Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-34348 1Qnap 1Qvr Nov 21, 2024 Sep 27, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A command injection vulnerability has been reported to affect QNAP device running QVR. If exploited, this vulnerability could allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in...Show more A command injection vulnerability has been reported to affect QNAP device running QVR. If exploited, this vulnerability could allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.5 build 20210803 and laterShow less
CVE-2021-34729 1Cisco 2Ios Xe Ios Xe Sd Wan Nov 21, 2024 Sep 23, 2021 N/A· v4 6.7 MEDIUM· v3 7.2 HIGH· v2 A vulnerability in the CLI of Cisco IOS XE SD-WAN Software and Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands with elevated privileges on an affected device. This vulnera...Show more A vulnerability in the CLI of Cisco IOS XE SD-WAN Software and Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands with elevated privileges on an affected device. This vulnerability is due to insufficient validation of arguments passed to certain CLI commands. An attacker could exploit this vulnerability by including malicious input in the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands with elevated privileges on the underlying operating system. An attacker would need valid user credentials to exploit this vulnerability.Show less
CVE-2021-34726 1Cisco 1Sd Wan Nov 21, 2024 Sep 23, 2021 N/A· v4 6.7 MEDIUM· v3 7.2 HIGH· v2 A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with root-level privileges on the underlying operating system of an affected de...Show more A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with root-level privileges on the underlying operating system of an affected device. This vulnerability is due to insufficient input validation on certain CLI commands. An attacker could exploit this vulnerability by authenticating to an affected device and submitting crafted input to the CLI. The attacker must be authenticated as an administrative user to execute the affected commands. A successful exploit could allow the attacker to execute commands with root-level privileges.Show less
CVE-2021-34725 1Cisco 1Ios Xe Sd Wan Nov 21, 2024 Sep 23, 2021 N/A· v4 6.7 MEDIUM· v3 7.2 HIGH· v2 A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with root-level privileges on the underlying operating system. This vuln...Show more A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands to be executed with root-level privileges on the underlying operating system. This vulnerability is due to insufficient input validation on certain CLI commands. An attacker could exploit this vulnerability by authenticating to an affected device and submitting crafted input to the CLI. The attacker must be authenticated as an administrative user to execute the affected commands. A successful exploit could allow the attacker to execute commands with root-level privileges.Show less
CVE-2021-37925 1Zohocorp 1Manageengine Admanager Plus Nov 21, 2024 Sep 22, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability.
CVE-2021-36260 1Hikvision 252Ds 2cd2021g1 I(w) Firmware Ds 2cd2023g2 I(u) FirmwareDs 2cd2026g2 Iu/sl Firmware+249 more Nov 10, 2025 Sep 22, 2021 N/A· v4 9.8 CRITICAL· v3 9.3 HIGH· v2 A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some message...Show more A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.Show less
CVE-2020-26301 1Ssh2 Project 1Ssh2 Nov 21, 2024 Sep 20, 2021 N/A· v4 10.0 CRITICAL· v3 7.5 HIGH· v2 ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code exec...Show more ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This is fixed in version 1.4.0.Show less
CVE-2021-41315 1Device42 1Remote Collector Nov 21, 2024 Sep 17, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 The Device42 Remote Collector before 17.05.01 does not sanitize user input in its SNMP Connectivity utility. This allows an authenticated attacker (with access to the console application) to execute arbitrary OS commands...Show more The Device42 Remote Collector before 17.05.01 does not sanitize user input in its SNMP Connectivity utility. This allows an authenticated attacker (with access to the console application) to execute arbitrary OS commands and escalate privileges.Show less
CVE-2021-37913 1Hgiga 1Oaklouds Portal Nov 21, 2024 Sep 15, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The HGiga OAKlouds mobile portal does not filter special characters of the IPv6 Gateway parameter of the network interface card setting page. Remote attackers can use this vulnerability to perform command injection and e...Show more The HGiga OAKlouds mobile portal does not filter special characters of the IPv6 Gateway parameter of the network interface card setting page. Remote attackers can use this vulnerability to perform command injection and execute arbitrary commands in the system without logging in.Show less
CVE-2021-37912 1Hgiga 1Oaklouds Portal Nov 21, 2024 Sep 15, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The HGiga OAKlouds mobile portal does not filter special characters of the Ethernet number parameter of the network interface card setting page. Remote attackers can use this vulnerability to perform command injection an...Show more The HGiga OAKlouds mobile portal does not filter special characters of the Ethernet number parameter of the network interface card setting page. Remote attackers can use this vulnerability to perform command injection and execute arbitrary commands in the system without logging in.Show less
CVE-2021-23025 1F5 14Big Ip Access Policy Manager Big Ip Advanced Firewall ManagerBig Ip Advanced Web Application Firewall+11 more Nov 21, 2024 Sep 14, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility...Show more On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.Show less
CVE-2021-23031 1F5 2Big Ip Advanced Web Application Firewall Big Ip Application Security Manager Nov 21, 2024 Sep 14, 2021 N/A· v4 9.9 CRITICAL· v3 6.5 MEDIUM· v2 On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG...Show more On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.Show less
CVE-2021-37531 1Sap 1Netweaver Knowledge Management Xml Forms Nov 21, 2024 Sep 14, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file...Show more SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. This can result in a full compromise of the confidentiality, integrity, and availability of the system.Show less
CVE-2021-31891 1Siemens 5Desigo Cc Gma ManagerOperation Scheduler+2 more Nov 21, 2024 Sep 14, 2021 N/A· v4 10.0 CRITICAL· v3 10.0 HIGH· v2 A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or earlier), Operation Scheduler (All versions with OIS running on Debian...Show more A vulnerability has been identified in Desigo CC (All versions with OIS Extension Module), GMA-Manager (All versions with OIS running on Debian 9 or earlier), Operation Scheduler (All versions with OIS running on Debian 9 or earlier), Siveillance Control (All versions with OIS running on Debian 9 or earlier), Siveillance Control Pro (All versions). The affected application incorrectly neutralizes special elements in a specific HTTP GET request which could lead to command injection. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.Show less
CVE-2021-33554 1Geutebrueck 16G Cam Ebc 2110 Firmware G Cam Ebc 2111 FirmwareG Cam Ebc 2112 Firmware+13 more Nov 21, 2024 Sep 13, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.
CVE-2021-33553 1Geutebrueck 16G Cam Ebc 2110 Firmware G Cam Ebc 2111 FirmwareG Cam Ebc 2112 Firmware+13 more Nov 21, 2024 Sep 13, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.
CVE-2021-33552 1Geutebrueck 16G Cam Ebc 2110 Firmware G Cam Ebc 2111 FirmwareG Cam Ebc 2112 Firmware+13 more Nov 21, 2024 Sep 13, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.
CVE-2021-33551 1Geutebrueck 16G Cam Ebc 2110 Firmware G Cam Ebc 2111 FirmwareG Cam Ebc 2112 Firmware+13 more Nov 21, 2024 Sep 13, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.
CVE-2021-33550 1Geutebrueck 16G Cam Ebc 2110 Firmware G Cam Ebc 2111 FirmwareG Cam Ebc 2112 Firmware+13 more Nov 21, 2024 Sep 13, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.
CVE-2021-33548 1Geutebrueck 16G Cam Ebc 2110 Firmware G Cam Ebc 2111 FirmwareG Cam Ebc 2112 Firmware+13 more Nov 21, 2024 Sep 13, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

Previous 1...197198199...299 Next