Vulnerabilities (CVE)

Filtered by CWE-78
Total 3506 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-9328 1 Terra-master 1 Terramaster Operating System 2024-02-04 10.0 HIGH 9.8 CRITICAL
Shell metacharacter injection vulnerability in /usr/www/include/ajax/GetTest.php in TerraMaster TOS before 3.0.34 leads to remote code execution as root.
CVE-2017-1000235 1 I-librarian 1 I Librarian 2024-02-04 10.0 HIGH 9.8 CRITICAL
I, Librarian version <=4.6 & 4.7 is vulnerable to OS Command Injection in batchimport.php resulting the web server being fully compromised.
CVE-2017-14867 2 Debian, Git-scm 2 Debian Linux, Git 2024-02-04 9.0 HIGH 8.8 HIGH
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
CVE-2017-12305 1 Cisco 1 Ip Phone 8800 Series Firmware 2024-02-04 7.2 HIGH 6.7 MEDIUM
A vulnerability in the debug interface of Cisco IP Phone 8800 series could allow an authenticated, local attacker to execute arbitrary commands, aka Debug Shell Command Injection. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting additional command input to the affected parameter in the debug shell. Cisco Bug IDs: CSCvf80034.
CVE-2017-6796 1 Cisco 1 Ios Xe 2024-02-04 7.2 HIGH 6.7 MEDIUM
A vulnerability in the USB-modem code of Cisco IOS XE Software running on Cisco ASR 920 Series Aggregation Services Routers could allow an authenticated, local attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. The vulnerability is due to improper input validation of the platform usb modem command in the CLI of the affected software. An attacker could exploit this vulnerability by modifying the platform usb modem command in the CLI of an affected device. A successful exploit could allow the attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. Cisco Bug IDs: CSCve48949.
CVE-2016-0634 1 Gnu 1 Bash 2024-02-04 6.0 MEDIUM 7.5 HIGH
The expansion of '\h' in the prompt string in bash 4.3 allows remote authenticated users to execute arbitrary code via shell metacharacters placed in 'hostname' of a machine.
CVE-2017-14127 1 Technicolor 2 Td5336, Td5336 Firmware 2024-02-04 10.0 HIGH 9.8 CRITICAL
Command Injection in the Ping Module in the Web Interface on Technicolor TD5336 OI_Fw_v7 devices allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the pingAddr parameter to mnt_ping.cgi.
CVE-2017-16958 1 Tp-link 108 Tl-er3210g, Tl-er3210g Firmware, Tl-er3220g and 105 more 2024-02-04 9.0 HIGH 8.8 HIGH
TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the t_bindif field of an admin/bridge command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/bridge.lua in uhttpd.
CVE-2017-6223 1 Ruckus 2 Zonedirector, Zonedirector Firmware 2024-02-04 9.3 HIGH 8.8 HIGH
Ruckus Wireless Zone Director Controller firmware releases ZD9.9.x, ZD9.10.x, ZD9.13.0.x less than 9.13.0.0.232 contain OS Command Injection vulnerabilities in the ping functionality that could allow local authenticated users to execute arbitrary privileged commands on the underlying operating system.
CVE-2017-8116 1 Teltonika 8 Rut900, Rut900 Firmware, Rut905 and 5 more 2024-02-04 10.0 HIGH 9.8 CRITICAL
The management interface for the Teltonika RUT9XX routers (aka LuCI) with firmware 00.03.265 and earlier allows remote attackers to execute arbitrary commands with root privileges via shell metacharacters in the username parameter in a login request.
CVE-2016-7844 1 Gigaccsecure 1 Gigacc Office 2024-02-04 6.0 MEDIUM 5.5 MEDIUM
GigaCC OFFICE ver.2.3 and earlier allows remote attackers to execute arbitrary OS commands via specially crafted mail template.
CVE-2017-9757 1 Ipfire 1 Ipfire 2024-02-04 6.5 MEDIUM 8.8 HIGH
IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi via the OINKCODE parameter, which is mishandled by a shell. This can be exploited directly by authenticated users, or through CSRF.
CVE-2017-16960 1 Tp-link 93 Tl-er3210g, Tl-er3210g Firmware, Tl-er3220g and 90 more 2024-02-04 9.0 HIGH 8.8 HIGH
TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the t_bindif field of an admin/interface command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/interface.lua in uhttpd.
CVE-2015-5958 1 Phpfilemanager Project 1 Phpfilemanager 2024-02-04 9.3 HIGH 8.8 HIGH
phpFileManager 0.9.8 allows remote attackers to execute arbitrary commands via a crafted URL.
CVE-2017-14119 1 Eyesofnetwork 1 Eyesofnetwork 2024-02-04 6.5 MEDIUM 8.8 HIGH
In the EyesOfNetwork web interface (aka eonweb) 5.1-0, module\tool_all\tools\snmpwalk.php does not properly restrict popen calls, which allows remote attackers to execute arbitrary commands via shell metacharacters in a parameter.
CVE-2017-10813 1 Corega 2 Wlr 300 Nm, Wlr 300 Nm Firmware 2024-02-04 7.7 HIGH 6.8 MEDIUM
CG-WLR300NM Firmware version 1.90 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors.
CVE-2017-6224 1 Ruckuswireless 4 Unleashed, Unleashed Firmware, Zonedirector and 1 more 2024-02-04 9.3 HIGH 8.8 HIGH
Ruckus Wireless Zone Director Controller firmware releases ZD9.x, ZD10.0.0.x, ZD10.0.1.x (less than 10.0.1.0.17 MR1 release) and Ruckus Wireless Unleashed AP Firmware releases 200.0.x, 200.1.x, 200.2.x, 200.3.x, 200.4.x. contain OS Command Injection vulnerabilities that could allow local authenticated users to execute arbitrary privileged commands on the underlying operating system by appending those commands in the Common Name field in the Certificate Generation Request.
CVE-2017-7341 1 Fortinet 1 Fortiwlc 2024-02-04 9.0 HIGH 7.2 HIGH
An OS Command Injection vulnerability in Fortinet FortiWLC 6.1-2 through 6.1-5, 7.0-7 through 7.0-10, 8.0 through 8.2, and 8.3.0 through 8.3.2 file management AP script download webUI page allows an authenticated admin user to execute arbitrary system console commands via crafted HTTP requests.
CVE-2017-17411 1 Linksys 2 Wvbr0, Wvbr0 Firmware 2024-02-04 10.0 HIGH 9.8 CRITICAL
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges. Was ZDI-CAN-4892.
CVE-2017-2850 1 Foscam 2 C1 Indoor Hd Camera, C1 Indoor Hd Camera Firmware 2024-02-04 6.5 MEDIUM 8.8 HIGH
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary characters in the pureftpd.passwd file during a username change, which in turn allows for bypassing chroot restrictions in the FTP server. An attacker can simply send an HTTP request to the device to trigger this vulnerability.