injection vulnerabilities in the upgrade_handler function via the firmwareRestore and firmwareServerip parameters. | |||||
CVE-2023-38829 | 1 Netis-systems | 2 Wf2409e, Wf2409e Firmware | 2024-11-21 | N/A | 8.8 HIGH |
An issue in NETIS SYSTEMS WF2409E v.3.6.42541 allows a remote attacker to execute arbitrary code via the ping and traceroute functions of the diagnostic tools component in the admin management interface. | |||||
CVE-2023-38286 | 2 Codecentric, Thymeleaf | 2 Spring Boot Admin, Thymeleaf | 2024-11-21 | N/A | 7.5 HIGH |
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI. |