Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-42029

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-27 Jul, 2024 | 00:00
Updated At-02 Aug, 2024 | 04:54
Rejected At-
Credits

xdg-desktop-portal-hyprland (aka an XDG Desktop Portal backend for Hyprland) before 1.3.3 allows OS command execution, e.g., because single quotes are not used when sending a list of app IDs and titles via the environment.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:27 Jul, 2024 | 00:00
Updated At:02 Aug, 2024 | 04:54
Rejected At:
▼CVE Numbering Authority (CNA)

xdg-desktop-portal-hyprland (aka an XDG Desktop Portal backend for Hyprland) before 1.3.3 allows OS command execution, e.g., because single quotes are not used when sending a list of app IDs and titles via the environment.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/hyprwm/xdg-desktop-portal-hyprland/issues/242
N/A
https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd
N/A
https://github.com/hyprwm/xdg-desktop-portal-hyprland/releases/tag/v1.3.3
N/A
Hyperlink: https://github.com/hyprwm/xdg-desktop-portal-hyprland/issues/242
Resource: N/A
Hyperlink: https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd
Resource: N/A
Hyperlink: https://github.com/hyprwm/xdg-desktop-portal-hyprland/releases/tag/v1.3.3
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
xdg
Product
desktop_portal_hyperland
CPEs
  • cpe:2.3:a:xdg:desktop_portal_hyperland:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 1.3.3 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-78CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Type: CWE
CWE ID: CWE-78
Description: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
3.16.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/hyprwm/xdg-desktop-portal-hyprland/issues/242
x_transferred
https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd
x_transferred
https://github.com/hyprwm/xdg-desktop-portal-hyprland/releases/tag/v1.3.3
x_transferred
Hyperlink: https://github.com/hyprwm/xdg-desktop-portal-hyprland/issues/242
Resource:
x_transferred
Hyperlink: https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd
Resource:
x_transferred
Hyperlink: https://github.com/hyprwm/xdg-desktop-portal-hyprland/releases/tag/v1.3.3
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:27 Jul, 2024 | 04:15
Updated At:01 Aug, 2024 | 13:59

xdg-desktop-portal-hyprland (aka an XDG Desktop Portal backend for Hyprland) before 1.3.3 allows OS command execution, e.g., because single quotes are not used when sending a list of app IDs and titles via the environment.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Type: Secondary
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-78Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-78
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cdcve@mitre.org
N/A
https://github.com/hyprwm/xdg-desktop-portal-hyprland/issues/242cve@mitre.org
N/A
https://github.com/hyprwm/xdg-desktop-portal-hyprland/releases/tag/v1.3.3cve@mitre.org
N/A
Hyperlink: https://github.com/hyprwm/xdg-desktop-portal-hyprland/commit/0bb709491baffd69f4f861802f00cf60c77cc2cd
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://github.com/hyprwm/xdg-desktop-portal-hyprland/issues/242
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://github.com/hyprwm/xdg-desktop-portal-hyprland/releases/tag/v1.3.3
Source: cve@mitre.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

152Records found
CVE-2024-9004
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.47% / 80.17%
||
7 Day CHG~0.00%
Published-19 Sep, 2024 | 21:00
Updated-23 Sep, 2024 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DAR-7000 Backup_Server_commit.php os command injection

A vulnerability classified as critical has been found in D-Link DAR-7000 up to 20240912. Affected is an unknown function of the file /view/DBManage/Backup_Server_commit.php. The manipulation of the argument host leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-D-Link Corporation
Product-dar-7000_firmwaredar-7000DAR-7000dar-7000
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8574
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-6.28% / 90.55%
||
7 Day CHG~0.00%
Published-08 Sep, 2024 | 11:00
Updated-10 Sep, 2024 | 14:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK AC1200 T8 cstecgi.cgi setParentalRules os command injection

A vulnerability has been found in TOTOLINK AC1200 T8 4.1.5cu.861_B20230220 and classified as critical. This vulnerability affects the function setParentalRules of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument slaveIpList leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-t8t8_firmwareAC1200 T8ac1200_t8_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-9001
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.68% / 81.44%
||
7 Day CHG~0.00%
Published-19 Sep, 2024 | 20:00
Updated-24 Sep, 2024 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK T10 cstecgi.cgi setTracerouteCfg os command injection

A vulnerability was found in TOTOLINK T10 4.1.8cu.5207. It has been declared as critical. This vulnerability affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument command leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-t10_firmwaret10T10t10
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8129
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.17% / 77.79%
||
7 Day CHG~0.00%
Published-24 Aug, 2024 | 15:31
Updated-27 Aug, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 HTTP POST Request s3.cgi cgi_s3_modify command injection

A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_s3_modify of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_job_name leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-327ldns-320lw_firmwaredns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-726-4_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8134
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.17% / 77.79%
||
7 Day CHG~0.00%
Published-24 Aug, 2024 | 20:00
Updated-27 Aug, 2024 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 HTTP POST Request hd_config.cgi cgi_FMT_Std2R5_1st_DiskMGR command injection

A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been rated as critical. This issue affects the function cgi_FMT_Std2R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-327ldns-320lw_firmwaredns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-726-4_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-23348
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-6.3||MEDIUM
EPSS-1.08% / 76.96%
||
7 Day CHG~0.00%
Published-31 Mar, 2021 | 14:25
Updated-16 Sep, 2024 | 20:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary Command Injection

This affects the package portprocesses before 1.0.5. If (attacker-controlled) user input is given to the killProcess function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

Action-Not Available
Vendor-portprocesses_projectn/a
Product-portprocessesportprocesses
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8131
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.53% / 66.33%
||
7 Day CHG~0.00%
Published-24 Aug, 2024 | 17:31
Updated-27 Aug, 2024 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 HTTP POST Request apkg_mgr.cgi module_enable_disable command injection

A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this issue is the function module_enable_disable of the file /cgi-bin/apkg_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_module_name leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-327ldns-320lw_firmwaredns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-726-4_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-7580
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-4.15% / 88.20%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 14:31
Updated-22 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Alien Technology ALR-F800 system.html os command injection

A vulnerability was found in Alien Technology ALR-F800 up to 19.10.24.00. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/system.html. The manipulation of the argument uploadedFile with the input ;whoami leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Alien Technology, LLC.
Product-alr-f800alr-f800_firmwareALR-F800alr-f800_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8214
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.23% / 78.37%
||
7 Day CHG~0.00%
Published-27 Aug, 2024 | 20:00
Updated-29 Aug, 2024 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 hd_config.cgi cgi_FMT_Std2R5_2nd_DiskMGR command injection

A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected by this vulnerability is the function cgi_FMT_Std2R5_2nd_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-320lw_firmwaredns-327ldns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-726-4_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8210
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.60% / 68.45%
||
7 Day CHG~0.00%
Published-27 Aug, 2024 | 18:31
Updated-29 Aug, 2024 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 hd_config.cgi sprintf command injection

A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function sprintf of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_mount leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-320lw_firmwaredns-327ldns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-726-4_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8213
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.25% / 78.50%
||
7 Day CHG~0.00%
Published-27 Aug, 2024 | 19:31
Updated-29 Aug, 2024 | 15:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 hd_config.cgi cgi_FMT_R12R5_1st_DiskMGR command injection

A vulnerability classified as critical has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. Affected is the function cgi_FMT_R12R5_1st_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_source_dev leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-320lw_firmwaredns-327ldns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-726-4_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8133
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.17% / 77.79%
||
7 Day CHG~0.00%
Published-24 Aug, 2024 | 19:00
Updated-27 Aug, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 HTTP POST Request hd_config.cgi cgi_FMT_R5_SpareDsk_DiskMGR command injection

A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_R5_SpareDsk_DiskMGR of the file /cgi-bin/hd_config.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_source_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-327ldns-320lw_firmwaredns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-726-4_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-7470
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-2.54% / 84.87%
||
7 Day CHG~0.00%
Published-05 Aug, 2024 | 04:00
Updated-06 Aug, 2024 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Raisecom MSG1200/MSG2100E/MSG2200/MSG2300 Web Interface vpn_template_style.php sslvpn_config_mod os command injection

A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. It has been rated as critical. This issue affects the function sslvpn_config_mod of the file /vpn/vpn_template_style.php of the component Web Interface. The manipulation of the argument template/stylenum leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273563. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-raisecomRaisecom
Product-msg1200_firmwaremsg2200msg1200msg2100emsg2300msg2100e_firmwaremsg2300_firmwaremsg2200_firmwareMSG1200MSG2100EMSG2200MSG2300
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8211
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.59% / 68.25%
||
7 Day CHG~0.00%
Published-27 Aug, 2024 | 19:00
Updated-29 Aug, 2024 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 hd_config.cgi cgi_FMT_Std2R1_DiskMGR command injection

A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_Std2R1_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_newly_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-320lw_firmwaredns-327ldns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-726-4_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-23363
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-6.3||MEDIUM
EPSS-1.00% / 76.05%
||
7 Day CHG~0.00%
Published-30 Mar, 2021 | 15:00
Updated-17 Sep, 2024 | 01:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary Command Injection

This affects the package kill-by-port before 0.0.2. If (attacker-controlled) user input is given to the killByPort function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

Action-Not Available
Vendor-kill-by-port_projectn/a
Product-kill-by-portkill-by-port
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8075
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.91% / 82.53%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 19:31
Updated-13 Dec, 2024 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK AC1200 T8 setDiagnosisCfg os command injection

A vulnerability has been found in TOTOLINK AC1200 T8 4.1.5cu.862_B20230228 and classified as critical. Affected by this vulnerability is the function setDiagnosisCfg. The manipulation leads to os command injection. The attack can be launched remotely. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-t8t8_firmwareAC1200 T8
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8077
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-7.30% / 91.29%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 20:00
Updated-13 Dec, 2024 | 14:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK AC1200 T8 setTracerouteCfg os command injection

A vulnerability was found in TOTOLINK AC1200 T8 4.1.5cu.862_B20230228. It has been classified as critical. This affects the function setTracerouteCfg. The manipulation leads to os command injection. It is possible to initiate the attack remotely. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-t8t8_firmwareAC1200 T8ac1200_t8
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8130
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.17% / 77.79%
||
7 Day CHG~0.00%
Published-24 Aug, 2024 | 16:31
Updated-27 Aug, 2024 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 HTTP POST Request s3.cgi cgi_s3 command injection

A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814 and classified as critical. Affected by this vulnerability is the function cgi_s3 of the file /cgi-bin/s3.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_a_key leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-327ldns-320lw_firmwaredns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-340ldnr-202ldns-1550-04dns-327ldns-320lwdns-320ldns-323dns-1200-05dns-325dns-120dns-343dns-1100-4dns-320dnr-326dns-726-4dns-345dns-315ldnr-322ldns-326dns-321
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-7467
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-2.66% / 85.21%
||
7 Day CHG~0.00%
Published-05 Aug, 2024 | 02:31
Updated-06 Aug, 2024 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Raisecom MSG1200/MSG2100E/MSG2200/MSG2300 Web Interface list_ip_network.php sslvpn_config_mod os command injection

A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90 and classified as critical. Affected by this issue is the function sslvpn_config_mod of the file /vpn/list_ip_network.php of the component Web Interface. The manipulation of the argument template/stylenum leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-273560. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-raisecomRaisecom
Product-msg1200_firmwaremsg2200msg1200msg2100emsg2300msg2100e_firmwaremsg2300_firmwaremsg2200_firmwareMSG1200MSG2100EMSG2200MSG2300
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8127
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.96% / 82.75%
||
7 Day CHG~0.00%
Published-24 Aug, 2024 | 09:31
Updated-27 Aug, 2024 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 HTTP POST Request webfile_mgr.cgi cgi_unzip command injection

A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This vulnerability affects the function cgi_unzip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-327ldns-320lw_firmwaredns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-343_firmwarednr-202l_firmwaredns-320lw_firmwaredns-323_firmwaredns-320_firmwaredns-315l_firmwaredns-321_firmwaredns-320l_firmwarednr-322l_firmwaredns-325_firmwaredns-120_firmwaredns-326_firmwaredns-1550-04_firmwaredns-1200-05_firmwaredns-340l_firmwaredns-726-4_firmwaredns-345_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-7469
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-3.21% / 86.54%
||
7 Day CHG~0.00%
Published-05 Aug, 2024 | 03:31
Updated-06 Aug, 2024 | 17:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Raisecom MSG1200/MSG2100E/MSG2200/MSG2300 Web Interface list_vpn_web_custom.php sslvpn_config_mod os command injection

A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. It has been declared as critical. This vulnerability affects the function sslvpn_config_mod of the file /vpn/list_vpn_web_custom.php of the component Web Interface. The manipulation of the argument template/stylenum leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-273562 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-raisecomRaisecom
Product-msg1200_firmwaremsg2200msg1200msg2100emsg2300msg2100e_firmwaremsg2300_firmwaremsg2200_firmwareMSG1200MSG2100EMSG2200MSG2300
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-7357
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.52% / 80.55%
||
7 Day CHG~0.00%
Published-01 Aug, 2024 | 13:00
Updated-16 Jul, 2025 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DIR-600 soap.cgi soapcgi_main os command injection

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-600 up to 2.18. It has been rated as critical. This issue affects the function soapcgi_main of the file /soap.cgi. The manipulation of the argument service leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273329 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dir-600dir-600_firmwareDIR-600dir-600
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-7579
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-4.15% / 88.20%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 14:00
Updated-28 Aug, 2024 | 18:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Alien Technology ALR-F800 File Name upgrade.cgi popen os command injection

A vulnerability was found in Alien Technology ALR-F800 up to 19.10.24.00. It has been declared as critical. Affected by this vulnerability is the function popen of the file /var/www/cgi-bin/upgrade.cgi of the component File Name Handler. The manipulation of the argument uploadedFile leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Alien Technology, LLC.
Product-alr-f800alr-f800_firmwareALR-F800alr-f800
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8128
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-2.11% / 83.41%
||
7 Day CHG~0.00%
Published-24 Aug, 2024 | 11:31
Updated-27 Aug, 2024 | 15:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 HTTP POST Request webfile_mgr.cgi cgi_add_zip command injection

A vulnerability, which was classified as critical, has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. This issue affects the function cgi_add_zip of the file /cgi-bin/webfile_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument path leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-327ldns-320lw_firmwaredns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-726-4_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-7468
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-2.54% / 84.87%
||
7 Day CHG~0.00%
Published-05 Aug, 2024 | 03:00
Updated-06 Aug, 2024 | 17:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Raisecom MSG1200/MSG2100E/MSG2200/MSG2300 Web Interface list_service_manage.php sslvpn_config_mod os command injection

A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. It has been classified as critical. This affects the function sslvpn_config_mod of the file /vpn/list_service_manage.php of the component Web Interface. The manipulation of the argument template/stylenum leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273561 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-raisecomRaisecomraisecom
Product-msg1200_firmwaremsg2200msg1200msg2100emsg2300msg2100e_firmwaremsg2300_firmwaremsg2200_firmwareMSG1200MSG2100EMSG2200MSG2300msg1200_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-7175
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-7.54% / 91.44%
||
7 Day CHG~0.00%
Published-29 Jul, 2024 | 00:31
Updated-06 Aug, 2024 | 12:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK A3600R cstecgi.cgi setDiagnosisCfg os command injection

A vulnerability has been found in TOTOLINK A3600R 4.1.2cu.5182_B20201102 and classified as critical. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ipDoamin leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272596. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-a3600r_firmwarea3600rA3600Ra3600r_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-7120
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-92.42% / 99.72%
||
7 Day CHG~0.00%
Published-26 Jul, 2024 | 05:00
Updated-01 Aug, 2024 | 21:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Raisecom MSG1200/MSG2100E/MSG2200/MSG2300 Web Interface list_base_config.php os command injection

A vulnerability, which was classified as critical, was found in Raisecom MSG1200, MSG2100E, MSG2200 and MSG2300 3.90. This affects an unknown part of the file list_base_config.php of the component Web Interface. The manipulation of the argument template leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272451.

Action-Not Available
Vendor-Raisecomraisecom
Product-MSG1200MSG2100EMSG2200MSG2300msg2300_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-6186
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.78% / 72.76%
||
7 Day CHG~0.00%
Published-20 Jun, 2024 | 12:31
Updated-21 Aug, 2025 | 01:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ruijie RG-UAC commit.php os command injection

A vulnerability, which was classified as critical, was found in Ruijie RG-UAC 1.0. This affects an unknown part of the file /view/userAuthentication/SSO/commit.php. The manipulation of the argument ad_log_name leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-269157 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Ruijie Networks Co., Ltd.
Product-rg-uacrg-uac_firmwareRG-UAC
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-6187
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-1.43% / 79.84%
||
7 Day CHG~0.00%
Published-20 Jun, 2024 | 13:00
Updated-21 Aug, 2025 | 00:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ruijie RG-UAC sub_commit.php os command injection

A vulnerability has been found in Ruijie RG-UAC 1.0 and classified as critical. This vulnerability affects unknown code of the file /view/vpn/autovpn/sub_commit.php. The manipulation of the argument key leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-269158 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Ruijie Networks Co., Ltd.
Product-rg-uacrg-uac_firmwareRG-UACrg-uac
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-6184
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.51% / 65.46%
||
7 Day CHG~0.00%
Published-20 Jun, 2024 | 11:31
Updated-21 Aug, 2025 | 01:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ruijie RG-UAC reboot_commit.php os command injection

A vulnerability classified as critical was found in Ruijie RG-UAC 1.0. Affected by this vulnerability is an unknown functionality of the file /view/systemConfig/reboot/reboot_commit.php. The manipulation of the argument servicename leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269155. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Ruijie Networks Co., Ltd.
Product-rg-uacrg-uac_firmwareRG-UACrg-uac
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-4965
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-2.28% / 84.05%
||
7 Day CHG~0.00%
Published-16 May, 2024 | 07:31
Updated-15 Jul, 2025 | 16:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DAR-7000-40 resmanage.php os command injection

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DAR-7000-40 V31R02B1413C and classified as critical. This issue affects some unknown processing of the file /useratte/resmanage.php. The manipulation of the argument load leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264533 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dar-7000_firmwaredar-7000DAR-7000-40
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-4814
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-2.45% / 84.58%
||
7 Day CHG~0.00%
Published-13 May, 2024 | 10:00
Updated-21 Aug, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ruijie RG-UAC static_route_edit_commit.php os command injection

A vulnerability classified as critical was found in Ruijie RG-UAC up to 20240506. Affected by this vulnerability is an unknown functionality of the file /view/networkConfig/RouteConfig/StaticRoute/static_route_edit_commit.php. The manipulation of the argument oldipmask/oldgateway leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263935. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Ruijie Networks Co., Ltd.
Product-rg-uac_6000-x100_firmwarerg-uac_6000-e50mrg-uac_6000-sirg-uac_6000-ei_firmwarerg-uac_6000-isg02_firmwarerg-uac_6000-e10crg-uac_6000-x300d_firmwarerg-uac_6000-e50_firmwarerg-uac_6000-x20m_firmwarerg-uac_6000-e10rg-uac_6000-isg40rg-uac_6000-cc_firmwarerg-uac_6000-x20mrg-uac_6000-xs_firmwarerg-uac_6000-isg10rg-uac_6000-xsrg-uac_6000-earg-uac_6000-e50rg-uac_6000-x100srg-uac_6000-x60rg-uac_6000-u3210_firmwarerg-uac_6000-x60_firmwarerg-uac_6000-isg40_firmwarerg-uac_6000-e10c_firmwarerg-uac_6000-isg02rg-uac_6000-ea_firmwarerg-uac_6000-x100s_firmwarerg-uac_6000-u3210rg-uac_6000-x200rg-uac_6000-isg200rg-uac_6000-e50c_firmwarerg-uac_6000-e50crg-uac_6000-x20me_firmwarerg-uac_6000-e50m_firmwarerg-uac_6000-si_firmwarerg-uac_6000-u3100rg-uac_6000-e20mrg-uac_6000-u3100_firmwarerg-uac_6000-x20merg-uac_6000-e20m_firmwarerg-uac_6000-isg200_firmwarerg-uac_6000-x200_firmwarerg-uac_6000-e20rg-uac_6000-x100rg-uac_6000-e10_firmwarerg-uac_6000-e20crg-uac_6000-x20rg-uac_6000-x300drg-uac_6000-isg10_firmwarerg-uac_6000-x20_firmwarerg-uac_6000-ccrg-uac_6000-e20_firmwarerg-uac_6000-e20c_firmwarerg-uac_6000-eiRG-UACrg-uac
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-4815
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-2.45% / 84.58%
||
7 Day CHG~0.00%
Published-13 May, 2024 | 10:31
Updated-21 Aug, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ruijie RG-UAC detail.php os command injection

A vulnerability, which was classified as critical, has been found in Ruijie RG-UAC up to 20240506. Affected by this issue is some unknown functionality of the file /view/bugSolve/viewData/detail.php. The manipulation of the argument filename leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263936. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Ruijie Networks Co., Ltd.
Product-rg-uac_6000-x100_firmwarerg-uac_6000-e50mrg-uac_6000-sirg-uac_6000-ei_firmwarerg-uac_6000-isg02_firmwarerg-uac_6000-e10crg-uac_6000-x300d_firmwarerg-uac_6000-e50_firmwarerg-uac_6000-x20m_firmwarerg-uac_6000-e10rg-uac_6000-isg40rg-uac_6000-cc_firmwarerg-uac_6000-x20mrg-uac_6000-xs_firmwarerg-uac_6000-isg10rg-uac_6000-xsrg-uac_6000-earg-uac_6000-e50rg-uac_6000-x100srg-uac_6000-x60rg-uac_6000-u3210_firmwarerg-uac_6000-x60_firmwarerg-uac_6000-isg40_firmwarerg-uac_6000-e10c_firmwarerg-uac_6000-isg02rg-uac_6000-ea_firmwarerg-uac_6000-x100s_firmwarerg-uac_6000-u3210rg-uac_6000-x200rg-uac_6000-isg200rg-uac_6000-e50c_firmwarerg-uac_6000-e50crg-uac_6000-x20me_firmwarerg-uac_6000-e50m_firmwarerg-uac_6000-si_firmwarerg-uac_6000-u3100rg-uac_6000-e20mrg-uac_6000-u3100_firmwarerg-uac_6000-x20merg-uac_6000-e20m_firmwarerg-uac_6000-isg200_firmwarerg-uac_6000-x200_firmwarerg-uac_6000-e20rg-uac_6000-x100rg-uac_6000-e10_firmwarerg-uac_6000-e20crg-uac_6000-x20rg-uac_6000-x300drg-uac_6000-isg10_firmwarerg-uac_6000-x20_firmwarerg-uac_6000-ccrg-uac_6000-e20_firmwarerg-uac_6000-e20c_firmwarerg-uac_6000-eiRG-UAC
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-3880
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-1.58% / 80.84%
||
7 Day CHG+0.31%
Published-16 Apr, 2024 | 19:00
Updated-27 Jan, 2025 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda W30E WriteFacMac formWriteFacMac os command injection

A vulnerability has been found in Tenda W30E 1.0.1.25(633) and classified as critical. This vulnerability affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-260914 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-w30ew30e_firmwareW30Ew30e
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-3721
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-64.49% / 98.38%
||
7 Day CHG~0.00%
Published-13 Apr, 2024 | 12:00
Updated-01 Aug, 2024 | 20:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TBK DVR-4104/DVR-4216 os command injection

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260573 was assigned to this vulnerability.

Action-Not Available
Vendor-TBKtbkvision
Product-DVR-4216DVR-4104tbk-dvr4104tbk-dvr4216
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-3739
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-1.12% / 77.37%
||
7 Day CHG~0.00%
Published-13 Apr, 2024 | 18:31
Updated-21 Aug, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
cym1102 nginxWebUI upload os command injection

A vulnerability classified as critical was found in cym1102 nginxWebUI up to 3.9.9. This vulnerability affects unknown code of the file /adminPage/main/upload. The manipulation of the argument file leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-260578 is the identifier assigned to this vulnerability.

Action-Not Available
Vendor-nginxWebUI (cym1102)
Product-nginxwebuinginxWebUInginxwebui
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-3346
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.67% / 70.34%
||
7 Day CHG~0.00%
Published-05 Apr, 2024 | 15:31
Updated-01 Aug, 2024 | 20:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Byzoro Smart S80 webmailattach.php os command injection

A vulnerability was found in Byzoro Smart S80 up to 20240328. It has been declared as critical. This vulnerability affects unknown code of the file /log/webmailattach.php. The manipulation of the argument mail_file_path leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259450 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Byzorobyzoro
Product-Smart S80smart_s80
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-2910
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-2.84% / 85.70%
||
7 Day CHG~0.00%
Published-26 Mar, 2024 | 21:00
Updated-01 Aug, 2024 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ruijie RG-EG350 HTTP POST Request vpnAction os command injection

A vulnerability, which was classified as critical, has been found in Ruijie RG-EG350 up to 20240318. Affected by this issue is the function vpnAction of the file /itbox_pi/vpn_quickset_service.php?a=set_vpn of the component HTTP POST Request Handler. The manipulation of the argument ip/port/user/pass/dns/startIp leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-257978 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Ruijie Networks Co., Ltd.
Product-RG-EG350
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-2897
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-5.91% / 90.26%
||
7 Day CHG~0.00%
Published-26 Mar, 2024 | 18:31
Updated-22 Jan, 2025 | 17:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda AC7 WriteFacMac formWriteFacMac os command injection

A vulnerability classified as critical has been found in Tenda AC7 15.03.06.44. Affected is the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257940. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-ac7ac7_firmwareAC7
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-2853
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-1.90% / 82.50%
||
7 Day CHG~0.00%
Published-24 Mar, 2024 | 05:00
Updated-01 Aug, 2024 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda AC10U setsambacfg formSetSambaConf os command injection

A vulnerability was found in Tenda AC10U 15.03.06.48/15.03.06.49. It has been rated as critical. This issue affects the function formSetSambaConf of the file /goform/setsambacfg. The manipulation of the argument usbName leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-ac10uac10u_firmwareAC10Uac10u_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-2854
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-2.07% / 83.20%
||
7 Day CHG~0.00%
Published-24 Mar, 2024 | 05:31
Updated-12 Aug, 2024 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda AC18 setsambacfg formSetSambaConf os command injection

A vulnerability classified as critical has been found in Tenda AC18 15.03.05.05. Affected is the function formSetSambaConf of the file /goform/setsambacfg. The manipulation of the argument usbName leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257778 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-ac18_firmwareac18AC18ac18_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-2851
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-1.90% / 82.50%
||
7 Day CHG~0.00%
Published-24 Mar, 2024 | 03:00
Updated-22 Aug, 2024 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda AC15 setsambacfg formSetSambaConf os command injection

A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi. It has been classified as critical. This affects the function formSetSambaConf of the file /goform/setsambacfg. The manipulation of the argument usbName leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257775. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-ac15_firmwareac15AC15ac15_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-2812
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-6.18% / 90.47%
||
7 Day CHG~0.00%
Published-22 Mar, 2024 | 06:31
Updated-01 Aug, 2024 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tenda AC15 WriteFacMac formWriteFacMac os command injection

A vulnerability was found in Tenda AC15 15.03.05.18/15.03.20_multi. It has been classified as critical. This affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257667. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Tenda Technology Co., Ltd.
Product-ac15_firmwareac15AC15
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-22132
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-7.4||HIGH
EPSS-0.31% / 53.29%
||
7 Day CHG~0.00%
Published-13 Feb, 2024 | 02:33
Updated-24 Apr, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code Injection vulnerability in SAP IDES Systems

SAP IDES ECC-systems contain code that permits the execution of arbitrary program code of user's choice.An attacker can therefore control the behaviour of the system by executing malicious code which can potentially escalate privileges with low impact on confidentiality, integrity and availability of the system.

Action-Not Available
Vendor-SAP SE
Product-ides_eccSAP IDES Systems
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-22033
Matching Score-4
Assigner-SUSE
ShareView Details
Matching Score-4
Assigner-SUSE
CVSS Score-5.1||MEDIUM
EPSS-1.29% / 78.81%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 13:42
Updated-16 Oct, 2024 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
obs-service-download_url is vulnerable to argument injection

The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps

Action-Not Available
Vendor-SUSE
Product-SUSE Package Hub 15 SP5openSUSE TumbleweedopenSUSE Leap 15.5openSUSE Leap 15.6SUSE Package Hub 15 SP6
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-8132
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-2.11% / 83.41%
||
7 Day CHG~0.00%
Published-24 Aug, 2024 | 18:00
Updated-27 Aug, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
D-Link DNS-1550-04 HTTP POST Request webdav_mgr.cgi webdav_mgr command injection

A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been classified as critical. This affects the function webdav_mgr of the file /cgi-bin/webdav_mgr.cgi of the component HTTP POST Request Handler. The manipulation of the argument f_path leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.

Action-Not Available
Vendor-D-Link Corporation
Product-dns-340ldnr-202ldns-327ldns-320lw_firmwaredns-1200-05dns-321_firmwaredns-325dns-120dns-343dns-320l_firmwaredns-320dnr-326dns-726-4dns-326_firmwaredns-120_firmwaredns-315ldnr-322ldns-326dns-1200-05_firmwaredns-1100-4_firmwarednr-326_firmwaredns-343_firmwaredns-345_firmwarednr-202l_firmwaredns-1550-04dns-323_firmwaredns-320_firmwaredns-320lwdns-315l_firmwaredns-320ldns-323dns-1100-4dnr-322l_firmwaredns-325_firmwaredns-345dns-1550-04_firmwaredns-726-4_firmwaredns-340l_firmwaredns-321dns-327l_firmwareDNS-326DNR-326DNS-327LDNS-120DNR-202LDNS-321DNS-323DNS-340LDNS-320LWDNR-322LDNS-320LDNS-345DNS-1550-04DNS-1200-05DNS-325DNS-343DNS-315LDNS-726-4DNS-320DNS-1100-4dns-343_firmwarednr-202l_firmwaredns-320lw_firmwaredns-323_firmwaredns-320_firmwaredns-315l_firmwaredns-321_firmwaredns-320l_firmwarednr-322l_firmwaredns-325_firmwaredns-120_firmwaredns-326_firmwaredns-1550-04_firmwaredns-726-4_firmwaredns-1200-05_firmwaredns-340l_firmwaredns-1100-4_firmwarednr-326_firmwaredns-345_firmwaredns-327l_firmware
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-7171
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-7.54% / 91.44%
||
7 Day CHG~0.00%
Published-28 Jul, 2024 | 22:31
Updated-08 Aug, 2024 | 12:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TOTOLINK A3600R cstecgi.cgi NTPSyncWithHost os command injection

A vulnerability classified as critical has been found in TOTOLINK A3600R 4.1.2cu.5182_B20201102. Affected is the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument hostTime leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272592. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-TOTOLINK
Product-a3600r_firmwarea3600rA3600Ra3600r_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-6185
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.75% / 72.17%
||
7 Day CHG~0.00%
Published-20 Jun, 2024 | 12:00
Updated-20 Aug, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ruijie RG-UAC commit.php get_ip_addr_details os command injection

A vulnerability, which was classified as critical, has been found in Ruijie RG-UAC 1.0. Affected by this issue is the function get_ip_addr_details of the file /view/dhcp/dhcpConfig/commit.php. The manipulation of the argument ethname leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-269156. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Ruijie Networks Co., Ltd.
Product-rg-uac_firmwarerg-uacRG-UACrg_uac
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2022-3492
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-0.17% / 38.88%
||
7 Day CHG~0.00%
Published-13 Oct, 2022 | 00:00
Updated-03 Aug, 2024 | 01:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Human Resource Management System Profile Photo os command injection

A vulnerability classified as critical was found in SourceCodester Human Resource Management System 1.0. This vulnerability affects unknown code of the component Profile Photo Handler. The manipulation of the argument parameter leads to os command injection. The attack can be initiated remotely. The identifier of this vulnerability is VDB-210772.

Action-Not Available
Vendor-oretnom23SourceCodester
Product-human_resource_management_systemHuman Resource Management System
CWE ID-CWE-707
Improper Neutralization
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-4816
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-2.45% / 84.58%
||
7 Day CHG~0.00%
Published-13 May, 2024 | 12:31
Updated-21 Aug, 2025 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ruijie RG-UAC gre_add_commit.php os command injection

A vulnerability, which was classified as critical, was found in Ruijie RG-UAC up to 20240506. This affects an unknown part of the file /view/networkConfig/GRE/gre_add_commit.php. The manipulation of the argument name/remote/local/IP leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263937 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Ruijie Networks Co., Ltd.
Product-rg-uac_6000-x100_firmwarerg-uac_6000-e50mrg-uac_6000-sirg-uac_6000-ei_firmwarerg-uac_6000-isg02_firmwarerg-uac_6000-e10crg-uac_6000-x300d_firmwarerg-uac_6000-e50_firmwarerg-uac_6000-x20m_firmwarerg-uac_6000-e10rg-uac_6000-isg40rg-uac_6000-cc_firmwarerg-uac_6000-x20mrg-uac_6000-xs_firmwarerg-uac_6000-isg10rg-uac_6000-xsrg-uac_6000-earg-uac_6000-e50rg-uac_6000-x100srg-uac_6000-x60rg-uac_6000-u3210_firmwarerg-uac_6000-x60_firmwarerg-uac_6000-isg40_firmwarerg-uac_6000-e10c_firmwarerg-uac_6000-isg02rg-uac_6000-ea_firmwarerg-uac_6000-x100s_firmwarerg-uac_6000-u3210rg-uac_6000-x200rg-uac_6000-isg200rg-uac_6000-e50c_firmwarerg-uac_6000-e50crg-uac_6000-x20me_firmwarerg-uac_6000-e50m_firmwarerg-uac_6000-si_firmwarerg-uac_6000-u3100rg-uac_6000-e20mrg-uac_6000-u3100_firmwarerg-uac_6000-x20merg-uac_6000-e20m_firmwarerg-uac_6000-isg200_firmwarerg-uac_6000-x200_firmwarerg-uac_6000-e20rg-uac_6000-x100rg-uac_6000-e10_firmwarerg-uac_6000-e20crg-uac_6000-x20rg-uac_6000-x300drg-uac_6000-isg10_firmwarerg-uac_6000-x20_firmwarerg-uac_6000-ccrg-uac_6000-e20_firmwarerg-uac_6000-e20c_firmwarerg-uac_6000-eiRG-UACrg-uac
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found