| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The cliserver implementation in Dell SonicWALL GMS, Analyzer, and UMA EM5000 7.2, 8.0, and 8.1 before Hotfix 168056 allows remote attackers to deserialize and execute arbitrary Java code via crafted XML data. |
| The GMS ViewPoint (GMSVP) web application in Dell SonicWALL GMS, Analyzer, and UMA EM5000 7.2, 8.0, and 8.1 before Hotfix 168056 allows remote authenticated users to execute arbitrary commands via vectors related to configuration input. |
| flu.cgi in the web interface on SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with firmware before 01A.8 allows remote authenticated users to execute arbitrary commands via the 5066 (aka dnsmasq) parameter. |
| Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data. |
| Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 index.php page via a modified Cookie header. |
| The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. |
| The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address. |
| Mailcwp remote file upload vulnerability incomplete fix v1.100 |
| The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to execute arbitrary commands via unspecified vectors, a different vulnerability than CVE-2015-1986. |
| ftagent.exe in EMC AutoStart 5.4.x and 5.5.x before 5.5.0.508 HF4 allows remote attackers to execute arbitrary commands via crafted packets. |
| Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to execute arbitrary commands via shell metacharacters in the ping field (setobject_ip parameter). |
| The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE. |
| default-rsyncssh.lua in Lsyncd 2.1.5 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a filename. |
| The web interface in BitTorrent allows remote attackers to execute arbitrary commands by leveraging knowledge of the pairing values and a crafted request to port 10000. |
| The VMware driver in OpenStack Compute (Nova) before 2014.1.4 allows remote authenticated users to cause a denial of service (disk consumption) by deleting an instance in the resize state. |
| GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to execute arbitrary commands on an unattended workstation by making many PrtSc requests and leveraging a temporary lock outage, and the resulting temporary shell availability, caused by the Linux kernel OOM killer. |
| The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts. |
| The generate_local_queue function in utils/cups-browsed.c in cups-browsed in cups-filters before 1.0.53 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the host name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2707. |
| nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation. |
| Eval injection vulnerability in luci 0.26.0 allows remote authenticated users with certain permissions to execute arbitrary Python code via a crafted cluster configuration. |
