CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,271 with exploits | 4,730 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,547 researchers
309 results
CVE-2023-39288 5.5 MEDIUM EPSS 0.00
Mitel MiVoice Connect <9.6.2304.102 - Command Injection
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.
CWE-88 Aug 25, 2023
CVE-2023-39287 5.5 MEDIUM EPSS 0.00
Mitel MiVoice Connect <19.3 SP3 - Command Injection
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.
CWE-88 Aug 25, 2023
CVE-2023-20224 7.8 HIGH EPSS 0.00
Cisco ThousandEyes Enterprise Agent - Privilege Escalation
A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability is due to insufficient input validation of user-supplied CLI arguments. An attacker could exploit this vulnerability by authenticating to an affected device and using crafted commands at the prompt. A successful exploit could allow the attacker to execute arbitrary commands as root. The attacker must have valid credentials on the affected device.
CWE-284 Aug 16, 2023
CVE-2023-26310 7.4 HIGH EPSS 0.01
Mobile Phone Backup App - Command Injection
There is a command injection problem in the old version of the mobile phone backup app.
CWE-88 Aug 09, 2023
CVE-2023-33378 9.8 CRITICAL EPSS 0.00
Connected IO <2.1.0 - Command Injection
Connected IO v2.1.0 and prior has an argument injection vulnerability in its AT command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
CWE-88 Aug 04, 2023
CVE-2023-33376 9.8 CRITICAL EPSS 0.00
Connected IO <2.1.0 - Command Injection
Connected IO v2.1.0 and prior has an argument injection vulnerability in its iptables command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
CWE-88 Aug 04, 2023
CVE-2023-30577 7.8 HIGH EPSS 0.00
AMANDA <tag-community-3.5.4 - Info Disclosure
AMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag-community-3.5.4 mishandles argument checking for runtar.c, a different vulnerability than CVE-2022-37705.
CWE-88 Jul 26, 2023
CVE-2023-34395 7.8 HIGH EPSS 0.00
Apache-airflow-providers-odbc < 4.0.0 - Privilege Escalation
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Software Foundation Apache Airflow ODBC Provider. In OdbcHook, a privilege escalation vulnerability exists due to controllable ODBC driver parameters that allow the loading of arbitrary dynamic-link libraries, resulting in command execution. Starting with version 4.0.0, the driver can be set only from the hook constructor. This issue affects Apache Airflow ODBC Provider: before 4.0.0.
CWE-88 Jun 27, 2023
CVE-2022-37705 6.7 MEDIUM 1 PoC Analysis EPSS 0.03
Zmanda Amanda - Privilege Escalation
A privilege escalation flaw was found in Amanda 3.5.1 in which the backup user can acquire root privileges. The vulnerable component is the runtar SUID program, which is a wrapper to run /usr/bin/tar with specific arguments that are controllable by the attacker. This program mishandles the arguments passed to tar binary (it expects that the argument name and value are separated with a space; however, separating them with an equals sign is also supported),
CWE-88 Apr 16, 2023
CVE-2023-25356 8.8 HIGH EPSS 0.20
CoreDial sipXcom <=21.04 - Command Injection
CoreDial sipXcom up to and including 21.04 is vulnerable to Improper Neutralization of Argument Delimiters in a Command. XMPP users are able to inject arbitrary arguments into a system command, which can be used to read files from, and write files to, the sipXcom server. This can also be leveraged to gain remote command execution.
CWE-88 Apr 04, 2023
CVE-2022-47502 7.8 HIGH EPSS 0.00
Apache OpenOffice - Code Injection
Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. In the affected versions of OpenOffice, approval for certain links is not requested; when activated, such links could therefore result in arbitrary script execution.
CWE-88 Mar 24, 2023
CVE-2022-40677 7.2 HIGH EPSS 0.01
Fortinet FortiNAC <9.4.0 - Command Injection
An improper neutralization of argument delimiters in a command ('argument injection') in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 allows an attacker to execute unauthorized code or commands via specially crafted input parameters.
CWE-88 Feb 16, 2023
CVE-2022-4864 5.4 MEDIUM 1 Writeup EPSS 0.00
froxlor/froxlor <2.0.0-beta1 - Command Injection
Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
CWE-88 Dec 30, 2022
CVE-2022-46883 8.8 HIGH EPSS 0.01
Mozilla Firefox <106 - Memory Corruption
Mozilla developers Gabriele Svelto, Yulia Startsev, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 106. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Note: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 107. This vulnerability affects Firefox < 107.
CWE-88 Dec 22, 2022
CVE-2022-47926 9.8 CRITICAL EPSS 0.00
AyaCMS 3.1.2 - Path Traversal
AyaCMS 3.1.2 is vulnerable to file deletion via /aya/module/admin/fst_del.inc.php
CWE-88 Dec 22, 2022
CVE-2022-44731 5.4 MEDIUM EPSS 0.00
SIMATIC WinCC OA - Command Injection
A vulnerability has been identified in SIMATIC WinCC OA V3.15 (All versions < V3.15 P038), SIMATIC WinCC OA V3.16 (All versions < V3.16 P035), SIMATIC WinCC OA V3.17 (All versions < V3.17 P024), SIMATIC WinCC OA V3.18 (All versions < V3.18 P014). The affected component allows injecting custom arguments into the Ultralight Client backend application under certain circumstances. This could allow an authenticated remote attacker to inject arbitrary parameters when starting the client via the web interface (e.g., open attacker-chosen panels with the attacker's credentials or start a Ctrl script).
CWE-88 Dec 13, 2022
CVE-2022-23740 8.8 HIGH EPSS 0.03
Github Enterprise Server - Remote Code Execution
CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.
CWE-88 Nov 23, 2022
CVE-2022-45062 9.8 CRITICAL EPSS 0.04
Xfce xfce4-settings <4.16.4-4.17.1 - Command Injection
In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper.
CWE-88 Nov 09, 2022
CVE-2021-46850 7.2 HIGH EXPLOITED 1 PoC Analysis EPSS 0.16
myVesta Control Panel <0.9.8-26-43 - Command Injection
myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel before 0.9.8-26 are vulnerable to command injection. An authenticated and remote administrative user can execute arbitrary commands via the v_sftp_license parameter when sending HTTP POST requests to the /edit/server endpoint.
CWE-88 Oct 24, 2022
CVE-2022-42968 9.8 CRITICAL EPSS 0.01
Gitea <1.17.3 - Code Injection
Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are mishandled.
CWE-88 Oct 16, 2022