CyberSec.Space Logo
Back to CVE Browser

CVE-2021-47667

CRITICAL
10.0
CVSS Severity Score
EPSS Score0.0220%
EPSS Percentile28.92th
PublishedApr 5, 2025
Last ModifiedApr 15, 2026

Vulnerability Description

An OS command injection vulnerability in lib/NSSDropoff.php in ZendTo 5.24-3 through 6.x before 6.10-7 allows unauthenticated remote attackers to execute arbitrary commands via shell metacharacters in the tmp_name parameter when dropping off a file via a POST /dropoff request.

Affected Platforms (CPE)

No CPE configurations currently published for this record.

References & Advisories

🔗 https://projectblack.io/blog/zendto-nday-vulnerabilities/
🔗 https://projectblack.io/blog/zendto-nday-vulnerabilities/

Related Vulnerabilities

CVE-2021-2124310.0

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deser...

CVE-2021-021110.0

An improper check for unusual or exceptional conditions in Juniper Networks Junos OS and Junos OS Evolved Routing Protocol Daemon ...

CVE-2021-3467910.0

Thycotic Password Reset Server before 5.3.0 allows credential disclosure.

CVE-2021-2124410.0

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server sid...