Total
4780 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-48591 | 1 Sciencelogic | 1 Sl1 | 2024-11-21 | 8.8 High |
| A SQL injection vulnerability exists in the vendor_state parameter of the “vendor print report” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database. | ||||
| CVE-2022-48590 | 1 Sciencelogic | 1 Sl1 | 2024-11-21 | 8.8 High |
| A SQL injection vulnerability exists in the “admin dynamic app mib errors” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database. | ||||
| CVE-2022-48589 | 1 Sciencelogic | 1 Sl1 | 2024-11-21 | 8.8 High |
| A SQL injection vulnerability exists in the “reporting job editor” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database. | ||||
| CVE-2022-48588 | 1 Sciencelogic | 1 Sl1 | 2024-11-21 | 8.8 High |
| A SQL injection vulnerability exists in the “schedule editor decoupled” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database. | ||||
| CVE-2022-48587 | 1 Sciencelogic | 1 Sl1 | 2024-11-21 | 8.8 High |
| A SQL injection vulnerability exists in the “schedule editor” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database. | ||||
| CVE-2022-48586 | 1 Sciencelogic | 1 Sl1 | 2024-11-21 | 8.8 High |
| A SQL injection vulnerability exists in the “json walker” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database. | ||||
| CVE-2022-48585 | 1 Sciencelogic | 1 Sl1 | 2024-11-21 | 8.8 High |
| A SQL injection vulnerability exists in the “admin brand portal” feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database. | ||||
| CVE-2022-48584 | 1 Sciencelogic | 1 Sl1 | 2024-11-21 | 8.8 High |
| A command injection vulnerability exists in the download and convert report feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a shell command. This allows for the injection of arbitrary commands to the underlying operating system. | ||||
| CVE-2022-48583 | 1 Sciencelogic | 1 Sl1 | 2024-11-21 | 8.8 High |
| A command injection vulnerability exists in the dashboard scheduler feature of the ScienceLogic SL1 that takes unsanitized user‐controlled input and passes it directly to a shell command. This allows for the injection of arbitrary commands to the underlying operating system. | ||||
| CVE-2022-48582 | 1 Sciencelogic | 1 Sl1 | 2024-11-21 | 8.8 High |
| A command injection vulnerability exists in the ticket report generate feature of the ScienceLogic SL1 that takes unsanitized user controlled input and passes it directly to a shell command. This allows for the injection of arbitrary commands to the underlying operating system. | ||||
| CVE-2022-48581 | 1 Sciencelogic | 1 Sl1 | 2024-11-21 | 8.8 High |
| A command injection vulnerability exists in the “dash export” feature of the ScienceLogic SL1 that takes unsanitized user controlled input and passes it directly to a shell command. This allows for the injection of arbitrary commands to the underlying operating system. | ||||
| CVE-2022-48580 | 1 Sciencelogic | 1 Sl1 | 2024-11-21 | 8.8 High |
| A command injection vulnerability exists in the ARP ping device tool feature of the ScienceLogic SL1 that takes unsanitized user controlled input and passes it directly to a shell command. This allows for the injection of arbitrary commands to the underlying operating system. | ||||
| CVE-2022-47555 | 1 Ormazabal | 4 Ekorccp, Ekorccp Firmware, Ekorrci and 1 more | 2024-11-21 | 9.3 Critical |
| Operating system command injection in ekorCCP and ekorRCI, which could allow an authenticated attacker to execute commands, create new users with elevated privileges or set up a backdoor. | ||||
| CVE-2022-43948 | 1 Fortinet | 2 Fortiadc, Fortiweb | 2024-11-21 | 6.5 Medium |
| A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 7.0.0 through 7.0.3, FortiADC version 7.1.0 through 7.1.1, FortiADC version 7.0.0 through 7.0.3, FortiADC 6.2 all versions, FortiADC 6.1 all versions, FortiADC 6.0 all versions, FortiADC 5.4 all versions, FortiADC 5.3 all versions, FortiADC 5.2 all versions, FortiADC 5.1 all versions allows attacker to execute unauthorized code or commands via specifically crafted arguments to existing commands. | ||||
| CVE-2022-43907 | 1 Ibm | 1 Security Guardium | 2024-11-21 | 7.2 High |
| IBM Security Guardium 11.4 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 240901. | ||||
| CVE-2022-42484 | 2 Freshtomato, Siretta | 3 Freshtomato, Quartz-gold, Quartz-gold Firmware | 2024-11-21 | 9.8 Critical |
| An OS command injection vulnerability exists in the httpd logs/view.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability. | ||||
| CVE-2022-41955 | 1 Autolabproject | 1 Autolab | 2024-11-21 | 8.8 High |
| Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A remote code execution vulnerability was discovered in Autolab's MOSS functionality, whereby an instructor with access to the feature might be able to execute code on the server hosting Autolab. This vulnerability has been patched in version 2.10.0. As a workaround, disable the MOSS feature if it is unneeded by replacing the body of `run_moss` in `app/controllers/courses_controller.rb` with `render(plain: "Feature disabled", status: :bad_request) && return`. | ||||
| CVE-2022-41525 | 1 Totolink | 2 Nr1800x, Nr1800x Firmware | 2024-11-21 | 9.8 Critical |
| TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a command injection vulnerability via the OpModeCfg function at /cgi-bin/cstecgi.cgi. | ||||
| CVE-2022-41518 | 1 Totolink | 2 Nr1800x, Nr1800x Firmware | 2024-11-21 | 9.8 Critical |
| TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a command injection vulnerability via the UploadFirmwareFile function at /cgi-bin/cstecgi.cgi. | ||||
| CVE-2022-40764 | 1 Snyk | 2 Cli, Golang Cli | 2024-11-21 | 7.8 High |
| Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957. | ||||