Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-46157 1Mgt Commerce 1Cloudpanel Nov 21, 2024 Dec 8, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 File-Manager in MGT CloudPanel 2.0.0 through 2.3.2 allows the lowest privilege user to achieve OS command injection by changing file ownership and changing file permissions to 4755.
CVE-2023-43744 1Zultys 6Mx E Firmware Mx Se FirmwareMx Se Ii Firmware+3 more Nov 21, 2024 Dec 8, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 An OS command injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an administrator to execute arbitrary OS...Show more An OS command injection vulnerability in Zultys MX-SE, MX-SE II, MX-E, MX-Virtual, MX250, and MX30 with firmware versions prior to 17.0.10 patch 17161 and 16.04 patch 16109 allows an administrator to execute arbitrary OS commands via a file name parameter in a patch application function. The Zultys MX Administrator client has a "Patch Manager" section that allows administrators to apply patches to the device. The user supplied filename for the patch file is passed to a shell script without validation. Including bash command substitution characters in a patch file name results in execution of the provided command.Show less
CVE-2023-49897 1Fxc 2Ae1021 Firmware Ae1021pe Firmware Oct 24, 2025 Dec 6, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 An OS command injection vulnerability exists in AE1021PE firmware version 2.0.9 and earlier and AE1021 firmware version 2.0.9 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an...Show more An OS command injection vulnerability exists in AE1021PE firmware version 2.0.9 and earlier and AE1021 firmware version 2.0.9 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product.Show less
CVE-2023-44221 1Sonicwall 5Sma 200 Firmware Sma 210 FirmwareSma 400 Firmware+2 more Oct 31, 2025 Dec 5, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially lea...Show more Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability.Show less
CVE-2023-6357 1Codesys 11Control For Beaglebone Sl Control For Empc A/imx6Control For Iot2000 Sl+8 more Nov 21, 2024 Dec 5, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A low-privileged remote attacker could exploit the vulnerability and inject additional system commands via file system libraries which could give the attacker full control of the device.
CVE-2023-24046 1Connectize 1Ac21000 G6 Firmware Nov 21, 2024 Dec 4, 2023 N/A· v4 6.8 MEDIUM· v3 N/A· v2 An issue was discovered on Connectize AC21000 G6 641.139.1.1256 allows attackers to run arbitrary commands via use of a crafted string in the ping utility.
CVE-2023-48800 1Totolink 1X6000r Firmware Nov 21, 2024 Dec 4, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In TOTOLINK X6000R_Firmware V9.4.0cu.852_B20230719, the shttpd file sub_417338 function obtains fields from the front-end, connects them through the snprintf function, and passes them to the CsteSystem function, resultin...Show more In TOTOLINK X6000R_Firmware V9.4.0cu.852_B20230719, the shttpd file sub_417338 function obtains fields from the front-end, connects them through the snprintf function, and passes them to the CsteSystem function, resulting in a command execution vulnerability.Show less
CVE-2023-44304 1Dell 1Dm5500 Firmware Nov 21, 2024 Dec 4, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Dell DM5500 contains a privilege escalation vulnerability in the appliance. A remote attacker with low privileges could potentially exploit this vulnerability to escape the restricted shell and gain root access to the...Show more Dell DM5500 contains a privilege escalation vulnerability in the appliance. A remote attacker with low privileges could potentially exploit this vulnerability to escape the restricted shell and gain root access to the appliance. Show less
CVE-2023-44291 1Dell 1Powerprotect Data Manager Dm5500 Firmware Nov 21, 2024 Dec 4, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Dell DM5500 5.14.0.0 contains an OS command injection vulnerability in the appliance. A remote attacker with high privileges could potentially exploit this vulnerability, leading to the execution of arbitrary OS comma...Show more Dell DM5500 5.14.0.0 contains an OS command injection vulnerability in the appliance. A remote attacker with high privileges could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. Show less
CVE-2023-48842 1Dlink 1Go Rt Ac750 Firmware Jun 3, 2025 Dec 1, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 D-Link Go-RT-AC750 revA_v101b03 was discovered to contain a command injection vulnerability via the service parameter at hedwig.cgi.
CVE-2023-48812 1Totolink 1X6000r Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function creates a command execution...Show more In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function creates a command execution vulnerability.Show less
CVE-2023-48811 1Totolink 1X6000r Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function creates a command execution...Show more In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function creates a command execution vulnerability.Show less
CVE-2023-48810 1Totolink 1X6000r Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vuln...Show more In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.Show less
CVE-2023-48808 1Totolink 1X6000r Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vuln...Show more In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.Show less
CVE-2023-48807 1Totolink 1X6000r Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vuln...Show more In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.Show less
CVE-2023-48806 1Totolink 1X6000r Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vuln...Show more In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.Show less
CVE-2023-48805 1Totolink 1X6000r Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vuln...Show more In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.Show less
CVE-2023-48804 1Totolink 1X6000r Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vuln...Show more In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.Show less
CVE-2023-48803 1Totolink 1X6000r Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vuln...Show more In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.Show less
CVE-2023-48802 1Totolink 1X6000r Firmware Jun 5, 2025 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vuln...Show more In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file, sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function when passed to the CsteSystem function creates a command execution vulnerability.Show less

Previous 1...134135136...299 Next