Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-2185 1Gitlab 1Gitlab Nov 21, 2024 Jul 1, 2022 N/A· v4 8.8 HIGH· v3 7.5 HIGH· v2 A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could im...Show more A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution.Show less
CVE-2022-2253 1Webhmi 1Webhmi Firmware Nov 21, 2024 Jul 1, 2022 N/A· v4 9.1 CRITICAL· v3 9.0 HIGH· v2 A user with administrative privileges in Distributed Data Systems WebHMI 4.1.1.7662 may send OS commands to execute on the host server.
CVE-2014-0156 1Manageiq 1Awesomespawn Nov 21, 2024 Jun 30, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Awesome spawn contains OS command injection vulnerability, which allows execution of additional commands passed to Awesome spawn as arguments. If untrusted input was included in command arguments, attacker could use this...Show more Awesome spawn contains OS command injection vulnerability, which allows execution of additional commands passed to Awesome spawn as arguments. If untrusted input was included in command arguments, attacker could use this flaw to execute arbitrary command.Show less
CVE-2022-33329 1Robustel 1R1510 Firmware Nov 21, 2024 Jun 30, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send...Show more Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/ajax/set_sys_time/` API is affected by a command injection vulnerability.Show less
CVE-2022-33328 1Robustel 1R1510 Firmware Nov 21, 2024 Jun 30, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send...Show more Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/ajax/remove/` API is affected by a command injection vulnerability.Show less
CVE-2022-33327 1Robustel 1R1510 Firmware Nov 21, 2024 Jun 30, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send...Show more Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/ajax/remove_sniffer_raw_log/` API is affected by a command injection vulnerability.Show less
CVE-2022-33326 1Robustel 1R1510 Firmware Nov 21, 2024 Jun 30, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send...Show more Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/ajax/config_rollback/` API is affected by a command injection vulnerability.Show less
CVE-2022-33325 1Robustel 1R1510 Firmware Nov 21, 2024 Jun 30, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send...Show more Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/ajax/clear_tools_log/` API is affected by command injection vulnerability.Show less
CVE-2022-33314 1Robustel 1R1510 Firmware Nov 21, 2024 Jun 30, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can se...Show more Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/action/import_sdk_file/` API is affected by command injection vulnerability.Show less
CVE-2022-33313 1Robustel 1R1510 Firmware Nov 21, 2024 Jun 30, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can se...Show more Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/action/import_https_cert_file/` API is affected by command injection vulnerability.Show less
CVE-2022-33312 1Robustel 1R1510 Firmware Nov 21, 2024 Jun 30, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can se...Show more Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/action/import_cert_file/` API is affected by command injection vulnerability.Show less
CVE-2022-31885 1Marvalglobal 1Marval Msm Nov 21, 2024 Jun 28, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Marval MSM v14.19.0.12476 is vulnerable to OS Command Injection due to the insecure handling of VBScripts.
CVE-2022-32092 1Dlink 1Dir 645 Firmware Nov 21, 2024 Jun 27, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 D-Link DIR-645 v1.03 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter at __ajax_explorer.sgi.
CVE-2022-28171 1Hikvision 11Ds A71024 Firmware Ds A71048 FirmwareDs A71048r Cvs Firmware+8 more Nov 21, 2024 Jun 27, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted comma...Show more The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device.Show less
CVE-2022-31767 1Ibm 1Cics Tx Nov 21, 2024 Jun 24, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 IBM CICS TX Standard and Advanced 11.1 could allow a remote attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 227980.
CVE-2022-32534 1Bosch 1Pra Es8p2s Firmware Nov 21, 2024 Jun 23, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The Bosch Ethernet switch PRA-ES8P2S with software version 1.01.05 and earlier was found to be vulnerable to command injection through its diagnostics web interface. This allows execution of shell commands.
CVE-2022-2068 6Broadcom DebianFedoraproject+3 more 28Aff 8300 Firmware Aff 8700 FirmwareAff A400 Firmware+25 more Nov 3, 2025 Jun 21, 2022 N/A· v4 7.3 HIGH· v3 10.0 HIGH· v2 In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by...Show more In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).Show less
CVE-2022-26147 1Quectel 1Rg502q Ea Firmware Nov 21, 2024 Jun 21, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The Quectel RG502Q-EA modem before 2022-02-23 allow OS Command Injection.
CVE-2022-31795 1Fujitsu 1Eternus Cs8000 Firmware Nov 21, 2024 Jun 20, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the grel_finfo function in grel.php. An attacker is able to influence the username...Show more An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the grel_finfo function in grel.php. An attacker is able to influence the username (user), password (pw), and file-name (file) parameters and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands.Show less
CVE-2022-31794 1Fujitsu 1Eternus Cs8000 Firmware Nov 21, 2024 Jun 20, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the requestTempFile function in hw_view.php. An attacker is able to influence the...Show more An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the requestTempFile function in hw_view.php. An attacker is able to influence the unitName POST parameter and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands.Show less

Previous 1...176177178...299 Next