Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2015-5082

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-28 Sep, 2015 | 15:00
Updated At-06 Aug, 2024 | 06:32
Rejected At-
Credits

Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:28 Sep, 2015 | 15:00
Updated At:06 Aug, 2024 | 06:32
Rejected At:
▼CVE Numbering Authority (CNA)

Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.exploit-db.com/exploits/37428/
exploit
x_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/38096/
exploit
x_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/37426/
exploit
x_refsource_EXPLOIT-DB
http://www.rapid7.com/db/modules/exploit/linux/http/efw_chpasswd_exec
x_refsource_MISC
http://packetstormsecurity.com/files/133469/Endian-Firewall-Proxy-Password-Change-Command-Injection.html
x_refsource_MISC
Hyperlink: https://www.exploit-db.com/exploits/37428/
Resource:
exploit
x_refsource_EXPLOIT-DB
Hyperlink: https://www.exploit-db.com/exploits/38096/
Resource:
exploit
x_refsource_EXPLOIT-DB
Hyperlink: https://www.exploit-db.com/exploits/37426/
Resource:
exploit
x_refsource_EXPLOIT-DB
Hyperlink: http://www.rapid7.com/db/modules/exploit/linux/http/efw_chpasswd_exec
Resource:
x_refsource_MISC
Hyperlink: http://packetstormsecurity.com/files/133469/Endian-Firewall-Proxy-Password-Change-Command-Injection.html
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.exploit-db.com/exploits/37428/
exploit
x_refsource_EXPLOIT-DB
x_transferred
https://www.exploit-db.com/exploits/38096/
exploit
x_refsource_EXPLOIT-DB
x_transferred
https://www.exploit-db.com/exploits/37426/
exploit
x_refsource_EXPLOIT-DB
x_transferred
http://www.rapid7.com/db/modules/exploit/linux/http/efw_chpasswd_exec
x_refsource_MISC
x_transferred
http://packetstormsecurity.com/files/133469/Endian-Firewall-Proxy-Password-Change-Command-Injection.html
x_refsource_MISC
x_transferred
Hyperlink: https://www.exploit-db.com/exploits/37428/
Resource:
exploit
x_refsource_EXPLOIT-DB
x_transferred
Hyperlink: https://www.exploit-db.com/exploits/38096/
Resource:
exploit
x_refsource_EXPLOIT-DB
x_transferred
Hyperlink: https://www.exploit-db.com/exploits/37426/
Resource:
exploit
x_refsource_EXPLOIT-DB
x_transferred
Hyperlink: http://www.rapid7.com/db/modules/exploit/linux/http/efw_chpasswd_exec
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://packetstormsecurity.com/files/133469/Endian-Firewall-Proxy-Password-Change-Command-Injection.html
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:28 Sep, 2015 | 15:59
Updated At:12 Apr, 2025 | 10:46

Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.010.0HIGH
AV:N/AC:L/Au:N/C:C/I:C/A:C
Type: Primary
Version: 2.0
Base score: 10.0
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
CPE Matches

endian_firewall
endian_firewall
>>endian_firewall>>Versions up to 2.5.1(inclusive)
cpe:2.3:a:endian_firewall:endian_firewall:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-77Primarynvd@nist.gov
CWE ID: CWE-77
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
http://packetstormsecurity.com/files/133469/Endian-Firewall-Proxy-Password-Change-Command-Injection.htmlcve@mitre.org
Exploit
http://www.rapid7.com/db/modules/exploit/linux/http/efw_chpasswd_execcve@mitre.org
N/A
https://www.exploit-db.com/exploits/37426/cve@mitre.org
Exploit
https://www.exploit-db.com/exploits/37428/cve@mitre.org
Exploit
https://www.exploit-db.com/exploits/38096/cve@mitre.org
Exploit
http://packetstormsecurity.com/files/133469/Endian-Firewall-Proxy-Password-Change-Command-Injection.htmlaf854a3a-2127-422b-91ae-364da2661108
Exploit
http://www.rapid7.com/db/modules/exploit/linux/http/efw_chpasswd_execaf854a3a-2127-422b-91ae-364da2661108
N/A
https://www.exploit-db.com/exploits/37426/af854a3a-2127-422b-91ae-364da2661108
Exploit
https://www.exploit-db.com/exploits/37428/af854a3a-2127-422b-91ae-364da2661108
Exploit
https://www.exploit-db.com/exploits/38096/af854a3a-2127-422b-91ae-364da2661108
Exploit
Hyperlink: http://packetstormsecurity.com/files/133469/Endian-Firewall-Proxy-Password-Change-Command-Injection.html
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: http://www.rapid7.com/db/modules/exploit/linux/http/efw_chpasswd_exec
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://www.exploit-db.com/exploits/37426/
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: https://www.exploit-db.com/exploits/37428/
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: https://www.exploit-db.com/exploits/38096/
Source: cve@mitre.org
Resource:
Exploit
Hyperlink: http://packetstormsecurity.com/files/133469/Endian-Firewall-Proxy-Password-Change-Command-Injection.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Hyperlink: http://www.rapid7.com/db/modules/exploit/linux/http/efw_chpasswd_exec
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://www.exploit-db.com/exploits/37426/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Hyperlink: https://www.exploit-db.com/exploits/37428/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Hyperlink: https://www.exploit-db.com/exploits/38096/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit

Change History

0
Information is not available yet

Similar CVEs

128Records found

CVE-2020-8298
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-4.17% / 88.24%
||
7 Day CHG~0.00%
Published-04 Mar, 2021 | 19:09
Updated-04 Aug, 2024 | 09:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

fs-path node module before 0.0.25 is vulnerable to command injection by way of user-supplied inputs via the `copy`, `copySync`, `remove`, and `removeSync` methods.

Action-Not Available
Vendor-fs-path_projectn/a
Product-fs-pathfs-path
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2017-7977
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.47% / 80.16%
||
7 Day CHG~0.00%
Published-19 Jul, 2017 | 18:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Screensavercc component in eLux RP before 5.5.0 allows attackers to bypass intended configuration restrictions and execute arbitrary commands with root privileges by inserting commands in a local configuration dialog in the control panel.

Action-Not Available
Vendor-unicon-softwaren/a
Product-eluxn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2017-7722
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||CRITICAL
EPSS-51.51% / 97.80%
||
7 Day CHG+1.63%
Published-12 Apr, 2017 | 16:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4, a menu system is encountered when the SSH service is accessed with "cmc" and "password" (the default username and password). By exploiting a vulnerability in the restrictssh feature of the menuing script, an attacker can escape from the restricted shell.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-log_\&_event_managern/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2016-2002
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.45% / 92.50%
||
7 Day CHG~0.00%
Published-20 Apr, 2016 | 17:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The validateAdminConfig handler in the Analytics Management Console in HPE Vertica 7.0.x before 7.0.2.12, 7.1.x before 7.1.2-12, and 7.2.x before 7.2.2-1 allows remote attackers to execute arbitrary commands via the mcPort parameter, aka ZDI-CAN-3417.

Action-Not Available
Vendor-n/aHP Inc.
Product-vertican/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2016-1555
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-9.8||CRITICAL
EPSS-94.12% / 99.90%
||
7 Day CHG~0.00%
Published-21 Apr, 2017 | 15:00
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-04-15||Apply updates per vendor instructions.

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute arbitrary commands.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-wndap360_firmwarewndap350_firmwarewnap320wndap350wn604_firmwarewn802tv2_firmwarewndap210v2wn802tv2wndap660_firmwarewn604wndap210v2_firmwarewnap320_firmwarewndap360wndap660n/aWireless Access Point (WAP) Devices
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2016-10108
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-91.16% / 99.63%
||
7 Day CHG~0.00%
Published-03 Jan, 2017 | 00:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data.

Action-Not Available
Vendor-n/aWestern Digital Corp.
Product-mycloud_nasn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2016-10760
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.63% / 90.81%
||
7 Day CHG~0.00%
Published-11 Jun, 2019 | 20:46
Updated-06 Aug, 2024 | 03:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On Seowon Intech routers, there is a Command Injection vulnerability in diagnostic.cgi via shell metacharacters in the ping_ipaddr parameter.

Action-Not Available
Vendor-seowonintechn/a
Product-swr-300a_firmwareswr-300bgswr-300bswr-300bg_firmwareswr-300c_firmwareswr-300cswr-300b_firmwareswr-300an/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2016-10312
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.58% / 89.94%
||
7 Day CHG~0.00%
Published-03 Apr, 2017 | 05:44
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to execute arbitrary commands via shell metacharacters to certain /goform/* pages.

Action-Not Available
Vendor-jensenofscandinavian/a
Product-al5000ac_firmwareal59300_firmwareal5000acal3g_firmwareal3gal59300n/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-26275
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.59% / 89.95%
||
7 Day CHG~0.00%
Published-18 Mar, 2021 | 23:34
Updated-03 Aug, 2024 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The eslint-fixer package through 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The ozum/eslint-fixer GitHub repository has been intentionally deleted

Action-Not Available
Vendor-eslint-fixer_projectn/a
Product-eslint-fixern/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2016-10107
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.34% / 88.49%
||
7 Day CHG~0.00%
Published-03 Jan, 2017 | 06:34
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 index.php page via a modified Cookie header.

Action-Not Available
Vendor-n/aWestern Digital Corp.
Product-mycloud_nasn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2019-11535
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.36% / 86.86%
||
7 Day CHG~0.00%
Published-17 Jul, 2019 | 19:35
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unsanitized user input in the web interface for Linksys WiFi extender products (RE6400 and RE6300 through 1.2.04.022) allows for remote command execution. An attacker can access system OS configurations and commands that are not intended for use beyond the web UI.

Action-Not Available
Vendor-n/aLinksys Holdings, Inc.
Product-re6400re6300_firmwarere6300re6400_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-3779
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-8.91% / 92.23%
||
7 Day CHG~0.00%
Published-10 Aug, 2018 | 21:00
Updated-05 Aug, 2024 | 04:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system.

Action-Not Available
Vendor-activesupport_projectHackerOne
Product-activesupportactive-support ruby gem
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2015-8969
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-2.49% / 84.71%
||
7 Day CHG~0.00%
Published-03 Nov, 2016 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

git-fastclone before 1.0.5 passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to "cd " and "git clone " commands in the library.

Action-Not Available
Vendor-squareupn/a
Product-git-fastclonegit-fastclone ruby gem All versions before 1.0.5
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2015-9059
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-16.71% / 94.67%
||
7 Day CHG~0.00%
Published-28 May, 2017 | 00:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

picocom before 2.0 has a command injection vulnerability in the 'send and receive file' command because the command line is executed by /bin/sh unsafely.

Action-Not Available
Vendor-picocom_projectn/a
Product-picocomn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2015-7541
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-10||CRITICAL
EPSS-1.30% / 78.91%
||
7 Day CHG~0.00%
Published-08 Jan, 2016 | 21:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metacharacters in the (1) image_path, (2) colors, or (3) depth variable.

Action-Not Available
Vendor-colorscore_projectn/a
Product-colorscoren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-3786
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-10.47% / 92.95%
||
7 Day CHG~0.00%
Published-24 Aug, 2018 | 20:00
Updated-16 Sep, 2024 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument.

Action-Not Available
Vendor-eggjsEgg
Product-egg-scriptsegg-scripts
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-9684
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-13.52% / 93.96%
||
7 Day CHG~0.00%
Published-22 Feb, 2017 | 05:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. This vulnerability occurs in the 'viewcert' CGI (/cgi-bin/viewcert) component responsible for processing SSL certificate information. The CGI application doesn't properly escape the information it's passed in the 'CERT' variable before a call to system() is performed - allowing for remote command injection. Exploitation of this vulnerability yields shell access to the remote machine under the nobody user account.

Action-Not Available
Vendor-n/aDell Inc.
Product-sonicwall_secure_remote_access_servern/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2019-10095
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-9.8||CRITICAL
EPSS-4.04% / 88.04%
||
7 Day CHG~0.00%
Published-02 Sep, 2021 | 00:00
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
bash command injection in spark interpreter

bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.

Action-Not Available
Vendor-The Apache Software Foundation
Product-zeppelinApache Zeppelin
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2008-7319
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.13% / 88.19%
||
7 Day CHG~0.00%
Published-07 Nov, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Net::Ping::External extension through 0.15 for Perl does not properly sanitize arguments (e.g., invalid hostnames) containing shell metacharacters before use of backticks in External.pm, allowing for shell command injection and arbitrary command execution if untrusted input is used.

Action-Not Available
Vendor-net-ping-external_projectn/a
Product-net-ping-externaln/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-5439
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-1.32% / 79.04%
||
7 Day CHG~0.00%
Published-19 Feb, 2018 | 18:00
Updated-05 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Command Injection issue was discovered in Nortek Linear eMerge E3 series Versions V0.32-07e and prior. A remote attacker may be able to execute arbitrary code on a target machine with elevated privileges.

Action-Not Available
Vendor-nortekcontroln/a
Product-emerge_e3_firmwareemerge_e3Nortek Linear eMerge E3 Series
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-3746
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-3.25% / 86.63%
||
7 Day CHG~0.00%
Published-01 Jun, 2018 | 17:00
Updated-05 Aug, 2024 | 04:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine.

Action-Not Available
Vendor-pdfinfojs_projectHackerOne
Product-pdfinfojspdfinfojs
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2015-2051
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-90.73% / 99.60%
||
7 Day CHG~0.00%
Published-23 Feb, 2015 | 17:00
Updated-30 Jul, 2025 | 01:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-08-10||The impacted product is end-of-life and should be disconnected if still in use.

The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-645dir-645_firmwaren/adir-645_firmwaredir-645DIR-645 Router
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2015-1815
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-10||HIGH
EPSS-36.47% / 97.00%
||
7 Day CHG~0.00%
Published-30 Mar, 2015 | 14:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The get_rpm_nvr_by_file_path_temporary function in util.py in setroubleshoot before 3.2.22 allows remote attackers to execute arbitrary commands via shell metacharacters in a file name.

Action-Not Available
Vendor-selinuxn/aFedora Project
Product-setroubleshootfedoran/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2015-1938
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-10||HIGH
EPSS-14.34% / 94.15%
||
7 Day CHG~0.00%
Published-30 Jun, 2015 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to execute arbitrary commands via unspecified vectors, a different vulnerability than CVE-2015-1986.

Action-Not Available
Vendor-n/aIBM Corporation
Product-tivoli_storage_manager_fastbackn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2014-8888
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.47% / 92.00%
||
7 Day CHG~0.00%
Published-12 Apr, 2018 | 21:00
Updated-06 Aug, 2024 | 13:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The remote administration interface in D-Link DIR-815 devices with firmware before 2.03.B02 allows remote attackers to execute arbitrary commands via vectors related to an "HTTP command injection issue."

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-815_firmwaredir-815n/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2014-9682
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||HIGH
EPSS-1.04% / 76.52%
||
7 Day CHG~0.00%
Published-28 Feb, 2015 | 01:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

Action-Not Available
Vendor-dns-sync_projectn/a
Product-dns-syncn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2014-9188
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-10||HIGH
EPSS-9.12% / 92.34%
||
7 Day CHG~0.00%
Published-27 Dec, 2014 | 15:00
Updated-24 Jul, 2025 | 22:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Schneider Electric ProClima Command Injection

Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-8514. NOTE: this may be clarified later based on details provided by researchers.

Action-Not Available
Vendor-schneider_electricSchneider Electric SE
Product-proclimaProClima
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2021-33963
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.83% / 82.16%
||
7 Day CHG~0.00%
Published-15 Jan, 2022 | 09:16
Updated-04 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

China Mobile An Lianbao WF-1 v1.0.1 router web interface through /api/ZRMacClone/mac_addr_clone receives parameters by POST request, and the parameter macType has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands.

Action-Not Available
Vendor-chinamobilen/a
Product-an_lianbao_wf-1an_lianbao_wf-1_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found