Vulnerabilities > Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

DATE CVE VULNERABILITY TITLE RISK
2024-11-01 CVE-2024-51252 OS Command Injection vulnerability in Draytek Vigor3900 Firmware 1.5.1.3
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the restore function.
network
low complexity
draytek CWE-78
critical
 9.8
9.8
2024-11-01 CVE-2024-51244 OS Command Injection vulnerability in Draytek Vigor3900 Firmware 1.5.1.3
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doIPSec function.
network
low complexity
draytek CWE-78
8.8
8.8
2024-11-01 CVE-2024-51245 OS Command Injection vulnerability in Draytek Vigor3900 Firmware 1.5.1.3
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the rename_table function.
network
low complexity
draytek CWE-78
8.8
8.8
2024-11-01 CVE-2024-51247 OS Command Injection vulnerability in Draytek Vigor3900 Firmware 1.5.1.3
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doPPPo function.
network
low complexity
draytek CWE-78
8.8
8.8
2024-11-01 CVE-2024-51248 OS Command Injection vulnerability in Draytek Vigor3900 Firmware 1.5.1.3
In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the modifyrow function.
network
low complexity
draytek CWE-78
8.8
8.8
2024-10-29 CVE-2024-51378 OS Command Injection vulnerability in Cyberpanel
getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX.
network
low complexity
cyberpanel CWE-78
critical
 9.8
9.8
2024-10-29 CVE-2024-22065 OS Command Injection vulnerability in ZTE Mf258K PRO Firmware 1.0.0B03
There is a command injection vulnerability in ZTE MF258 Pro product.
network
low complexity
zte CWE-78
8.8
8.8
2024-10-28 CVE-2024-48825 OS Command Injection vulnerability in Tenda AC7 Firmware 15.03.06.44
Tenda AC7 v.15.03.06.44 ate_ifconfig_set has pre-authentication command injection allowing remote attackers to execute arbitrary code.
low complexity
tenda CWE-78
8.8
8.8
2024-10-28 CVE-2024-48826 OS Command Injection vulnerability in Tenda AC7 Firmware 15.03.06.44
Tenda AC7 v.15.03.06.44 ate_iwpriv_set has pre-authentication command injection allowing remote attackers to execute arbitrary code.
low complexity
tenda CWE-78
8.8
8.8
2024-10-25 CVE-2024-37845 OS Command Injection vulnerability in Radixiot Mango
MangoOS before 5.2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Process Command feature.
network
low complexity
radixiot CWE-78
7.2
7.2