Total
4412 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-26616 | 1 Secuwiz | 1 Secuwayssl U | 2024-11-21 | 7.5 HIGH | 7.8 HIGH |
| An OS command injection was found in SecuwaySSL, when special characters injection on execute command with runCommand arguments. | |||||
| CVE-2021-26543 | 1 Wayfair | 1 Git-parse | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The "gitDiff" function in Wayfair git-parse <=1.0.4 has a command injection vulnerability. Clients of the git-parse library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. The issue has been resolved in version 1.0.5. | |||||
| CVE-2021-26476 | 1 Eprints | 1 Eprints | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| EPrints 3.4.2 allows remote attackers to execute OS commands via crafted LaTeX input to a cgi/cal?year= URI. | |||||
| CVE-2021-26472 | 2 Microsoft, Vembu | 3 Windows, Bdr Suite, Offsite Dr | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL |
| In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges. | |||||
| CVE-2021-26116 | 1 Fortinet | 1 Fortiauthenticator | 2024-11-21 | 6.5 MEDIUM | 6.7 MEDIUM |
| An improper neutralization of special elements used in an OS command vulnerability in the command line interpreter of FortiAuthenticator before 6.3.1 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands. | |||||
| CVE-2021-26106 | 1 Fortinet | 3 Fortiap, Fortiap-s, Fortiap-w2 | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| An improper neutralization of special elements used in an OS Command vulnerability in FortiAP's console 6.4.1 through 6.4.5 and 6.2.4 through 6.2.5 may allow an authenticated attacker to execute unauthorized commands by running the kdbg CLI command with specifically crafted arguments. | |||||
| CVE-2021-26104 | 1 Fortinet | 3 Fortianalyzer, Fortimanager, Fortiportal | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| Multiple OS command injection (CWE-78) vulnerabilities in the command line interface of FortiManager 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, FortiAnalyzer 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, and FortiPortal 5.2.5 and below, 5.3.5 and below and 6.0.4 and below may allow a local authenticated and unprivileged user to execute arbitrary shell commands as root via specifically crafted CLI command parameters. | |||||
| CVE-2021-26097 | 1 Fortinet | 1 Fortisandbox | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An improper neutralization of special elements used in an OS Command vulnerability in FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6 may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests. | |||||
| CVE-2021-25310 | 1 Belkin | 2 Linksys Wrt160nl, Linksys Wrt160nl Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** The administration web interface on Belkin Linksys WRT160NL 1.0.04.002_US_20130619 devices allows remote authenticated attackers to execute system commands with root privileges via shell metacharacters in the ui_language POST parameter to the apply.cgi form endpoint. This occurs in do_upgrade_post in mini_httpd. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | |||||
| CVE-2021-25167 | 1 Arubanetworks | 1 Airwave | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A remote unauthorized access vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability. | |||||
| CVE-2021-24684 | 1 Teamlead | 1 Pdf-light-viewer | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| The WordPress PDF Light Viewer Plugin WordPress plugin before 1.4.12 allows users with Author roles to execute arbitrary OS command on the server via OS Command Injection when invoking Ghostscript. | |||||
| CVE-2021-24312 | 1 Automattic | 1 Wp Super Cache | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3 result in RCE because they allow input of '$' and '\n'. This is due to an incomplete fix of CVE-2021-24209. | |||||
| CVE-2021-24033 | 1 Facebook | 1 React-dev-utils | 2024-11-21 | 6.8 MEDIUM | 5.6 MEDIUM |
| react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts (in Create React App projects), where the usage is safe. Only when this function is manually invoked with user-provided values (ie: by custom code) is there the potential for command injection. If you're consuming it from react-scripts then this issue does not affect you. | |||||
| CVE-2021-24023 | 1 Fortinet | 2 Fortiai 3500f, Fortiai Firmware | 2024-11-21 | 9.0 HIGH | 7.8 HIGH |
| An improper input validation in FortiAI v1.4.0 and earlier may allow an authenticated user to gain system shell access via a malicious payload in the "diagnose" command. | |||||
| CVE-2021-24015 | 1 Fortinet | 1 Fortimail | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| An improper neutralization of special elements used in an OS Command vulnerability in the administrative interface of FortiMail before 6.4.4 may allow an authenticated attacker to execute unauthorized commands via specifically crafted HTTP requests. | |||||
| CVE-2021-24009 | 1 Fortinet | 1 Fortiwan | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| Multiple improper neutralization of special elements used in an OS command vulnerabilities (CWE-78) in the Web GUI of FortiWAN before 4.5.9 may allow an authenticated attacker to execute arbitrary commands on the underlying system's shell via specifically crafted HTTP requests. | |||||
| CVE-2021-23862 | 1 Bosch | 8 Bosch Video Management System, Divar Ip 5000 Firmware, Divar Ip 7000 Firmware and 5 more | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| A crafted configuration packet sent by an authenticated administrative user can be used to execute arbitrary commands in system context. This issue also affects installations of the VRM, DIVAR IP, BVMS with VRM installed, the VIDEOJET decoder (VJD-7513 and VJD-8000). | |||||
| CVE-2021-23732 | 1 Quobject | 1 Docker-cli-js | 2024-11-21 | 9.3 HIGH | 9.0 CRITICAL |
| This affects all versions of package docker-cli-js. If the command parameter of the Docker.command method can at least be partially controlled by a user, they will be in a position to execute any arbitrary OS commands on the host system. | |||||
| CVE-2021-23632 | 1 Git Project | 1 Git | 2024-11-21 | 7.5 HIGH | 6.6 MEDIUM |
| All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js with the following content: js var Git = require("git").Git; var repo = new Git("repo-test"); var user_input = "version; date"; repo.git(user_input, function(err, result) { console.log(result); }) 2. In the same directory as exploit.js, run npm install git. 3. Run exploit.js: node exploit.js. You should see the outputs of both the git version and date command-lines. Note that the repo-test Git repository does not need to be present to make this PoC work. | |||||
| CVE-2021-23422 | 1 Bikeshed Project | 1 Bikeshed | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| This affects the package bikeshed before 3.0.0. This can occur when an untrusted source file containing Inline Tag Command metadata is processed. When an arbitrary OS command is executed, the command output would be included in the HTML output. | |||||