Total
2608 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-26429 | 1 Open-xchange | 1 Open-xchange Appsuite Backend | 2024-11-21 | 3.5 Low |
| Control characters were not removed when exporting user feedback content. This allowed attackers to include unexpected content via user feedback and potentially break the exported data structure. We now drop all control characters that are not whitespace character during the export. No publicly available exploits are known. | ||||
| CVE-2023-26320 | 2 Mi, Xiaomi | 3 Xiaomi Router Ax3200, Xiaomi Router Ax3200 Firmware, Xiaomi Router | 2024-11-21 | 7.5 High |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection. | ||||
| CVE-2023-26319 | 2 Mi, Xiaomi | 3 Xiaomi Router Ax3200, Xiaomi Router Ax3200 Firmware, Xiaomi Router | 2024-11-21 | 6.7 Medium |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection. | ||||
| CVE-2023-26317 | 1 Mi | 1 Xiaomi Router Firmware | 2024-11-21 | 7 High |
| Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing. | ||||
| CVE-2023-26310 | 1 Oppo | 2 Coloros, Find X3 | 2024-11-21 | 7.4 High |
| There is a command injection problem in the old version of the mobile phone backup app. | ||||
| CVE-2023-26155 | 1 Nrhirani | 1 Node-qpdf | 2024-11-21 | 7.3 High |
| All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path. | ||||
| CVE-2023-26145 | 1 Derrickgilland | 1 Pydash | 2024-11-21 | 7.4 High |
| This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_map() accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target internal class attributes and dict items, to retrieve, modify or invoke nested Python objects. **Note:** The pydash.objects.invoke() method is vulnerable to Command Injection when the following prerequisites are satisfied: 1) The source object (argument 1) is not a built-in object such as list/dict (otherwise, the __init__.__globals__ path is not accessible) 2) The attacker has control over argument 2 (the path string) and argument 3 (the argument to pass to the invoked method) The pydash.collections.invoke_map() method is also vulnerable, but is harder to exploit as the attacker does not have direct control over the argument to be passed to the invoked function. | ||||
| CVE-2023-25649 | 1 Zte | 2 Mf286r, Mf286r Firmware | 2024-11-21 | 6.8 Medium |
| There is a command injection vulnerability in a mobile internet product of ZTE. Due to insufficient validation of SET_DEVICE_LED interface parameter, an authenticated attacker could use the vulnerability to execute arbitrary commands. | ||||
| CVE-2023-25643 | 1 Zte | 4 Mc801a, Mc801a1, Mc801a1 Firmware and 1 more | 2024-11-21 | 8.4 High |
| There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands. | ||||
| CVE-2023-24583 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-11-21 | 8.8 High |
| Two OS command injection vulnerabilities exist in the urvpn_client cmd_name_action functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This OS command injection is triggered through a UDP packet. | ||||
| CVE-2023-24582 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-11-21 | 8.8 High |
| Two OS command injection vulnerabilities exist in the urvpn_client cmd_name_action functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This OS command injection is triggered through a TCP packet. | ||||
| CVE-2023-24520 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-11-21 | 8.8 High |
| Two OS command injection vulnerability exist in the vtysh_ubus toolsh_excute.constprop.1 functionality of Milesight UR32L v32.3.0.5. A specially-crafted network request can lead to command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is in the trace tool utility. | ||||
| CVE-2023-24519 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-11-21 | 8.8 High |
| Two OS command injection vulnerability exist in the vtysh_ubus toolsh_excute.constprop.1 functionality of Milesight UR32L v32.3.0.5. A specially-crafted network request can lead to command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is in the ping tool utility. | ||||
| CVE-2023-24229 | 1 Draytek | 2 Vigor2960, Vigor2960 Firmware | 2024-11-21 | 7.8 High |
| DrayTek Vigor2960 v1.5.1.4 allows an authenticated attacker with network access to the web management interface to inject operating system commands via the mainfunction.cgi 'parameter' parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2023-24135 | 1 Jensenofscandinavia | 2 Eagle 1200ac, Eagle 1200ac Firmware | 2024-11-21 | 7.8 High |
| Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a command injection vulnerability in the function formWriteFacMac. This vulnerability allows attackers to execute arbitrary commands via manipulation of the mac parameter. | ||||
| CVE-2023-24046 | 1 Connectize | 2 Ac21000 G6, Ac21000 G6 Firmware | 2024-11-21 | 6.8 Medium |
| An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to run arbitrary commands via use of a crafted string in the ping utility. | ||||
| CVE-2023-23564 | 1 Geomatika | 1 Isigeo Web | 2024-11-21 | 8.8 High |
| An issue was discovered in Geomatika IsiGeo Web 6.0. It allows remote authenticated users to execute commands. | ||||
| CVE-2023-23550 | 1 Milesight | 2 Ur32l, Ur32l Firmware | 2024-11-21 | 7.2 High |
| An OS command injection vulnerability exists in the ys_thirdparty user_delete functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability. | ||||
| CVE-2023-22816 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2024-11-21 | 6 Medium |
| A post-authentication remote command injection vulnerability in a CGI file in Western Digital My Cloud OS 5 devices that could allow an attacker to build files with redirects and execute larger payloads. This issue affects My Cloud OS 5 devices: before 5.26.300. | ||||
| CVE-2023-22815 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2024-11-21 | 6.2 Medium |
| Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context of the root user on vulnerable CGI files. This vulnerability can only be exploited over the network and the attacker must already have admin/root privileges to carry out the exploit. An authentication bypass is required for this exploit, thereby making it more complex. The attack may not require user interaction. Since an attacker must already be authenticated, the confidentiality impact is low while the integrity and availability impact is high. This issue affects My Cloud OS 5 devices: before 5.26.300. | ||||