Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-43075 1Fortinet 1Fortiwlm Nov 21, 2024 Mar 1, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.2 and below, version 8.5.2 and below, version 8.4.2 and below, version 8.3.2 and below allows...Show more A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.2 and below, version 8.5.2 and below, version 8.4.2 and below, version 8.3.2 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests to the alarm dashboard and controller config handlers.Show less
CVE-2021-4039 1Zyxel 1Nwa1100 Nh Firmware Nov 21, 2024 Mar 1, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.
CVE-2020-12775 1Moica 1Hicos Nov 21, 2024 Mar 1, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Hicos citizen certificate client-side component does not filter special characters for command parameters in specific web URLs. An unauthenticated remote attacker can exploit this vulnerability to perform command injecti...Show more Hicos citizen certificate client-side component does not filter special characters for command parameters in specific web URLs. An unauthenticated remote attacker can exploit this vulnerability to perform command injection attack to execute arbitrary system command, disrupt system or terminate service.Show less
CVE-2022-0764 1Strapi 1Strapi Nov 21, 2024 Feb 26, 2022 N/A· v4 6.7 MEDIUM· v3 7.2 HIGH· v2 Arbitrary Command Injection in GitHub repository strapi/strapi prior to 4.1.0.
CVE-2022-25263 1Jetbrains 1Teamcity Nov 21, 2024 Feb 25, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration.
CVE-2022-25064 1Tp Link 1Tl Wr840n Firmware Nov 21, 2024 Feb 25, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr.
CVE-2022-25061 1Tp Link 1Tl Wr840n Firmware Nov 21, 2024 Feb 25, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute.
CVE-2022-25060 1Tp Link 1Tl Wr840n Firmware Nov 21, 2024 Feb 25, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_startPing.
CVE-2022-25328 1Google 1Fscrypt Nov 21, 2024 Feb 25, 2022 N/A· v4 7.3 HIGH· v3 7.2 HIGH· v2 The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths co...Show more The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or aboveShow less
CVE-2022-24288 1Apache 1Airflow Nov 21, 2024 Feb 25, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.
CVE-2022-25084 1Totolink 1T6 Firmware Nov 21, 2024 Feb 24, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLink T6 V5.9c.4085_B20190428 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
CVE-2022-25083 1Totolink 1A860r Firmware Nov 21, 2024 Feb 24, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLink A860R V4.1.2cu.5182_B20201027 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
CVE-2022-25082 1Totolink 1A950rg Firmware Nov 21, 2024 Feb 24, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLink A950RG V5.9c.4050_B20190424 and V4.1.2cu.5204_B20210112 were discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via...Show more TOTOLink A950RG V5.9c.4050_B20190424 and V4.1.2cu.5204_B20210112 were discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.Show less
CVE-2022-25081 1Totolink 1T10 V2 Firmware Nov 21, 2024 Feb 24, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLink T10 V5.9c.5061_B20200511 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
CVE-2022-25080 1Totolink 1A830r Firmware Nov 21, 2024 Feb 24, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLink A830R V5.9c.4729_B20191112 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
CVE-2022-25079 1Totolink 1A810r Firmware Nov 21, 2024 Feb 24, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLink A810R V4.1.2cu.5182_B20201026 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
CVE-2022-25078 1Totolink 1A3600r Firmware Nov 21, 2024 Feb 24, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLink A3600R V4.1.2cu.5182_B20201102 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter...Show more TOTOLink A3600R V4.1.2cu.5182_B20201102 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.Show less
CVE-2022-25077 1Totolink 1A3100r Firmware Nov 21, 2024 Feb 24, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLink A3100R V4.1.2cu.5050_B20200504 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter...Show more TOTOLink A3100R V4.1.2cu.5050_B20200504 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.Show less
CVE-2022-25076 1Totolink 1A800r Firmware Nov 21, 2024 Feb 24, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLink A800R V4.1.2cu.5137_B20200730 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
CVE-2022-25075 1Totolink 1A3000ru Firmware Nov 21, 2024 Feb 24, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TOTOLink A3000RU V5.9c.2280_B20180512 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Previous 1...187188189...299 Next