Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-0365 1Riconmobile 2S9922l Firmware S9922xl Firmware Nov 21, 2024 Feb 4, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The affected product is vulnerable to an authenticated OS command injection, which may allow an attacker to inject and execute arbitrary shell commands as the Admin (root) user.
CVE-2021-29393 1Globalnorthstar 1Northstar Club Management Nov 21, 2024 Feb 4, 2022 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Remote Code Execution in cominput.jsp and comoutput.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to inject and execute arbitrary system commands via the unsanitized...Show more Remote Code Execution in cominput.jsp and comoutput.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote unauthenticated users to inject and execute arbitrary system commands via the unsanitized user-controlled "command" and "commandvalues" parameters.Show less
CVE-2021-45987 1Tendacn 2G1 Firmware G3 Firmware Nov 21, 2024 Feb 4, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetNetCheckTools. This vulnerability allows attackers to execute arbitrary commands via the ho...Show more Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetNetCheckTools. This vulnerability allows attackers to execute arbitrary commands via the hostName parameter.Show less
CVE-2021-45986 1Tendacn 2G1 Firmware G3 Firmware Nov 21, 2024 Feb 4, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetUSBShareInfo. This vulnerability allows attackers to execute arbitrary commands via the usb...Show more Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetUSBShareInfo. This vulnerability allows attackers to execute arbitrary commands via the usbOrdinaryUserName parameter.Show less
CVE-2021-41018 1Fortinet 1Fortiweb Nov 21, 2024 Feb 2, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via cra...Show more A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests.Show less
CVE-2021-43073 1Fortinet 1Fortiweb Nov 21, 2024 Feb 2, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unau...Show more A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests.Show less
CVE-2021-41016 1Fortinet 1Fortiextender Firmware Nov 21, 2024 Feb 2, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiExtender version 7.0.1 and below, 4.2.3 and below, 4.1.7 and below allows an authenticated attacker to execute privil...Show more A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiExtender version 7.0.1 and below, 4.2.3 and below, 4.1.7 and below allows an authenticated attacker to execute privileged shell commands via CLI commands including special charactersShow less
CVE-2021-40412 1Reolink 1Rlc 410w Firmware Nov 21, 2024 Jan 28, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An OScommand injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [8] the devname variable, that has the value of the name parameter provided through the...Show more An OScommand injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [8] the devname variable, that has the value of the name parameter provided through the SetDevName API, is not validated properly. This would lead to an OS command injection.Show less
CVE-2021-40411 1Reolink 1Rlc 410w Firmware Nov 21, 2024 Jan 28, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [6] the dns_data->dns2 variable, that has the value of the dns2 parameter provided thr...Show more An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [6] the dns_data->dns2 variable, that has the value of the dns2 parameter provided through the SetLocalLink API, is not validated properly. This would lead to an OS command injection.Show less
CVE-2021-40410 1Reolink 1Rlc 410w Firmware Nov 21, 2024 Jan 28, 2022 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [4] the dns_data->dns1 variable, that has the value of the dns1 parameter provided thr...Show more An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [4] the dns_data->dns1 variable, that has the value of the dns1 parameter provided through the SetLocal API, is not validated properly. This would lead to an OS command injection.Show less
CVE-2021-40409 1Reolink 1Rlc 410w Firmware Nov 21, 2024 Jan 28, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->password variable, that has the value of the...Show more An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->password variable, that has the value of the password parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection.Show less
CVE-2021-40408 1Reolink 1Rlc 410w Firmware Nov 21, 2024 Jan 28, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->username variable, that has the value of the...Show more An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->username variable, that has the value of the userName parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection.Show less
CVE-2021-40407 1Reolink 1Rlc 410w Firmware Nov 3, 2025 Jan 28, 2022 N/A· v4 7.2 HIGH· v3 7.5 HIGH· v2 An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the d...Show more An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.Show less
CVE-2020-28885 1Liferay 1Liferay Portal Nov 21, 2024 Jan 28, 2022 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Sever. NOT...Show more Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to access and execute commands in Gogo Shell and therefore not a design flaShow less
CVE-2020-28884 1Liferay 1Liferay Portal Nov 21, 2024 Jan 28, 2022 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes...Show more Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Sever. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw.Show less
CVE-2021-32849 1Gerapy 1Gerapy Nov 21, 2024 Jan 26, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Gerapy is a distributed crawler management framework. Prior to version 0.9.9, an authenticated user could execute arbitrary commands. This issue is fixed in version 0.9.9. There are no known workarounds.
CVE-2021-36296 1Dell 1Emc Unity Operating Environment Nov 21, 2024 Jan 25, 2022 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain an authenticated remote code execution vulnerability. A remote malicious user with privileges may exploit this vulnerability to execute commands on the syste...Show more Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain an authenticated remote code execution vulnerability. A remote malicious user with privileges may exploit this vulnerability to execute commands on the system.Show less
CVE-2021-36295 1Dell 1Emc Unity Operating Environment Nov 21, 2024 Jan 25, 2022 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain an authenticated remote code execution vulnerability. A remote malicious user with privileges may exploit this vulnerability to execute commands on the syste...Show more Dell VNX2 OE for File versions 8.1.21.266 and earlier, contain an authenticated remote code execution vulnerability. A remote malicious user with privileges may exploit this vulnerability to execute commands on the system.Show less
CVE-2021-45845 2Debian Freecadweb 2Debian Linux Freecad Nov 21, 2024 Jan 25, 2022 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 The Path Sanity Check script of FreeCAD 0.19 is vulnerable to OS command injection, allowing an attacker to execute arbitrary commands via a crafted FCStd document.
CVE-2021-45844 2Debian Freecadweb 2Debian Linux Freecad Nov 21, 2024 Jan 25, 2022 N/A· v4 7.8 HIGH· v3 7.6 HIGH· v2 Improper sanitization in the invocation of ODA File Converter from FreeCAD 0.19 allows an attacker to inject OS commands via a crafted filename.

Previous 1...189190191...299 Next