Total
2534 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-45444 | 5 Apple, Debian, Fedoraproject and 2 more | 6 Mac Os X, Macos, Debian Linux and 3 more | 2024-11-21 | 7.8 High |
| In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion. | ||||
| CVE-2021-45401 | 1 Tendacn | 2 Ac10u, Ac10u Firmware | 2024-11-21 | 9.8 Critical |
| A Command injection vulnerability exists in Tenda AC10U AC1200 Smart Dual-band Wireless Router AC10U V1.0 Firmware V15.03.06.49_multi via the setUsbUnload functionality. The vulnerability is caused because the client controlled "deviceName" value is passed directly to the "doSystemCmd" function. | ||||
| CVE-2021-45082 | 4 Cobbler Project, Fedoraproject, Opensuse and 1 more | 5 Cobbler, Fedora, Backports and 2 more | 2024-11-21 | 7.8 High |
| An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.) | ||||
| CVE-2021-44882 | 1 Dlink | 2 Dir-878, Dir-878 Firmware | 2024-11-21 | 9.8 Critical |
| D-Link device DIR_878_FW1.30B08_Hotfix_02 was discovered to contain a command injection vulnerability in the twsystem function. This vulnerability allows attackers to execute arbitrary commands via a crafted HNAP1 POST request. | ||||
| CVE-2021-44881 | 1 Dlink | 2 Dir-882, Dir-882 Firmware | 2024-11-21 | 9.8 Critical |
| D-Link device DIR_882 DIR_882_FW1.30B06_Hotfix_02 was discovered to contain a command injection vulnerability in the twsystem function. This vulnerability allows attackers to execute arbitrary commands via a crafted HNAP1 POST request. | ||||
| CVE-2021-44880 | 1 Dlink | 4 Dir-878, Dir-878 Firmware, Dir-882 and 1 more | 2024-11-21 | 9.8 Critical |
| D-Link devices DIR_878 DIR_878_FW1.30B08_Hotfix_02 and DIR_882 DIR_882_FW1.30B06_Hotfix_02 were discovered to contain a command injection vulnerability in the system function. This vulnerability allows attackers to execute arbitrary commands via a crafted HNAP1 POST request. | ||||
| CVE-2021-44735 | 1 Lexmark | 236 B2236, B2236 Firmware, B2338 and 233 more | 2024-11-21 | 9.8 Critical |
| Embedded web server command injection vulnerability in Lexmark devices through 2021-12-07. | ||||
| CVE-2021-44620 | 1 Totolink | 2 A3100r, A3100r Firmware | 2024-11-21 | 9.8 Critical |
| A Command Injection vulnerability exits in TOTOLINK A3100R <=V4.1.2cu.5050_B20200504 in adm/ntm.asp via the hosTime parameters. | ||||
| CVE-2021-44520 | 1 Citrix | 1 Xenmobile Server | 2024-11-21 | 8.8 High |
| In Citrix XenMobile Server through 10.12 RP9, there is an Authenticated Command Injection vulnerability, leading to remote code execution with root privileges. | ||||
| CVE-2021-44247 | 1 Totolink | 6 A3100r, A3100r Firmware, A720r and 3 more | 2024-11-21 | 9.8 Critical |
| Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain command injection vulnerability in the function setNoticeCfg. This vulnerability allows attackers to execute arbitrary commands via the IpFrom parameter. | ||||
| CVE-2021-44132 | 1 C-data Onu4ferw Project | 2 C-data Onu4ferw, C-data Onu4ferw Firmware | 2024-11-21 | 7.8 High |
| A command injection vulnerability in the function formImportOMCIShell of C-DATA ONU4FERW V2.1.13_X139 allows attackers to execute arbitrary commands via a crafted file. | ||||
| CVE-2021-44079 | 1 Wazuh | 1 Wazuh | 2024-11-21 | 9.8 Critical |
| In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl command line, potentially resulting in remote code execution. | ||||
| CVE-2021-44051 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2024-11-21 | 8.8 High |
| A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 5.0.0.1986 build 20220324 and later | ||||
| CVE-2021-43818 | 6 Debian, Fedoraproject, Lxml and 3 more | 16 Debian Linux, Fedora, Lxml and 13 more | 2024-11-21 | 8.2 High |
| lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available. | ||||
| CVE-2021-43711 | 1 Totolink | 2 Ex200, Ex200 Firmware | 2024-11-21 | 9.8 Critical |
| The downloadFlile.cgi binary file in TOTOLINK EX200 V4.0.3c.7646_B20201211 has a command injection vulnerability when receiving GET parameters. The parameter name can be constructed for unauthenticated command execution. | ||||
| CVE-2021-43664 | 1 Totolink | 2 Ex300 V2, Ex300 V2 Firmware | 2024-11-21 | 8.1 High |
| totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component process forceugpo. | ||||
| CVE-2021-43663 | 1 Totolink | 2 Ex300 V2, Ex300 V2 Firmware | 2024-11-21 | 7.5 High |
| totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component cloudupdate_check. | ||||
| CVE-2021-43589 | 1 Dell | 3 Emc Unity Operating Environment, Emc Unity Xt Operating Environment, Emc Unityvsa Operating Environment | 2024-11-21 | 6 Medium |
| Dell EMC Unity, Dell EMC UnityVSA and Dell EMC Unity XT versions prior to 5.1.2.0.5.007 contain an operating system (OS) command injection Vulnerability. A locally authenticated user with high privileges may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the Unity underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege. | ||||
| CVE-2021-43557 | 1 Apache | 1 Apisix | 2024-11-21 | 7.5 High |
| The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer's custom plugin. | ||||
| CVE-2021-43474 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2024-11-21 | 9.8 Critical |
| An Access Control vulnerability exists in D-Link DIR-823G REVA1 1.02B05 (Lastest) via any parameter in the HNAP1 function | ||||