Total: 2356 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-28443 | 1 Sonar-wrapper Project | 1 Sonar-wrapper | 2024-11-21 | N/A | 9.8 CRITICAL | This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js.
CVE-2020-28440 | 1 Corenlp-js-interface Project | 1 Corenlp-js-interface | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function.
CVE-2020-28439 | 1 Corenlp-js-prefab Project | 1 Corenlp-js-prefab | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | This affects all versions of package corenlp-js-prefab. The injection point is located in line 10 in 'index.js'. It depends on a vulnerable package 'corenlp-js-interface'. Vulnerability can be exploited with the following PoC:
CVE-2020-28438 | 1 Deferred-exec Project | 1 Deferred-exec | 2024-11-21 | N/A | 9.8 CRITICAL | This affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js.
CVE-2020-28437 | 1 Heroku-env Project | 1 Heroku-env | 2024-11-21 | N/A | 9.4 CRITICAL | This affects all versions of package heroku-env. The injection point is located in lib/get.js, which is required by index.js.
CVE-2020-28436 | 1 Google-cloudstorage-commands Project | 1 Google-cloudstorage-commands | 2024-11-21 | N/A | 7.3 HIGH | This affects all versions of package google-cloudstorage-commands.
CVE-2020-28435 | 1 Ffmpeg-sdk Project | 1 Ffmpeg-sdk | 2024-11-21 | N/A | 9.4 CRITICAL | This affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js.
CVE-2020-28434 | 1 Gitblame Project | 1 Gitblame | 2024-11-21 | N/A | 9.4 CRITICAL | This affects all versions of package gitblame. The injection point is located in line 15 in lib/gitblame.js.
CVE-2020-28433 | 1 Node-latex-pdf Project | 1 Node-latex-pdf | 2024-11-21 | N/A | 7.3 HIGH | This affects all versions of package node-latex-pdf.
CVE-2020-28429 | 1 Geojson2kml Project | 1 Geojson2kml | 2024-11-21 | 7.5 HIGH | 7.3 HIGH | All versions of package geojson2kml are vulnerable to Command Injection via the index.js file. PoC: `var a = require("geojson2kml"); a("./","& touch JHU",function(){})`
CVE-2020-28426 | 1 Kill-process-on-port Project | 1 Kill-process-on-port | 2024-11-21 | 7.5 HIGH | 7.3 HIGH | All versions of package kill-process-on-port are vulnerable to Command Injection via a.getProcessPortId.
CVE-2020-28425 | 1 Curljs Project | 1 Curljs | 2024-11-21 | N/A | 7.3 HIGH | This affects all versions of package curljs.
CVE-2020-28423 | 1 Monorepo-build Project | 1 Monorepo-build | 2024-11-21 | N/A | 9.8 CRITICAL | This affects all versions of package monorepo-build.
CVE-2020-28422 | 1 Git-archive Project | 1 Git-archive | 2024-11-21 | N/A | 6.4 MEDIUM | All versions of package git-archive are vulnerable to Command Injection via the exports function.
CVE-2020-28347 | 1 Tp-link | 2 Ac1750, Ac1750 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.
CVE-2020-28243 | 3 Debian, Fedoraproject, Saltstack | 3 Debian Linux, Fedora, Salt | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH | An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create files on the minion in a non-blacklisted directory.
CVE-2020-27867 | 1 Netgear | 38 Ac2100, Ac2100 Firmware, Ac2400 and 35 more | 2024-11-21 | 7.7 HIGH | 6.8 MEDIUM | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, R7450, JNR3210, WNR2020, Nighthawk AC2100, and Nighthawk AC2400 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the mini_httpd service, which listens on TCP port 80 by default. When parsing the funjsq_access_token parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11653.
CVE-2020-27864 | 1 Dlink | 2 Dap-1860, Dap-1860 Firmware | 2024-11-21 | 8.3 HIGH | 8.8 HIGH | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1860 firmware version 1.04B03 WiFi extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HNAP service, which listens on TCP port 80 by default. When parsing the Authorization request header, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-10880.
CVE-2020-27862 | 1 Dlink | 4 Dsl-2888a, Dsl-2888a Firmware, Dva-2800 and 1 more | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH | This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DVA-2800 and DSL-2888A routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dhttpd service, which listens on TCP port 8008 by default. When parsing the path parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the web server. Was ZDI-CAN-10911.
CVE-2020-27575 | 1 Maxum | 1 Rumpus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Maxum Rumpus 8.2.13 and 8.2.14 are affected by a command injection vulnerability. The web administration contains functionality in which administrators are able to manage users. The edit users form contains a parameter vulnerable to command injection due to insufficient validation.