Total
4533 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-28884 | 1 Liferay | 1 Liferay Portal | 2024-11-21 | 7.2 High |
| Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw. | ||||
| CVE-2020-28695 | 1 Askey | 2 Rtf3505vw-n1 Br Sv G000 R3505vwn1001 S32 7, Rtf3505vw-n1 Br Sv G000 R3505vwn1001 S32 7 Firmware | 2024-11-21 | 8.8 High |
| Askey Fiber Router RTF3505VW-N1 BR_SV_g000_R3505VWN1001_s32_7 devices allow Remote Code Execution and retrieval of admin credentials to log into the Dashboard or login via SSH, leading to code execution as root. | ||||
| CVE-2020-28581 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2024-11-21 | 7.2 High |
| A command injection vulnerability in ModifyVLANItem of Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send specially crafted HTTP messages and execute arbitrary OS commands with elevated privileges. | ||||
| CVE-2020-28580 | 1 Trendmicro | 1 Interscan Web Security Virtual Appliance | 2024-11-21 | 7.2 High |
| A command injection vulnerability in AddVLANItem of Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send specially crafted HTTP messages and execute arbitrary OS commands with elevated privileges. | ||||
| CVE-2020-28494 | 1 Totaljs | 1 Total.js | 2024-11-21 | 8.6 High |
| This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized. | ||||
| CVE-2020-28490 | 1 Async-git Project | 1 Async-git | 2024-11-21 | 9.1 Critical |
| The package async-git before 1.13.2 are vulnerable to Command Injection via shell meta-characters (back-ticks). For example: git.reset('atouch HACKEDb') | ||||
| CVE-2020-28440 | 1 Corenlp-js-interface Project | 1 Corenlp-js-interface | 2024-11-21 | 9.8 Critical |
| All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function. | ||||
| CVE-2020-28439 | 1 Corenlp-js-prefab Project | 1 Corenlp-js-prefab | 2024-11-21 | 9.8 Critical |
| This affects all versions of package corenlp-js-prefab. The injection point is located in line 10 in 'index.js.' It depends on a vulnerable package 'corenlp-js-interface.' Vulnerability can be exploited with the following PoC: | ||||
| CVE-2020-28429 | 1 Geojson2kml Project | 1 Geojson2kml | 2024-11-21 | 7.3 High |
| All versions of package geojson2kml are vulnerable to Command Injection via the index.js file. PoC: var a =require("geojson2kml"); a("./","& touch JHU",function(){}) | ||||
| CVE-2020-28426 | 1 Kill-process-on-port Project | 1 Kill-process-on-port | 2024-11-21 | 7.3 High |
| All versions of package kill-process-on-port are vulnerable to Command Injection via a.getProcessPortId. | ||||
| CVE-2020-28424 | 1 S3-kilatstorage Project | 1 S3-kilatstorage | 2024-11-21 | 7.2 High |
| This affects all versions of package s3-kilatstorage. | ||||
| CVE-2020-28347 | 1 Tp-link | 2 Ac1750, Ac1750 Firmware | 2024-11-21 | 9.8 Critical |
| tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled. | ||||
| CVE-2020-28188 | 1 Terra-master | 1 Tos | 2024-11-21 | 9.8 Critical |
| Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allow remote unauthenticated attackers to inject OS commands via /include/makecvs.php in Event parameter. | ||||
| CVE-2020-27976 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | 9.8 Critical |
| osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Within admin/mail.php, a from POST parameter can be passed to the application. This affects the PHP mail function, and the sendmail -f option. | ||||
| CVE-2020-27887 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2024-11-21 | 8.8 High |
| An issue was discovered in EyesOfNetwork 5.3 through 5.3-8. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the nmap_binary parameter to lilac/autodiscovery.php. | ||||
| CVE-2020-27861 | 1 Netgear | 71 Cbk40, Cbk40 Firmware, Cbk43 and 68 more | 2024-11-21 | 8.8 High |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11076. | ||||
| CVE-2020-27744 | 1 Westerndigital | 6 My Cloud Ex2 Ultra, My Cloud Ex4100, My Cloud Firmware and 3 more | 2024-11-21 | 9.8 Critical |
| An issue was discovered on Western Digital My Cloud NAS devices before 5.04.114. They allow remote code execution with resultant escalation of privileges. | ||||
| CVE-2020-27600 | 1 Dlink | 2 Dir-846, Dir-846 Firmware | 2024-11-21 | 9.8 Critical |
| HNAP1/control/SetMasterWLanSettings.php in D-Link D-Link Router DIR-846 DIR-846 A1_100.26 allows remote attackers to execute arbitrary commands via shell metacharacters in the ssid0 or ssid1 parameter. | ||||
| CVE-2020-27575 | 1 Maxum | 1 Rumpus | 2024-11-21 | 8.8 High |
| Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability. The web administration contains functionality in which administrators are able to manage users. The edit users form contains a parameter vulnerable to command injection due to insufficient validation. | ||||
| CVE-2020-27542 | 1 Company | 2 Cs-c2shw, Cs-c2shw Firmware | 2024-11-21 | 6.8 Medium |
| Rostelecom CS-C2SHW 5.0.082.1 is affected by: Bash command injection. The camera reads configuration from QR code (including network settings). The static IP configuration from QR code is copied to the file /config/ip-static and after reboot data from this file is inserted into bash command (without any escaping). So bash injection is possible. Camera doesn't parse QR codes if it's already successfully configured. Camera is always rebooted after successful configuration via QR code. | ||||