Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-31245 1Mailcow 1Mailcow\ Nov 21, 2024 May 20, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.
CVE-2021-34111 1Thecus 1N4800eco Firmware Nov 21, 2024 May 20, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php.
CVE-2022-30105 1Belkin 1N300 Firmware Nov 21, 2024 May 18, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 In Belkin N300 Firmware 1.00.08, the script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities. The following parameter...Show more In Belkin N300 Firmware 1.00.08, the script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities. The following parameters in the [form name] form; [list vulnerable parameters], are not properly sanitized after being submitted to the web interface in a POST request. With specially crafted parameters, it is possible to inject a an OS command which will be executed with root privileges, as the web interface, and all processes on the device, run as root.Show less
CVE-2021-42852 1Lenovo 5A1 Firmware T1 FirmwareT2 Firmware+2 more Nov 21, 2024 May 18, 2022 N/A· v4 8.0 HIGH· v3 7.7 HIGH· v2 A command injection vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an authenticated user to execute operating system commands by sending a crafted packet to the device.
CVE-2022-29516 1Fujitsu 46Ipcom Ex2 Dc 3200 Firmware Ipcom Ex2 Dc 3500 FirmwareIpcom Ex2 In 1100 Firmware+43 more Nov 21, 2024 May 18, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The web console of FUJITSU Network IPCOM series (IPCOM EX2 IN(3200, 3500), IPCOM EX2 LB(1100, 3200, 3500), IPCOM EX2 SC(1100, 3200, 3500), IPCOM EX2 NW(1100, 3200, 3500), IPCOM EX2 DC, IPCOM EX2 DC, IPCOM EX IN(2300, 250...Show more The web console of FUJITSU Network IPCOM series (IPCOM EX2 IN(3200, 3500), IPCOM EX2 LB(1100, 3200, 3500), IPCOM EX2 SC(1100, 3200, 3500), IPCOM EX2 NW(1100, 3200, 3500), IPCOM EX2 DC, IPCOM EX2 DC, IPCOM EX IN(2300, 2500, 2700), IPCOM EX LB(1100, 1300, 2300, 2500, 2700), IPCOM EX SC(1100, 1300, 2300, 2500, 2700), and IPCOM EX NW(1100, 1300, 2300, 2500, 2700)) allows a remote attacker to execute an arbitrary OS command via unspecified vectors.Show less
CVE-2022-1362 1Cambiumnetworks 1Cnmaestro Nov 21, 2024 May 17, 2022 N/A· v4 7.3 HIGH· v3 9.3 HIGH· v2 The affected On-Premise cnMaestro is vulnerable inside a specific route where a user can upload a crafted package to the system. An attacker could abuse this user-controlled data to execute arbitrary commands on the serv...Show more The affected On-Premise cnMaestro is vulnerable inside a specific route where a user can upload a crafted package to the system. An attacker could abuse this user-controlled data to execute arbitrary commands on the server.Show less
CVE-2022-1360 1Cambiumnetworks 1Cnmaestro Nov 21, 2024 May 17, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The affected On-Premise cnMaestro is vulnerable to execution of code on the cnMaestro hosting server. This could allow a remote attacker to change server configuration settings.
CVE-2022-1359 1Cambiumnetworks 1Cnmaestro Nov 21, 2024 May 17, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The affected On-Premise cnMaestro is vulnerable to an arbitrary file-write through improper limitation of a pathname to a restricted directory inside a specific route. If an attacker supplied path traversal charters (../...Show more The affected On-Premise cnMaestro is vulnerable to an arbitrary file-write through improper limitation of a pathname to a restricted directory inside a specific route. If an attacker supplied path traversal charters (../) as part of a filename, the server will save the file where the attacker chooses. This could allow an attacker to write any data to any file in the server.Show less
CVE-2022-1357 1Cambiumnetworks 1Cnmaestro Nov 21, 2024 May 17, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The affected On-Premise cnMaestro allows an unauthenticated attacker to access the cnMaestro server and execute arbitrary code in the privileges of the web server. This lack of validation could allow an attacker to appen...Show more The affected On-Premise cnMaestro allows an unauthenticated attacker to access the cnMaestro server and execute arbitrary code in the privileges of the web server. This lack of validation could allow an attacker to append arbitrary data to the logger command.Show less
CVE-2022-1356 1Cambiumnetworks 1Cnmaestro Nov 21, 2024 May 17, 2022 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 cnMaestro is vulnerable to a local privilege escalation. By default, a user does not have root privileges. However, a user can run scripts as sudo, which could allow an attacker to gain root privileges when running user...Show more cnMaestro is vulnerable to a local privilege escalation. By default, a user does not have root privileges. However, a user can run scripts as sudo, which could allow an attacker to gain root privileges when running user scripts outside allowed commands.Show less
CVE-2022-24394 1Fidelissecurity 2Deception Network Nov 21, 2024 May 17, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “update_checkfile” value for the “filename” parameter. The vulnerability could allow...Show more Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “update_checkfile” value for the “filename” parameter. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response via an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.Show less
CVE-2022-24393 1Fidelissecurity 2Deception Network Nov 21, 2024 May 17, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “check_vertica_upgrade” value for the “cpIp” parameter. The vulnerability could allow...Show more Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “check_vertica_upgrade” value for the “cpIp” parameter. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response via an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.Show less
CVE-2022-24392 1Fidelissecurity 2Deception Network Nov 21, 2024 May 17, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “feed_comm_test” value for the “feed” parameter. The vulnerability could allow a spec...Show more Vulnerability in Fidelis Network and Deception CommandPost enables authenticated command injection through the web interface using the “feed_comm_test” value for the “feed” parameter. The vulnerability could allow a specially crafted HTTP request to execute system commands on the CommandPost and return results in an HTTP response via an authenticated session. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.Show less
CVE-2022-24390 1Fidelissecurity 2Deception Network Nov 21, 2024 May 17, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Vulnerability in rconfig “remote_text_file” enables an attacker with user level access to the CLI to inject user level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as...Show more Vulnerability in rconfig “remote_text_file” enables an attacker with user level access to the CLI to inject user level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.Show less
CVE-2022-24389 1Fidelissecurity 2Deception Network Nov 21, 2024 May 17, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Vulnerability in rconfig “cert_utils” enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well...Show more Vulnerability in rconfig “cert_utils” enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.Show less
CVE-2022-24388 1Fidelissecurity 2Deception Network Nov 21, 2024 May 17, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Vulnerability in rconfig “date” enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as nei...Show more Vulnerability in rconfig “date” enables an attacker with user level access to the CLI to inject root level commands into Fidelis Network and Deception CommandPost, Collector, Sensor, and Sandbox components as well as neighboring Fidelis components. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability.Show less
CVE-2022-23673 1Arubanetworks 1Clearpass Policy Manager Nov 21, 2024 May 17, 2022 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to C...Show more A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.Show less
CVE-2022-23672 1Arubanetworks 1Clearpass Policy Manager Nov 21, 2024 May 17, 2022 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to C...Show more A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.Show less
CVE-2022-23667 1Arubanetworks 1Clearpass Policy Manager Nov 21, 2024 May 16, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to C...Show more A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.Show less
CVE-2022-23666 1Arubanetworks 1Clearpass Policy Manager Nov 21, 2024 May 16, 2022 N/A· v4 9.1 CRITICAL· v3 9.0 HIGH· v2 A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to C...Show more A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.Show less

Previous 1...179180181...299 Next