Total
1467 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-33625 | 1 Dlink | 2 Dir-600, Dir-600 Firmware | 2023-06-16 | N/A | 9.8 CRITICAL |
| D-Link DIR-600 Hardware Version B5, Firmware Version 2.18 was discovered to contain a command injection vulnerability via the ST parameter in the lxmldbc_system() function. | |||||
| CVE-2023-26294 | 1 Hp | 1 Hp Device Manager | 2023-06-16 | N/A | 7.8 HIGH |
| Previous versions of HP Device Manager (prior to HPDM 5.0.10) could potentially allow command injection and/or elevation of privileges. | |||||
| CVE-2023-34233 | 1 Snowflake | 1 Snowflake Connector | 2023-06-16 | N/A | 8.8 HIGH |
| The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Versions prior to 3.0.2 are vulnerable to command injection via single sign-on(SSO) browser URL authentication. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecting users to utilize the resource. The attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. This attack scenario can be mitigated through URL whitelisting as well as common anti-phishing resources. Version 3.0.2 contains a patch for this issue. | |||||
| CVE-2023-25911 | 1 Danfoss | 2 Ak-em100, Ak-em100 Firmware | 2023-06-16 | N/A | 9.8 CRITICAL |
| The Danfoss AK-EM100 web applications allow for OS command injection through the web application parameters. | |||||
| CVE-2022-25834 | 1 Percona | 1 Xtrabackup | 2023-06-15 | N/A | 7.8 HIGH |
| In Percona XtraBackup (PXB) through 2.2.24 and 3.x through 8.0.27-19, a crafted filename on the local file system could trigger unexpected command shell execution of arbitrary commands. | |||||
| CVE-2023-33530 | 1 Tenda | 2 G103, G103 Firmware | 2023-06-15 | N/A | 8.8 HIGH |
| There is a command injection vulnerability in the Tenda G103 Gigabit GPON Terminal with firmware version V1.0.0.5. If an attacker gains web management privileges, they can inject commands gaining shell privileges. | |||||
| CVE-2023-33533 | 1 Netgear | 8 D6220, D6220 Firmware, D8500 and 5 more | 2023-06-14 | N/A | 8.8 HIGH |
| Netgear D6220 with Firmware Version 1.0.0.80, D8500 with Firmware Version 1.0.3.60, R6700 with Firmware Version 1.0.2.26, and R6900 with Firmware Version 1.0.2.26 are vulnerable to Command Injection. If an attacker gains web management privileges, they can inject commands into the post request parameters, gaining shell privileges. | |||||
| CVE-2023-20889 | 1 Vmware | 1 Vrealize Network Insight | 2023-06-14 | N/A | 7.5 HIGH |
| Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure. | |||||
| CVE-2023-20887 | 1 Vmware | 1 Vrealize Network Insight | 2023-06-14 | N/A | 9.8 CRITICAL |
| Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution. | |||||
| CVE-2022-40022 | 1 Microchip | 2 Syncserver S650, Syncserver S650 Firmware | 2023-06-14 | N/A | 9.8 CRITICAL |
| Microchip Technology (Microsemi) SyncServer S650 was discovered to contain a command injection vulnerability. | |||||
| CVE-2023-33556 | 1 Totolink | 2 A7100ru, A7100ru Firmware | 2023-06-14 | N/A | 9.8 CRITICAL |
| TOTOLink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the staticGw parameter at /setting/setWanIeCfg. | |||||
| CVE-2023-33538 | 1 Tp-link | 6 Tl-wr740n, Tl-wr740n Firmware, Tl-wr841n and 3 more | 2023-06-13 | N/A | 8.8 HIGH |
| TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm . | |||||
| CVE-2023-34111 | 1 Tdengine | 1 Grafana | 2023-06-13 | N/A | 9.8 CRITICAL |
| The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is directly passed to bash command on like 25 of the workflow. This may allow an attacker to gain access to secrets which the github action has access to or to otherwise make use of the compute resources. | |||||
| CVE-2023-33782 | 1 Dlink | 2 Dir-842v2, Dir-842v2 Firmware | 2023-06-13 | N/A | 8.8 HIGH |
| D-Link DIR-842V2 v1.0.3 was discovered to contain a command injection vulnerability via the iperf3 diagnostics function. | |||||
| CVE-2023-33532 | 1 Netgear | 2 R6250, R6250 Firmware | 2023-06-12 | N/A | 9.8 CRITICAL |
| There is a command injection vulnerability in the Netgear R6250 router with Firmware Version 1.0.4.48. If an attacker gains web management privileges, they can inject commands into the post request parameters, thereby gaining shell privileges. | |||||
| CVE-2023-31569 | 1 Totolink | 2 X5000r, X5000r Firmware | 2023-06-12 | N/A | 9.8 CRITICAL |
| TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection via the setWanCfg function. | |||||
| CVE-2019-6986 | 1 Duraspace | 1 Vitro | 2023-06-12 | 5.0 MEDIUM | 7.5 HIGH |
| SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to execute arbitrary SPARQL via the uri parameter, leading to a regular expression denial of service (ReDoS), as demonstrated by crafted use of FILTER%20regex in a /individual?uri= request. | |||||
| CVE-2023-28704 | 1 Furbo | 2 Dog Camera, Dog Camera Firmware | 2023-06-09 | N/A | 8.8 HIGH |
| Furbo dog camera has insufficient filtering for special parameter of device log management function. An unauthenticated remote attacker in the Bluetooth network with normal user privileges can exploit this vulnerability to perform command injection attack to execute arbitrary system commands or disrupt service. | |||||
| CVE-2023-34232 | 2023-06-09 | N/A | N/A | ||
| snowflake-connector-nodejs, a NodeJS driver for Snowflake, is vulnerable to command injection via single sign on (SSO) browser URL authentication in versions prior to 1.6.21. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecting users to utilize the resource. The attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. This attack scenario can be mitigated through URL whitelisting as well as common anti-phishing resources. Version 1.6.21 contains a patch for this issue. | |||||
| CVE-2023-34231 | 2023-06-09 | N/A | N/A | ||
| gosnowflake is th Snowflake Golang driver. Prior to version 1.6.19, a command injection vulnerability exists in the Snowflake Golang driver via single sign-on (SSO) browser URL authentication. In order to exploit the potential for command injection, an attacker would need to be successful in (1) establishing a malicious resource and (2) redirecting users to utilize the resource. The attacker could set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload. If the attacker then tricked a user into visiting the maliciously crafted connection URL, the user’s local machine would render the malicious payload, leading to a remote code execution. This attack scenario can be mitigated through URL whitelisting as well as common anti-phishing resources. A patch is available in version 1.6.19. | |||||