9787 matches found
Design/Logic Flaw
D-Link DCH-M225 1.05b01 and earlier devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the spotifyConnect.php userName parameter...
CVE-2020-6842
D-Link DCH-M225 (version 1.05b01 and earlier) is affected. The issue is a command injection where remote authenticated admins can execute arbitrary OS commands via shell metacharacters in the media renderer name, due to insufficient input sanitization. Documented impact aligns with high severity ...
CVE-2020-6841
Summary: CVE-2020-6841 affects the D-Link DCH-M225 Wi‑Fi audio extender (versions 1.05b01 and earlier). The vulnerability arises in the spotifyConnect.php script where userName input is not properly neutralized, allowing an attacker to inject shell metacharacters and execute arbitrary OS commands...
CVE-2020-5524
CVE-2020-5524 affects NEC Aterm devices (WF1200C v1.2.1 and earlier; WG1200CR v1.2.1 and earlier; WG2600HS v1.3.2 and earlier). The flaw allows an attacker on the same network segment to run arbitrary OS commands with root privileges via the UPnP interface. Public sources in the connected documen...
Multiple vulnerabilities in Aterm WG2600HS
Overview: Aterm WG2600HS provided by NEC Corporation contains multiple vulnerabilities listed below. Cross-site scripting (CWE-79): CVE-2020-5533. OS command injection (CWE-78): CVE-2020-5534. Satoru Nagaoka of Cyber Defense Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated wit...
JVN#25766797: Multiple OS command injection vulnerabilities in Aterm WF1200C, Aterm WG1200CR, and Aterm WG2600HS
Aterm WF1200C, Aterm WG1200CR, and Aterm WG2600HS provided by NEC Corporation contain multiple OS command injection vulnerabilities listed below.

OS command injection vulnerability in UPnP function (CWE-78) - CVE-2020-5524

Version | Vector | Score
---|---|---
CVSS v3 | ...
JVN#49410695: Multiple vulnerabilities in Aterm WG2600HS
Aterm WG2600HS provided by NEC Corporation contains multiple vulnerabilities listed below.

Cross-site scripting (CWE-79) - CVE-2020-5533

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1
CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6

OS...
CVE-2020-9026
ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected...
CVE-2020-9027
ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the TRACE field of the resource ping.cmd. The NTP-2 device is also affected...
CVE-2020-9021
Post Oak AWAM Bluetooth Field Device 7400v2.08.21.2018, 7800SD.2015.1.16, 2011.3, 7400v2.02.01.2019, and 7800SD.2012.12.5 is vulnerable to injections of operating system commands through timeconfig.py via shell metacharacters in the htmlNtpServer parameter...
CVE-2020-9020
Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field...
Command injection
ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected...
Design/Logic Flaw
Iteris Vantage Velocity Field Unit 2.3.1, 2.4.2, and 3.0 devices allow the injection of OS commands into cgi-bin/timeconfig.py via shell metacharacters in the NTP Server field...
Design/Logic Flaw
Post Oak AWAM Bluetooth Field Device 7400v2.08.21.2018, 7800SD.2015.1.16, 2011.3, 7400v2.02.01.2019, and 7800SD.2012.12.5 is vulnerable to injections of operating system commands through timeconfig.py via shell metacharacters in the htmlNtpServer parameter...
Command injection
ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the TRACE field of the resource ping.cmd. The NTP-2 device is also affected...
CVE-2020-9020
CVE-2020-9020 affects Iteris Vantage Velocity Field Unit firmware versions 2.3.1, 2.4.2, and 3.0. The root cause is an OS command injection via shell metacharacters entered in the NTP Server field processed by the CGI script cgi-bin/timeconfig.py. This could enable remote command execution with h...
CVE-2020-9026
The CVE-2020-9026 entry concerns ELTEX NTP-RG-1402G devices (1v10, 3.25.3.32) and the NTP-2 device. The issue is an OS command injection vulnerability triggered via the PING field in the resource ping.cmd. Root cause: input handling in command construction allows execution of arbitrary OS command...