CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-77

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-44079 77 Exec Code 2021-11-22 2021-11-26
7.5
None Remote Low Not required Partial Partial Partial
In the wazuh-slack active response script in Wazuh before 4.2.5, untrusted user agents are passed to a curl command line, potentially resulting in remote code execution.
2 CVE-2021-43557 77 Bypass 2021-11-22 2021-11-26
5.0
None Remote Low Not required Partial None None
The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer's custom plugin.
3 CVE-2021-43469 77 Exec Code 2021-12-06 2021-12-06
6.5
None Remote Low ??? Partial Partial Partial
VINGA WR-N300U 77.102.1.4853 is affected by a command execution vulnerability in the goahead component.
4 CVE-2021-43339 77 2021-11-03 2021-11-30
6.5
None Remote Low ??? Partial Partial Partial
In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file_name in the export functionality. For example, a new admin user could be created.
5 CVE-2021-43319 77 2021-11-30 2021-12-03
7.5
None Remote Low Not required Partial Partial Partial
Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.
6 CVE-2021-43266 77 Exec Code 2021-11-02 2021-11-09
4.6
None Remote High ??? Partial Partial Partial
In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exporting collections via PDF export could lead to code execution via shell metacharacters in a collection name.
7 CVE-2021-42740 77 2021-10-21 2021-10-28
7.5
None Remote Low Not required Partial Partial Partial
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
8 CVE-2021-42538 77 2021-10-22 2021-10-27
6.5
None Remote Low ??? Partial Partial Partial
The affected product is vulnerable to a parameter injection via passphrase, which enables the attacker to supply uncontrolled input.
9 CVE-2021-42132 77 Exec Code 2021-12-07 2021-12-08
6.5
None Remote Low ??? Partial Partial Partial
A command Injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.
10 CVE-2021-42129 77 Exec Code 2021-12-07 2021-12-08
6.5
None Remote Low ??? Partial Partial Partial
A command injection vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary command execution.
11 CVE-2021-42094 77 2021-10-07 2021-10-14
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Zammad before 4.1.1. Command Injection can occur via custom Packages.
12 CVE-2021-41744 77 2021-10-22 2021-10-28
7.5
None Remote Low Not required Partial Partial Partial
All versions of yongyou PLM are affected by a command injection issue. UFIDA PLM (Product Life Cycle Management) is a strategic management method. It applies a series of enterprise application systems to support the entire process from conceptual design to the end of product life, and the collaborative creation, distribution, application and management of product information across organizations. Yonyou PLM uses jboss by default, and you can access the management control background without authorization An attacker can use this vulnerability to gain server permissions.
13 CVE-2021-41720 77 Exec Code 2021-09-30 2021-11-30
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template function. This is a different parameter, method, and version than CVE-2021-23337. NOTE: the vendor's position is that it's the developer's responsibility to ensure that a template does not evaluate code that originates from untrusted input.
14 CVE-2021-41383 77 Exec Code 2021-09-17 2021-09-29
9.0
None Remote Low ??? Complete Complete Complete
setup.cgi on NETGEAR R6020 1.0.0.48 devices allows an admin to execute arbitrary shell commands via shell metacharacters in the ntp_server field.
15 CVE-2021-41146 77 Exec Code 2021-10-21 2021-10-28
6.8
None Remote Medium Not required Partial Partial Partial
qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known.
16 CVE-2021-41116 77 2021-10-05 2021-10-09
7.5
None Remote Low Not required Partial Partial Partial
Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has been resolved in composer versions 1.10.23 and 2.1.9. There are no workarounds for this issue.
17 CVE-2021-40999 77 Exec Code 2021-10-15 2021-10-20
6.5
None Remote Low ??? Partial Partial Partial
A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.
18 CVE-2021-40998 77 Exec Code 2021-10-15 2021-10-20
9.0
None Remote Low ??? Complete Complete Complete
A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.
19 CVE-2021-40995 77 Exec Code 2021-10-15 2021-10-20
6.5
None Remote Low ??? Partial Partial Partial
A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.
20 CVE-2021-40994 77 Exec Code 2021-10-15 2021-10-21
6.5
None Remote Low ??? Partial Partial Partial
A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.
21 CVE-2021-40987 77 Exec Code 2021-10-15 2021-10-21
9.0
None Remote Low ??? Complete Complete Complete
A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.
22 CVE-2021-40986 77 Exec Code 2021-10-15 2021-10-21
9.0
None Remote Low ??? Complete Complete Complete
A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.
23 CVE-2021-40345 77 Exec Code 2021-10-26 2021-11-01
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.
24 CVE-2021-40113 77 2021-11-04 2021-11-06
7.5
None Remote Low Not required Partial Partial Partial
Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following actions: Log in with a default credential if the Telnet protocol is enabled Perform command injection Modify the configuration For more information about these vulnerabilities, see the Details section of this advisory.
25 CVE-2021-40084 77 Exec Code 2021-08-25 2021-08-31
7.5
None Remote Low Not required Partial Partial Partial
opensysusers through 0.6 does not safely use eval on files in sysusers.d that may contain shell metacharacters. For example, it allows command execution via a crafted GECOS field whereas systemd-sysusers (a program with the same specification) does not do that.
26 CVE-2021-39510 77 2021-08-24 2021-09-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in D-Link DIR816_A1_FW101CNB04 750m11ac wireless router, The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters.
27 CVE-2021-39509 77 2021-08-24 2021-09-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in D-Link DIR-816 DIR-816A2_FWv1.10CNB05_R1B011D88210 The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell metacharacters.
28 CVE-2021-38611 77 Exec Code 2021-08-24 2021-08-31
10.0
None Remote Low Not required Complete Complete Complete
A command-injection vulnerability in the Image Upload function of the NASCENT RemKon Device Manager 4.0.0.0 allows attackers to execute arbitrary commands, as root, via shell metacharacters in the filename parameter to assets/index.php.
29 CVE-2021-38556 77 Exec Code 2021-08-24 2021-09-02
6.5
None Remote Low ??? Partial Partial Partial
includes/configure_client.php in RaspAP 2.6.6 allows attackers to execute commands via command injection.
30 CVE-2021-38530 77 2021-08-11 2021-08-19
10.0
None Remote Low Not required Complete Complete Complete
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects RBK40 before 2.5.1.16, RBR40 before 2.5.1.16, RBS40 before 2.5.1.16, RBK20 before 2.5.1.16, RBR20 before 2.5.1.16, RBS20 before 2.5.1.16, RBK50 before 2.5.1.16, RBR50 before 2.5.1.16, RBS50 before 2.5.1.16, and RBS50Y before 2.6.1.40.
31 CVE-2021-38529 77 2021-08-11 2021-08-18
7.5
None Remote Low Not required Partial Partial Partial
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D7800 before 1.0.1.56, R7800 before 1.0.2.68, R8900 before 1.0.4.26, and R9000 before 1.0.4.26.
32 CVE-2021-38528 77 2021-08-11 2021-08-18
10.0
None Remote Low Not required Complete Complete Complete
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects D8500 before 1.0.3.58, R6900P before 1.3.2.132, R7000P before 1.3.2.132, R7100LG before 1.0.0.64, WNDR3400v3 before 1.0.1.38, and XR300 before 1.0.3.56.
33 CVE-2021-38527 77 2021-08-11 2021-08-19
10.0
None Remote Low Not required Complete Complete Complete
Certain NETGEAR devices are affected by command injection by an unauthenticated attacker. This affects CBR40 before 2.5.0.14, EX6100v2 before 1.0.1.98, EX6150v2 before 1.0.1.98, EX6250 before 1.0.0.132, EX6400 before 1.0.2.158, EX6400v2 before 1.0.0.132, EX6410 before 1.0.0.132, EX6420 before 1.0.0.132, EX7300 before 1.0.2.158, EX7300v2 before 1.0.0.132, EX7320 before 1.0.0.132, EX7700 before 1.0.0.216, EX8000 before 1.0.1.232, R7800 before 1.0.2.78, RBK12 before 2.6.1.44, RBR10 before 2.6.1.44, RBS10 before 2.6.1.44, RBK20 before 2.6.1.38, RBR20 before 2.6.1.36, RBS20 before 2.6.1.38, RBK40 before 2.6.1.38, RBR40 before 2.6.1.36, RBS40 before 2.6.1.38, RBK50 before 2.6.1.40, RBR50 before 2.6.1.40, RBS50 before 2.6.1.40, RBK752 before 3.2.16.6, RBR750 before 3.2.16.6, RBS750 before 3.2.16.6, RBK852 before 3.2.16.6, RBR850 before 3.2.16.6, RBS850 before 3.2.16.6, RBS40V before 2.6.2.4, RBS50Y before 2.6.1.40, RBW30 before 2.6.2.2, and XR500 before 2.3.2.114.
34 CVE-2021-38521 77 2021-08-11 2021-08-18
6.5
None Remote Low ??? Partial Partial Partial
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6400 before 1.0.1.50, R7900P before 1.4.1.50, R8000P before 1.4.1.50, RAX75 before 1.0.1.62, and RAX80 before 1.0.1.62.
35 CVE-2021-38520 77 2021-08-11 2021-08-18
6.5
None Remote Low ??? Partial Partial Partial
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6400 before 1.0.1.52, R6400v2 before 1.0.4.84, R6700v3 before 1.0.4.84, R6700v2 before 1.2.0.62, R6900v2 before 1.2.0.62, and R7000P before 1.3.2.124.
36 CVE-2021-38519 77 2021-08-11 2021-08-19
6.5
None Remote Low ??? Partial Partial Partial
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6250 before 1.0.4.36, R6300v2 before 1.0.4.36, R6400 before 1.0.1.50, R6400v2 before 1.0.2.66, R6700v3 before 1.0.2.66, R6700 before 1.0.2.8, R6900 before 1.0.2.8, R7000 before 1.0.9.88, R6900P before 1.3.2.132, R7100LG before 1.0.0.52, R7900 before 1.0.3.10, R8000 before 1.0.4.46, R7900P before 1.4.1.50, R8000P before 1.4.1.50, and RAX80 before 1.0.1.40.
37 CVE-2021-38518 77 2021-08-11 2021-08-18
6.5
None Remote Low ??? Partial Partial Partial
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects RAX200 before 1.0.4.120, RAX75 before 1.0.4.120, RAX80 before 1.0.4.120, RBK852 before 3.2.17.12, RBR850 before 3.2.17.12, and RBS850 before 3.2.17.12.
38 CVE-2021-38373 77 2021-08-10 2021-08-20
3.5
None Remote Medium ??? Partial None None
In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked.
39 CVE-2021-38372 77 2021-08-10 2021-08-20
4.3
None Remote Medium Not required None Partial None
In KDE Trojita 0.7, man-in-the-middle attackers can create new folders because untagged responses from an IMAP server are accepted before STARTTLS.
40 CVE-2021-38370 77 2021-08-10 2021-08-20
4.3
None Remote Medium Not required None Partial None
In Alpine through 2.24, untagged responses from an IMAP server are accepted before STARTTLS.
41 CVE-2021-38294 77 Exec Code 2021-10-25 2021-11-23
7.5
None Remote Low Not required Partial Partial Partial
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
42 CVE-2021-38189 77 2021-08-08 2021-08-16
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in the lettre crate before 0.9.6 for Rust. In an e-mail message body, an attacker can place a . character after two <CR><LF> sequences and then inject arbitrary SMTP commands.
43 CVE-2021-38173 77 Exec Code 2021-08-07 2021-09-14
7.5
None Remote Low Not required Partial Partial Partial
Btrbk before 0.31.2 allows command execution because of the mishandling of remote hosts filtering SSH commands using ssh_filter_btrbk.sh in authorized_keys.
44 CVE-2021-38169 77 2021-08-07 2021-08-13
6.5
None Remote Low ??? Partial Partial Partial
Roxy-WI through 5.2.2.0 allows command injection via /app/funct.py and /api/api_funct.py.
45 CVE-2021-38124 77 Exec Code 2021-09-28 2021-10-01
7.5
None Remote Low Not required Partial Partial Partial
Remote Code Execution vulnerability in Micro Focus ArcSight Enterprise Security Manager (ESM) product, affecting versions 7.0.2 through 7.5. The vulnerability could be exploited resulting in remote code execution.
46 CVE-2021-37739 77 Exec Code 2021-10-15 2021-10-20
9.0
None Remote Low ??? Complete Complete Complete
A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): ClearPass Policy Manager 6.10.x prior to 6.10.2 - - ClearPass Policy Manager 6.9.x prior to 6.9.7-HF1 - - ClearPass Policy Manager 6.8.x prior to 6.8.9-HF1. Aruba has released patches for ClearPass Policy Manager that address this security vulnerability.
47 CVE-2021-37724 77 Exec Code 2021-09-07 2021-10-12
9.0
None Remote Low ??? Complete Complete Complete
A remote arbitrary command execution vulnerability was discovered in Aruba Operating System Software version(s): Prior to 8.7.1.2, 8.6.0.8, 8.5.0.12, 8.3.0.16. Aruba has released patches for ArubaOS that address this security vulnerability.
48 CVE-2021-37723 77 Exec Code 2021-09-07 2021-10-12
9.0
None Remote Low ??? Complete Complete Complete
A remote arbitrary command execution vulnerability was discovered in Aruba Operating System Software version(s): Prior to 8.7.1.2, 8.6.0.8, 8.5.0.12, 8.3.0.16. Aruba has released patches for ArubaOS that address this security vulnerability.
49 CVE-2021-37722 77 Exec Code 2021-09-07 2021-10-12
9.0
None Remote Low ??? Complete Complete Complete
A remote arbitrary command execution vulnerability was discovered in Aruba SD-WAN Software and Gateways; Aruba Operating System Software version(s): Prior to 8.6.0.4-2.2.0.4; Prior to 8.7.1.4, 8.6.0.9, 8.5.0.13, 8.3.0.16, 6.5.4.20, 6.4.4.25. Aruba has released patches for Aruba SD-WAN Software and Gateways and ArubaOS that address this security vulnerability.
50 CVE-2021-37721 77 Exec Code 2021-09-07 2021-10-12
9.0
None Remote Low ??? Complete Complete Complete
A remote arbitrary command execution vulnerability was discovered in Aruba SD-WAN Software and Gateways; Aruba Operating System Software version(s): Prior to 8.6.0.4-2.2.0.4; Prior to 8.7.1.4, 8.6.0.9, 8.5.0.13, 8.3.0.16, 6.5.4.20, 6.4.4.25. Aruba has released patches for Aruba SD-WAN Software and Gateways and ArubaOS that address this security vulnerability.
Total number of vulnerabilities : 735   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.