Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-41281 1Qnap 3Qts Quts HeroQutscloud Nov 21, 2024 Feb 2, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We ha...Show more An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later Show less
CVE-2023-39302 1Qnap 3Qts Quts HeroQutscloud Nov 21, 2024 Feb 2, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We ha...Show more An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later Show less
CVE-2023-39297 1Qnap 3Qts Quts HeroQutscloud Nov 21, 2024 Feb 2, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have alread...Show more An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later Show less
CVE-2023-6078 13ds 1Biovia Materials Studio Nov 21, 2024 Feb 1, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An OS Command Injection vulnerability exists in BIOVIA Materials Studio products from Release BIOVIA 2021 through Release BIOVIA 2023. Upload of a specially crafted perl script can lead to arbitrary command execution.
CVE-2024-1115 1Openbi 1Openbi Nov 21, 2024 Jan 31, 2024 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability was found in openBI up to 1.0.8 and classified as critical. This issue affects the function dlfile of the file /application/websocket/controller/Setting.php. The manipulation of the argument phpPath leads...Show more A vulnerability was found in openBI up to 1.0.8 and classified as critical. This issue affects the function dlfile of the file /application/websocket/controller/Setting.php. The manipulation of the argument phpPath leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252473 was assigned to this vulnerability.Show less
CVE-2024-24333 1Totolink 1A3300r Firmware Jun 12, 2025 Jan 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the desc parameter in the setWiFiAclRules function.
CVE-2024-24332 1Totolink 1A3300r Firmware May 30, 2025 Jan 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the url parameter in the setUrlFilterRules function.
CVE-2024-24331 1Totolink 1A3300r Firmware May 29, 2025 Jan 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setWiFiScheduleCfg function.
CVE-2024-24330 1Totolink 1A3300r Firmware Jun 9, 2025 Jan 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the port or enable parameter in the setRemoteCfg function.
CVE-2024-24329 1Totolink 1A3300r Firmware Jun 12, 2025 Jan 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setPortForwardRules function.
CVE-2024-24328 1Totolink 1A3300r Firmware Nov 21, 2024 Jan 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setMacFilterRules function.
CVE-2024-24327 1Totolink 1A3300r Firmware May 29, 2025 Jan 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the pppoePass parameter in the setIpv6Cfg function.
CVE-2024-24326 1Totolink 1A3300r Firmware Nov 21, 2024 Jan 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the arpEnable parameter in the setStaticDhcpRules function.
CVE-2024-24325 1Totolink 1A3300r Firmware Jun 20, 2025 Jan 30, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setParentalRules function.
CVE-2023-5372 1Zyxel 2Nas326 Firmware Nas542 Firmware Nov 21, 2024 Jan 30, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administ...Show more The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.Show less
CVE-2023-49038 1Buffalo 1Ls210d Firmware Jun 2, 2025 Jan 29, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 Command injection in the ping utility on Buffalo LS210D 1.78-0.03 allows a remote authenticated attacker to inject arbitrary commands onto the NAS as root.
CVE-2024-0986 1Issabel 1Pbx Nov 21, 2024 Jan 29, 2024 N/A· v4 9.8 CRITICAL· v3 5.8 MEDIUM· v2 A vulnerability was found in Issabel PBX 4.0.0. It has been rated as critical. This issue affects some unknown processing of the file /index.php?menu=asterisk_cli of the component Asterisk-Cli. The manipulation of the ar...Show more A vulnerability was found in Issabel PBX 4.0.0. It has been rated as critical. This issue affects some unknown processing of the file /index.php?menu=asterisk_cli of the component Asterisk-Cli. The manipulation of the argument Command leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252251. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-0921 1Dlink 1Dir 816 A2 Firmware Nov 21, 2024 Jan 26, 2024 N/A· v4 9.8 CRITICAL· v3 5.8 MEDIUM· v2 A vulnerability has been found in D-Link DIR-816 A2 1.10CNB04 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/setDeviceSettings of the component Web Interface. T...Show more A vulnerability has been found in D-Link DIR-816 A2 1.10CNB04 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/setDeviceSettings of the component Web Interface. The manipulation of the argument statuscheckpppoeuser leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252139.Show less
CVE-2024-0918 1Trendnet 1Tew 800mb Firmware Nov 21, 2024 Jan 26, 2024 N/A· v4 7.2 HIGH· v3 8.3 HIGH· v2 A vulnerability was found in TRENDnet TEW-800MB 1.0.1.0 and classified as critical. Affected by this issue is some unknown functionality of the component POST Request Handler. The manipulation of the argument DeviceURL l...Show more A vulnerability was found in TRENDnet TEW-800MB 1.0.1.0 and classified as critical. Affected by this issue is some unknown functionality of the component POST Request Handler. The manipulation of the argument DeviceURL leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252122 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2023-38323 1Opennds 1Opennds May 29, 2025 Jan 26, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the status path script entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS c...Show more An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the status path script entry in the configuration file, allowing attackers that have direct or indirect access to this file to execute arbitrary OS commands.Show less

Previous 1...128129130...299 Next