Total
2943 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-45063 | 3 Fedoraproject, Invisible-island, Redhat | 3 Fedora, Xterm, Enterprise Linux | 2024-11-21 | 9.8 Critical |
| xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions. | ||||
| CVE-2022-43781 | 1 Atlassian | 1 Bitbucket | 2024-11-21 | 9.8 Critical |
| There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”. | ||||
| CVE-2022-41955 | 1 Autolabproject | 1 Autolab | 2024-11-21 | 8.8 High |
| Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A remote code execution vulnerability was discovered in Autolab's MOSS functionality, whereby an instructor with access to the feature might be able to execute code on the server hosting Autolab. This vulnerability has been patched in version 2.10.0. As a workaround, disable the MOSS feature if it is unneeded by replacing the body of `run_moss` in `app/controllers/courses_controller.rb` with `render(plain: "Feature disabled", status: :bad_request) && return`. | ||||
| CVE-2022-39987 | 1 Raspap | 1 Raspap | 2024-11-21 | 8.8 High |
| A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php. | ||||
| CVE-2022-39986 | 1 Raspap | 1 Raspap | 2024-11-21 | 9.8 Critical |
| A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. | ||||
| CVE-2022-37425 | 2 Linux, Opennebula | 2 Linux Kernel, Opennebula | 2024-11-21 | 9.9 Critical |
| Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in OpenNebula OpenNebula core on Linux allows Remote Code Inclusion. | ||||
| CVE-2022-37125 | 1 Dlink | 2 Dir-816, Dir-816 Firmware | 2024-11-21 | 9.8 Critical |
| D-link DIR-816 A2_v1.10CNB04.img is vulnerable to Command injection via /goform/NTPSyncWithHost. | ||||
| CVE-2022-36559 | 1 Seiko-sol | 2 Skybridge Mb-a200, Skybridge Mb-a200 Firmware | 2024-11-21 | 9.8 Critical |
| Seiko SkyBridge MB-A200 v01.00.04 and below was discovered to contain a command injection vulnerability via the Ping parameter at ping_exec.cgi. | ||||
| CVE-2022-36556 | 1 Seiko-sol | 4 Skybridge Mb-a100, Skybridge Mb-a100 Firmware, Skybridge Mb-a110 and 1 more | 2024-11-21 | 9.8 Critical |
| Seiko SkyBridge MB-A100/A110 v4.2.0 and below was discovered to contain a command injection vulnerability via the ipAddress parameter at 07system08execute_ping_01. | ||||
| CVE-2022-36554 | 1 Hytec | 2 Hwl-2511-ss, Hwl-2511-ss Firmware | 2024-11-21 | 9.8 Critical |
| A command injection vulnerability in the CLI (Command Line Interface) implementation of Hytec Inter HWL-2511-SS v1.05 and below allows attackers to execute arbitrary commands with root privileges. | ||||
| CVE-2022-36553 | 1 Hytec | 2 Hwl-2511-ss, Hwl-2511-ss Firmware | 2024-11-21 | 9.8 Critical |
| Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi. | ||||
| CVE-2022-36523 | 1 Dlink | 2 Go-rt-ac750, Go-rt-ac750 Firmware | 2024-11-21 | 9.8 Critical |
| D-Link Go-RT-AC750 GORTAC750_revA_v101b03 & GO-RT-AC750_revB_FWv200b02 is vulnerable to command injection via /htdocs/upnpinc/gena.php. | ||||
| CVE-2022-35503 | 2024-11-21 | 7.5 High | ||
| Improper verification of a user input in Open Source MANO v7-v12 allows an authenticated attacker to execute arbitrary code within the LCM module container via a Virtual Network Function (VNF) descriptor. An attacker may be able execute code to change the normal execution of the OSM components, retrieve confidential information, or gain access other parts of a Telco Operator infrastructure other than OSM itself. | ||||
| CVE-2022-34592 | 1 Wavlink | 2 Wl-wn575a3, Wl-wn575a3 Firmware | 2024-11-21 | 9.8 Critical |
| Wavlink WL-WN575A3 RPT75A3.V4300.201217 was discovered to contain a command injection vulnerability via the function obtw. This vulnerability allows attackers to execute arbitrary commands via a crafted POST request. | ||||
| CVE-2022-34383 | 1 Dell | 2 Edge Gateway 5200, Edge Gateway 5200 Firmware | 2024-11-21 | 8.1 High |
| Dell Edge Gateway 5200 (EGW) versions before 1.03.10 contain an operating system command injection vulnerability. A local malicious user may potentially exploit this vulnerability by using an SMI to bypass PMC mitigation and gain arbitrary code execution during SMM. | ||||
| CVE-2022-32449 | 1 Totolink | 2 Ex300 V2, Ex300 V2 Firmware | 2024-11-21 | 9.8 Critical |
| TOTOLINK EX300_V2 V4.0.3c.7484 was discovered to contain a command injection vulnerability via the langType parameter in the setLanguageCfg function. This vulnerability is exploitable via a crafted MQTT data packet. | ||||
| CVE-2022-32154 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-11-21 | 6.8 Medium |
| Dashboards in Splunk Enterprise versions before 9.0 might let an attacker inject risky search commands into a form token when the token is used in a query in a cross-origin request. The result bypasses SPL safeguards for risky commands. See New capabilities can limit access to some custom and potentially risky commands (https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards#New_capabilities_can_limit_access_to_some_custom_and_potentially_risky_commands) for more information. Note that the attack is browser-based and an attacker cannot exploit it at will. | ||||
| CVE-2022-31874 | 1 Asus | 2 Rt-n53, Rt-n53 Firmware | 2024-11-21 | 9.8 Critical |
| ASUS RT-N53 3.0.0.4.376.3754 has a command injection vulnerability in the SystemCmd parameter of the apply.cgi interface. | ||||
| CVE-2022-30321 | 2 Hashicorp, Redhat | 3 Go-getter, Openshift, Openstack | 2024-11-21 | 8.6 High |
| go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0. | ||||
| CVE-2022-2323 | 1 Sonicwall | 14 Sws12-10fpoe, Sws12-10fpoe Firmware, Sws12-8 and 11 more | 2024-11-21 | 8.8 High |
| Improper neutralization of special elements used in a user input allows an authenticated malicious user to perform remote code execution in the host system. This vulnerability impacts SonicWall Switch 1.1.1.0-2s and earlier versions | ||||