Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-41788

Summary
Assigner-siemens
Assigner Org ID-cec7a2ec-15b4-4faf-bd53-b40f371f3a77
Published At-08 Apr, 2025 | 08:22
Updated At-08 Apr, 2025 | 13:24
Rejected At-
Credits

A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the input parameters in specific GET requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:siemens
Assigner Org ID:cec7a2ec-15b4-4faf-bd53-b40f371f3a77
Published At:08 Apr, 2025 | 08:22
Updated At:08 Apr, 2025 | 13:24
Rejected At:
▼CVE Numbering Authority (CNA)

A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the input parameters in specific GET requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.

Affected Products
Vendor
Siemens AGSiemens
Product
SENTRON 7KT PAC1260 Data Manager
Default Status
unknown
Versions
Affected
  • From 0 before * (custom)
Problem Types
TypeCWE IDDescription
CWECWE-78CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Type: CWE
CWE ID: CWE-78
Description: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.09.4CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Version: 4.0
Base score: 9.4
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://cert-portal.siemens.com/productcert/html/ssa-187636.html
N/A
Hyperlink: https://cert-portal.siemens.com/productcert/html/ssa-187636.html
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:productcert@siemens.com
Published At:08 Apr, 2025 | 09:15
Updated At:08 Apr, 2025 | 18:13

A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the input parameters in specific GET requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.09.4CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Type: Secondary
Version: 4.0
Base score: 9.4
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-78Primaryproductcert@siemens.com
CWE ID: CWE-78
Type: Primary
Source: productcert@siemens.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://cert-portal.siemens.com/productcert/html/ssa-187636.htmlproductcert@siemens.com
N/A
Hyperlink: https://cert-portal.siemens.com/productcert/html/ssa-187636.html
Source: productcert@siemens.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

108Records found
CVE-2021-36023
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-9.1||CRITICAL
EPSS-9.65% / 92.58%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 13:08
Updated-27 Feb, 2025 | 21:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Magento Commerce Widgets Update Layout XML Injection Vulnerability Could Lead To Remote Code Execution

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.

Action-Not Available
Vendor-magentoAdobe Inc.
Product-magentoAdobe Commerce
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-31838
Matching Score-4
Assigner-Trellix
ShareView Details
Matching Score-4
Assigner-Trellix
CVSS Score-8.4||HIGH
EPSS-0.70% / 71.06%
||
7 Day CHG~0.00%
Published-29 Jun, 2021 | 09:45
Updated-03 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command injection through environment variable in MVISION EDR

A command injection vulnerability in MVISION EDR (MVEDR) prior to 3.4.0 allows an authenticated MVEDR administrator to trigger the EDR client to execute arbitrary commands through PowerShell using the EDR functionality 'execute reaction'.

Action-Not Available
Vendor-McAfee, LLC
Product-mvision_edrMVISION EDR
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51661
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-9.1||CRITICAL
EPSS-3.40% / 86.95%
||
7 Day CHG~0.00%
Published-04 Nov, 2024 | 11:06
Updated-08 Nov, 2024 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Media Library Assistant plugin <= 3.19 - Remote Code Execution (RCE) vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in David Lingren Media Library Assistant allows Command Injection.This issue affects Media Library Assistant: from n/a through 3.19.

Action-Not Available
Vendor-davidlingrenDavid Lingrendavidlingren
Product-media_library_assistantMedia Library Assistantmedia_library_assistant
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-51450
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.13% / 33.33%
||
7 Day CHG~0.00%
Published-06 Feb, 2025 | 00:15
Updated-08 Aug, 2025 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Verify Directory Command Execution

IBM Security Verify Directory 10.0.0 through 10.0.3 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

Action-Not Available
Vendor-IBM Corporation
Product-security_verify_directorySecurity Verify Directory
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-32524
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.1||CRITICAL
EPSS-0.85% / 73.97%
||
7 Day CHG~0.00%
Published-07 Jul, 2021 | 14:12
Updated-17 Sep, 2024 | 04:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QSAN Storage Manager - Command Injection-3

Command injection vulnerability in QSAN Storage Manager allows remote privileged users to execute arbitrary commands. Suggest contacting with QSAN and refer to recommendations in QSAN Document.

Action-Not Available
Vendor-qsanQSAN
Product-storage_managerStorage Manager
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-45765
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9.1||CRITICAL
EPSS-0.44% / 62.47%
||
7 Day CHG+0.04%
Published-08 Nov, 2024 | 15:59
Updated-13 Nov, 2024 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. This is a critical severity vulnerability as it allows high privilege OS commands to be executed with a less privileged role; so Dell recommends customers to upgrade at the earliest opportunity.

Action-Not Available
Vendor-Dell Inc.
Product-enterprise_sonic_distributionEnterprise SONiC OSenterprise_sonic_os
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-42167
Matching Score-4
Assigner-CyberDanube
ShareView Details
Matching Score-4
Assigner-CyberDanube
CVSS Score-9.1||CRITICAL
EPSS-0.81% / 73.33%
||
7 Day CHG~0.00%
Published-12 Aug, 2024 | 11:38
Updated-29 Aug, 2024 | 15:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command Injection in Organisationname

The function "generate_app_certificates" in controllers/saml2/saml2.js of FIWARE Keyrock <= 8.4 does not neutralize special elements used in an OS Command properly. This allows an authenticated user with permissions to create applications to execute commands by creating an application with a malicious organisationname.

Action-Not Available
Vendor-fiwareFIWAREfiware
Product-keyrockFIWARE Keyrockkeyrock
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-4006
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-9.1||CRITICAL
EPSS-15.59% / 94.43%
||
7 Day CHG+1.08%
Published-23 Nov, 2020 | 21:22
Updated-30 Jul, 2025 | 01:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.

Action-Not Available
Vendor-n/aMicrosoft CorporationLinux Kernel Organization, IncVMware (Broadcom Inc.)
Product-linux_kernelone_accessvrealize_suite_lifecycle_manageridentity_managerwindowsidentity_manager_connectorcloud_foundationVMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation, vRealize Suite Lifecycle ManagerMultiple Products
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found