Total
5071 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-7591 | 1 Kemptechnologies | 3 Loadmaster, Loadmaster Mt, Multi-tenant Hypervisor Firmware | 2025-02-18 | 10 Critical |
| Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMaster: 7.2.40.0 and above * ECS: All versions * Multi-Tenancy: 7.1.35.4 and above | ||||
| CVE-2021-46686 | 2025-02-18 | N/A | ||
| Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in acmailer CGI ver.4.0.3 and earlier and acmailer DB ver.1.1.5 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker. | ||||
| CVE-2024-39607 | 1 Elecom | 3 Wrc-x1500gs-b Firmware, Wrc-x1500gsa-b Firmware, Wrc-x6000xs-g Firmware | 2025-02-17 | 6.8 Medium |
| OS command injection vulnerability exists in ELECOM wireless LAN routers. A specially crafted request may be sent to the affected product by a logged-in user with an administrative privilege to execute an arbitrary OS command. | ||||
| CVE-2022-42433 | 1 Tp-link | 2 Tl-wr841 Firmware, Tl-wr841n | 2025-02-14 | 8.0 High |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR841N TL-WR841N(US)_V14_220121 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ated_tp service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-17356. | ||||
| CVE-2022-3210 | 1 Dlink | 2 Dir-2150, Dir-2150 Firmware | 2025-02-14 | 8.8 High |
| This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 4.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd service, which listens on TCP port 4044 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15905. | ||||
| CVE-2022-43628 | 1 Dlink | 2 Dir-1935, Dir-1935 Firmware | 2025-02-14 | 6.8 Medium |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetIPv6FirewallSettings requests to the web management portal. When parsing subelements within the IPv6FirewallRule element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16148. | ||||
| CVE-2022-43627 | 1 Dlink | 2 Dir-1935, Dir-1935 Firmware | 2025-02-14 | 6.8 Medium |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetStaticRouteIPv4Settings requests to the web management portal. When parsing subelements within the StaticRouteIPv4Data element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16147. | ||||
| CVE-2022-43626 | 1 Dlink | 2 Dir-1935, Dir-1935 Firmware | 2025-02-14 | 6.8 Medium |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetIPv4FirewallSettings requests to the web management portal. When parsing subelements within the IPv4FirewallRule element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16146. | ||||
| CVE-2022-43624 | 1 Dlink | 2 Dir-1935, Dir-1935 Firmware | 2025-02-14 | 6.8 Medium |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetStaticRouteIPv6Settings requests to the web management portal. When parsing subelements within the StaticRouteIPv6List element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16145. | ||||
| CVE-2022-43629 | 1 Dlink | 2 Dir-1935, Dir-1935 Firmware | 2025-02-14 | 6.8 Medium |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetSysEmailSettings requests to the web management portal. When parsing subelements within the SetSysEmailSettings element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16149. | ||||
| CVE-2022-43631 | 1 Dlink | 2 Dir-1935, Dir-1935 Firmware | 2025-02-14 | 6.8 Medium |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetVirtualServerSettings requests to the web management portal. When parsing subelements within the VirtualServerInfo element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16151. | ||||
| CVE-2022-43632 | 1 Dlink | 2 Dir-1935, Dir-1935 Firmware | 2025-02-14 | 6.8 Medium |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetQoSSettings requests to the web management portal. When parsing subelements within the QoSInfo element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16153. | ||||
| CVE-2022-43647 | 1 Dlink | 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more | 2025-02-14 | 8.8 High |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19464. | ||||
| CVE-2022-43633 | 1 Dlink | 2 Dir-1935, Dir-1935 Firmware | 2025-02-14 | 6.8 Medium |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-1935 1.03 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of SetSysLogSettings requests to the web management portal. When parsing the IPAddress element, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-16154. | ||||
| CVE-2022-43642 | 1 Dlink | 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more | 2025-02-14 | 8.8 High |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the YouTube plugin for the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19222. | ||||
| CVE-2022-43643 | 1 Dlink | 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more | 2025-02-14 | 8.8 High |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Generic plugin for the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19460. | ||||
| CVE-2022-43644 | 1 Dlink | 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more | 2025-02-14 | 8.8 High |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Dreambox plugin for the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19461. | ||||
| CVE-2022-43645 | 1 Dlink | 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more | 2025-02-14 | 8.8 High |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the IVI plugin for the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19462. | ||||
| CVE-2022-43646 | 1 Dlink | 4 Dir-825\/ac, Dir-825\/ac Firmware, Dir-825\/ee and 1 more | 2025-02-14 | 8.8 High |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-825 1.0.9/EE routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Vimeo plugin for the xupnpd service, which listens on TCP port 4044. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the admin user. Was ZDI-CAN-19463. | ||||
| CVE-2024-5672 | 2025-02-13 | 7.2 High | ||
| A high privileged remote attacker can execute arbitrary system commands via GET requests due to improper neutralization of special elements used in an OS command. | ||||