Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-31977

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-24 Jul, 2024 | 00:00
Updated At-04 Sep, 2024 | 14:21
Rejected At-
Credits

Adtran 834-5 11.1.0.101-202106231430, and fixed as of SmartOS Version 12.6.3.1, devices allow OS Command Injection via shell metacharacters to the Ping or Traceroute utility.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:24 Jul, 2024 | 00:00
Updated At:04 Sep, 2024 | 14:21
Rejected At:
▼CVE Numbering Authority (CNA)

Adtran 834-5 11.1.0.101-202106231430, and fixed as of SmartOS Version 12.6.3.1, devices allow OS Command Injection via shell metacharacters to the Ping or Traceroute utility.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/actuator/cve/tree/main/AdTran/834-5
N/A
https://drive.proton.me/urls/GXDM5T5NSG#RHa0yVWSKyoz
N/A
https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-31977
N/A
https://supportcommunity.adtran.com/t5/Security-Advisories/ADTSA-2024001-Multiple-vulnerabilities-in-Service-Delivery-Gateway-products/ta-p/39332
N/A
Hyperlink: https://github.com/actuator/cve/tree/main/AdTran/834-5
Resource: N/A
Hyperlink: https://drive.proton.me/urls/GXDM5T5NSG#RHa0yVWSKyoz
Resource: N/A
Hyperlink: https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-31977
Resource: N/A
Hyperlink: https://supportcommunity.adtran.com/t5/Security-Advisories/ADTSA-2024001-Multiple-vulnerabilities-in-Service-Delivery-Gateway-products/ta-p/39332
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
Adtran, Incadtran
Product
834-5_firmware
CPEs
  • cpe:2.3:o:adtran:834-5_firmware:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 11.1.0.101-202106231430 before 12.6.3.1 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-78CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Type: CWE
CWE ID: CWE-78
Description: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
3.18.0HIGH
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/actuator/cve/tree/main/AdTran/834-5
x_transferred
https://drive.proton.me/urls/GXDM5T5NSG#RHa0yVWSKyoz
x_transferred
https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-31977
x_transferred
Hyperlink: https://github.com/actuator/cve/tree/main/AdTran/834-5
Resource:
x_transferred
Hyperlink: https://drive.proton.me/urls/GXDM5T5NSG#RHa0yVWSKyoz
Resource:
x_transferred
Hyperlink: https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-31977
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:24 Jul, 2024 | 15:15
Updated At:03 Sep, 2024 | 21:15

Adtran 834-5 11.1.0.101-202106231430, and fixed as of SmartOS Version 12.6.3.1, devices allow OS Command Injection via shell metacharacters to the Ping or Traceroute utility.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Secondary3.18.0HIGH
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches

Adtran, Inc
adtran
>>sdg_smartos>>Versions before 12.5.5.1(exclusive)
cpe:2.3:o:adtran:sdg_smartos:*:*:*:*:*:*:*:*
Adtran, Inc
adtran
>>834-5_firmware>>11.1.0.101-202106231430
cpe:2.3:o:adtran:834-5_firmware:11.1.0.101-202106231430:*:*:*:*:*:*:*
Adtran, Inc
adtran
>>834-5>>-
cpe:2.3:h:adtran:834-5:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-78Primarynvd@nist.gov
CWE-78Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-78
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-78
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://drive.proton.me/urls/GXDM5T5NSG#RHa0yVWSKyozcve@mitre.org
Permissions Required
https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-31977cve@mitre.org
Third Party Advisory
https://github.com/actuator/cve/tree/main/AdTran/834-5cve@mitre.org
Broken Link
https://supportcommunity.adtran.com/t5/Security-Advisories/ADTSA-2024001-Multiple-vulnerabilities-in-Service-Delivery-Gateway-products/ta-p/39332cve@mitre.org
N/A
Hyperlink: https://drive.proton.me/urls/GXDM5T5NSG#RHa0yVWSKyoz
Source: cve@mitre.org
Resource:
Permissions Required
Hyperlink: https://github.com/actuator/cve/blob/main/AdTran/CVE-2024-31977
Source: cve@mitre.org
Resource:
Third Party Advisory
Hyperlink: https://github.com/actuator/cve/tree/main/AdTran/834-5
Source: cve@mitre.org
Resource:
Broken Link
Hyperlink: https://supportcommunity.adtran.com/t5/Security-Advisories/ADTSA-2024001-Multiple-vulnerabilities-in-Service-Delivery-Gateway-products/ta-p/39332
Source: cve@mitre.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1219Records found

CVE-2024-51252
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.78% / 51.63%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 00:00
Updated-05 Nov, 2024 | 20:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the restore function.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51253
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.67% / 47.43%
||
7 Day CHG~0.00%
Published-04 Nov, 2024 | 00:00
Updated-10 Apr, 2025 | 15:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doL2TP function.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-54404
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-3.64% / 88.17%
||
7 Day CHG-0.05%
Published-07 Oct, 2025 | 13:55
Updated-03 Nov, 2025 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the swctrl functionality of Planet WGR-500 v1.3411b190912. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is related to the `new_device_name` request parameter.

Action-Not Available
Vendor-planetPlanet
Product-wgr-500wgr-500_firmwareWGR-500
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-10660
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.67% / 83.89%
||
7 Day CHG~0.00%
Published-30 Mar, 2019 | 16:43
Updated-04 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field.

Action-Not Available
Vendor-grandstreamn/a
Product-gxv3611ir_hd_firmwaregxv3611ir_hdn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51246
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.42% / 33.67%
||
7 Day CHG~0.00%
Published-04 Nov, 2024 | 00:00
Updated-11 Apr, 2025 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doPPTP function.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900vigor3900_firmwaren/avigor3900_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-50809
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-0.70% / 48.64%
||
7 Day CHG~0.00%
Published-08 Nov, 2024 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The theme.php file in SDCMS 2.8 has a command execution vulnerability that allows for the execution of system commands

Action-Not Available
Vendor-n/asdcms
Product-n/asdcms
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-50852
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.64% / 73.53%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 00:00
Updated-21 Nov, 2024 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda G3 v3.0 v15.11.0.20 was discovered to contain a command injection vulnerability via the formSetUSBPartitionUmount function.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-g3g3_firmwaren/ag3
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-51010
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.94% / 56.46%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-21 May, 2025 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160, XR300 v1.0.3.78, R7000P v1.3.3.154, and R6400 v2 1.0.4.128 were discovered to contain a command injection vulnerability in the component ap_mode.cgi via the apmode_gateway parameter. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500_firmwarer6400v2_firmwarer8500r7000pr7000p_firmwarexr300xr300_firmwarer6400v2n/axr300_firmwarer8500_firmwarer6400_firmwarer7000p_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-10659
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.67% / 83.89%
||
7 Day CHG~0.00%
Published-30 Mar, 2019 | 16:43
Updated-04 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field.

Action-Not Available
Vendor-grandstreamn/a
Product-gxv3370gxv3370_firmwarewp820_firmwarewp820n/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-10658
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-2.67% / 83.89%
||
7 Day CHG~0.00%
Published-30 Mar, 2019 | 16:42
Updated-04 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.

Action-Not Available
Vendor-grandstreamn/a
Product-gwn7610gwn7610_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2014-0163
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-1.99% / 78.25%
||
7 Day CHG~0.00%
Published-11 Dec, 2019 | 15:33
Updated-06 Aug, 2024 | 09:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Openshift has shell command injection flaws due to unsanitized data being passed into shell commands.

Action-Not Available
Vendor-OpenshiftRed Hat, Inc.
Product-openshiftOpenshift
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51251
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.70% / 48.52%
||
7 Day CHG~0.00%
Published-04 Nov, 2024 | 00:00
Updated-10 Apr, 2025 | 15:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the backup function.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51008
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.94% / 56.46%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear XR300 v1.0.3.78 was discovered to contain a command injection vulnerability in the system_name parameter at wiz_dyn.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-xr300_firmwarexr300n/axr300_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-11527
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-3.49% / 87.70%
||
7 Day CHG~0.00%
Published-10 Oct, 2019 | 19:37
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Softing uaGate SI 1.60.01. A CGI script is vulnerable to command injection with a maliciously crafted url parameter.

Action-Not Available
Vendor-softingn/a
Product-uagate_si_firmwareuagate_sin/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51245
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.78% / 51.48%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 00:00
Updated-05 Nov, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the rename_table function.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-10656
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-3.95% / 89.17%
||
7 Day CHG~0.00%
Published-30 Mar, 2019 | 16:42
Updated-04 Aug, 2024 | 22:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call.

Action-Not Available
Vendor-grandstreamn/a
Product-gwn7000gwn7000_firmwaren/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51503
Matching Score-4
Assigner-Trend Micro, Inc.
ShareView Details
Matching Score-4
Assigner-Trend Micro, Inc.
CVSS Score-8||HIGH
EPSS-4.03% / 89.36%
||
7 Day CHG~0.00%
Published-19 Nov, 2024 | 19:00
Updated-04 Sep, 2025 | 23:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A security agent manual scan command injection vulnerability in the Trend Micro Deep Security 20 Agent could allow an attacker to escalate privileges and execute arbitrary code on an affected machine. In certain circumstances, attackers that have legitimate access to the domain may be able to remotely inject commands to other machines in the same domain. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability locally and must have domain user privileges to affect other machines.

Action-Not Available
Vendor-Trend Micro Incorporated
Product-deep_security_agentTrend Micro Deep Security
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-50853
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-1.64% / 73.53%
||
7 Day CHG~0.00%
Published-13 Nov, 2024 | 00:00
Updated-21 Nov, 2024 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda G3 v3.0 v15.11.0.20 was discovered to contain a command injection vulnerability via the formSetDebugCfg function.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-g3g3_firmwaren/ag3
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-51450
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.1||CRITICAL
EPSS-1.01% / 58.81%
||
7 Day CHG~0.00%
Published-06 Feb, 2025 | 00:15
Updated-08 Aug, 2025 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Verify Directory Command Execution

IBM Security Verify Directory 10.0.0 through 10.0.3 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

Action-Not Available
Vendor-IBM Corporation
Product-security_verify_directorySecurity Verify Directory
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-50993
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.94% / 56.46%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-22 Apr, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the sysNewPasswd parameter at admin_account.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500r8500_firmwaren/ar8500_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-52018
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-1.59% / 72.69%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear XR300 v1.0.3.78 was discovered to contain a command injection vulnerability in the system_name parameter at genie_dyn.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-xr300_firmwarexr300n/axr300_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-11409
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-87.48% / 99.73%
||
7 Day CHG~0.00%
Published-17 Jun, 2019 | 18:02
Updated-04 Aug, 2024 | 22:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module.

Action-Not Available
Vendor-fusionpbxn/a
Product-fusionpbxn/a
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-1082
Matching Score-4
Assigner-CERT@VDE
ShareView Details
Matching Score-4
Assigner-CERT@VDE
CVSS Score-8.8||HIGH
EPSS-0.98% / 57.94%
||
7 Day CHG~0.00%
Published-09 Apr, 2024 | 08:25
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Welotec: Command injection vulnerability in TK500v1 router series

An remote attacker with low privileges can perform a command injection which can lead to root access.

Action-Not Available
Vendor-Welotecwelotec
Product-TK525U SetTK525LTK525L SetTK515L-W SetTK525WTK515L-WTK515L SetTK535L1 SetTK525L-WTK525L-W SetTK515LTK535L1TK525W SetTK525Utk535l1_set
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-5440
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-8.05% / 94.09%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 10:00
Updated-02 Jul, 2025 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 NTP os command injection

A vulnerability classified as critical has been found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function NTP of the file /goform/NTP. The manipulation of the argument manual_year_select/manual_month_select/manual_day_select/manual_hour_select/manual_min_select/manual_sec_select leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Linksys Holdings, Inc.
Product-re9000_firmwarere6250re7000re6300re6300_firmwarere7000_firmwarere6500_firmwarere9000re6350re6350_firmwarere6250_firmwarere6500RE7000RE6350RE9000RE6500RE6300RE6250
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-54406
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-4.23% / 89.81%
||
7 Day CHG~0.00%
Published-07 Oct, 2025 | 13:55
Updated-03 Nov, 2025 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.This command injection is related to the `counts` request parameter.

Action-Not Available
Vendor-planetPlanet
Product-wgr-500wgr-500_firmwareWGR-500
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-10392
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-8.8||HIGH
EPSS-25.78% / 97.71%
||
7 Day CHG+0.19%
Published-12 Sep, 2019 | 13:55
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.

Action-Not Available
Vendor-Jenkins
Product-git_clientJenkins Git Client Plugin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-53949
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-7||HIGH
EPSS-15.54% / 96.42%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 17:19
Updated-26 Feb, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortiSandbox
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-54403
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-3.64% / 88.17%
||
7 Day CHG-0.05%
Published-07 Oct, 2025 | 13:55
Updated-03 Nov, 2025 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the swctrl functionality of Planet WGR-500 v1.3411b190912. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is related to the `new_password` request parameter.

Action-Not Available
Vendor-planetPlanet
Product-wgr-500wgr-500_firmwareWGR-500
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-0861
Matching Score-4
Assigner-ONEKEY GmbH
ShareView Details
Matching Score-4
Assigner-ONEKEY GmbH
CVSS Score-7.2||HIGH
EPSS-28.66% / 97.90%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 08:58
Updated-18 Mar, 2025 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Command Injection in NetModule NSRW

NetModule NSRW web administration interface executes an OS command constructed with unsanitized user input. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. This issue affects NSRW: from 4.3.0.0 before 4.3.0.119, from 4.4.0.0 before 4.4.0.118, from 4.6.0.0 before 4.6.0.105, from 4.7.0.0 before 4.7.0.103.

Action-Not Available
Vendor-netmoduleNetModule
Product-nb1810nb2800nb3800nb1601ng800nb800nb1800netmodule_router_softwarenb3701nb2810NSRW
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51244
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.78% / 51.38%
||
7 Day CHG~0.00%
Published-01 Nov, 2024 | 00:00
Updated-05 Nov, 2024 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doIPSec function.

Action-Not Available
Vendor-n/aDrayTek Corp.
Product-vigor3900_firmwarevigor3900n/avigor3900_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-0164
Matching Score-4
Assigner-Fluid Attacks
ShareView Details
Matching Score-4
Assigner-Fluid Attacks
CVSS Score-8.8||HIGH
EPSS-1.38% / 68.82%
||
7 Day CHG~0.00%
Published-18 Jan, 2023 | 00:00
Updated-03 Apr, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function.

Action-Not Available
Vendor-orangescrumn/a
Product-orangescrumOrangeScrum
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-28254
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.8||HIGH
EPSS-45.73% / 98.65%
||
7 Day CHG~0.00%
Published-15 Mar, 2024 | 19:55
Updated-04 Sep, 2025 | 13:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SpEL Injection in `GET /api/v1/events/subscriptions/validation/condition/<expr>` in OpenMetadata

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `‎AlertUtil::validateExpression` method evaluates an SpEL expression using `getValue` which by default uses the `StandardEvaluationContext`, allowing the expression to reach and interact with Java classes such as `java.lang.Runtime`, leading to Remote Code Execution. The `/api/v1/events/subscriptions/validation/condition/<expression>` endpoint passes user-controlled data `AlertUtil::validateExpession` allowing authenticated (non-admin) users to execute arbitrary system commands on the underlaying operating system. In addition, there is a missing authorization check since `Authorizer.authorize()` is never called in the affected path and, therefore, any authenticated non-admin user is able to trigger this endpoint and evaluate arbitrary SpEL expressions leading to arbitrary command execution. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-235`. This issue may lead to Remote Code Execution and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-open-metadataopen-metadataopenmetadata
Product-openmetadataOpenMetadataopenmetadata
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-0830
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-20.86% / 97.25%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 16:13
Updated-01 May, 2025 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EasyNAS backup.pl system os command injection

A vulnerability classified as critical has been found in EasyNAS 1.1.0. Affected is the function system of the file /backup.pl. The manipulation leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-easynasn/a
Product-easynasEasyNAS
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-52019
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-1.58% / 72.61%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-02 May, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear R8500 v1.0.2.160 was discovered to contain a command injection vulnerability in the wan_gateway parameter at genie_fix2.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r8500r8500_firmwaren/ar8500_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-54405
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.8||HIGH
EPSS-4.23% / 89.81%
||
7 Day CHG~0.00%
Published-07 Oct, 2025 | 13:55
Updated-03 Nov, 2025 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.This command injection is related to the `ipaddr` request parameter.

Action-Not Available
Vendor-planetPlanet
Product-wgr-500wgr-500_firmwareWGR-500
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-8664
Matching Score-4
Assigner-Rapid7, Inc.
ShareView Details
Matching Score-4
Assigner-Rapid7, Inc.
CVSS Score-6||MEDIUM
EPSS-0.83% / 53.20%
||
7 Day CHG+0.10%
Published-25 Jun, 2026 | 01:28
Updated-29 Jun, 2026 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection in Rapid7 InsightConnect Finger Plugin

OS Command Injection vulnerability in Rapid7 InsightConnect Finger Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the user or host parameters due to insufficient input validation in shell command construction.

Action-Not Available
Vendor-Rapid7 LLC
Product-insightconnect_fingerInsightConnect Finger Plugin
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48595
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-0.61% / 44.79%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 18:19
Updated-10 Oct, 2024 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability exists in the “ticket template watchers” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-48600
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-0.61% / 44.79%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 18:28
Updated-09 Oct, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability exists in the “notes view” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-48587
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-0.61% / 44.79%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 17:46
Updated-10 Oct, 2024 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability exists in the “schedule editor” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-48580
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-1.31% / 67.17%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 17:02
Updated-10 Oct, 2024 | 14:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability exists in the ARP ping device tool feature of the ScienceLogic SL1 that takes unsanitized user controlled input and passes it directly to a shell command. This allows for the injection of arbitrary commands to the underlying operating system.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48598
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-0.61% / 44.79%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 18:25
Updated-10 Oct, 2024 | 18:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability exists in the “reporter events type date” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-48588
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-0.60% / 44.17%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 17:47
Updated-10 Oct, 2024 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability exists in the “schedule editor decoupled” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-48601
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-0.61% / 44.79%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 18:32
Updated-09 Oct, 2024 | 20:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability exists in the “network print report” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-48594
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-0.61% / 44.79%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 18:18
Updated-10 Oct, 2024 | 12:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability exists in the “ticket watchers email” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-48584
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-1.32% / 67.42%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 17:29
Updated-10 Oct, 2024 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability exists in the download and convert report feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a shell command. This allows for the injection of arbitrary commands to the underlying operating system.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48591
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-0.61% / 44.79%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 18:04
Updated-10 Oct, 2024 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability exists in the vendor_state parameter of the “vendor print report” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-48581
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-1.34% / 67.96%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 17:08
Updated-10 Oct, 2024 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A command injection vulnerability exists in the “dash export” feature of the ScienceLogic SL1 that takes unsanitized user controlled input and passes it directly to a shell command. This allows for the injection of arbitrary commands to the underlying operating system.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48604
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-0.61% / 44.79%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 18:35
Updated-10 Oct, 2024 | 12:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability exists in the “logging export” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-51021
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8||HIGH
EPSS-0.82% / 52.92%
||
7 Day CHG~0.00%
Published-05 Nov, 2024 | 00:00
Updated-21 May, 2025 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netgear XR300 v1.0.3.78, R7000P v1.3.3.154, and R6400 v2 1.0.4.128 was discovered to contain a command injection vulnerability via the wan_gateway parameter at genie_fix2.cgi. This vulnerability allows attackers to execute arbitrary OS commands via a crafted request.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-r6400v2_firmwarer7000pr7000p_firmwarexr300_firmwarexr300r6400v2n/axr300_firmwarer6400_firmwarer7000p_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-48596
Matching Score-4
Assigner-Securifera, Inc.
ShareView Details
Matching Score-4
Assigner-Securifera, Inc.
CVSS Score-8.8||HIGH
EPSS-0.61% / 44.79%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 18:21
Updated-10 Oct, 2024 | 14:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL injection vulnerability exists in the “ticket queue watchers” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.

Action-Not Available
Vendor-ScienceLogic, Inc.
Product-sl1SL 1
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • ...
  • 24
  • 25
  • Next
Details not found