Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2020-27227

Summary
Assigner-talos
Assigner Org ID-b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b
Published At-13 Apr, 2021 | 14:12
Updated At-04 Aug, 2024 | 16:11
Rejected At-
Credits

An exploitable unatuhenticated command injection exists in the OpenClinic GA 5.173.3. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request with parameters containing specific parameter to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and compromise underlying operating system.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:talos
Assigner Org ID:b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b
Published At:13 Apr, 2021 | 14:12
Updated At:04 Aug, 2024 | 16:11
Rejected At:
▼CVE Numbering Authority (CNA)

An exploitable unatuhenticated command injection exists in the OpenClinic GA 5.173.3. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request with parameters containing specific parameter to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and compromise underlying operating system.

Affected Products
Vendor
n/a
Product
OpenClinic
Versions
Affected
  • OpenClinic GA 5.173.3
Problem Types
TypeCWE IDDescription
CWECWE-77CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Type: CWE
CWE ID: CWE-77
Description: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Metrics
VersionBase scoreBase severityVector
3.010.0CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Version: 3.0
Base score: 10.0
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1203
x_refsource_MISC
Hyperlink: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1203
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1203
x_refsource_MISC
x_transferred
Hyperlink: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1203
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:talos-cna@cisco.com
Published At:13 Apr, 2021 | 15:15
Updated At:29 Jul, 2022 | 13:01

An exploitable unatuhenticated command injection exists in the OpenClinic GA 5.173.3. Specially crafted web requests can cause commands to be executed on the server. An attacker can send a web request with parameters containing specific parameter to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and compromise underlying operating system.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.010.0CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary2.010.0HIGH
AV:N/AC:L/Au:N/C:C/I:C/A:C
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.0
Base score: 10.0
Base severity: CRITICAL
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 10.0
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
CPE Matches
openclinic_ga_project
openclinic_ga_project
>>openclinic_ga>>5.173.3
cpe:2.3:a:openclinic_ga_project:openclinic_ga:5.173.3:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-78Primarynvd@nist.gov
CWE-77Secondarytalos-cna@cisco.com
CWE ID: CWE-78
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-77
Type: Secondary
Source: talos-cna@cisco.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1203talos-cna@cisco.com
Exploit
Third Party Advisory
Hyperlink: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1203
Source: talos-cna@cisco.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

2172Records found
CVE-2024-39228
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.44% / 62.07%
||
7 Day CHG~0.00%
Published-06 Aug, 2024 | 00:00
Updated-15 Aug, 2024 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a shell injection vulnerability via the interface check_ovpn_client_config and check_config.

Action-Not Available
Vendor-gl-inetn/agl-inet
Product-mt3000usb150sft1200xe3000_firmwarear300mar300m16_firmwareb2200xe300x750mt1300e750_firmwaresft1200_firmwaremt300n-v2_firmwarea1300ar300m_firmwaree750b1300_firmwares1300x3000mt3000_firmwarear750sx300b_firmwaren300_firmwarear750xe300_firmwareax1800_firmwares1300_firmwarear300m16n300mv1000_firmwaremt2500_firmwareap1300ar750s_firmwareb2200_firmwarex300bmt1300_firmwaremt2500ax1800a1300_firmwaresf1200_firmwaremv1000w_firmwareap1300_firmwaremt6000_firmwaremv1000mt6000b1300mv1000waxt1800_firmwareusb150_firmwaremt300n-v2xe3000sf1200x3000_firmwarex750_firmwareaxt1800ar750_firmwaren/amv1000_firmwaremt2500_firmwarear750s_firmwareb2200_firmwarear300m16_firmwaregl-mt6000_firmwaremt1300_firmwarea1300_firmwaree750_firmwaresf1200_firmwaresft1200_firmwaremv1000w_firmwaremt300n-v2_firmwareap1300_firmwarex750_firmwarear300m_firmwareb1300_firmwareusb150_firmwaremt3000_firmwarex300b_firmwarexe300_firmwaren300_firmwarex3000_firmwares1300_firmwareax1800_firmwarear750_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-27231
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.19% / 86.49%
||
7 Day CHG~0.00%
Published-28 Mar, 2023 | 00:00
Updated-18 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the downBw parameter at /setting/setWanIeCfg.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-26921
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.81% / 82.09%
||
7 Day CHG~0.00%
Published-04 Apr, 2023 | 00:00
Updated-13 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS Command Injection vulnerability in quectel AG550QCN allows attackers to execute arbitrary commands via ql_atfwd.

Action-Not Available
Vendor-quecteln/a
Product-ag550qcn_firmwareag550qcnn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-27886
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.23% / 45.31%
||
7 Day CHG~0.00%
Published-28 Mar, 2023 | 20:04
Updated-16 Jan, 2025 | 21:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2023-27886

Osprey Pump Controller version 1.01 is vulnerable to an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through a HTTP POST parameter called by index.php script.

Action-Not Available
Vendor-propumpserviceProPump and Controls, Inc.
Product-osprey_pump_controller_firmwareosprey_pump_controllerOsprey Pump Controller
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-39761
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-10||CRITICAL
EPSS-0.58% / 67.83%
||
7 Day CHG-0.78%
Published-14 Jan, 2025 | 14:21
Updated-22 Aug, 2025 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the login.cgi set_sys_init() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger these vulnerabilities.A command injection vulnerability exists within the `restart_week_value` POST parameter.

Action-Not Available
Vendor-WAVLINK Technology Ltd.
Product-wl-wn533a8wl-wn533a8_firmwareWavlink AC3000
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-34204
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.98% / 90.32%
||
7 Day CHG~0.00%
Published-09 May, 2024 | 16:33
Updated-09 Apr, 2025 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK outdoor CPE CP450 v4.1.0cu.747_B20191224 was discovered to contain a command injection vulnerability in the setUpgradeFW function via the FileName parameter.

Action-Not Available
Vendor-n/aTOTOLINK
Product-cp450cp450_firmwaren/acp450_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2010-2445
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||HIGH
EPSS-1.60% / 80.97%
||
7 Day CHG~0.00%
Published-07 Jul, 2010 | 18:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

freeciv 2.2 before 2.2.1 and 2.3 before 2.3.0 allows attackers to read arbitrary files or execute arbitrary commands via a scenario that contains Lua functionality, related to the (1) os, (2) io, (3) package, (4) dofile, (5) loadfile, (6) loadlib, (7) module, and (8) require modules or functions.

Action-Not Available
Vendor-freecivn/a
Product-freecivn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-3483
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-7.8||HIGH
EPSS-0.12% / 32.48%
||
7 Day CHG~0.00%
Published-15 May, 2024 | 16:44
Updated-21 Jan, 2025 | 17:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution vulnerability in the iManager

Remote Code Execution has been discovered in OpenText™ iManager 3.2.6.0200. The vulnerability can trigger command injection and insecure deserialization issues.

Action-Not Available
Vendor-Open Text CorporationMicro Focus International Limited
Product-imanageriManagerimanager
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-27394
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-4.37% / 88.52%
||
7 Day CHG~0.00%
Published-28 Mar, 2023 | 20:05
Updated-16 Jan, 2025 | 21:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2023-27394

Osprey Pump Controller version 1.01 is vulnerable an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through a HTTP GET parameter called by DataLogView.php, EventsView.php and AlarmsView.php scripts.

Action-Not Available
Vendor-propumpserviceProPump and Controls, Inc.
Product-osprey_pump_controller_firmwareosprey_pump_controllerOsprey Pump Controller
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-40110
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-26.79% / 96.17%
||
7 Day CHG~0.00%
Published-12 Jul, 2024 | 00:00
Updated-23 Apr, 2025 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sourcecodester Poultry Farm Management System v1.0 contains an Unauthenticated Remote Code Execution (RCE) vulnerability via the productimage parameter at /farm/product.php.

Action-Not Available
Vendor-nikhil-bhaleraon/apoultry_farm_management_system_project
Product-poultry_farm_management_systemn/apoultry_farm_management_system
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-2682
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.18% / 39.92%
||
7 Day CHG~0.00%
Published-12 May, 2023 | 12:31
Updated-24 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Caton Live Mini_HTTPD ping.cgi command injection

A vulnerability was found in Caton Live up to 2023-04-26 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/ping.cgi of the component Mini_HTTPD. The manipulation of the argument address with the input ;id;uname${IFS}-a leads to command injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-228911. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-catontechnologyCaton
Product-caton_liveLive
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-27848
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.55% / 88.75%
||
7 Day CHG~0.00%
Published-24 Apr, 2023 | 00:00
Updated-05 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

Action-Not Available
Vendor-broccoli-compass_projectn/a
Product-broccoli-compassn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-26155
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-7.3||HIGH
EPSS-0.15% / 36.87%
||
7 Day CHG~0.00%
Published-14 Oct, 2023 | 05:00
Updated-17 Sep, 2024 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the input pdf file path.

Action-Not Available
Vendor-nrhiranin/a
Product-node-qpdfnode-qpdf
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-39685
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.22% / 44.63%
||
7 Day CHG-0.13%
Published-22 Jul, 2024 | 15:13
Updated-11 Sep, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
fishaudio/Bert-VITS2 Command Injection in webui_preprocess.py resample function

Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) in the resample function, which leads to arbitrary command execution. This affects fishaudio/Bert-VITS2 2.3 and earlier.

Action-Not Available
Vendor-fish.audioFishAudiofishaudio
Product-bert-vits2Bert-VITS2bert-vits2
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-22795
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-9.1||CRITICAL
EPSS-3.19% / 86.47%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 16:25
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when performed over the network. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)

Action-Not Available
Vendor-
Product-struxureware_data_center_expertStruxureWare Data Center Expert
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-25826
Matching Score-4
Assigner-Black Duck Software, Inc.
ShareView Details
Matching Score-4
Assigner-Black Duck Software, Inc.
CVSS Score-9.8||CRITICAL
EPSS-84.36% / 99.27%
||
7 Day CHG~0.00%
Published-03 May, 2023 | 18:33
Updated-13 Feb, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution in OpenTSDB

Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.

Action-Not Available
Vendor-opentsdbOpenTSDB
Product-opentsdbOpenTSDB
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-17456
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-89.99% / 99.56%
||
7 Day CHG-0.72%
Published-19 Aug, 2020 | 18:20
Updated-04 Aug, 2024 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page.

Action-Not Available
Vendor-seowonintechn/a
Product-slr-120d42gslr-120t42gslr-120s42g_firmwareslr-120s_firmwareslr-120s42gslc-130slr-120t42g_firmwareslr-120sslr-120d42g_firmwareslc-130_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-26317
Matching Score-4
Assigner-Xiaomi Technology Co., Ltd.
ShareView Details
Matching Score-4
Assigner-Xiaomi Technology Co., Ltd.
CVSS Score-7||HIGH
EPSS-0.48% / 64.34%
||
7 Day CHG~0.00%
Published-02 Aug, 2023 | 00:00
Updated-16 Oct, 2024 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Xiaomi router external request interface has command injection

Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing.

Action-Not Available
Vendor-Xiaomi
Product-xiaomi_router_firmwareXiaomi router
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-25539
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-8.4||HIGH
EPSS-1.12% / 77.36%
||
7 Day CHG~0.00%
Published-31 May, 2023 | 04:50
Updated-09 Jan, 2025 | 20:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell NetWorker 19.6.1.2, contains an OS command injection Vulnerability in the NetWorker client. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. This is a high severity vulnerability as the exploitation allows an attacker to take complete control of a system, so Dell recommends customers to upgrade at the earliest opportunity.

Action-Not Available
Vendor-Dell Inc.Linux Kernel Organization, Inc
Product-networkerlinux_kernelNetWorker NVE
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-26310
Matching Score-4
Assigner-OPPO Mobile Telecommunication Corp., Ltd.
ShareView Details
Matching Score-4
Assigner-OPPO Mobile Telecommunication Corp., Ltd.
CVSS Score-7.4||HIGH
EPSS-0.51% / 65.43%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 06:13
Updated-09 Oct, 2024 | 10:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection In OPPO Service

There is a command injection problem in the old version of the mobile phone backup app.

Action-Not Available
Vendor-oppoOPPO
Product-colorosfind_x3OPPO Find X3
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-2143
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-58.60% / 98.13%
||
7 Day CHG~0.00%
Published-22 Jul, 2022 | 14:59
Updated-16 Apr, 2025 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech iView

The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-iviewiView
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2020-23151
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-28.45% / 96.34%
||
7 Day CHG~0.00%
Published-09 Aug, 2021 | 22:54
Updated-04 Aug, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rConfig 3.9.5 allows command injection by sending a crafted GET request to lib/ajaxHandlers/ajaxArchiveFiles.php since the path parameter is passed directly to the exec function without being escaped.

Action-Not Available
Vendor-rconfign/a
Product-rconfign/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-21941
Matching Score-4
Assigner-Johnson Controls
ShareView Details
Matching Score-4
Assigner-Johnson Controls
CVSS Score-10||CRITICAL
EPSS-2.75% / 85.42%
||
7 Day CHG~0.00%
Published-31 Aug, 2022 | 15:59
Updated-17 Sep, 2024 | 01:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
iSTAR Ultra

All versions of iSTAR Ultra prior to version 6.8.9.CU01 are vulnerable to a command injection that could allow an unauthenticated user root access to the system.

Action-Not Available
Vendor-johnsoncontrolsJohnson Controls
Product-istar_ultra_firmwareistar_ultraiSTAR Ultra
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-26153
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-8.3||HIGH
EPSS-0.27% / 49.73%
||
7 Day CHG~0.00%
Published-06 Oct, 2023 | 05:00
Updated-19 Sep, 2024 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie. This issue can be exploited remotely via a malicious cookie value. **Note:** An attacker can use this vulnerability to execute commands on the host system.

Action-Not Available
Vendor-geokitn/a
Product-geokit-railsgeokit-rails
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-24032
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-16.75% / 94.68%
||
7 Day CHG~0.00%
Published-18 Aug, 2020 | 20:15
Updated-04 Aug, 2024 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

tz.pl on XoruX LPAR2RRD and STOR2RRD 2.70 virtual appliances allows cmd=set&tz=OS command injection via shell metacharacters in a timezone.

Action-Not Available
Vendor-xoruxn/a
Product-lpar2rrdstor2rrdn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-37782
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.27% / 49.72%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 00:00
Updated-27 Nov, 2024 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An LDAP injection vulnerability in the login page of Gladinet CentreStack v13.12.9934.54690 allows attackers to access sensitive data or execute arbitrary commands via a crafted payload injected into the username field.

Action-Not Available
Vendor-n/agladinet
Product-n/acentrestack
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-33792
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.68% / 70.63%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 00:00
Updated-17 Jun, 2025 | 15:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

netis-systems MEX605 v2.00.06 allows attackers to execute arbitrary OS commands via a crafted payload to the tracert page.

Action-Not Available
Vendor-n/aNetis Systems Co., Ltd.
Product-mex605mex605_firmwaren/amex605
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-26295
Matching Score-4
Assigner-HP Inc.
ShareView Details
Matching Score-4
Assigner-HP Inc.
CVSS Score-9.8||CRITICAL
EPSS-2.38% / 84.38%
||
7 Day CHG~0.00%
Published-12 Jun, 2023 | 21:18
Updated-06 Jan, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Previous versions of HP Device Manager (prior to HPDM 5.0.10) could potentially allow command injection and/or elevation of privileges.

Action-Not Available
Vendor-HP Inc.
Product-hp_device_managerHP Device Manager
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-25805
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.81% / 73.20%
||
7 Day CHG~0.00%
Published-20 Feb, 2023 | 15:45
Updated-10 Mar, 2025 | 21:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
versionn Command Injection Vulnerability

versionn, software for changing version information across multiple files, has a command injection vulnerability in all versions prior to version 1.1.0. This issue is patched in version 1.1.0.

Action-Not Available
Vendor-versionn_projectcommenthol
Product-versionnversionn
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2010-0418
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-10||HIGH
EPSS-2.85% / 85.69%
||
7 Day CHG~0.00%
Published-09 Mar, 2010 | 19:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The web interface in chumby one before 1.0.4 and chumby classic before 1.7.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a request.

Action-Not Available
Vendor-chumbyn/a
Product-chumby_onechumby_classicn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-33789
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-7.47% / 91.39%
||
7 Day CHG~0.00%
Published-03 May, 2024 | 00:00
Updated-10 Jun, 2025 | 18:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability via the ipurl parameter at /API/info form endpoint.

Action-Not Available
Vendor-n/aLinksys Holdings, Inc.
Product-e5600_firmwaree5600n/ae5600_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-26134
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-9.8||CRITICAL
EPSS-0.22% / 44.70%
||
7 Day CHG~0.00%
Published-28 Jun, 2023 | 05:00
Updated-27 Nov, 2024 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo () fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they control the hash content.

Action-Not Available
Vendor-git-commit-info_projectn/a
Product-git-commit-infogit-commit-info
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-25699
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9||CRITICAL
EPSS-1.44% / 79.90%
||
7 Day CHG+0.38%
Published-03 Apr, 2024 | 12:22
Updated-15 Apr, 2025 | 21:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress VideoWhisper Live Streaming Integration plugin <= 5.5.15 - Remote Code Execution (RCE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in VideoWhisper.Com VideoWhisper Live Streaming Integration allows OS Command Injection.This issue affects VideoWhisper Live Streaming Integration: from n/a through 5.5.15.

Action-Not Available
Vendor-videowhisperVideoWhisper.comvideowhisper
Product-videowhisper_live_streaming_integrationVideoWhisper Live Streaming Integrationlive_streaming_integration_plugin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-25395
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.58% / 80.84%
||
7 Day CHG~0.00%
Published-08 Mar, 2023 | 00:00
Updated-02 Aug, 2024 | 11:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOlink A7100RU V7.4cu.2313_B20191024 router was discovered to contain a command injection vulnerability via the ou parameter at /setting/delStaticDhcpRules.

Action-Not Available
Vendor-n/aTOTOLINK
Product-a7100rua7100ru_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-24151
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.77% / 81.91%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the ip parameter in the function recvSlaveCloudCheckStatus of TOTOLINK T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.

Action-Not Available
Vendor-n/aTOTOLINK
Product-t8_firmwaret8n/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2009-5156
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.88% / 91.00%
||
7 Day CHG~0.00%
Published-11 Jun, 2019 | 20:46
Updated-07 Aug, 2024 | 07:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on ASMAX AR-804gu 66.34.1 devices. There is Command Injection via the cgi-bin/script query string.

Action-Not Available
Vendor-veracompn/a
Product-asmax_ar-804gu_firmwareasmax_ar-804gun/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-24143
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.45% / 80.02%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagTracertHop parameter in the setNetworkDiag function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-ca300-poe_firmwareca300-poen/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-24152
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.77% / 81.91%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability in the serverIp parameter in the function meshSlaveUpdate of TOTOLINK T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.

Action-Not Available
Vendor-n/aTOTOLINK
Product-t8_firmwaret8n/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-22140
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-9.6||CRITICAL
EPSS-4.94% / 89.23%
||
7 Day CHG~0.00%
Published-05 Aug, 2022 | 21:11
Updated-15 Apr, 2025 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An os command injection vulnerability exists in the confsrv ucloud_add_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability.

Action-Not Available
Vendor-TCL
Product-linkhub_mesh_wifi_ac1200LinkHub Mesh Wifi
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-24144
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.45% / 80.02%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the hour parameter in the setRebootScheCfg function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-ca300-poe_firmwareca300-poen/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-24540
Matching Score-4
Assigner-Go Project
ShareView Details
Matching Score-4
Assigner-Go Project
CVSS Score-9.8||CRITICAL
EPSS-0.24% / 47.46%
||
7 Day CHG~0.00%
Published-11 May, 2023 | 15:29
Updated-24 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper handling of JavaScript whitespace in html/template

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

Action-Not Available
Vendor-Go standard libraryGo
Product-gohtml/template
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-24612
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 63.95%
||
7 Day CHG~0.00%
Published-30 Jan, 2023 | 00:00
Updated-28 Mar, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The PdfBook extension through 2.0.5 before b07b6a64 for MediaWiki allows command injection via an option.

Action-Not Available
Vendor-pdfbook_projectn/a
Product-pdfbookn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-24467
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-8.8||HIGH
EPSS-0.95% / 75.45%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 15:34
Updated-10 Apr, 2025 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Possible Command Injection in OpenText iManager

Possible Command Injection in iManager GET parameter has been discovered in OpenText™ iManager 3.2.6.0000.

Action-Not Available
Vendor-Open Text CorporationMicro Focus International Limited
Product-imanageriManagerimanager
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-3871
Matching Score-4
Assigner-ONEKEY GmbH
ShareView Details
Matching Score-4
Assigner-ONEKEY GmbH
CVSS Score-9.8||CRITICAL
EPSS-1.72% / 81.64%
||
7 Day CHG~0.00%
Published-16 Apr, 2024 | 08:12
Updated-01 Aug, 2024 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Remote Command Injection in Delta Electronics DVW

The Delta Electronics DVW-W02W2-E2 devices expose a web administration interface to users. This interface implements multiple features that are affected by command injections and stack overflows vulnerabilities. Successful exploitation of these flaws would allow remote unauthenticated attackers to gain remote code execution with elevated privileges on the affected devices. This issue affects DVW-W02W2-E2 through version 2.5.2.

Action-Not Available
Vendor-Delta Electronics, Inc.
Product-DVW-W02W2-E2dvw-w02w2-e2_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2023-24140
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.45% / 80.02%
||
7 Day CHG~0.00%
Published-03 Feb, 2023 | 00:00
Updated-26 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingNum parameter in the setNetworkDiag function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-ca300-poe_firmwareca300-poen/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-24159
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.45% / 80.02%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 00:00
Updated-20 Mar, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the admpass parameter in the setPasswordCfg function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-ca300-poe_firmwareca300-poen/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-25279
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-72.10% / 98.69%
||
7 Day CHG~0.00%
Published-13 Mar, 2023 | 00:00
Updated-03 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-820l_firmwaredir-820ln/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-19527
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.39% / 59.52%
||
7 Day CHG~0.00%
Published-10 Dec, 2020 | 21:06
Updated-04 Aug, 2024 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

iCMS 7.0.14 attackers to execute arbitrary OS commands via shell metacharacters in the DB_NAME parameter to install/install.php.

Action-Not Available
Vendor-idreamsoftn/a
Product-icmsn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-24161
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.45% / 80.02%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 00:00
Updated-20 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the webWlanIdx parameter in the setWebWlanIdx function.

Action-Not Available
Vendor-n/aTOTOLINK
Product-ca300-poe_firmwareca300-poen/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-25280
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-93.59% / 99.83%
||
7 Day CHG~0.00%
Published-16 Mar, 2023 | 00:00
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-10-21||The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.

OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir820la1dir820la1_firmwaren/adir820la1_firmwareDIR-820 Router
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 43
  • 44
  • Next
Details not found