A vulnerability was found in D-Link DCS-932L 2.18.01. It has been rated as critical. Affected by this issue is the function setSystemWizard/setSystemControl of the file /setSystemWizard. The manipulation of the argument AdminID leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been declared as critical. Affected by this vulnerability is the function WPS of the file /goform/WPS. The manipulation of the argument PIN leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been declared as critical. This vulnerability affects the function ssid1MACFilter of the file /goform/ssid1MACFilter. The manipulation of the argument apselect_%d/newap_text_%d leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability in the web UI of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject arbitrary code and execute arbitrary commands at the underlying operating system level. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to inject and execute arbitrary commands at the underlying operating system level.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7900 before 1.0.4.38, R7900P before 1.4.2.84, R8000 before 1.0.4.68, R8000P before 1.4.2.84, RAX200 before 1.0.3.106, MR60 before 1.0.6.110, RAX45 before 1.0.2.72, RAX80 before 1.0.3.106, MS60 before 1.0.6.110, RAX50 before 1.0.2.72, RAX75 before 1.0.3.106, RBR750 before 3.2.16.6, RBR850 before 3.2.16.6, RBS750 before 3.2.16.6, RBS850 before 3.2.16.6, RBK752 before 3.2.16.6, and RBK852 before 3.2.16.6.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7900P before 1.4.2.84, R7960P before 1.4.2.84, and R8000P before 1.4.2.84.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.60, DM200 before 1.0.0.66, EX2700 before 1.0.1.56, EX6150v2 before 1.0.1.86, EX6200v2 before 1.0.1.86, EX6250 before 1.0.0.128, EX6400 before 1.0.2.144, EX6400v2 before 1.0.0.128, EX6410 before 1.0.0.128, EX6420 before 1.0.0.128, EX7300 before 1.0.2.144, EX7300v2 before 1.0.0.128, EX7320 before 1.0.0.128, R7500v2 before 1.0.3.46, R7800 before 1.0.2.74, R8900 before 1.0.5.26, R9000 before 1.0.5.2, RAX120 before 1.0.1.128, WN3000RPv2 before 1.0.0.78, WN3000RPv3 before 1.0.2.80, WNR2000v5 before 1.0.0.74, XR500 before 2.3.2.66, RBK20 before 2.7.3.22, RBR20 before 2.7.3.22, RBS20 before 2.7.3.22, RBK40 before 2.7.3.22, RBR40 before 2.7.3.22, and RBS40 before 2.7.3.22.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects AC2100 before 1.2.0.88, AC2400 before 1.2.0.88, AC2600 before 1.2.0.88, D7000 before 1.0.1.82, R6220 before 1.1.0.110, R6230 before 1.1.0.110, R6260 before 1.1.0.84, R6330 before 1.1.0.84, R6350 before 1.1.0.84, R6700v2 before 1.2.0.88, R6800 before 1.2.0.88, R6850 before 1.1.0.84, R6900v2 before 1.2.0.88, R7200 before 1.2.0.88, R7350 before 1.2.0.88, R7400 before 1.2.0.88, and R7450 before 1.2.0.88.
A vulnerability was found in Tenda AC18 15.03.05.05. It has been declared as critical. This vulnerability affects the function formSetIptv of the file /goform/SetIPTVCfg. The manipulation of the argument list leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability classified as critical has been found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function NTP of the file /goform/NTP. The manipulation of the argument manual_year_select/manual_month_select/manual_day_select/manual_hour_select/manual_min_select/manual_sec_select leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects LBR20 before 2.6.3.50, RBS50Y before 2.7.3.22, RBR10 before 2.7.3.22, RBR20 before 2.7.3.22, RBR40 before 2.7.3.22, RBR50 before 2.7.3.22, RBS10 before 2.7.3.22, RBS20 before 2.7.3.22, RBS40 before 2.7.3.22, RBS50 before 2.7.3.22, RBK12 before 2.7.3.22, RBK20 before 2.7.3.22, RBK40 before 2.7.3.22, and RBK50 before 2.7.3.22.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects GS108Tv2 before 5.4.2.36, GS110TPP before 7.0.7.2, GS110TPv2 before 5.4.2.36., GS110TPv3 before 7.0.7.2, GS308T before 1.0.3.2, GS310TP before 1.0.3.2, GS724TPP before 2.0.6.3, GS724TPv2 before 2.0.6.3, GS728TPPv2 before 6.0.8.2, GS728TPv2 before 6.0.8.2, GS752TPP before 6.0.8.2, GS752TPv2 before 6.0.8.2, MS510TXM before 1.0.4.2, and MS510TXUP before 1.0.4.2.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects GC108P before 1.0.8.2, GC108PP before 1.0.8.2, GS108Tv3 before 7.0.7.2, GS110TPv3 before 7.0.7.2, GS110TPP before 7.0.7.2, GS110TUP before 1.0.5.3, GS710TUP before 1.0.5.3, GS308T before 1.0.3.2, GS310TP before 1.0.3.2, GS710TUP before 1.0.5.3, GS716TP before 1.0.4.2, GS716TPP before 1.0.4.2, GS724TPP before 2.0.6.3, GS724TPv2 before 2.0.6.3, GS724TPP before 2.0.6.3, GS728TPPv2 before 6.0.8.2, GS728TPv2 before 6.0.8.2, GS752TPv2 before 6.0.8.2, GS752TPP before 6.0.8.2, GS750E before 1.0.1.10, MS510TXM before 1.0.4.2, and MS510TXUP before 1.0.4.2.
The snaptPowered2 component of Snapt Aria v12.8 was discovered to contain a command injection vulnerability. This vulnerability allows authenticated attackers to execute arbitrary commands.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D6200 before 1.1.00.40, D7000 before 1.0.1.78, R6020 before 1.0.0.42, R6080 before 1.0.0.42, R6050 before 1.0.1.26, JR6150 before 1.0.1.26, R6120 before 1.0.0.66, R6220 before 1.1.0.110, R6230 before 1.1.0.110, R6260 before 1.1.0.64, R6800 before 1.2.0.62, R6700v2 before 1.2.0.62, R6900v2 before 1.2.0.62, R7450 before 1.2.0.62, AC2100 before 1.2.0.62, AC2400 before 1.2.0.62, AC2600 before 1.2.0.62, and WNR2020 before 1.1.0.62.
A vulnerability has been found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001 and classified as critical. Affected by this vulnerability is the function RP_UpgradeFWByBBS of the file /goform/RP_UpgradeFWByBBS. The manipulation of the argument type/ch/ssidhex/security/extch/pwd/mode/ip/nm/gw leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects CBR750 before 4.6.3.6, RBK752 before 3.2.17.12, RBR750 before 3.2.17.12, RBS750 before 3.2.17.12, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects CBR750 before 4.6.3.6, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7850 before 1.0.5.74, R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 1.0.4.74, R8000P before 1.4.2.84, RAX200 before 1.0.4.120, RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.58, R7500v2 before 1.0.3.48, R7800 before 1.0.2.68, R8900 before 1.0.5.2, R9000 before 1.0.5.2, RAX120 before 1.0.1.108, and XR700 before 1.0.1.20.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7000 before 1.0.11.126, R6900P before 1.3.2.126, and R7000P before 1.3.2.126.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.
A vulnerability has been found in TOTOLINK X2000R 1.0.0-B20230726.1108 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formWsc. The manipulation of the argument peerRptPin leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects CBR40 before 2.5.0.24, CBR750 before 4.6.3.6, RBR850 before 3.2.17.12, RBS850 before 3.2.17.12, and RBS850 before 3.2.17.12.
Command Injection vulnerability in the web interface in McAfee Advanced Threat Defense (ATD) 3.10, 3.8, 3.6, 3.4 allows remote authenticated users to execute a command of their choice via a crafted HTTP request parameter.
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R7850 before 1.0.5.74, R7900P before 1.4.2.84, R7960P before 1.4.2.84, R8000 before 1.0.4.74, R8000P before 1.4.2.84, RAX200 before 1.0.4.120, RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK752 before 3.2.17.12, RBK852 before 3.2.17.12, RBR750 before 3.2.17.12, RBR850 before 3.2.17.12, RBS750 before 3.2.17.12, and RBS850 before 3.2.17.12.
A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.
A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been classified as critical. This affects the function RP_checkCredentialsByBBS of the file /goform/RP_checkCredentialsByBBS. The manipulation of the argument pwd leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
A vulnerability was found in D-Link DAR-8000-10 up to 20230809. It has been classified as critical. This affects an unknown part of the file /app/sys1.php. The manipulation of the argument cmd with the input id leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-238047. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability, which was classified as critical, has been found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This issue affects the function RP_pingGatewayByBBS of the file /goform/RP_pingGatewayByBBS. The manipulation of the argument ip/nm/gw leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. It has been rated as critical. Affected by this issue is the function verifyFacebookLike of the file /goform/verifyFacebookLike. The manipulation of the argument uid/accessToken leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during account creation resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.
In the web management interface in Foscam C1 Indoor HD Camera running application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resulting in command execution. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in mail sending and receiving component in Synology Mail Station before 20211105-10315 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
A vulnerability, which was classified as critical, has been found in TOTOLINK X2000R 1.0.0-B20230726.1108. Affected by this issue is some unknown functionality of the file /boafrm/formMapDel. The manipulation of the argument devicemac1 leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 5.0.0.1986 build 20220324 and later
A vulnerability classified as critical was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function setDeviceURL of the file /goform/setDeviceURL. The manipulation of the argument DeviceURL leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resulting in command execution. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during the SMTP configuration tests resulting in command execution
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary characters in the pureftpd.passwd file during a username change, which in turn allows for bypassing chroot restrictions in the FTP server. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function.
Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability. The web administration contains functionality in which administrators are able to manage users. The edit users form contains a parameter vulnerable to command injection due to insufficient validation.
Gerapy is a distributed crawler management framework. Gerapy prior to version 0.9.8 is vulnerable to remote code execution, and this issue is patched in version 0.9.8.
In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file_name in the export functionality. For example, a new admin user could be created.
A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the doSwitchApi function in /cgi-bin/luci/api/switch.