Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-20617 - - Feb 20, 2025 Jan 22, 2025 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrativ...Show more Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary OS command may be executed. This vulnerability was reported on a different screen operation from CVE-2025-26856.Show less
CVE-2023-37032 1Linuxfoundation 1Magma Mar 13, 2025 Jan 21, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 A Stack-based buffer overflow in the Mobile Management Entity (MME) of Magma versions <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows remote attackers to crash the MME with an unauthentica...Show more A Stack-based buffer overflow in the Mobile Management Entity (MME) of Magma versions <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows remote attackers to crash the MME with an unauthenticated cellphone by sending a NAS packet containing an oversized `Emergency Number List` Information Element.Show less
CVE-2024-57542 1Linksys 1E8450 Firmware Apr 22, 2025 Jan 21, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Linksys E8450 v1.2.00.360516 was discovered to contain a command injection vulnerability via the field id_email_check_btn.
CVE-2025-0528 1Tenda 3Ac10 Firmware Ac18 FirmwareAc8 Firmware May 28, 2025 Jan 17, 2025 8.6 HIGH· v4 7.2 HIGH· v3 8.3 HIGH· v2 A vulnerability, which was classified as critical, has been found in Tenda AC8, AC10 and AC18 16.03.10.20. Affected by this issue is some unknown functionality of the file /goform/telnet of the component HTTP Request Han...Show more A vulnerability, which was classified as critical, has been found in Tenda AC8, AC10 and AC18 16.03.10.20. Affected by this issue is some unknown functionality of the file /goform/telnet of the component HTTP Request Handler. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2024-13502 - - Jan 17, 2025 Jan 17, 2025 9.3 CRITICAL· v4 N/A· v3 N/A· v2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Newtec/iDirect NTC2218, NTC2250, NTC2299 on Linux, PowerPC, ARM allows Local Code Inclusion.This issue affects N...Show more Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Newtec/iDirect NTC2218, NTC2250, NTC2299 on Linux, PowerPC, ARM allows Local Code Inclusion.This issue affects NTC2218, NTC2250, NTC2299: from 1.0.1.1 through 2.2.6.19. The `commit_multicast` page used to configure multicasts in the modem's web administration interface uses improperly parses incoming data from the request before passing it to an `eval` statement in a bash script. This allows attackers to inject arbitrary shell commands.Show less
CVE-2025-0457 - - Jan 16, 2025 Jan 16, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 The airPASS from NetVision Information has an OS Command Injection vulnerability, allowing remote attackers with regular privileges to inject and execute arbitrary OS commands.
CVE-2024-57025 1Totolink 1X5000r Firmware Apr 7, 2025 Jan 15, 2025 N/A· v4 6.8 MEDIUM· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "desc" parameter in setWiFiScheduleCfg.
CVE-2024-57024 1Totolink 1X5000r Firmware Apr 7, 2025 Jan 15, 2025 N/A· v4 6.8 MEDIUM· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "eMinute" parameter in setWiFiScheduleCfg.
CVE-2024-57023 1Totolink 1X5000r Firmware Apr 7, 2025 Jan 15, 2025 N/A· v4 6.8 MEDIUM· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "week" parameter in setWiFiScheduleCfg.
CVE-2024-57022 1Totolink 1X5000r Firmware Mar 19, 2025 Jan 15, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "sHour" parameter in setWiFiScheduleCfg.
CVE-2024-57021 1Totolink 1X5000r Firmware Mar 20, 2025 Jan 15, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "eHour" parameter in setWiFiScheduleCfg.
CVE-2024-57020 1Totolink 1X5000r Firmware Mar 18, 2025 Jan 15, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "sMinute" parameter in setWiFiScheduleCfg.
CVE-2024-57019 1Totolink 1X5000r Firmware Mar 18, 2025 Jan 15, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "limit" parameter in setVpnAccountCfg.
CVE-2024-57018 1Totolink 1X5000r Firmware Mar 13, 2025 Jan 15, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "desc" parameter in setVpnAccountCfg.
CVE-2024-57017 1Totolink 1X5000r Firmware Mar 13, 2025 Jan 15, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "pass" parameter in setVpnAccountCfg.
CVE-2024-57016 1Totolink 1X5000r Firmware Mar 24, 2025 Jan 15, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "user" parameter in setVpnAccountCfg.
CVE-2024-57015 1Totolink 1X5000r Firmware Mar 18, 2025 Jan 15, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "hour" parameter in setScheduleCfg.
CVE-2024-57014 1Totolink 1X5000r Firmware Mar 18, 2025 Jan 15, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "recHour" parameter in setScheduleCfg.
CVE-2024-57013 1Totolink 1X5000r Firmware Mar 13, 2025 Jan 15, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "switch" parameter in setScheduleCfg.
CVE-2024-57012 1Totolink 1X5000r Firmware Mar 14, 2025 Jan 15, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "week" parameter in setScheduleCfg.

Previous 1...899091...299 Next