CWE-77 <span class="text-2xl md:text-3xl font-bold ml-2" style="color:var(--text-secondary)">— Command Injection

CVE-2022-26826HIGHCVSS 7.2EG 7.2

Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/setFixTools.

2022-04-15

Windows DNS Server Remote Code Execution Vulnerability

CVE-2022-26990CRITICALCVSS 9.8EG 9.8

CVE-2022-26991CRITICALCVSS 9.8EG 9.8

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the firewall-local log function via the EmailAddress, SmtpServerName, SmtpUsername, and Sm…

CVE-2022-26992CRITICALCVSS 9.8EG 9.8

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the ntp function via the TimeZone parameter. This vulnerability allows attackers to execut…

CVE-2022-26993CRITICALCVSS 9.8EG 9.8

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the ddns function via the DdnsUserName, DdnsHostName, and DdnsPassword parameters. This vu…

CVE-2022-26994CRITICALCVSS 9.8EG 9.8

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pppoe function via the pppoeUserName, pppoePassword, and pppoe_Service parameters. Thi…

CVE-2022-26995CRITICALCVSS 9.8EG 9.8

Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pptp function via the pptpUserName and pptpPassword parameters. This vulnerability all…

CVE-2022-26996CRITICALCVSS 9.8EG 9.8

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pptp (wan_pptp.html) function via the pptp_fix_ip, pptp_fix_mask, pptp_fix_gw, and wan_dns1_stat parameters. This vulnerability allows attackers to exe…

CVE-2022-26997CRITICALCVSS 9.8EG 9.8

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pppoe function via the pppoe_username, pppoe_passwd, and pppoe_servicename parameters. This vulnerability allows attackers to execute arbitrary command…

CVE-2022-26998CRITICALCVSS 9.8EG 9.8

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the upnp function via the upnp_ttl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVE-2022-26999CRITICALCVSS 9.8EG 9.8

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the wps setting function via the wps_enrolee_pin parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVE-2022-27000CRITICALCVSS 9.8EG 9.8

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the static ip settings function via the wan_ip_stat, wan_mask_stat, wan_gw_stat, and wan_dns1_stat parameters. This vulnerability allows attackers to execu…

CVE-2022-27001CRITICALCVSS 9.8EG 9.8

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the time and time zone function via the h_primary_ntp_server, h_backup_ntp_server, and h_time_zone parameters. This vulnerability allows attackers to execu…

CVE-2022-27002CRITICALCVSS 9.8EG 9.8

Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the dhcp function via the hostname parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVE-2022-27003CRITICALCVSS 9.8EG 9.8

Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddns、ddns_host parameters. This vulnerability allows attackers to execute arbitrary commands via a craf…

CVE-2022-27004CRITICALCVSS 9.8EG 9.8

Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6rd function via the relay6rd parameter. This vulnerability allows attackers to e…

CVE-2022-27005CRITICALCVSS 9.8EG 9.8

Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6in4 function via the remote6in4 parameter. This vulnerability allows attackers t…

CVE-2022-27076CRITICALCVSS 9.8EG 9.8

Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the setWanCfg function via the hostName parameter. This vulnerability allows attackers to ex…

CVE-2022-27077CRITICALCVSS 9.8EG 9.8

Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/delAd.

CVE-2022-27078CRITICALCVSS 9.8EG 9.8

Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /cgi-bin/uploadWeiXinPic.

CVE-2022-27079CRITICALCVSS 9.8EG 9.8

Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/setAdInfoDetail.

CVE-2022-27080CRITICALCVSS 9.8EG 9.8

Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/setPicListItem.

CVE-2022-27081CRITICALCVSS 9.8EG 9.8

Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/setWorkmode.

CVE-2022-27082CRITICALCVSS 9.8EG 9.8

Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/SetLanInfo.

CVE-2022-27083CRITICALCVSS 9.8EG 9.8

Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /goform/SetInternetLanInfo.

CVE-2022-27268CRITICALCVSS 9.8EG 9.8

Tenda M3 1.10 V1.0.0.12(4856) was discovered to contain a command injection vulnerability via the component /cgi-bin/uploadAccessCodePic.

CVE-2022-27269CRITICALCVSS 9.8EG 9.8

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the component get_cgi_from_memory. This vulnerability is triggered via a crafted packet.

CVE-2022-27270CRITICALCVSS 9.8EG 9.8

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the component config_ovpn. This vulnerability is triggered via a crafted packet.

CVE-2022-27271CRITICALCVSS 9.8EG 9.8

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the component ipsec_secrets. This vulnerability is triggered via a crafted packet.

CVE-2022-27272CRITICALCVSS 9.8EG 9.8

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the component python-lib. This vulnerability is triggered via a crafted packet.

CVE-2022-27273CRITICALCVSS 9.8EG 9.8

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the function sub_1791C. This vulnerability is triggered via a crafted packet.

CVE-2022-27274CRITICALCVSS 9.8EG 9.8

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the function sub_12168. This vulnerability is triggered via a crafted packet.

CVE-2022-27275CRITICALCVSS 9.8EG 9.8

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the function sub_12028. This vulnerability is triggered via a crafted packet.

CVE-2022-27276CRITICALCVSS 9.8EG 9.8

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the function sub_122D0. This vulnerability is triggered via a crafted packet.

CVE-2022-27373HIGHCVSS 8.8EG 8.8

InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain a remote code execution (RCE) vulnerability via the function sub_10F2C. This vulnerability is triggered via a crafted packet.

2022-07-19

Shanghai Feixun Data Communication Technology Co., Ltd router fir302b A2 was discovered to contain a remote command execution (RCE) vulnerability via the Ping function.

CVE-2022-27411CRITICALCVSS 9.8EG 9.8

2022-05-05

TOTOLINK N600R v5.3c.5507_B20171031 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter in the "Main" function.

CVE-2022-27588CRITICALCVSS 9.8EG 9.8

2022-05-05

We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later

CVE-2022-27806HIGHCVSS 8.7EG 7.2

2022-05-05

On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker ass…

CVE-2022-27924HIGHCVSS 7.5EG 9.0⚠ KEV

2022-04-21

Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands becomes unescaped, causing an overwrite of arbitrary cached entries.

CVE-2022-28055CRITICALCVSS 9.8EG 9.8

2022-05-04

Fusionpbx v4.4 and below contains a command injection vulnerability via the download email logs function.

CVE-2022-28171HIGHCVSS 7.5EG 9.8

2022-06-27

The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted commands by sending mess…

CVE-2022-28220HIGHCVSS 7.5EG 7.5

2022-09-08

Apache James prior to release 3.6.3 and 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. Fix of CVE-2021-38542, which solved similar problem fron Apache James 3.6.1, is subject to a parser differential …

CVE-2022-28491CRITICALCVSS 9.8EG 9.8

CVE-2022-28494CRITICALCVSS 9.8EG 9.8

TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 contains a command injection vulnerability in the NTPSyncWithHost function via the host_name parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVE-2022-28495CRITICALCVSS 9.8EG 9.8

TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the setUpgradeFW function via the filename parameter. This vulnerability allows attackers to execute arbitrary commands via a craf…

2023-03-24

TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter. This vulnerability allows attackers to execute arbitrary commands via a c…

CVE-2022-28496CRITICALCVSS 9.8EG 9.8

CVE-2022-28497CRITICALCVSS 9.8EG 9.8

TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 discovered to contain a command injection vulnerability in the setPasswordCfg function via the adminuser and adminpassparameter. This vulnerability allows attackers to execute arbitrary comman…