Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-14100

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-02 Sep, 2017 | 16:00
Updated At-05 Aug, 2024 | 19:20
Rejected At-
Credits

In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:02 Sep, 2017 | 16:00
Updated At:05 Aug, 2024 | 19:20
Rejected At:
▼CVE Numbering Authority (CNA)

In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://issues.asterisk.org/jira/browse/ASTERISK-27103
x_refsource_CONFIRM
http://www.securitytracker.com/id/1039252
vdb-entry
x_refsource_SECTRACK
https://bugs.debian.org/873908
x_refsource_CONFIRM
https://security.gentoo.org/glsa/201710-29
vendor-advisory
x_refsource_GENTOO
http://www.debian.org/security/2017/dsa-3964
vendor-advisory
x_refsource_DEBIAN
http://downloads.asterisk.org/pub/security/AST-2017-006.html
x_refsource_CONFIRM
Hyperlink: https://issues.asterisk.org/jira/browse/ASTERISK-27103
Resource:
x_refsource_CONFIRM
Hyperlink: http://www.securitytracker.com/id/1039252
Resource:
vdb-entry
x_refsource_SECTRACK
Hyperlink: https://bugs.debian.org/873908
Resource:
x_refsource_CONFIRM
Hyperlink: https://security.gentoo.org/glsa/201710-29
Resource:
vendor-advisory
x_refsource_GENTOO
Hyperlink: http://www.debian.org/security/2017/dsa-3964
Resource:
vendor-advisory
x_refsource_DEBIAN
Hyperlink: http://downloads.asterisk.org/pub/security/AST-2017-006.html
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://issues.asterisk.org/jira/browse/ASTERISK-27103
x_refsource_CONFIRM
x_transferred
http://www.securitytracker.com/id/1039252
vdb-entry
x_refsource_SECTRACK
x_transferred
https://bugs.debian.org/873908
x_refsource_CONFIRM
x_transferred
https://security.gentoo.org/glsa/201710-29
vendor-advisory
x_refsource_GENTOO
x_transferred
http://www.debian.org/security/2017/dsa-3964
vendor-advisory
x_refsource_DEBIAN
x_transferred
http://downloads.asterisk.org/pub/security/AST-2017-006.html
x_refsource_CONFIRM
x_transferred
Hyperlink: https://issues.asterisk.org/jira/browse/ASTERISK-27103
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: http://www.securitytracker.com/id/1039252
Resource:
vdb-entry
x_refsource_SECTRACK
x_transferred
Hyperlink: https://bugs.debian.org/873908
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://security.gentoo.org/glsa/201710-29
Resource:
vendor-advisory
x_refsource_GENTOO
x_transferred
Hyperlink: http://www.debian.org/security/2017/dsa-3964
Resource:
vendor-advisory
x_refsource_DEBIAN
x_transferred
Hyperlink: http://downloads.asterisk.org/pub/security/AST-2017-006.html
Resource:
x_refsource_CONFIRM
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:02 Sep, 2017 | 16:29
Updated At:20 Apr, 2025 | 01:37

In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.09.8CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 3.0
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches
Digium, Inc.
digium
>>asterisk>>13.0.0
cpe:2.3:a:digium:asterisk:13.0.0:*:*:*:lts:*:*:*
Digium, Inc.
digium
>>asterisk>>13.0.0
cpe:2.3:a:digium:asterisk:13.0.0:beta1:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.0.0
cpe:2.3:a:digium:asterisk:13.0.0:beta2:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.0.0
cpe:2.3:a:digium:asterisk:13.0.0:beta3:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.0.1
cpe:2.3:a:digium:asterisk:13.0.1:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.0.2
cpe:2.3:a:digium:asterisk:13.0.2:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.1.0
cpe:2.3:a:digium:asterisk:13.1.0:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.1.0
cpe:2.3:a:digium:asterisk:13.1.0:rc1:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.1.0
cpe:2.3:a:digium:asterisk:13.1.0:rc2:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.1.1
cpe:2.3:a:digium:asterisk:13.1.1:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.2.0
cpe:2.3:a:digium:asterisk:13.2.0:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.2.0
cpe:2.3:a:digium:asterisk:13.2.0:rc1:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.2.1
cpe:2.3:a:digium:asterisk:13.2.1:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.3.0
cpe:2.3:a:digium:asterisk:13.3.0:rc1:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.3.2
cpe:2.3:a:digium:asterisk:13.3.2:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.4.0
cpe:2.3:a:digium:asterisk:13.4.0:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.4.0
cpe:2.3:a:digium:asterisk:13.4.0:rc1:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.5.0
cpe:2.3:a:digium:asterisk:13.5.0:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.5.0
cpe:2.3:a:digium:asterisk:13.5.0:rc1:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.6.0
cpe:2.3:a:digium:asterisk:13.6.0:rc1:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.7.0
cpe:2.3:a:digium:asterisk:13.7.0:rc1:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.7.0
cpe:2.3:a:digium:asterisk:13.7.0:rc2:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.7.1
cpe:2.3:a:digium:asterisk:13.7.1:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.7.2
cpe:2.3:a:digium:asterisk:13.7.2:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.8.0
cpe:2.3:a:digium:asterisk:13.8.0:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.8.0
cpe:2.3:a:digium:asterisk:13.8.0:rc1:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.8.1
cpe:2.3:a:digium:asterisk:13.8.1:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.8.2
cpe:2.3:a:digium:asterisk:13.8.2:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.9.0
cpe:2.3:a:digium:asterisk:13.9.0:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.9.1
cpe:2.3:a:digium:asterisk:13.9.1:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.10.0
cpe:2.3:a:digium:asterisk:13.10.0:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.10.0
cpe:2.3:a:digium:asterisk:13.10.0:rc1:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.11.0
cpe:2.3:a:digium:asterisk:13.11.0:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.11.1
cpe:2.3:a:digium:asterisk:13.11.1:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.11.2
cpe:2.3:a:digium:asterisk:13.11.2:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.12
cpe:2.3:a:digium:asterisk:13.12:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.12.0
cpe:2.3:a:digium:asterisk:13.12.0:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.12.1
cpe:2.3:a:digium:asterisk:13.12.1:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.12.2
cpe:2.3:a:digium:asterisk:13.12.2:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.13
cpe:2.3:a:digium:asterisk:13.13:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.13.0
cpe:2.3:a:digium:asterisk:13.13.0:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.13.1
cpe:2.3:a:digium:asterisk:13.13.1:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.14.0
cpe:2.3:a:digium:asterisk:13.14.0:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.14.0
cpe:2.3:a:digium:asterisk:13.14.0:rc1:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.14.0
cpe:2.3:a:digium:asterisk:13.14.0:rc2:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.14.1
cpe:2.3:a:digium:asterisk:13.14.1:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.15.0
cpe:2.3:a:digium:asterisk:13.15.0:*:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.15.0
cpe:2.3:a:digium:asterisk:13.15.0:rc1:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.15.0
cpe:2.3:a:digium:asterisk:13.15.0:rc2:*:*:*:*:*:*
Digium, Inc.
digium
>>asterisk>>13.15.0
cpe:2.3:a:digium:asterisk:13.15.0:rc3:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-78Primarynvd@nist.gov
CWE ID: CWE-78
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://downloads.asterisk.org/pub/security/AST-2017-006.htmlcve@mitre.org
Vendor Advisory
http://www.debian.org/security/2017/dsa-3964cve@mitre.org
N/A
http://www.securitytracker.com/id/1039252cve@mitre.org
Third Party Advisory
VDB Entry
https://bugs.debian.org/873908cve@mitre.org
Issue Tracking
Patch
Third Party Advisory
https://issues.asterisk.org/jira/browse/ASTERISK-27103cve@mitre.org
Issue Tracking
Patch
Third Party Advisory
https://security.gentoo.org/glsa/201710-29cve@mitre.org
N/A
http://downloads.asterisk.org/pub/security/AST-2017-006.htmlaf854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
http://www.debian.org/security/2017/dsa-3964af854a3a-2127-422b-91ae-364da2661108
N/A
http://www.securitytracker.com/id/1039252af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
VDB Entry
https://bugs.debian.org/873908af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Patch
Third Party Advisory
https://issues.asterisk.org/jira/browse/ASTERISK-27103af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Patch
Third Party Advisory
https://security.gentoo.org/glsa/201710-29af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: http://downloads.asterisk.org/pub/security/AST-2017-006.html
Source: cve@mitre.org
Resource:
Vendor Advisory
Hyperlink: http://www.debian.org/security/2017/dsa-3964
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.securitytracker.com/id/1039252
Source: cve@mitre.org
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://bugs.debian.org/873908
Source: cve@mitre.org
Resource:
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://issues.asterisk.org/jira/browse/ASTERISK-27103
Source: cve@mitre.org
Resource:
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://security.gentoo.org/glsa/201710-29
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://downloads.asterisk.org/pub/security/AST-2017-006.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory
Hyperlink: http://www.debian.org/security/2017/dsa-3964
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.securitytracker.com/id/1039252
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
VDB Entry
Hyperlink: https://bugs.debian.org/873908
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://issues.asterisk.org/jira/browse/ASTERISK-27103
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://security.gentoo.org/glsa/201710-29
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

616Records found
CVE-2022-26990
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.87% / 92.70%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 05:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the firewall-local log function via the EmailAddress, SmtpServerName, SmtpUsername, and SmtpPassword parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-arrisn/a
Product-sbr-ac1900p_firmwaresbr-ac3200p_firmwaresbr-ac1200psbr-ac1900psbr-ac1200p_firmwaresbr-ac3200pn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26211
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-17.83% / 94.88%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function CloudACMunualUpdate, via the deviceMac and deviceName parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3000rua950rg_firmwarea950rga800r_firmwarea3100ra3000ru_firmwarea830ra800ra830r_firmwarea810ra810r_firmwarea3100r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26992
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.87% / 92.70%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 05:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the ddns function via the DdnsUserName, DdnsHostName, and DdnsPassword parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-arrisn/a
Product-sbr-ac1900p_firmwaresbr-ac3200p_firmwaresbr-ac1200psbr-ac1900psbr-ac1200p_firmwaresbr-ac3200pn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-27003
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-31.35% / 96.62%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-12 Sep, 2024 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6rd function via the relay6rd parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7000r_firmwarex5000r_firmwarex5000ra7000rn/aa7000r_firmwarex5000r_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26209
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-17.83% / 94.88%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUploadSetting, via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3000rua950rg_firmwarea950rga800r_firmwarea3100ra3000ru_firmwarea830ra800ra830r_firmwarea810ra810r_firmwarea3100r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-0545
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-3.75% / 87.57%
||
7 Day CHG~0.00%
Published-09 Apr, 2018 | 13:00
Updated-05 Aug, 2024 | 03:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LXR version 1.0.0 to 2.3.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

Action-Not Available
Vendor-lxr_projectLXR Project
Product-lxrLXR
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-0694
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-2.89% / 85.80%
||
7 Day CHG~0.00%
Published-15 Nov, 2018 | 15:00
Updated-05 Aug, 2024 | 03:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FileZen V3.0.0 to V4.2.1 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

Action-Not Available
Vendor-solitonSoliton Systems K.K.
Product-filezenFileZen
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26258
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-89.42% / 99.53%
||
7 Day CHG~0.00%
Published-27 Mar, 2022 | 00:00
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-09-29||The impacted product is end-of-life and should be disconnected if still in use.

D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-820l_firmwaredir-820ln/aDIR-820L
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7206
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-9.8||CRITICAL
EPSS-1.04% / 76.58%
||
7 Day CHG~0.00%
Published-17 Jul, 2020 | 21:16
Updated-04 Aug, 2024 | 09:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HP nagios plugin for iLO (nagios-plugins-hpilo v1.50 and earlier) has a php code injection vulnerability.

Action-Not Available
Vendor-n/aHP Inc.
Product-nagios-plugins-hpilonagios-plugins-ilo
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7794
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.57% / 67.66%
||
7 Day CHG~0.00%
Published-08 Jan, 2021 | 12:25
Updated-16 Sep, 2024 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection

This affects all versions of package buns. The injection point is located in line 678 in index file lib/index.js in the exported function install(requestedModule).

Action-Not Available
Vendor-buns_projectn/a
Product-bunsbuns
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7626
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.23% / 78.33%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 21:23
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

karma-mojo through 1.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the config argument.

Action-Not Available
Vendor-karma-mojo_projectn/a
Product-karma-mojokarma-mojo
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7633
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.23% / 78.33%
||
7 Day CHG~0.00%
Published-06 Apr, 2020 | 12:24
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

apiconnect-cli-plugins through 6.0.1 is vulnerable to Command Injection.It allows execution of arbitrary commands via the pluginUri argument.

Action-Not Available
Vendor-apiconnect-cli-plugins_projectn/a
Product-apiconnect-cli-pluginsapiconnect-cli-plugins
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7607
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.41%
||
7 Day CHG~0.00%
Published-15 Mar, 2020 | 21:40
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

gulp-styledocco through 0.0.3 allows execution of arbitrary commands. The argument 'options' of the exports function in 'index.js' can be controlled by users without any sanitization.

Action-Not Available
Vendor-gulp-styledocco_projectn/a
Product-gulp-styledoccogulp-styledocco
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26993
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.87% / 92.70%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 05:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pppoe function via the pppoeUserName, pppoePassword, and pppoe_Service parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-arrisn/a
Product-sbr-ac1900p_firmwaresbr-ac1200psbr-ac3200p_firmwaresbr-ac1900psbr-ac1200p_firmwaresbr-ac3200pn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7629
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.23% / 78.33%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 21:38
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

install-package through 0.4.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.

Action-Not Available
Vendor-install-package_projectn/a
Product-install-packageinstall-package
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7632
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.23% / 78.33%
||
7 Day CHG~0.00%
Published-06 Apr, 2020 | 12:21
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

node-mpv through 1.4.3 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.

Action-Not Available
Vendor-node-mpv_projectn/a
Product-node-mpvnode-mpv
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26210
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-10.17% / 92.83%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setUpgradeFW, via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3000rua950rg_firmwarea950rga800r_firmwarea3100ra3000ru_firmwarea830ra800ra830r_firmwarea810ra810r_firmwarea3100r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7645
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.58% / 68.06%
||
7 Day CHG~0.00%
Published-02 May, 2020 | 15:25
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems.

Action-Not Available
Vendor-n/aGoogle LLC
Product-chrome-launcherchrome-launcher
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7614
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.35% / 79.27%
||
7 Day CHG~0.00%
Published-07 Apr, 2020 | 13:21
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

npm-programmatic through 0.0.12 is vulnerable to Command Injection.The packages and option properties are concatenated together without any validation and are used by the 'exec' function directly.

Action-Not Available
Vendor-npm-programmatic_projectn/a
Product-npm-programmaticnpm-programmatic
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26214
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-27.12% / 96.20%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function NTPSyncWithHost. This vulnerability allows attackers to execute arbitrary commands via the host_time parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3000rua950rg_firmwarea950rga800r_firmwarea3100ra3000ru_firmwarea830ra800ra830r_firmwarea810ra810r_firmwarea3100r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7625
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.23% / 78.33%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 21:19
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

op-browser through 1.0.6 is vulnerable to Command Injection. It allows execution of arbitrary commands via the url function.

Action-Not Available
Vendor-op-browser_projectn/a
Product-op-browserop-browser
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26991
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.87% / 92.70%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 05:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the ntp function via the TimeZone parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-arrisn/a
Product-sbr-ac1900p_firmwaresbr-ac1200psbr-ac3200p_firmwaresbr-ac1900psbr-ac1200p_firmwaresbr-ac3200pn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-26207
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-17.83% / 94.88%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 21:56
Updated-03 Aug, 2024 | 04:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Totolink A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026 were discovered to contain a command injection vulnerability in the function setDiagnosisCfg, via the ipDoamin parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3000rua950rg_firmwarea950rga800r_firmwarea3100ra3000ru_firmwarea830ra800ra830r_firmwarea810ra810r_firmwarea3100r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7781
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.56% / 67.27%
||
7 Day CHG~0.00%
Published-16 Dec, 2020 | 18:10
Updated-16 Sep, 2024 | 20:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection

This affects the package connection-tester before 0.2.1. The injection point is located in line 15 in index.js. The following PoC demonstrates the vulnerability:

Action-Not Available
Vendor-connection-tester_projectn/a
Product-connection-testerconnection-tester
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25075
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-38.95% / 97.16%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink A3000RU V5.9c.2280_B20180512 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3000ru_firmwarea3000run/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-6948
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.28% / 86.69%
||
7 Day CHG~0.00%
Published-13 Jan, 2020 | 18:58
Updated-04 Aug, 2024 | 09:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A remote code execution issue was discovered in HashBrown CMS through 1.3.3. Server/Entity/Deployer/GitDeployer.js has a Service.AppService.exec call that mishandles the URL, repository, username, and password.

Action-Not Available
Vendor-hashbrowncmsn/a
Product-hashbrown_cmsn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7601
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.71% / 71.39%
||
7 Day CHG~0.00%
Published-15 Mar, 2020 | 21:23
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

gulp-scss-lint through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands to the "exec" function located in "src/command.js" via the provided options.

Action-Not Available
Vendor-gulp-scss-lint_projectn/a
Product-gulp-scss-lintgulp-scss-lint
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7603
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.41%
||
7 Day CHG~0.00%
Published-15 Mar, 2020 | 21:48
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization.

Action-Not Available
Vendor-closure-compiler-stream_projectn/a
Product-closure-compiler-streamclosure-compiler-stream
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7782
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.61% / 68.90%
||
7 Day CHG~0.00%
Published-08 Feb, 2021 | 18:35
Updated-16 Sep, 2024 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection

This affects all versions of package spritesheet-js. It depends on a vulnerable package platform-command. The injection point is located in line 32 in lib/generator.js, which is triggered by main entry of the package.

Action-Not Available
Vendor-spritesheet-js_projectn/a
Product-spritesheet-jsspritesheet-js
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29013
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-92.74% / 99.74%
||
7 Day CHG~0.00%
Published-08 Jun, 2022 | 23:28
Updated-03 Aug, 2024 | 06:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection in the command parameter of Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to execute arbitrary commands via a crafted POST request.

Action-Not Available
Vendor-razern/a
Product-sila_firmwaresilan/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7602
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.41%
||
7 Day CHG~0.00%
Published-15 Mar, 2020 | 21:26
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand()" is called by "getDevices()" function in file "linux/manager.js", which is required by the "index. process.env.NM_CLI" in the file "linux/manager.js". This function is used to construct the argument of function "execSync()", which can be controlled by users without any sanitization.

Action-Not Available
Vendor-node-prompt-here_projectn/a
Product-node-prompt-herenode-prompt-here
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7630
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-1.23% / 78.33%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 21:41
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

git-add-remote through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the name argument.

Action-Not Available
Vendor-git-add-remote_projectn/a
Product-git-add-remotegit-add-remote
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7640
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.65% / 69.77%
||
7 Day CHG~0.00%
Published-27 Apr, 2020 | 21:34
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

pixl-class prior to 1.0.3 allows execution of arbitrary commands. The members argument of the create function can be controlled by users without any sanitization.

Action-Not Available
Vendor-pixlcoren/a
Product-pixl-classpixl-class
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7634
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-3.26% / 86.65%
||
7 Day CHG~0.00%
Published-06 Apr, 2020 | 12:27
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

heroku-addonpool through 0.1.15 is vulnerable to Command Injection.

Action-Not Available
Vendor-heroku-addonpool_projectn/a
Product-heroku-addonpoolheroku-addonpool
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-8171
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-6.93% / 91.03%
||
7 Day CHG~0.00%
Published-26 May, 2020 | 15:40
Updated-04 Aug, 2024 | 09:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:There are certain end-points containing functionalities that are vulnerable to command injection. It is possible to craft an input string that passes the filter check but still contains commands, resulting in remote code execution.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page.

Action-Not Available
Vendor-n/aUbiquiti Inc.
Product-nsm365airospbe-m5-400nb-2g18pbe-m5-620nbe-m5-19picom2hpbm5hpnsm2pbm10locom5nbm365litestation_m5arpbe-m2-400ag-hp-5g23nb-5g22pbm365nbm3nsm5ar-hpbm5-tilocom2airgrid_m5is-m5rm2-tim2nbe-m5-16bm2-tipbe-m5-300ag-hp-2g16pbe-m5-400-isonbm9ag-hp-2g20pbm5pbe-m5-300-isom3rm5-tim365bm2hplocom9nbe-m2-13m900nsm3airgrid_m2power_ap_nairgrid_mag-hp-5g27lbem5-23m5nb-5g25AirMax AirOS for TI, XW and XM boards
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7775
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 65.50%
||
7 Day CHG~0.00%
Published-02 Feb, 2021 | 18:20
Updated-17 Sep, 2024 | 00:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection

This affects all versions of package freediskspace. The vulnerability arises out of improper neutralization of arguments in line 71 of freediskspace.js.

Action-Not Available
Vendor-freediskspace_projectn/a
Product-freediskprojectfreediskspace
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25081
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.66% / 90.02%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink T10 V5.9c.5061_B20200511 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-t10_v2t10_v2_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7785
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.61% / 68.90%
||
7 Day CHG~0.00%
Published-08 Feb, 2021 | 18:25
Updated-16 Sep, 2024 | 19:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection

This affects all versions of package node-ps. The injection point is located in line 72 in lib/index.js.

Action-Not Available
Vendor-node-ps_projectn/a
Product-node-psnode-ps
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25079
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.66% / 90.02%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink A810R V4.1.2cu.5182_B20201026 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a810r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7786
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.51% / 65.50%
||
7 Day CHG~0.00%
Published-08 Feb, 2021 | 18:40
Updated-17 Sep, 2024 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection

This affects all versions of package macfromip. The injection point is located in line 66 in macfromip.js.

Action-Not Available
Vendor-macfromip_projectn/a
Product-macfromipmacfromip
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25061
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-76.03% / 98.87%
||
7 Day CHG~0.00%
Published-25 Feb, 2022 | 19:39
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute.

Action-Not Available
Vendor-n/aTP-Link Systems Inc.
Product-tl-wr840n_firmwaretl-wr840nn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-15612
Matching Score-4
Assigner-Zero Day Initiative
ShareView Details
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-9.8||CRITICAL
EPSS-2.07% / 83.23%
||
7 Day CHG~0.00%
Published-28 Jul, 2020 | 17:01
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of CentOS Web Panel cwp-e17.0.9.8.923. Authentication is not required to exploit this vulnerability. The specific flaw exists within ajax_ftp_manager.php. When parsing the userLogin parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9737.

Action-Not Available
Vendor-control-webpanelCentOS Web Panel
Product-webpanelCentOS Web Panel
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25077
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-51.03% / 97.78%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink A3100R V4.1.2cu.5050_B20200504 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a3100ra3100r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25080
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.66% / 90.02%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink A830R V5.9c.4729_B20191112 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a830ra830r_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7730
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-8.00% / 91.75%
||
7 Day CHG~0.00%
Published-04 Sep, 2020 | 09:30
Updated-16 Sep, 2024 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection

The package bestzip before 2.1.7 are vulnerable to Command Injection via the options param.

Action-Not Available
Vendor-bestzip_projectn/a
Product-bestzipbestzip
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-29337
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-31.99% / 96.67%
||
7 Day CHG~0.00%
Published-24 May, 2022 | 21:26
Updated-03 Aug, 2024 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

C-DATA FD702XW-X-R430 v2.1.13_X001 was discovered to contain a command injection vulnerability via the va_cmd parameter in formlanipv6. This vulnerability allows attackers to execute arbitrary commands via a crafted HTTP request.

Action-Not Available
Vendor-n/aC-DATA Technologies Co., Ltd.
Product-fd702xw-x-r430fd702xw-x-r430_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7620
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-2.06% / 83.18%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 20:38
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

pomelo-monitor through 0.3.7 is vulnerable to Command Injection.It allows injection of arbitrary commands as part of 'pomelo-monitor' params.

Action-Not Available
Vendor-neteasen/a
Product-pomelo-monitorpomelo-monitor
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25076
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.66% / 90.02%
||
7 Day CHG~0.00%
Published-22 Feb, 2022 | 22:44
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLink A800R V4.1.2cu.5137_B20200730 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a800r_firmwarea800rn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-25064
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-56.25% / 98.02%
||
7 Day CHG~0.00%
Published-25 Feb, 2022 | 19:38
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr.

Action-Not Available
Vendor-n/aTP-Link Systems Inc.
Product-tl-wr840n_firmwaretl-wr840nn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-7778
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.3||HIGH
EPSS-1.10% / 77.19%
||
7 Day CHG~0.00%
Published-26 Nov, 2020 | 10:40
Updated-16 Sep, 2024 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prototype Pollution

This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.

Action-Not Available
Vendor-systeminformationn/a
Product-systeminformationsysteminformation
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 12
  • 13
  • Next
Details not found