Total
4388 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-17532 | 1 Teltonika | 6 Rut900, Rut900 Firmware, Rut950 and 3 more | 2024-11-21 | N/A |
| Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges. | ||||
| CVE-2018-17317 | 1 Fruitywifi Project | 1 Fruitywifi | 2024-11-21 | N/A |
| FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /www/script/config_iface.php, or the newSSID, hostapd_secure, hostapd_wpa_passphrase, or supplicant_ssid parameter to /www/page_config.php. | ||||
| CVE-2018-17228 | 1 Nmap4j Project | 1 Nmap4j | 2024-11-21 | N/A |
| nmap4j 1.1.0 allows attackers to execute arbitrary commands via shell metacharacters in an includeHosts call. | ||||
| CVE-2018-17208 | 1 Linksys | 2 Velop, Velop Firmware | 2024-11-21 | N/A |
| Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi-bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). This occurs because shell metacharacters in the query string are mishandled by ShellExecute, as demonstrated by the zbtest.cgi?cmd=level&level= substring. This can also be exploited via CSRF. | ||||
| CVE-2018-17068 | 1 Dlink | 2 Dir-816 A2, Dir-816 A2 Firmware | 2024-11-21 | N/A |
| An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction in the handler function of the /goform/Diagnosis route. This could lead to command injection via shell metacharacters in the sendNum parameter. | ||||
| CVE-2018-17066 | 1 Dlink | 2 Dir-816 A2, Dir-816 A2 Firmware | 2024-11-21 | N/A |
| An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction in the handler function of the /goform/form2systime.cgi route. This could lead to command injection via shell metacharacters in the datetime parameter. | ||||
| CVE-2018-17064 | 1 Dlink | 2 Dir-816 A2, Dir-816 A2 Firmware | 2024-11-21 | N/A |
| An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/sylogapply route. This could lead to command injection via the syslogIp parameter after /goform/clearlog is invoked. | ||||
| CVE-2018-17063 | 1 Dlink | 2 Dir-816 A2, Dir-816 A2 Firmware | 2024-11-21 | N/A |
| An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/NTPSyncWithHost route. This could lead to command injection via shell metacharacters. | ||||
| CVE-2018-16863 | 2 Artifex, Redhat | 8 Ghostscript, Enterprise Linux, Enterprise Linux Desktop and 5 more | 2024-11-21 | N/A |
| It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An attacker could possibly exploit another variant of the flaw and bypass the -dSAFER protection to, for example, execute arbitrary shell commands via a specially crafted PostScript document. This only affects ghostscript 9.07 as shipped with Red Hat Enterprise Linux 7. | ||||
| CVE-2018-16752 | 1 Linknet-usa | 2 Lw-n605r, Lw-n605r Firmware | 2024-11-21 | N/A |
| LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases. | ||||
| CVE-2018-16744 | 1 Mgetty Project | 1 Mgetty | 2024-11-21 | N/A |
| An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() in faxrec.c, the mail_to parameter is not sanitized. It could allow for command injection if untrusted input can reach it, because popen is used. | ||||
| CVE-2018-16741 | 2 Debian, Mgetty Project | 2 Debian Linux, Mgetty | 2024-11-21 | N/A |
| An issue was discovered in mgetty before 1.2.1. In fax/faxq-helper.c, the function do_activate() does not properly sanitize shell metacharacters to prevent command injection. It is possible to use the ||, &&, or > characters within a file created by the "faxq-helper activate <jobid>" command. | ||||
| CVE-2018-16660 | 1 Imperva | 1 Securesphere | 2024-11-21 | N/A |
| A command injection vulnerability in PWS in Imperva SecureSphere 13.0.0.10 and 13.1.0.10 Gateway allows an attacker with authenticated access to execute arbitrary OS commands on a vulnerable installation. | ||||
| CVE-2018-16618 | 1 Vtech | 9 80-183803, 80-183804, 80-183805 and 6 more | 2024-11-21 | N/A |
| VTech Storio Max before 56.D3JM6 allows remote command execution via shell metacharacters in an Android activity name. It exposes the storeintenttranslate.x service on port 1668 listening for requests on localhost. Requests submitted to this service are checked for a string of random characters followed by the name of an Android activity to start. Activities are started by inserting their name into a string that is executed in a shell command. By inserting metacharacters this can be exploited to run arbitrary commands as root. The requests also match those of the HTTP protocol and can be triggered on any web page rendered on the device by requesting resources stored at an http://127.0.0.1:1668/ URI, as demonstrated by the http://127.0.0.1:1668/dacdb70556479813fab2d92896596eef?';{ping,example.org}' URL. | ||||
| CVE-2018-16593 | 1 Sony | 105 Kd-43xe7000, Kd-43xe7002, Kd-43xe7003 and 102 more | 2024-11-21 | N/A |
| The Photo Sharing Plus component on Sony Bravia TV through 8.587 devices allows Shell Metacharacter Injection. | ||||
| CVE-2018-16462 | 1 Apex-publish-static-files Project | 1 Apex-publish-static-files | 2024-11-21 | 10.0 Critical |
| A command injection vulnerability in the apex-publish-static-files npm module version <2.0.1 which allows arbitrary shell command execution through a maliciously crafted argument. | ||||
| CVE-2018-16461 | 1 Libnmap Project | 1 Libnmap | 2024-11-21 | N/A |
| A command injection vulnerability in libnmapp package for versions <0.4.16 allows arbitrary commands to be executed via arguments to the range options. | ||||
| CVE-2018-16460 | 1 Umbraengineering | 1 Ps | 2024-11-21 | N/A |
| A command Injection in ps package versions <1.0.0 for Node.js allowed arbitrary commands to be executed when attacker controls the PID. | ||||
| CVE-2018-16408 | 2 D-link, Dlink | 2 Dir-846 Firmware, Dir-846 | 2024-11-21 | N/A |
| D-Link DIR-846 devices with firmware 100.26 allow remote attackers to execute arbitrary code as root via a SetNetworkTomographySettings request by leveraging admin access. | ||||
| CVE-2018-16334 | 1 Tendacn | 4 Ac10, Ac10 Firmware, Ac9 and 1 more | 2024-11-21 | N/A |
| An issue was discovered on Tenda AC9 V15.03.05.19(6318)_CN and AC10 V15.03.06.23_CN devices. The mac parameter in a POST request is used directly in a doSystemCmd call, causing OS command injection. | ||||