Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-43857 1Gerapy 1Gerapy Nov 21, 2024 Dec 27, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Gerapy is a distributed crawler management framework. Gerapy prior to version 0.9.8 is vulnerable to remote code execution, and this issue is patched in version 0.9.8.
CVE-2021-45602 1Netgear 18D7800 Firmware Ex2700 FirmwareLbr1020 Firmware+15 more Nov 21, 2024 Dec 26, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.66, EX2700 before 1.0.1.68, WN3000RPv2 before 1.0.0.90, WN3000RPv3 before 1.0.2.100, LBR1020 before 2.6....Show more Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.66, EX2700 before 1.0.1.68, WN3000RPv2 before 1.0.0.90, WN3000RPv3 before 1.0.2.100, LBR1020 before 2.6.5.20, LBR20 before 2.6.5.32, R6700AX before 1.0.10.110, R7800 before 1.0.2.86, R8900 before 1.0.5.38, R9000 before 1.0.5.38, RAX10 before 1.0.10.110, RAX120v1 before 1.2.3.28, RAX120v2 before 1.2.3.28, RAX70 before 1.0.10.110, RAX78 before 1.0.10.110, XR450 before 2.3.2.130, XR500 before 2.3.2.130, and XR700 before 1.0.1.46.Show less
CVE-2021-3621 2Fedoraproject Redhat 8Enterprise Linux Enterprise Linux EusEnterprise Linux Server Aus+5 more Nov 3, 2025 Dec 23, 2021 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially c...Show more A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.Show less
CVE-2021-44453 1Myscada 1Mypro Nov 21, 2024 Dec 23, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 mySCADA myPRO: Versions 8.20.0 and prior has a vulnerable debug interface which includes a ping utility, which may allow an attacker to inject arbitrary operating system commands.
CVE-2021-43984 1Myscada 1Mypro Nov 21, 2024 Dec 23, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 mySCADA myPRO: Versions 8.20.0 and prior has a feature where the firmware can be updated, which may allow an attacker to inject arbitrary operating system commands through a specific parameter.
CVE-2021-43981 1Myscada 1Mypro Nov 21, 2024 Dec 23, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 mySCADA myPRO: Versions 8.20.0 and prior has a feature to send emails, which may allow an attacker to inject arbitrary operating system commands through a specific parameter.
CVE-2021-3584 2Redhat Theforeman 2Foreman Satellite Nov 21, 2024 Dec 23, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 A server side remote code execution vulnerability was found in Foreman project. A authenticated attacker could use Sendmail configuration options to overwrite the defaults and perform command injection. The highest threa...Show more A server side remote code execution vulnerability was found in Foreman project. A authenticated attacker could use Sendmail configuration options to overwrite the defaults and perform command injection. The highest threat from this vulnerability is to confidentiality, integrity and availability of system. Fixed releases are 2.4.1, 2.5.1, 3.0.0.Show less
CVE-2021-23198 1Myscada 1Mypro Nov 21, 2024 Dec 23, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 mySCADA myPRO: Versions 8.20.0 and prior has a feature where the password can be specified, which may allow an attacker to inject arbitrary operating system commands through a specific parameter.
CVE-2021-22657 1Myscada 1Mypro Nov 21, 2024 Dec 23, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 mySCADA myPRO: Versions 8.20.0 and prior has a feature where the API password can be specified, which may allow an attacker to inject arbitrary operating system commands through a specific parameter.
CVE-2021-4144 1Tp Link 1Tl Wr802n Firmware Nov 21, 2024 Dec 23, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 TP-Link wifi router TL-WR802N V4(JP), with firmware version prior to 211202, is vulnerable to OS command injection.
CVE-2021-21888 1Lantronix 1Premierwave 2050 Firmware Nov 21, 2024 Dec 22, 2021 N/A· v4 9.1 CRITICAL· v3 9.0 HIGH· v2 An OS command injection vulnerability exists in the Web Manager SslGenerateCertificate functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to arbitrary command execu...Show more An OS command injection vulnerability exists in the Web Manager SslGenerateCertificate functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2021-21884 1Lantronix 1Premierwave 2050 Firmware Nov 21, 2024 Dec 22, 2021 N/A· v4 9.1 CRITICAL· v3 9.0 HIGH· v2 An OS command injection vulnerability exists in the Web Manager SslGenerateCSR functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker...Show more An OS command injection vulnerability exists in the Web Manager SslGenerateCSR functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2021-21883 1Lantronix 1Premierwave 2050 Firmware Nov 21, 2024 Dec 22, 2021 N/A· v4 9.9 CRITICAL· v3 9.0 HIGH· v2 An OS command injection vulnerability exists in the Web Manager Diagnostics: Ping functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attack...Show more An OS command injection vulnerability exists in the Web Manager Diagnostics: Ping functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2021-21882 1Lantronix 1Premierwave 2050 Firmware Nov 21, 2024 Dec 22, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An OS command injection vulnerability exists in the Web Manager FsUnmount functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can m...Show more An OS command injection vulnerability exists in the Web Manager FsUnmount functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2021-21881 1Lantronix 1Premierwave 2050 Firmware Nov 21, 2024 Dec 22, 2021 N/A· v4 9.9 CRITICAL· v3 9.0 HIGH· v2 An OS command injection vulnerability exists in the Web Manager Wireless Network Scanner functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to command execution. An attacker...Show more An OS command injection vulnerability exists in the Web Manager Wireless Network Scanner functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.Show less
CVE-2021-21877 1Lantronix 1Premierwave 2050 Firmware Nov 21, 2024 Dec 22, 2021 N/A· v4 9.1 CRITICAL· v3 6.5 MEDIUM· v2 Specially-crafted HTTP requests can lead to arbitrary command execution in “GET” requests. An attacker can make authenticated HTTP requests to trigger this vulnerability.
CVE-2021-21876 1Lantronix 1Premierwave 2050 Firmware Nov 21, 2024 Dec 22, 2021 N/A· v4 9.1 CRITICAL· v3 6.5 MEDIUM· v2 Specially-crafted HTTP requests can lead to arbitrary command execution in PUT requests. An attacker can make authenticated HTTP requests to trigger this vulnerability.
CVE-2021-21875 1Lantronix 1Premierwave 2050 Firmware Nov 21, 2024 Dec 22, 2021 N/A· v4 9.1 CRITICAL· v3 9.0 HIGH· v2 A specially-crafted HTTP request can lead to arbitrary command execution in EC keypasswd parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2021-21874 1Lantronix 1Premierwave 2050 Firmware Nov 21, 2024 Dec 22, 2021 N/A· v4 9.1 CRITICAL· v3 9.0 HIGH· v2 A specially-crafted HTTP request can lead to arbitrary command execution in DSA keypasswd parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2021-21873 1Lantronix 1Premierwave 2050 Firmware Nov 21, 2024 Dec 22, 2021 N/A· v4 9.1 CRITICAL· v3 9.0 HIGH· v2 A specially-crafted HTTP request can lead to arbitrary command execution in RSA keypasswd parameter. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Previous 1...191192193...299 Next