Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-42888 1Totolink 1Ex1200t Firmware Nov 21, 2024 Jun 3, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setLanguageCfg of the file global.so which can control langType to attack.
CVE-2021-42885 1Totolink 1Ex1200t Firmware Nov 21, 2024 Jun 3, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setDeviceMac of the file global.so which can control deviceName to attack.
CVE-2021-42884 1Totolink 1Ex1200t Firmware Nov 21, 2024 Jun 3, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setDeviceName of the file global.so which can control thedeviceName to attack.
CVE-2022-26868 1Dell 1Powerstoreos Nov 21, 2024 Jun 2, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Dell EMC PowerStore versions 2.0.0.x, 2.0.1.x, and 2.1.0.x are vulnerable to a command injection flaw. An authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS comm...Show more Dell EMC PowerStore versions 2.0.0.x, 2.0.1.x, and 2.1.0.x are vulnerable to a command injection flaw. An authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system takeover by an attacker.Show less
CVE-2021-42875 1Totolink 1Ex1200t Firmware Nov 21, 2024 Jun 2, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function setDiagnosisCfg of the file lib/cste_modules/system.so to control the ipDoamin.
CVE-2022-30425 1Tenda 1Hg6 Firmware Nov 21, 2024 Jun 2, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Tenda Technology Co.,Ltd HG6 3.3.0-210926 was discovered to contain a command injection vulnerability via the pingAddr and traceAddr parameters. This vulnerability is exploited via a crafted POST request.
CVE-2021-44080 1Sercomm 1H500s Firmware Nov 21, 2024 Jun 2, 2022 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 A Command Injection vulnerability in httpd web server (setup.cgi) in SerComm h500s, FW: lowi-h500s-v3.4.22 allows logged in administrators to arbitrary OS commands as root in the device via the connection_type parameter...Show more A Command Injection vulnerability in httpd web server (setup.cgi) in SerComm h500s, FW: lowi-h500s-v3.4.22 allows logged in administrators to arbitrary OS commands as root in the device via the connection_type parameter of the statussupport_diagnostic_tracing.json endpoint.Show less
CVE-2021-42872 1Totolink 1Ex1200t Firmware Nov 21, 2024 Jun 2, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 TOTOLINK EX1200T V4.1.2cu.5215 is affected by a command injection vulnerability that can remotely execute arbitrary code.
CVE-2021-34084 1S3 Uploader Project 1S3 Uploader Nov 21, 2024 Jun 2, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 OS command injection vulnerability in Turistforeningen node-s3-uploader through 2.0.3 for Node.js allows attackers to execute arbitrary commands via the metadata() function.
CVE-2021-34083 1Google It Project 1Google It Nov 21, 2024 Jun 2, 2022 N/A· v4 8.1 HIGH· v3 9.3 HIGH· v2 Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in browser' option in versions up to 1.6.2, google-it will unsafely co...Show more Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in browser' option in versions up to 1.6.2, google-it will unsafely concat the result's link retrieved from google to a shell command, potentially exposing the server to RCE.Show less
CVE-2021-34082 1Proctree Project 1Proctree Nov 21, 2024 Jun 2, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 OS Command Injection vulnerability in allenhwkim proctree through 0.1.1 and commit 0ac10ae575459457838f14e21d5996f2fa5c7593 for Node.js, allows attackers to execute arbitrary commands via the fix function.
CVE-2021-34081 1Gitsome Project 1Gitsome Nov 21, 2024 Jun 2, 2022 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 OS Command Injection vulnerability in bbultman gitsome through 0.2.3 allows attackers to execute arbitrary commands via a crafted tag name of the target git repository.
CVE-2021-34080 1Ssl Utils Project 1Ssl Utils Nov 21, 2024 Jun 2, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 OS Command Injection vulnerability in es128 ssl-utils 1.0.0 for Node.js allows attackers to execute arbitrary commands via unsanitized shell metacharacters provided to the createCertRequest() and the createCert() functio...Show more OS Command Injection vulnerability in es128 ssl-utils 1.0.0 for Node.js allows attackers to execute arbitrary commands via unsanitized shell metacharacters provided to the createCertRequest() and the createCert() functions.Show less
CVE-2021-34079 1Docker Tester Project 1Docker Tester Nov 21, 2024 Jun 2, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 OS Command injection vulnerability in Mintzo Docker-Tester through 1.2.1 allows attackers to execute arbitrary commands via shell metacharacters in the 'ports' entry of a crafted docker-compose.yml file.
CVE-2021-34078 1Adp 1Lifion Verifiy Dependencies Nov 21, 2024 Jun 2, 2022 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 lifion-verify-dependencies through 1.1.0 is vulnerable to OS command injection via a crafted dependency name on the scanned project's package.json file.
CVE-2022-20797 1Cisco 1Secure Network Analytics Nov 21, 2024 May 27, 2022 N/A· v4 9.1 CRITICAL· v3 9.0 HIGH· v2 A vulnerability in the web-based management interface of Cisco Secure Network Analytics, formerly Cisco Stealthwatch Enterprise, could allow an authenticated, remote attacker to execute arbitrary commands as an administr...Show more A vulnerability in the web-based management interface of Cisco Secure Network Analytics, formerly Cisco Stealthwatch Enterprise, could allow an authenticated, remote attacker to execute arbitrary commands as an administrator on the underlying operating system. This vulnerability is due to insufficient user input validation by the web-based management interface of the affected software. An attacker could exploit this vulnerability by injecting arbitrary commands in the web-based management interface. A successful exploit could allow the attacker to make configuration changes on the affected device or cause certain services to restart unexpectedly.Show less
CVE-2022-29256 1Sharp Project 1Sharp Nov 21, 2024 May 25, 2022 N/A· v4 6.7 MEDIUM· v3 4.6 MEDIUM· v2 sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0....Show more sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5.Show less
CVE-2022-29337 1Cdatatec 1Fd702xw X R430 Firmware Nov 21, 2024 May 24, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 C-DATA FD702XW-X-R430 v2.1.13_X001 was discovered to contain a command injection vulnerability via the va_cmd parameter in formlanipv6. This vulnerability allows attackers to execute arbitrary commands via a crafted HTTP...Show more C-DATA FD702XW-X-R430 v2.1.13_X001 was discovered to contain a command injection vulnerability via the va_cmd parameter in formlanipv6. This vulnerability allows attackers to execute arbitrary commands via a crafted HTTP request.Show less
CVE-2022-26532 1Zyxel 65Atp100 Firmware Atp100w FirmwareAtp200 Firmware+62 more Nov 21, 2024 May 24, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A argument injection vulnerability in the 'packet-trace' CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32...Show more A argument injection vulnerability in the 'packet-trace' CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the CLI command.Show less
CVE-2022-1813 1Rengine Project 1Rengine Nov 21, 2024 May 22, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 OS Command Injection in GitHub repository yogeshojha/rengine prior to 1.2.0.

Previous 1...178179180...299 Next