The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 is vulnerable to authenticated command injection via crafted HTTP request sent by a remote, authenticated attacker to /GponForm/device_Form?script/.
The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 is vulnerable to command injection via crafted HTTP request sent by a remote, authenticated attacker to /GponForm/usb_restore_Form?script/.
Grandstream GWN7000 firmware version 1.0.9.4 and below allows authenticated remote users to modify the system's crontab via undocumented API. An attacker can use this functionality to execute arbitrary OS commands on the router.
The Alcatel Lucent I-240W-Q GPON ONT using firmware version 3FE54567BOZJ19 is vulnerable to a stack buffer overflow via crafted HTTP POST request sent by a remote, authenticated attacker to /GponForm/usb_Form?script/. An attacker can leverage this vulnerability to potentially execute arbitrary code.
Under certain conditions, Nessus Network Monitor could allow a low privileged user to escalate privileges to NT AUTHORITY\SYSTEM on Windows hosts by replacing a specially crafted file.
Vulnerability in Tenable Tenable.Io, Tenable Nessus, Tenable Security Center.This issue affects Tenable.Io: before Plugin Feed ID #202306261202 ; Nessus: before Plugin Feed ID #202306261202 ; Security Center: before Plugin Feed ID #202306261202 . This vulnerability could allow a malicious actor with sufficient permissions on a scan target to place a binary in a specific filesystem location, and abuse the impacted plugin in order to escalate privileges.
Command manipulation in LabKey Server Community Edition before 18.3.0-61806.763 allows an authenticated remote attacker to unmount any drive on the system leading to denial of service.
A DLL injection vulnerability exists where an authenticated, low-privileged local attacker could modify application files on the TIE Secure Relay host, which could allow for overriding of the configuration and running of new Secure Relay services.
A command injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Logging parameters, which could lead to the execution of arbitrary code on the Security Center host.
In the web management interface in Foscam C1 Indoor HD Camera running application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resulting in command execution. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary characters in the pureftpd.passwd file during a username change, which in turn allows for bypassing chroot restrictions in the FTP server. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resulting in command execution. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during account creation resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php.
lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter.
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the dns_query_name parameter in a dns_query.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also affected.
An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resulting in command execution. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
The /admin/admapi.php script of Invigo Automatic Device Management (ADM) through 5.0 allows remote authenticated attackers to execute arbitrary OS commands on the server as the user running the application.
An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during account creation resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
An authenticated command injection vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN gateways Command Line Interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user on the underlying operating system.
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during NTP server configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the date parameter in a system_time.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also affected.
An exploitable vulnerability exists in the /api/CONFIG/backup functionality of Circle with Disney. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.
Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m devices have Multiple Authenticated Command Injection vulnerabilities via the ping and traceroute diagnostic pages, as demonstrated by shell metacharacters in the pingIpAddress parameter to ping.cgi.
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
D-Link DIR-846W A1 FW100A43 was discovered to contain a remote command execution (RCE) vulnerability via the tomography_ping_address parameter in /HNAP1/ interface.
An issue was discovered on D-Link DIR-825 Rev.B 2.10 devices. They allow remote attackers to execute arbitrary commands via the wps_sta_enrollee_pin parameter in a set_sta_enrollee_pin.cgi POST request. TRENDnet TEW-632BRP 1.010B32 is also affected.
An exploitable vulnerability exists in the /api/CONFIG/restore functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request trigger this vulnerability.
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during the SMTP configuration tests resulting in command execution
jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated user (with certificate management privileges) via untrusted input to the DNS provider configuration. NOTE: this is not part of any NGINX software shipped by F5.
Vesta Control Panel (VestaCP) 0.9.7 through 0.9.8-23 is vulnerable to an authenticated command execution that can result in remote root access on the server. The platform works with PHP as the frontend language and uses shell scripts to execute system actions. PHP executes shell script through the dangerous command exec. This function can be dangerous if arguments passed to it are not filtered. Every user input in VestaCP that is used as an argument is filtered with the escapeshellarg function. This function comes from the PHP library directly and its description is as follows: "escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument." It means that if you give Username, it will have 'Username' as a replacement. This works well and protects users from exploiting this potentially dangerous exec function. Unfortunately, VestaCP uses this escapeshellarg function incorrectly in several places.
**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device via Telnet.
**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.
Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP Cameras with firmware version M2.1.6.05 has a command injection vulnerability in their implementation of their binaries and handling of network requests.
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetStaticRouteIPv6Settings API function, as demonstrated by shell metacharacters in the DestNetwork field.
Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.
A vulnerability has been found in Tenda W30E 1.0.1.25(633) and classified as critical. This vulnerability affects the function formWriteFacMac of the file /goform/WriteFacMac. The manipulation of the argument mac leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-260914 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
D-Link DIR-823X firmware - 240126 was discovered to contain a remote command execution (RCE) vulnerability via the dhcpd_startip parameter at /goform/set_lan_settings.
An improper neutralization of special elements used in an os command ('OS Command Injection') [CWE-78] in FortiWeb 7.0.0 through 7.0.1, 6.3.0 through 6.3.19, 6.4 all versions may allow an authenticated attacker to execute arbitrary shell code as `root` user via crafted HTTP requests.
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetWebFilterSettings API function, as demonstrated by shell metacharacters in the WebFilterURLs field.
Command injection vulnerability was discovered in Netgear R6200 v2 firmware through R6200v2-V1.0.3.12 via binary /sbin/acos_service that could allow remote authenticated attackers the ability to modify values in the vulnerable parameter.
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetQoSSettings API function, as demonstrated by shell metacharacters in the IPAddress field.
Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function.
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetSysEmailSettings API function, as demonstrated by shell metacharacters in the SMTPServerPort field.
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a Command Injection allowing a remote attacker to execute arbitrary code, and get a root shell. A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the twsystem function with untrusted input from the request body for the SetSysLogSettings API function, as demonstrated by shell metacharacters in the IPAddress field.
An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions.