Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-23369

Summary
Assigner-qnap
Assigner Org ID-2fd009eb-170a-4625-932b-17a53af1051f
Published At-03 Nov, 2023 | 16:34
Updated At-27 Feb, 2025 | 20:34
Rejected At-
Credits

QTS, Multimedia Console, and Media Streaming add-on

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.2 ( 2023/05/04 ) and later Multimedia Console 1.4.8 ( 2023/05/05 ) and later QTS 5.1.0.2399 build 20230515 and later QTS 4.3.6.2441 build 20230621 and later QTS 4.3.4.2451 build 20230621 and later QTS 4.3.3.2420 build 20230621 and later QTS 4.2.6 build 20230621 and later Media Streaming add-on 500.1.1.2 ( 2023/06/12 ) and later Media Streaming add-on 500.0.0.11 ( 2023/06/16 ) and later

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:qnap
Assigner Org ID:2fd009eb-170a-4625-932b-17a53af1051f
Published At:03 Nov, 2023 | 16:34
Updated At:27 Feb, 2025 | 20:34
Rejected At:
▼CVE Numbering Authority (CNA)
QTS, Multimedia Console, and Media Streaming add-on

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.2 ( 2023/05/04 ) and later Multimedia Console 1.4.8 ( 2023/05/05 ) and later QTS 5.1.0.2399 build 20230515 and later QTS 4.3.6.2441 build 20230621 and later QTS 4.3.4.2451 build 20230621 and later QTS 4.3.3.2420 build 20230621 and later QTS 4.2.6 build 20230621 and later Media Streaming add-on 500.1.1.2 ( 2023/06/12 ) and later Media Streaming add-on 500.0.0.11 ( 2023/06/16 ) and later

Affected Products
Vendor
QNAP Systems, Inc.QNAP Systems Inc.
Product
Multimedia Console
Default Status
unaffected
Versions
Affected
  • From 2.1.x before 2.1.2 ( 2023/05/04 ) (custom)
  • From 1.4.x before 1.4.8 ( 2023/05/05 ) (custom)
Vendor
QNAP Systems, Inc.QNAP Systems Inc.
Product
QTS
Default Status
unaffected
Versions
Affected
  • From 5.1.x before 5.1.0.2399 build 20230515 (custom)
  • From 4.3.6 before 4.3.6.2441 build 20230621 (custom)
  • From 4.3.4 before 4.3.4.2451 build 20230621 (custom)
  • From 4.3.3 before 4.3.3.2420 build 20230621 (custom)
  • From 4.2.x before 4.2.6 build 20230621 (custom)
Vendor
QNAP Systems, Inc.QNAP Systems Inc.
Product
Media Streaming add-on
Default Status
unaffected
Versions
Affected
  • From 500.1.x before 500.1.1.2 ( 2023/06/12 ) (custom)
  • From 500.0.x before 500.0.0.11 ( 2023/06/16 ) (custom)
Problem Types
TypeCWE IDDescription
CWECWE-77CWE-77
CWECWE-78CWE-78
Type: CWE
CWE ID: CWE-77
Description: CWE-77
Type: CWE
CWE ID: CWE-78
Description: CWE-78
Metrics
VersionBase scoreBase severityVector
3.19.0CRITICAL
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 9.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-88CAPEC-88
CAPEC ID: CAPEC-88
Description: CAPEC-88
Solutions

We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.2 ( 2023/05/04 ) and later Multimedia Console 1.4.8 ( 2023/05/05 ) and later QTS 5.1.0.2399 build 20230515 and later QTS 4.3.6.2441 build 20230621 and later QTS 4.3.4.2451 build 20230621 and later QTS 4.3.3.2420 build 20230621 and later QTS 4.2.6 build 20230621 and later Media Streaming add-on 500.1.1.2 ( 2023/06/12 ) and later Media Streaming add-on 500.0.0.11 ( 2023/06/16 ) and later

Configurations
Workarounds
Exploits
Credits
finder
Eqqie
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.qnap.com/en/security-advisory/qsa-23-35
N/A
Hyperlink: https://www.qnap.com/en/security-advisory/qsa-23-35
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.qnap.com/en/security-advisory/qsa-23-35
x_transferred
Hyperlink: https://www.qnap.com/en/security-advisory/qsa-23-35
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@qnapsecurity.com.tw
Published At:03 Nov, 2023 | 17:15
Updated At:15 Nov, 2023 | 16:29

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.2 ( 2023/05/04 ) and later Multimedia Console 1.4.8 ( 2023/05/05 ) and later QTS 5.1.0.2399 build 20230515 and later QTS 4.3.6.2441 build 20230621 and later QTS 4.3.4.2451 build 20230621 and later QTS 4.3.3.2420 build 20230621 and later QTS 4.2.6 build 20230621 and later Media Streaming add-on 500.1.1.2 ( 2023/06/12 ) and later Media Streaming add-on 500.0.0.11 ( 2023/06/16 ) and later

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.19.0CRITICAL
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CPE Matches
QNAP Systems, Inc.
qnap
>>qts>>5.1.0.2348
cpe:2.3:o:qnap:qts:5.1.0.2348:build_20230325:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.0895
cpe:2.3:o:qnap:qts:4.3.6.0895:build_20190328:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.0907
cpe:2.3:o:qnap:qts:4.3.6.0907:build_20190409:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.0923
cpe:2.3:o:qnap:qts:4.3.6.0923:build_20190425:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.0944
cpe:2.3:o:qnap:qts:4.3.6.0944:build_20190516:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.0959
cpe:2.3:o:qnap:qts:4.3.6.0959:build_20190531:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.0979
cpe:2.3:o:qnap:qts:4.3.6.0979:build_20190620:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.0993
cpe:2.3:o:qnap:qts:4.3.6.0993:build_20190704:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1013
cpe:2.3:o:qnap:qts:4.3.6.1013:build_20190724:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1033
cpe:2.3:o:qnap:qts:4.3.6.1033:build_20190813:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1070
cpe:2.3:o:qnap:qts:4.3.6.1070:build_20190919:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1154
cpe:2.3:o:qnap:qts:4.3.6.1154:build_20191212:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1218
cpe:2.3:o:qnap:qts:4.3.6.1218:build_20200214:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1263
cpe:2.3:o:qnap:qts:4.3.6.1263:build_20200330:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1286
cpe:2.3:o:qnap:qts:4.3.6.1286:build_20200422:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1333
cpe:2.3:o:qnap:qts:4.3.6.1333:build_20200608:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1411
cpe:2.3:o:qnap:qts:4.3.6.1411:build_20200825:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1446
cpe:2.3:o:qnap:qts:4.3.6.1446:build_20200929:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1620
cpe:2.3:o:qnap:qts:4.3.6.1620:build_20210322:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1663
cpe:2.3:o:qnap:qts:4.3.6.1663:build_20210504:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1711
cpe:2.3:o:qnap:qts:4.3.6.1711:build_20210621:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1750
cpe:2.3:o:qnap:qts:4.3.6.1750:build_20210730:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1831
cpe:2.3:o:qnap:qts:4.3.6.1831:build_20211019:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1907
cpe:2.3:o:qnap:qts:4.3.6.1907:build_20220103:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.1965
cpe:2.3:o:qnap:qts:4.3.6.1965:build_20220302:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.2050
cpe:2.3:o:qnap:qts:4.3.6.2050:build_20220526:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.6.2232
cpe:2.3:o:qnap:qts:4.3.6.2232:build_20221124:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.0899
cpe:2.3:o:qnap:qts:4.3.4.0899:build_20190322:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.1029
cpe:2.3:o:qnap:qts:4.3.4.1029:build_20190730:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.1082
cpe:2.3:o:qnap:qts:4.3.4.1082:build_20190921:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.1190
cpe:2.3:o:qnap:qts:4.3.4.1190:build_20200107:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.1282
cpe:2.3:o:qnap:qts:4.3.4.1282:build_20200408:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.1368
cpe:2.3:o:qnap:qts:4.3.4.1368:build_20200703:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.1417
cpe:2.3:o:qnap:qts:4.3.4.1417:build_20200821:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.1463
cpe:2.3:o:qnap:qts:4.3.4.1463:build_20201006:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.1632
cpe:2.3:o:qnap:qts:4.3.4.1632:build_20210324:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.1652
cpe:2.3:o:qnap:qts:4.3.4.1652:build_20210413:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.1976
cpe:2.3:o:qnap:qts:4.3.4.1976:build_20220303:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.2107
cpe:2.3:o:qnap:qts:4.3.4.2107:build_20220712:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.4.2242
cpe:2.3:o:qnap:qts:4.3.4.2242:build_20221124:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.3.0174
cpe:2.3:o:qnap:qts:4.3.3.0174:build_20170503:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.3.0868
cpe:2.3:o:qnap:qts:4.3.3.0868:build_20190322:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.3.0998
cpe:2.3:o:qnap:qts:4.3.3.0998:build_20190730:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.3.1051
cpe:2.3:o:qnap:qts:4.3.3.1051:build_20190921:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.3.1098
cpe:2.3:o:qnap:qts:4.3.3.1098:build_20191107:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.3.1161
cpe:2.3:o:qnap:qts:4.3.3.1161:build_20200109:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.3.1252
cpe:2.3:o:qnap:qts:4.3.3.1252:build_20200409:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.3.1315
cpe:2.3:o:qnap:qts:4.3.3.1315:build_20200611:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.3.1386
cpe:2.3:o:qnap:qts:4.3.3.1386:build_20200821:*:*:*:*:*:*
QNAP Systems, Inc.
qnap
>>qts>>4.3.3.1432
cpe:2.3:o:qnap:qts:4.3.3.1432:build_20201006:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-78Primarynvd@nist.gov
CWE-77Secondarysecurity@qnapsecurity.com.tw
CWE-78Secondarysecurity@qnapsecurity.com.tw
CWE ID: CWE-78
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-77
Type: Secondary
Source: security@qnapsecurity.com.tw
CWE ID: CWE-78
Type: Secondary
Source: security@qnapsecurity.com.tw
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.qnap.com/en/security-advisory/qsa-23-35security@qnapsecurity.com.tw
Vendor Advisory
Hyperlink: https://www.qnap.com/en/security-advisory/qsa-23-35
Source: security@qnapsecurity.com.tw
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

2023Records found
CVE-2023-23362
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-0.43% / 61.85%
||
7 Day CHG~0.00%
Published-22 Sep, 2023 | 03:27
Updated-24 Sep, 2024 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero, QuTScloud

An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability allows remote authenticated users to execute commands via susceptible QNAP devices. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqutscloudqtsQuTScloudQuTS heroQTS
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-23373
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-0.28% / 50.87%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 16:14
Updated-16 Sep, 2024 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QUSBCam2

An OS command injection vulnerability has been reported to affect QUSBCam2. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following version: QUSBCam2 2.0.3 ( 2023/06/15 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qusbcam2QUSBCam2qusbcam2
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-23367
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.16% / 37.77%
||
7 Day CHG~0.00%
Published-10 Nov, 2023 | 14:49
Updated-26 Feb, 2025 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero, QuTScloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTScloud c5.1.0.2498 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqutscloudqtsQuTS heroQuTScloudQTS
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-23355
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-6.6||MEDIUM
EPSS-0.33% / 55.35%
||
7 Day CHG~0.00%
Published-29 Mar, 2023 | 04:02
Updated-12 Feb, 2025 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances), QVR

An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors. QES is not affected. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2348 build 20230324 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qvp-41a_firmwareqvp-85b_firmwareqvp-21aqtsqvp-63b_firmwareqvp-63aqvp-85aqvp-41bqvp-85bqvp-63a_firmwareqvp-41b_firmwareqvp-85a_firmwarequts_heroqvrqutscloudqvp-21a_firmwareqvp-63bqvp-41aQuTScloudQTSQESQuTS hero
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-23356
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.10% / 27.89%
||
7 Day CHG~0.00%
Published-19 Dec, 2024 | 01:39
Updated-24 Dec, 2024 | 00:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QuFirewall

A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QuFirewall 2.3.3 ( 2023/03/27 ) and later and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QuFirewall
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2017-6361
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-90.51% / 99.59%
||
7 Day CHG~0.00%
Published-23 Mar, 2017 | 16:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbitrary commands via unspecified vectors.

Action-Not Available
Vendor-n/aQNAP Systems, Inc.
Product-qtsn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-34349
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.2||HIGH
EPSS-1.09% / 77.00%
||
7 Day CHG~0.00%
Published-27 Sep, 2021 | 00:45
Updated-17 Sep, 2024 | 00:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection Vulnerability in QVR

A command injection vulnerability has been reported to affect QNAP device running QVR. If exploited, this vulnerability could allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.5 build 20210803 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qvrQVR
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-34362
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.7||HIGH
EPSS-0.87% / 74.24%
||
7 Day CHG~0.00%
Published-22 Oct, 2021 | 04:25
Updated-16 Sep, 2024 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection Vulnerability in Media Streaming Add-on

A command injection vulnerability has been reported to affect QNAP device running Media Streaming add-on. If exploited, this vulnerability allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of Media Streaming add-on: QTS 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later QTS 4.5.4: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later QTS 4.3.6: Media Streaming add-on 430.1.8.12 ( 2021/08/20 ) and later QTS 4.3.3: Media Streaming add-on 430.1.8.12 ( 2021/09/29 ) and later QuTS-Hero 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqtsmedia_streaming_add-onMedia Streaming add-on
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-27124
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-0.12% / 31.31%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 15:00
Updated-02 Aug, 2024 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero, QuTScloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QuTScloudQuTS heroQTSquts_heroqutscloudqts
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-22481
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.7||HIGH
EPSS-0.75% / 72.23%
||
7 Day CHG~0.00%
Published-06 Jun, 2025 | 15:53
Updated-11 Jun, 2025 | 04:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.4.3079 build 20250321 and later QuTS hero h5.2.4.3079 build 20250321 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QTSQuTS hero
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-28812
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-0.48% / 64.06%
||
7 Day CHG~0.00%
Published-03 Jun, 2021 | 02:45
Updated-16 Sep, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection Vulnerability in Video Station

A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Video Station versions prior to 5.5.4 on QTS 4.5.2; versions prior to 5.5.4 on QuTS hero h4.5.2; versions prior to 5.5.4 on QuTScloud c4.5.4. This issue does not affect: QNAP Systems Inc. Video Station on QTS 4.3.6; on QTS 4.3.3.

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-video_stationquts_heroqutscloudqtsVideo Station
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-1286
Improper Validation of Syntactic Correctness of Input
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-53700
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.32% / 54.63%
||
7 Day CHG~0.00%
Published-07 Mar, 2025 | 16:14
Updated-07 Mar, 2025 | 17:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QHora

A command injection vulnerability has been reported to affect QHora. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QuRouter
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-53692
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.10% / 28.06%
||
7 Day CHG~0.00%
Published-07 Mar, 2025 | 16:13
Updated-07 Mar, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.2.3.3006 build 20250108 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QTSQuTS hero
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-38644
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.7||HIGH
EPSS-0.89% / 74.62%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 15:32
Updated-22 Nov, 2024 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Notes Station 3

An OS command injection vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to execute commands. We have already fixed the vulnerability in the following version: Notes Station 3 3.9.7 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-Notes Station 3notes_station_3
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-38641
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.3||HIGH
EPSS-0.14% / 35.23%
||
7 Day CHG~0.00%
Published-06 Sep, 2024 | 16:27
Updated-16 Sep, 2024 | 12:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network users to execute commands via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqtsQuTS heroQTSquts_heroqts
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-32766
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-10||CRITICAL
EPSS-0.42% / 61.09%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 15:00
Updated-02 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero, QuTScloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QuTScloudQuTS heroQTSquts_heroqutscloudqts
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-21906
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.59% / 68.12%
||
7 Day CHG~0.00%
Published-06 Sep, 2024 | 16:27
Updated-20 Sep, 2024 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqtsQuTS heroQTS
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-21898
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-1.69% / 81.47%
||
7 Day CHG~0.00%
Published-06 Sep, 2024 | 16:26
Updated-11 Sep, 2024 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqtsQuTS heroQTSquts_heroqts
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-21903
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-6.6||MEDIUM
EPSS-0.59% / 68.12%
||
7 Day CHG~0.00%
Published-06 Sep, 2024 | 16:26
Updated-11 Sep, 2024 | 13:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-quts_heroqtsQuTS heroQTS
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-50390
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.7||HIGH
EPSS-0.87% / 74.27%
||
7 Day CHG~0.00%
Published-07 Mar, 2025 | 16:13
Updated-07 Mar, 2025 | 17:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QHora

A command injection vulnerability has been reported to affect QHora. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.5.032 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QuRouter
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-50388
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-9.5||CRITICAL
EPSS-2.33% / 84.19%
||
7 Day CHG~0.00%
Published-06 Dec, 2024 | 16:35
Updated-06 Dec, 2024 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HBS 3 Hybrid Backup Sync

An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute commands. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 25.1.1.673 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-HBS 3 Hybrid Backup Synchbs_3
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-50393
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-8.7||HIGH
EPSS-0.90% / 74.78%
||
7 Day CHG~0.00%
Published-06 Dec, 2024 | 16:36
Updated-10 Dec, 2024 | 04:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QuTS heroQTSquts_heroqts
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48860
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-9.5||CRITICAL
EPSS-0.88% / 74.44%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 15:32
Updated-22 Nov, 2024 | 16:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QHora

An OS command injection vulnerability has been reported to affect several product versions. If exploited, the vulnerability could allow remote attackers to execute commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.3.103 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QuRouterqurouter
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48861
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.3||HIGH
EPSS-1.28% / 78.75%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 15:32
Updated-26 Nov, 2024 | 15:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QHora

An OS command injection vulnerability has been reported to affect several product versions. If exploited, the vulnerability could allow local network attackers to execute commands. We have already fixed the vulnerability in the following versions: QuRouter 2.4.4.106 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QuRouterqurouter
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-48863
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-7.7||HIGH
EPSS-1.05% / 76.62%
||
7 Day CHG~0.00%
Published-06 Dec, 2024 | 16:36
Updated-06 Dec, 2024 | 19:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
License Center

A command injection vulnerability has been reported to affect License Center. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following version: License Center 1.9.43 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-License Centerlicense_center
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-12442
Matching Score-4
Assigner-Mandiant Inc.
ShareView Details
Matching Score-4
Assigner-Mandiant Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 60.60%
||
7 Day CHG~0.00%
Published-09 May, 2025 | 13:55
Updated-13 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command injection in EnerSys AMPA versions 24.04 through 24.16, inclusive

EnerSys AMPA versions 24.04 through 24.16, inclusive, are vulnerable to command injection leading to privileged remote shell access.

Action-Not Available
Vendor-EnerSys
Product-AMPA
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2018-25083
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.09% / 77.09%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 00:00
Updated-24 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The pullit package before 1.4.0 for Node.js allows OS Command Injection because eval is used on an attacker-supplied Git branch name.

Action-Not Available
Vendor-pull_it_projectn/a
Product-pull_itn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-21162
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.33% / 55.40%
||
7 Day CHG~0.00%
Published-23 Apr, 2020 | 20:16
Updated-05 Aug, 2024 | 12:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D6400 before 1.0.0.78, EX6200 before 1.0.3.86, EX7000 before 1.0.0.64, R6250 before 1.0.4.8, R6300v2 before 1.0.4.6, R6400 before 1.0.1.12, R6700 before 1.0.1.16, R7000 before 1.0.7.10, R7100LG before 1.0.0.42, R7300DST before 1.0.0.44, R7900 before 1.0.1.12, R8000 before 1.0.3.36, R8300 before 1.0.2.74, R8500 before 1.0.2.74, WNDR3400v3 before 1.0.1.14, and WNR3500Lv2 before 1.2.0.48.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8000r6400_firmwareex7000ex6200r7100lgr7900wndr3400r8300r7100lg_firmwarer7300dst_firmwarer8500_firmwarer7000_firmwared6400_firmwarer7300dstr6300_firmwarer6250_firmwarer8500wndr3400_firmwarer6700r8300_firmwarer7000wnr3500l_firmwareex6200_firmwared6400wnr3500lr7900_firmwareex7000_firmwarer6300r6400r6700_firmwarer8000_firmwarer6250n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-12986
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-35.19% / 96.91%
||
7 Day CHG~0.00%
Published-27 Dec, 2024 | 15:31
Updated-28 May, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DrayTek Vigor2960/Vigor300B Web Management Interface apmcfgupptim os command injection

A vulnerability, which was classified as critical, has been found in DrayTek Vigor2960 and Vigor300B 1.5.1.3/1.5.1.4. This issue affects some unknown processing of the file /cgi-bin/mainfunction.cgi/apmcfgupptim of the component Web Management Interface. The manipulation of the argument session leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-DrayTek Corp.
Product-vigor300bvigor2960_firmwarevigor2960vigor300b_firmwareVigor2960Vigor300B
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-22657
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-10||CRITICAL
EPSS-0.40% / 60.04%
||
7 Day CHG~0.00%
Published-23 Dec, 2021 | 19:48
Updated-17 Sep, 2024 | 00:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mySCADA myPRO

mySCADA myPRO: Versions 8.20.0 and prior has a feature where the API password can be specified, which may allow an attacker to inject arbitrary operating system commands through a specific parameter.

Action-Not Available
Vendor-myscadamySCADA
Product-mypromyPRO
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-22795
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-9.1||CRITICAL
EPSS-3.19% / 86.48%
||
7 Day CHG~0.00%
Published-28 Mar, 2022 | 16:25
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause remote code execution when performed over the network. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior)

Action-Not Available
Vendor-
Product-struxureware_data_center_expertStruxureWare Data Center Expert
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-20334
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.70% / 87.47%
||
7 Day CHG~0.00%
Published-20 Mar, 2020 | 00:11
Updated-05 Aug, 2024 | 11:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in ASUSWRT 3.0.0.4.384.20308. When processing the /start_apply.htm POST data, there is a command injection issue via shell metacharacters in the fb_email parameter. By using this issue, an attacker can control the router and get shell.

Action-Not Available
Vendor-n/aASUS (ASUSTeK Computer Inc.)
Product-rt-ac1750rt-ax3000rt-n56rrt-acrh13rt-ac1200gert-ac66urt-ac1200grt-ac66rrt-ac1200rt-n10\+d1rt-ac3200rt-acrh12rt-n600rt-ac68urt-ac5300rt-ax88urt-n56urt-n19rt-ax92urt-ac68pgt-ac2900rt-n10ert-ac86urt-ac56srt-n65urt-ax56urt-ac56urt-n16rt-ac66u-b1rt-n14urt-ac55urt-ax58uasuswrtrt-ac88urt-ac87urt-ac56rrt-n66rrt-g32rt-n66urt-ac51urt-ac1900pgt-ax11000rt-ac3100rt-ac66u_b1rt-ac1750_b1rt-ac1200_v2gt-ac5300n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-36231
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-28.77% / 96.37%
||
7 Day CHG~0.00%
Published-23 Feb, 2023 | 00:00
Updated-13 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

pdf_info 0.5.3 is vulnerable to Command Execution because the Ruby code uses backticks instead of Open3.

Action-Not Available
Vendor-newspaperclubn/a
Product-pdf_infon/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-12987
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-84.30% / 99.27%
||
7 Day CHG~0.00%
Published-27 Dec, 2024 | 16:00
Updated-30 Jul, 2025 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-06-05||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
DrayTek Vigor2960/Vigor300B Web Management Interface apmcfgupload os command injection

A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-DrayTek Corp.
Product-vigor300bvigor300b_firmwarevigor2960_firmwarevigor2960Vigor2960Vigor300BVigor Routers
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-22502
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-4
Assigner-OpenText (formerly Micro Focus)
CVSS Score-9.8||CRITICAL
EPSS-93.98% / 99.88%
||
7 Day CHG~0.00%
Published-08 Feb, 2021 | 21:12
Updated-30 Jul, 2025 | 01:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2021-11-17||Apply updates per vendor instructions.

Remote Code execution vulnerability in Micro Focus Operation Bridge Reporter (OBR) product, affecting version 10.40. The vulnerability could be exploited to allow Remote Code Execution on the OBR server.

Action-Not Available
Vendor-n/aMicro Focus International Limited
Product-operation_bridge_reporterOperation Bridge Reporter.Operation Bridge Reporter (OBR)
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-35975
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9||CRITICAL
EPSS-1.26% / 78.55%
||
7 Day CHG~0.00%
Published-18 Aug, 2022 | 17:55
Updated-23 Apr, 2025 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper object validation allows for arbitrary code execution in GitOps Tools Extension for VSCode

The GitOps Tools Extension for VSCode can make it easier to manage Flux objects. A specially crafted Flux object may allow for remote code execution in the machine running the extension, in the context of the user that is running VSCode. Users using the VSCode extension to manage clusters that are shared amongst other users are affected by this issue. The only safe mitigation is to update to the latest version of the extension.

Action-Not Available
Vendor-weaveweaveworks
Product-gitops_toolsvscode-gitops-tools
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-20114
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.60% / 92.06%
||
7 Day CHG~0.00%
Published-02 Jan, 2019 | 18:00
Updated-05 Aug, 2024 | 11:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

On D-Link DIR-818LW Rev.A 2.05.B03 and DIR-860L Rev.B 2.03.B03 devices, unauthenticated remote OS command execution can occur in the soap.cgi service of the cgibin binary via an "&&" substring in the service parameter. NOTE: this issue exists because of an incomplete fix for CVE-2018-6530.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-818lwdir-818lw_firmwaredir-860ldir-860l_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-16920
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-94.34% / 99.95%
||
7 Day CHG~0.00%
Published-27 Sep, 2019 | 11:34
Updated-30 Jul, 2025 | 01:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-04-15||The impacted product is end-of-life and should be disconnected if still in use.

Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dap-1533_firmwaredir-825dir-862ldir-835_firmwaredir-652dir-655_firmwaredir-655dir-825_firmwaredir-855ldir-866l_firmwaredir-652_firmwaredir-855l_firmwaredir-866ldhp-1565_firmwaredir-835dir-615dap-1533dir-615_firmwaredhp-1565dir-862l_firmwaren/aMultiple Routers
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-12356
Matching Score-4
Assigner-BeyondTrust Inc.
ShareView Details
Matching Score-4
Assigner-BeyondTrust Inc.
CVSS Score-9.8||CRITICAL
EPSS-93.69% / 99.84%
||
7 Day CHG~0.00%
Published-17 Dec, 2024 | 04:29
Updated-30 Jul, 2025 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-12-27||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Command Injection Vulnerability in Remote Support(RS) & Privileged Remote Access (PRA)

A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.

Action-Not Available
Vendor-BeyondTrust Corporation
Product-privileged_remote_accessremote_supportPrivileged Remote AccessRemote SupportPrivileged Remote Access (PRA) and Remote Support (RS)
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-1212
Matching Score-4
Assigner-Progress Software Corporation
ShareView Details
Matching Score-4
Assigner-Progress Software Corporation
CVSS Score-10||CRITICAL
EPSS-94.36% / 99.96%
||
7 Day CHG~0.00%
Published-21 Feb, 2024 | 17:39
Updated-30 Jul, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-12-09||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
LoadMaster Pre-Authenticated OS Command Injection

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.

Action-Not Available
Vendor-KempProgress Software Corporation
Product-loadmasterLoadMasterloadmasterKemp LoadMaster
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-11861
Matching Score-4
Assigner-Mandiant Inc.
ShareView Details
Matching Score-4
Assigner-Mandiant Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 60.60%
||
7 Day CHG~0.00%
Published-09 May, 2025 | 13:51
Updated-12 May, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command injection in EnerSys AMPA 22.09 and prior versions

EnerSys AMPA 22.09 and prior versions are vulnerable to command injection leading to privileged remote shell access.

Action-Not Available
Vendor-EnerSys
Product-AMPA
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2014-5470
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-74.34% / 98.79%
||
7 Day CHG~0.00%
Published-21 Jun, 2024 | 00:00
Updated-06 Aug, 2024 | 11:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Actual Analyzer through 2014-08-29 allows code execution via shell metacharacters because untrusted input is used for part of the input data passed to an eval operation.

Action-Not Available
Vendor-n/aactualscripts
Product-n/aactualanalyzer
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-11482
Matching Score-4
Assigner-Trellix
ShareView Details
Matching Score-4
Assigner-Trellix
CVSS Score-9.8||CRITICAL
EPSS-2.51% / 84.77%
||
7 Day CHG~0.00%
Published-29 Nov, 2024 | 07:03
Updated-18 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in ESM 11.6.10 allows unauthenticated access to the internal Snowservice API and enables remote code execution through command injection, executed as the root user.

Action-Not Available
Vendor-HP Inc.Musarubra US LLC (Trellix)
Product-Trellix Enterprise Security Manager (ESM)enterprise_security_manager
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2014-4981
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-38.68% / 97.15%
||
7 Day CHG~0.00%
Published-17 Feb, 2020 | 21:21
Updated-06 Aug, 2024 | 11:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LPAR2RRD in 3.5 and earlier allows remote attackers to execute arbitrary commands due to insufficient input sanitization of the web GUI parameters.

Action-Not Available
Vendor-xoruxn/a
Product-lpar2rrdn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-10443
Matching Score-4
Assigner-Synology Inc.
ShareView Details
Matching Score-4
Assigner-Synology Inc.
CVSS Score-9.8||CRITICAL
EPSS-67.42% / 98.50%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 10:23
Updated-10 Apr, 2025 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-beestation_osbeephotosdiskstation_managerphotosSynology PhotosBeePhotosphoto_station
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2021-32530
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.01% / 76.19%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 14:12
Updated-16 Sep, 2024 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QSAN XEVO - Command Injection Following via Array function

OS command injection vulnerability in Array function in QSAN XEVO allows remote unauthenticated attackers to execute arbitrary commands via status parameter. The referred vulnerability has been solved with the updated version of QSAN XEVO v2.1.0.

Action-Not Available
Vendor-qsanQSAN
Product-xevoXEVO
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-11120
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-63.47% / 98.34%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 02:00
Updated-30 Jul, 2025 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-05-28||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
GeoVision EOL devices - OS Command Injection

Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.

Action-Not Available
Vendor-geovisionGeoVisiongeovisionGeoVision
Product-gvlx_4gv-dsp_lpr_firmwaregv-vs12gv-vs11_firmwaregvlx_4_firmwaregv-dsp_lprgv-vs12_firmwaregv-vs11GV-DSP_LPR_V3GVLX 4 V2GV-VS11GV-VS12GVLX 4 V3gvlx_4_v2_firmwaregvlx_4_v3_firmwaregv-vs11_firmwaregv-vs12_firmwaregv-dsp_lpr_v3_firmwareMultiple Devices
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-1115
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-0.65% / 69.77%
||
7 Day CHG~0.00%
Published-31 Jan, 2024 | 20:00
Updated-29 May, 2025 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
openBI Setting.php dlfile os command injection

A vulnerability was found in openBI up to 1.0.8 and classified as critical. This issue affects the function dlfile of the file /application/websocket/controller/Setting.php. The manipulation of the argument phpPath leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252473 was assigned to this vulnerability.

Action-Not Available
Vendor-openbin/a
Product-openbiopenBI
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-10914
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-9.2||CRITICAL
EPSS-93.97% / 99.88%
||
7 Day CHG~0.00%
Published-06 Nov, 2024 | 13:31
Updated-24 Nov, 2024 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-320/DNS-320LW/DNS-325/DNS-340L account_mgr.cgi cgi_user_add os command injection

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldns-325_firmwaredns-320dns-320lw_firmwaredns-320_firmwaredns-320lwdns-340l_firmwaredns-325DNS-320LWDNS-325DNS-320DNS-340Ldns-340l_firmwaredns-320_firmwaredns-320lw_firmwaredns-325_firmware
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-11320
Matching Score-4
Assigner-Pandora FMS
ShareView Details
Matching Score-4
Assigner-Pandora FMS
CVSS Score-6.9||MEDIUM
EPSS-92.17% / 99.70%
||
7 Day CHG~0.00%
Published-21 Nov, 2024 | 10:03
Updated-26 Nov, 2024 | 17:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection leading to RCE via LDAP Misconfiguration

Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism. This issue affects Pandora FMS: from 700 through <=777.4

Action-Not Available
Vendor-Pandora FMS S.L.U.
Product-pandora_fmsPandora FMS
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 40
  • 41
  • Next
Details not found