Total
4387 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-15716 | 1 Nuuo | 5 Ne-2020, Ne-2040, Ne-4080 and 2 more | 2024-11-21 | N/A |
| NUUO NVRMini2 version 3.9.1 is vulnerable to authenticated remote command injection. An attacker can send crafted requests to upgrade_handle.php to execute OS commands as root. | ||||
| CVE-2018-15711 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | N/A |
| Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated privileges. | ||||
| CVE-2018-15710 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | N/A |
| Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php. | ||||
| CVE-2018-15709 | 1 Nagios | 1 Nagios Xi | 2024-11-21 | N/A |
| Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request. | ||||
| CVE-2018-15553 | 1 Telus | 2 Actiontec T2200h, Actiontec T2200h Firmware | 2024-11-21 | N/A |
| fileshare.cmd on Telus Actiontec T2200H T2200H-31.128L.03 devices allows OS Command Injection via shell metacharacters in the smbdUserid or smbdPasswd field. | ||||
| CVE-2018-15529 | 1 Mutiny | 1 Mutiny | 2024-11-21 | N/A |
| A command injection vulnerability in maintenance.cgi in Mutiny "Monitoring Appliance" before 6.1.0-5263 allows authenticated users, with access to the admin interface, to inject arbitrary commands within the filename of a system upgrade upload. | ||||
| CVE-2018-15484 | 1 Kone | 2 Group Controller, Group Controller Firmware | 2024-11-21 | N/A |
| An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Remote Code Execution is possible through the open HTTP interface by modifying autoexec.bat, aka KONE-01. | ||||
| CVE-2018-15481 | 1 Ucopia | 2 Wireless Appliance, Wireless Appliance Firmware | 2024-11-21 | N/A |
| Improper input sanitization within the restricted administration shell on UCOPIA Wireless Appliance devices using firmware version 5.1.x before 5.1.13 allows authenticated remote attackers to escape the shell and escalate their privileges by adding a LocalCommand to the SSH configuration file in the user home folder. | ||||
| CVE-2018-15477 | 1 Mystrom | 2 Wifi Switch, Wifi Switch Firmware | 2024-11-21 | N/A |
| myStrom WiFi Switch V1 devices before 2.66 did not sanitize a parameter received from the cloud that was used in an OS command. Malicious servers were able to run operating system commands on the device. | ||||
| CVE-2018-15380 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-11-21 | N/A |
| A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster service manager and injecting commands into the bound process. A successful exploit could allow the attacker to run commands on the affected host as the root user. This vulnerability affects Cisco HyperFlex Software releases prior to 3.5(2a). | ||||
| CVE-2018-15156 | 1 Open-emr | 1 Openemr | 2024-11-21 | N/A |
| OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/faxq.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php. | ||||
| CVE-2018-15155 | 1 Open-emr | 1 Openemr | 2024-11-21 | N/A |
| OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/fax_dispatch.php after modifying the "hylafax_enscript" global variable in interface/super/edit_globals.php. | ||||
| CVE-2018-15154 | 1 Open-emr | 1 Openemr | 2024-11-21 | N/A |
| OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/billing/sl_eob_search.php after modifying the "print_command" global variable in interface/super/edit_globals.php. | ||||
| CVE-2018-15153 | 1 Open-emr | 1 Openemr | 2024-11-21 | N/A |
| OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/main/daemon_frame.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php. | ||||
| CVE-2018-15007 | 1 Skydevices | 2 Sky Elite 6.0l\+, Sky Elite 6.0l\+ Firmware | 2024-11-21 | N/A |
| The Sky Elite 6.0L+ Android device with a build fingerprint of SKY/x6069_trx_l601_sky/x6069_trx_l601_sky:6.0/MRA58K/1482897127:user/release-keys contains a pre-installed platform app with a package name of com.fw.upgrade.sysoper (versionCode=238, versionName=2.3.8) that contains an exported broadcast receiver app component named com.adups.fota.sysoper.WriteCommandReceiver that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. The com.fw.upgrade.sysoper app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, obtain the user's text messages, and more. | ||||
| CVE-2018-14998 | 1 Leagoo | 2 P1, P1 Firmware | 2024-11-21 | N/A |
| The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a hidden root privilege escalation capability to achieve command execution as the root user. They have made modifications that allow a user with physical access to the device to obtain a root shell via ADB by modifying read-only system properties at runtime. Specifically, modifying the ro.debuggable and the ro.secure system properties to a certain value and then restarting the ADB daemon allows for a root shell to be obtained via ADB. | ||||
| CVE-2018-14893 | 1 Zyxel | 2 Nsa325 V2, Nsa325 V2 Firmware | 2024-11-21 | N/A |
| A system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API. | ||||
| CVE-2018-14860 | 1 Odoo | 1 Odoo | 2024-11-21 | N/A |
| Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system. | ||||
| CVE-2018-14772 | 1 Pydio | 1 Pydio | 2024-11-21 | N/A |
| Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution vulnerability in which an attacker with administrator access to the web application can execute arbitrary code on the underlying system via Command Injection. | ||||
| CVE-2018-14706 | 1 Drobo | 2 5n2, 5n2 Firmware | 2024-11-21 | N/A |
| System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request. | ||||