Total
5172 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-42890 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function NTPSyncWithHost of the file system.so which can control hostTime to attack. | |||||
| CVE-2021-42888 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setLanguageCfg of the file global.so which can control langType to attack. | |||||
| CVE-2021-42885 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setDeviceMac of the file global.so which can control deviceName to attack. | |||||
| CVE-2021-42884 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setDeviceName of the file global.so which can control thedeviceName to attack. | |||||
| CVE-2021-42875 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function setDiagnosisCfg of the file lib/cste_modules/system.so to control the ipDoamin. | |||||
| CVE-2021-42872 | 1 Totolink | 2 Ex1200t, Ex1200t Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| TOTOLINK EX1200T V4.1.2cu.5215 is affected by a command injection vulnerability that can remotely execute arbitrary code. | |||||
| CVE-2021-42852 | 1 Lenovo | 10 A1, A1 Firmware, T1 and 7 more | 2024-11-21 | 7.7 HIGH | 8.0 HIGH |
| A command injection vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an authenticated user to execute operating system commands by sending a crafted packet to the device. | |||||
| CVE-2021-42796 | 1 Aveva | 1 Edge | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue was discovered in ExecuteCommand() in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior that allows unauthenticated arbitrary commands to be executed. | |||||
| CVE-2021-42784 | 1 Dlink | 2 Dwr-932c, Dwr-932c E1 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| OS Command Injection vulnerability in debug_fcgi of D-Link DWR-932C E1 firmware allows a remote attacker to perform command injection via a crafted HTTP request. | |||||
| CVE-2021-42759 | 1 Fortinet | 2 Meru, Meru Firmware | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| A violation of secure design principles in Fortinet Meru AP version 8.6.1 and below, version 8.5.5 and below allows attacker to execute unauthorized code or commands via crafted cli commands. | |||||
| CVE-2021-42538 | 1 Emerson | 6 Wireless 1410 Gateway, Wireless 1410 Gateway Firmware, Wireless 1410d Gateway and 3 more | 2024-11-21 | 6.5 MEDIUM | 8.0 HIGH |
| The affected product is vulnerable to a parameter injection via passphrase, which enables the attacker to supply uncontrolled input. | |||||
| CVE-2021-42372 | 1 Xorux | 2 Lpar2rrd, Stor2rrd | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A shell command injection in the HW Events SNMP community in XoruX LPAR2RRD and STOR2RRD before 7.30 allows authenticated remote attackers to execute arbitrary shell commands as the user running the service. | |||||
| CVE-2021-42324 | 1 Dcnglobal | 2 S4600-10p-si, S4600-10p-si Firmware | 2024-11-21 | 7.2 HIGH | 7.4 HIGH |
| An issue was discovered on DCN (Digital China Networks) S4600-10P-SI devices before R0241.0470. Due to improper parameter validation in the console interface, it is possible for a low-privileged authenticated attacker to escape the sandbox environment and execute system commands as root via shell metacharacters in the capture command parameters. Command output will be shown on the Serial interface of the device. Exploitation requires both credentials and physical access. | |||||
| CVE-2021-42232 | 1 Tp-link | 2 Archer A7, Archer A7 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
| TP-Link Archer A7 Archer A7(US)_V5_210519 is affected by a command injection vulnerability in /usr/bin/tddp. The vulnerability is caused by the program taking part of the received data packet as part of the command. This will cause an attacker to execute arbitrary commands on the router. | |||||
| CVE-2021-42165 | 1 Mitrastar | 2 Gpt-2541gnac-n1, Gpt-2541gnac-n1 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| MitraStar GPT-2541GNAC-N1 (HGU) 100VNZ0b33 devices allow remote authenticated users to obtain root access by executing command "deviceinfo show file &&/bin/bash" because of incorrect sanitization of parameter "path". | |||||
| CVE-2021-42071 | 1 Visual-tools | 2 Dvr Vx16, Dvr Vx16 Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header. | |||||
| CVE-2021-41738 | 1 Zeroshell | 1 Zeroshell | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| ZeroShell 3.9.5 has a command injection vulnerability in /cgi-bin/kerbynet IP parameter, which may allow an authenticated attacker to execute system commands. | |||||
| CVE-2021-41315 | 1 Device42 | 1 Remote Collector | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| The Device42 Remote Collector before 17.05.01 does not sanitize user input in its SNMP Connectivity utility. This allows an authenticated attacker (with access to the console application) to execute arbitrary OS commands and escalate privileges. | |||||
| CVE-2021-41280 | 1 Sharetribe | 1 Sharetribe | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Sharetribe Go is a source available marketplace software. In affected versions operating system command injection is possible on installations of Sharetribe Go, that do not have a secret AWS Simple Notification Service (SNS) notification token configured via the `sns_notification_token` configuration parameter. This configuration parameter is unset by default. The vulnerability has been patched in version 10.2.1. Users who are unable to upgrade should set the`sns_notification_token` configuration parameter to a secret value. | |||||
| CVE-2021-41254 | 1 Fluxcd | 1 Kustomize-controller | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize. Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run `kubectl` commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges. In affected versions multitenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue. This vulnerability was fixed in kustomize-controller v0.15.0 (included in flux2 v0.18.0) released on 2021-10-08. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the `kubectl` binary has been removed from the container image. To prevent the creation of Kubernetes Service Accounts with `secrets` in namespaces owned by tenants, a Kubernetes validation webhook such as Gatekeeper OPA or Kyverno can be used. | |||||