Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-4474 1Zyxel 2Nas326 Firmware Nas542 Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute som...Show more The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.Show less
CVE-2023-4473 1Zyxel 2Nas326 Firmware Nas542 Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A command injection vulnerability in the web server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating sys...Show more A command injection vulnerability in the web server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.Show less
CVE-2023-37928 1Zyxel 2Nas326 Firmware Nas542 Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A post-authentication command injection vulnerability in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute...Show more A post-authentication command injection vulnerability in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.Show less
CVE-2023-37927 1Zyxel 2Nas326 Firmware Nas542 Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 The improper neutralization of special elements in the CGI program of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some...Show more The improper neutralization of special elements in the CGI program of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.Show less
CVE-2023-35138 1Zyxel 2Nas326 Firmware Nas542 Firmware Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A command injection vulnerability in the “show_zysync_server_contents” function of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker t...Show more A command injection vulnerability in the “show_zysync_server_contents” function of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.Show less
CVE-2023-3741 1Nec 22Itk 12d 1(bk)tel Firmware Itk 12d 1p(bk)tel FirmwareItk 12dg 1p(bk)tel Firmware+19 more Nov 21, 2024 Nov 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An OS Command injection vulnerability in NEC Platforms DT900 and DT900S Series all versions allows an attacker to execute any command on the device.
CVE-2023-23325 1Zumtobel 1Netlink Ccd Firmware Nov 21, 2024 Nov 29, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain a command injection vulnerability via the NetHostname parameter.
CVE-2023-6201 1Univera 1Panorama May 20, 2026 Nov 28, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Univera Computer System Panorama allows Command Injection. This issue affects Panorama: before 8.0.
CVE-2023-4222 1Chamilo 1Chamilo Lms Nov 21, 2024 Nov 28, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characte...Show more Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.Show less
CVE-2023-4221 1Chamilo 1Chamilo Lms Nov 21, 2024 Nov 28, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special character...Show more Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.Show less
CVE-2023-3368 1Chamilo 1Chamilo Nov 21, 2024 Nov 28, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a...Show more Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960.Show less
CVE-2023-6309 1Moses Smt 1Mosesdecoder Nov 21, 2024 Nov 27, 2023 N/A· v4 9.8 CRITICAL· v3 5.2 MEDIUM· v2 A vulnerability, which was classified as critical, was found in moses-smt mosesdecoder up to 4.0. This affects an unknown part of the file contrib/iSenWeb/trans_result.php. The manipulation of the argument input1 leads t...Show more A vulnerability, which was classified as critical, was found in moses-smt mosesdecoder up to 4.0. This affects an unknown part of the file contrib/iSenWeb/trans_result.php. The manipulation of the argument input1 leads to os command injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-246135.Show less
CVE-2023-6304 1Tecno Mobile 1Tr118 Firmware Nov 21, 2024 Nov 27, 2023 N/A· v4 8.0 HIGH· v3 8.3 HIGH· v2 A vulnerability was found in Tecno 4G Portable WiFi TR118 TR118-M30E-RR-D-EnFrArSwHaPo-OP-V008-20220830. It has been declared as critical. This vulnerability affects unknown code of the file /goform/goform_get_cmd_proces...Show more A vulnerability was found in Tecno 4G Portable WiFi TR118 TR118-M30E-RR-D-EnFrArSwHaPo-OP-V008-20220830. It has been declared as critical. This vulnerability affects unknown code of the file /goform/goform_get_cmd_process of the component Ping Tool. The manipulation of the argument url leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-246130 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2023-4149 1Wago 30852 0602 Firmware 0852 0603 Firmware0852 1605 Firmware Nov 21, 2024 Nov 21, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A vulnerability in the web-based management allows an unauthenticated remote attacker to inject arbitrary system commands and gain full system control. Those commands are executed with root privileges. The vulnerability...Show more A vulnerability in the web-based management allows an unauthenticated remote attacker to inject arbitrary system commands and gain full system control. Those commands are executed with root privileges. The vulnerability is located in the user request handling of the web-based management.Show less
CVE-2023-35762 1Inea 1Me Rtu Firmware Nov 21, 2024 Nov 20, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Versions of INEA ME RTU firmware 3.36b and prior are vulnerable to operating system (OS) command injection, which could allow remote code execution.
CVE-2023-47675 1Cubecart 1Cubecart Nov 21, 2024 Nov 17, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 CubeCart prior to 6.5.3 allows a remote authenticated attacker with an administrative privilege to execute an arbitrary OS command.
CVE-2023-6019 1Ray Project 1Ray Nov 21, 2024 Nov 16, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray...Show more A command injection existed in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023Show less
CVE-2023-6018 1Lfprojects 1Mlflow Nov 21, 2024 Nov 16, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An attacker can overwrite any file on the server hosting MLflow without any authentication.
CVE-2023-43752 1Elecom 3Wrc X3000gs2 B Firmware Wrc X3000gs2 W FirmwareWrc X3000gs2a B Firmware Nov 21, 2024 Nov 16, 2023 N/A· v4 8.0 HIGH· v3 N/A· v2 OS command injection vulnerability in WRC-X3000GS2-W v1.05 and earlier, WRC-X3000GS2-B v1.05 and earlier, and WRC-X3000GS2A-B v1.05 and earlier allows a network-adjacent authenticated user to execute an arbitrary OS comm...Show more OS command injection vulnerability in WRC-X3000GS2-W v1.05 and earlier, WRC-X3000GS2-B v1.05 and earlier, and WRC-X3000GS2A-B v1.05 and earlier allows a network-adjacent authenticated user to execute an arbitrary OS command by sending a specially crafted request.Show less
CVE-2023-36553 1Fortinet 1Fortisiem Nov 21, 2024 Nov 14, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 5.4.0 and 5.3.0 through 5.3.3 and 5.2.5 through 5.2.8 and 5.2.1 through 5.2.2 and 5.1.0 through 5...Show more A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 5.4.0 and 5.3.0 through 5.3.3 and 5.2.5 through 5.2.8 and 5.2.1 through 5.2.2 and 5.1.0 through 5.1.3 and 5.0.0 through 5.0.1 and 4.10.0 and 4.9.0 and 4.7.2 allows attacker to execute unauthorized code or commands via crafted API requests.Show less

Previous 1...135136137...299 Next