Filtered by CWE-77
Total 2590 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-3483 1 Microfocus 1 Imanager 2025-01-21 7.8 High
Remote Code Execution has been discovered in OpenText™ iManager 3.2.6.0200. The vulnerability can trigger command injection and insecure deserialization issues.
CVE-2024-54681 2025-01-21 3.5 Low
Multiple bash files were present in the application's private directory. Bash files can be used on their own, by an attacker that has already full access to the mobile platform to compromise the translations for the application.
CVE-2023-33294 1 Kaiostech 1 Kaios 2025-01-21 9.8 Critical
An issue was discovered in KaiOS 3.0 before 3.1. The /system/bin/tctweb_server binary exposes a local web server that responds to GET and POST requests on port 2929. The server accepts arbitrary Bash commands and executes them as root. Because it is not permission or context restricted and returns proper CORS headers, it's accessible to all websites via the browser. At a bare minimum, this allows an attacker to retrieve a list of the user's installed apps, notifications, and downloads. It also allows an attacker to delete local files and modify system properties including the boolean persist.moz.killswitch property (which would render the device inoperable). This vulnerability is partially mitigated by SELinux which prevents reads, writes, or modifications to files or permissions within protected partitions.
CVE-2024-3908 1 Tenda 2 Ac500, Ac500 Firmware 2025-01-17 6.3 Medium
A vulnerability classified as critical has been found in Tenda AC500 2.0.1.9(1307). Affected is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-261144. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-11772 1 Ivanti 1 Cloud Services Appliance 2025-01-17 9.1 Critical
Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
CVE-2024-11634 1 Ivanti 2 Connect Secure, Policy Secure 2025-01-17 9.1 Critical
Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. (Not applicable to 9.1Rx)
CVE-2023-25911 1 Danfoss 2 Ak-em100, Ak-em100 Firmware 2025-01-17 9.9 Critical
The Danfoss AK-EM100 web applications allow for an authenticated user to perform OS command injection through the web application parameters.
CVE-2023-31996 1 Hanwhavision 236 Ane-l6012r, Ane-l6012r Firmware, Ane-l7012r and 233 more 2025-01-17 8.8 High
Hanwha IP Camera ANE-L7012R 1.41.01 is vulnerable to Command Injection due to improper sanitization of special characters for the NAS storage test function.
CVE-2022-4616 1 Deltaww 2 Dx-3021l9, Dx-3021l9 Firmware 2025-01-16 7.2 High
The webserver in Delta DX-3021 versions prior to 1.24 is vulnerable to command injection through the network diagnosis page. This vulnerability could allow a remote unauthenticated user to add files, delete files, and change file permissions.
CVE-2023-0351 1 Akuvox 2 E11, E11 Firmware 2025-01-16 8.8 High
The Akuvox E11 web server backend library allows command injection in the device phone-book contacts functionality. This could allow an attacker to upload files with executable command instructions.
CVE-2023-1141 1 Deltaww 1 Infrasuite Device Master 2025-01-16 8.8 High
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a command injection vulnerability that could allow an attacker to inject arbitrary commands, which could result in remote code execution.
CVE-2023-28712 1 Propumpservice 2 Osprey Pump Controller, Osprey Pump Controller Firmware 2025-01-16 8.2 High
Osprey Pump Controller version 1.01 contains an unauthenticated command injection vulnerability that could allow system access with www-data permissions.
CVE-2023-4212 1 Trane 8 Pivot, Pivot Firmware, Xl1050 and 5 more 2025-01-16 6.8 Medium
​A command injection vulnerability exists in Trane XL824, XL850, XL1050, and Pivot thermostats allowing an attacker to execute arbitrary commands as root using a specially crafted filename. The vulnerability requires physical access to the device via a USB stick.
CVE-2024-39367 2025-01-15 9.1 Critical
An os command injection vulnerability exists in the firewall.cgi iptablesWebsFilterRun() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2024-3009 1 Tenda 2 Fh1205, Fh1205 Firmware 2025-01-15 6.3 Medium
A vulnerability has been found in Tenda FH1205 2.0.0.7(775) and classified as critical. Affected by this vulnerability is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-258295. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-39360 2025-01-14 9.1 Critical
An os command injection vulnerability exists in the nas.cgi remove_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2022-22688 1 Synology 1 Diskstation Manager 2025-01-14 8.8 High
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
CVE-2017-12075 1 Synology 1 Diskstation Manager 2025-01-14 N/A
Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary command via the username parameter.
CVE-2022-47028 1 Actionlauncher 1 Action Launcher 2025-01-14 5.5 Medium
An issue discovered in Action Launcher for Android v50.5 allows an attacker to cause a denial of service via arbitary data injection to function insert.
CVE-2015-20108 1 Onelogin 1 Ruby-saml 2025-01-14 9.8 Critical
xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.