Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-5037 1Hanwhavision 183Ane L6012r Firmware Ane L7012r FirmwareAno L6012r Firmware+180 more Nov 21, 2024 Nov 13, 2023 7.1 HIGH· v4 7.2 HIGH· v3 N/A· v2 badmonkey, a Security Researcher has found a flaw that allows for a authenticated command injection on the camera. An attacker could inject malicious into request packets to execute command. The manufacturer has released...Show more badmonkey, a Security Researcher has found a flaw that allows for a authenticated command injection on the camera. An attacker could inject malicious into request packets to execute command. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.Show less
CVE-2023-39295 1Qnap 1Qumagie Nov 21, 2024 Nov 10, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 An OS command injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in th...Show more An OS command injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: QuMagie 2.1.3 and later Show less
CVE-2023-23367 1Qnap 3Qts Quts HeroQutscloud Nov 21, 2024 Nov 10, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We ha...Show more An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTScloud c5.1.0.2498 and later Show less
CVE-2023-26156 1Chromedriver Project 1Chromedriver Nov 21, 2024 Nov 9, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious a...Show more Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system. Note: An attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver.Show less
CVE-2023-4249 1Zavio 11B8220 Firmware B8520 FirmwareCb3211 Firmware+8 more Nov 21, 2024 Nov 8, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP Cameras with firmware version M2.1.6.05 has a command injection vulnerability in their implementation of their binar...Show more Zavio CF7500, CF7300, CF7201, CF7501, CB3211, CB3212, CB5220, CB6231, B8520, B8220, and CD321 IP Cameras with firmware version M2.1.6.05 has a command injection vulnerability in their implementation of their binaries and handling of network requests. Show less
CVE-2023-23369 1Qnap 3Media Streaming Add On Multimedia ConsoleQts Nov 21, 2024 Nov 3, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vu...Show more An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.2 ( 2023/05/04 ) and later Multimedia Console 1.4.8 ( 2023/05/05 ) and later QTS 5.1.0.2399 build 20230515 and later QTS 4.3.6.2441 build 20230621 and later QTS 4.3.4.2451 build 20230621 and later QTS 4.3.3.2420 build 20230621 and later QTS 4.2.6 build 20230621 and later Media Streaming add-on 500.1.1.2 ( 2023/06/12 ) and later Media Streaming add-on 500.0.0.11 ( 2023/06/16 ) and later Show less
CVE-2023-23368 1Qnap 3Qts Quts HeroQutscloud Nov 21, 2024 Nov 3, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vu...Show more An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later Show less
CVE-2023-41352 1Nokia 1G 040w Q Firmware Nov 21, 2024 Nov 3, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient filtering for user input. A remote attacker with administrator privilege can exploit this vulnerability to perform a Command Injection attack to execute...Show more Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient filtering for user input. A remote attacker with administrator privilege can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services.Show less
CVE-2023-41348 1Asus 1Rt Ax55 Firmware Nov 21, 2024 Nov 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its code-authentication module. An authenticated remote attacker can exploit this vulnerability to...Show more ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its code-authentication module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services.Show less
CVE-2023-41347 1Asus 1Rt Ax55 Firmware Nov 21, 2024 Nov 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its check token module. An authenticated remote attacker can exploit this vulnerability to perform...Show more ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its check token module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services.Show less
CVE-2023-41346 1Asus 1Rt Ax55 Firmware Nov 21, 2024 Nov 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-refresh module. An authenticated remote attacker can exploit this vulnerability to perfo...Show more ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-refresh module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services.Show less
CVE-2023-41345 1Asus 1Rt Ax55 Firmware Nov 21, 2024 Nov 3, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-generated module. An authenticated remote attacker can exploit this vulnerability to per...Show more ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-generated module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system, or terminate services.Show less
CVE-2023-20219 1Cisco 1Secure Firewall Management Center Nov 26, 2024 Nov 1, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Multiple vulnerabilities in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system....Show more Multiple vulnerabilities in the web management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. The attacker would need valid device credentials but does not require administrator privileges to exploit this vulnerability. These vulnerabilities are due to insufficient validation of user-supplied input for certain configuration options. An attacker could exploit these vulnerabilities by using crafted input within the device configuration GUI. A successful exploit could allow the attacker to execute arbitrary commands on the device including the underlying operating system which could also affect the availability of the device.Show less
CVE-2023-20175 1Cisco 1Identity Services Engine Nov 21, 2024 Nov 1, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A vulnerability in a specific Cisco ISE CLI command could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vul...Show more A vulnerability in a specific Cisco ISE CLI command could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, an attacker must have valid Read-only-level privileges or higher on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.Show less
CVE-2023-20170 1Cisco 1Identity Services Engine Nov 21, 2024 Nov 1, 2023 N/A· v4 6.7 MEDIUM· v3 N/A· v2 A vulnerability in a specific Cisco ISE CLI command could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vul...Show more A vulnerability in a specific Cisco ISE CLI command could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, an attacker must have valid Administrator-level privileges on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.Show less
CVE-2023-43139 1Franfinance 1Franfinance Nov 21, 2024 Oct 31, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in franfinance before v.2.0.27 allows a remote attacker to execute arbitrary code via the validation.php, and controllers/front/validation.php components.
CVE-2023-47104 1Vareille 2Tiny File Dialogs Tinyfiledialogs Mar 10, 2026 Oct 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 tinyfiledialogs (aka tiny file dialogs) before 3.15.0 allows shell metacharacters (such as a backquote or a dollar sign) in titles, messages, and other input data. NOTE: this issue exists because of an incomplete fix for...Show more tinyfiledialogs (aka tiny file dialogs) before 3.15.0 allows shell metacharacters (such as a backquote or a dollar sign) in titles, messages, and other input data. NOTE: this issue exists because of an incomplete fix for CVE-2020-36767, which only considered single and double quote characters.Show less
CVE-2023-46510 1Zioncom 1A7000r Firmware Nov 21, 2024 Oct 27, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in ZIONCOM (Hong Kong) Technology Limited A7000R v.4.1cu.4154 allows an attacker to execute arbitrary code via the cig-bin/cstecgi.cgi to the settings/setPasswordCfg function.
CVE-2018-17879 1Abus 47Tvip 10000 Firmware Tvip 10001 FirmwareTvip 10005 Firmware+44 more Nov 21, 2024 Oct 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue was discovered on certain ABUS TVIP cameras. The CGI scripts allow remote attackers to execute code via system() as root. There are several injection points in various scripts.
CVE-2018-17558 1Abus 47Tvip 10000 Firmware Tvip 10001 FirmwareTvip 10005 Firmware+44 more Nov 21, 2024 Oct 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Hardcoded manufacturer credentials and an OS command injection vulnerability in the /cgi-bin/mft/ directory on ABUS TVIP TVIP20050 LM.1.6.18, TVIP10051 LM.1.6.18, TVIP11050 MG.1.6.03.05, TVIP20550 LM.1.6.18, TVIP10050 LM...Show more Hardcoded manufacturer credentials and an OS command injection vulnerability in the /cgi-bin/mft/ directory on ABUS TVIP TVIP20050 LM.1.6.18, TVIP10051 LM.1.6.18, TVIP11050 MG.1.6.03.05, TVIP20550 LM.1.6.18, TVIP10050 LM.1.6.18, TVIP11550 MG.1.6.03, TVIP21050 MG.1.6.03, and TVIP51550 MG.1.6.03 cameras allow remote attackers to execute code as root.Show less

Previous 1...136137138...299 Next