CWE-78

5,964 CVEs • Abstraction: Base • Likelihood of Exploit: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.


CVEs (5,964)

Vendor: Geutebrueck
Products (16): G Cam Ebc 2110 Firmware, G Cam Ebc 2111 Firmware, G Cam Ebc 2112 Firmware, +13 more
Updated: Nov 21, 2024 · Published: Sep 13, 2021
CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code.

Vendor: Rittal
Products (1): Cmc Pu Iii 7030.000 Firmware
Updated: Nov 21, 2024 · Published: Sep 9, 2021
CVSS: v4 N/A · v3 7.2 HIGH · v2 9.0 HIGH
Rittal CMC PU III Web management (version affected: V3.11.00_2; version fixed: V3.17.10) is affected by a remote code execution vulnerability. It is possible to introduce shell code to create a reverse shell in the PU-Hostname field of the TCP/IP Configuration dialog. The web application fails to sanitize user input on the Network TCP/IP configuration page. This allows the attacker to inject commands as root on the device, which will be executed once the data is received.

Vendor: Redaxo
Products (1): Redaxo
Updated: Nov 21, 2024 · Published: Sep 9, 2021
CVSS: v4 N/A · v3 7.2 HIGH · v2 9.0 HIGH
Remote code execution in the modules component in Yakamara Media Redaxo CMS version 5.12.1 allows an authenticated CMS user to execute code on the hosting system via a module containing malicious PHP code.

Vendor: Cisco
Products (1): Ios Xr
Updated: Nov 21, 2024 · Published: Sep 9, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 7.2 HIGH
Multiple vulnerabilities in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker with a low-privileged account to elevate privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Vendor: Cisco
Products (1): Ios Xr
Updated: Nov 21, 2024 · Published: Sep 9, 2021
CVSS: v4 N/A · v3 6.7 MEDIUM · v2 7.2 HIGH
Multiple vulnerabilities in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to gain access to the underlying root shell of an affected device and execute arbitrary commands with root privileges. For more information about these vulnerabilities, see the Details section of this advisory.

Vendor: Cisco
Products (1): Ios Xr
Updated: Nov 21, 2024 · Published: Sep 9, 2021
CVSS: v4 N/A · v3 6.7 MEDIUM · v2 6.9 MEDIUM
Multiple vulnerabilities in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to gain access to the underlying root shell of an affected device and execute arbitrary commands with root privileges. For more information about these vulnerabilities, see the Details section of this advisory.

Vendor: Cisco
Products (1): Ios Xr
Updated: Nov 21, 2024 · Published: Sep 9, 2021
CVSS: v4 N/A · v3 7.8 HIGH · v2 7.2 HIGH
Multiple vulnerabilities in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker with a low-privileged account to elevate privileges on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Vendor: Systeminformation
Products (1): Systeminformation
Updated: Nov 21, 2024 · Published: Sep 9, 2021
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
systeminformation is an npm package that provides a system and OS information library for node.js. In systeminformation before version 4.26.2 there is a command injection vulnerability. The problem was fixed in version 4.26.2 with a shell string sanitization fix.

Vendor: Ppgo Jobs Project
Products (1): Ppgo Jobs
Updated: Nov 21, 2024 · Published: Sep 8, 2021
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Command Injection in PPGo_Jobs v2.8.0 allows remote attackers to execute arbitrary code via the 'AjaxRun()' function.

Vendor: Adobe
Products (1): After Effects
Updated: Nov 21, 2024 · Published: Sep 8, 2021
CVSS: v4 N/A · v3 8.8 HIGH · v2 7.6 HIGH
Adobe After Effects version 18.1 (and earlier) is affected by a potential Command injection vulnerability when chained with a development and debugging tool for JavaScript scripts. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor: Fortinet
Products (1): Fortiweb
Updated: Nov 21, 2024 · Published: Sep 8, 2021
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
An Improper neutralization of special elements used in a command ('Command Injection') in Fortinet FortiWeb version 6.3.13 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.

Vendor: Moxa
Products (12): Oncell G3470a Lte Eu T Firmware, Oncell G3470a Lte Eu Firmware, Tap 323 Eu Ct T Firmware, +9 more
Updated: Nov 21, 2024 · Published: Sep 7, 2021
CVSS: v4 N/A · v3 8.8 HIGH · v2 9.0 HIGH
Certain MOXA devices allow Authenticated Command Injection via /forms/web_importTFTP. This affects WAC-2004 1.7, WAC-1001 2.1, WAC-1001-T 2.1, OnCell G3470A-LTE-EU 1.7, OnCell G3470A-LTE-EU-T 1.7, TAP-323-EU-CT-T 1.3, TAP-323-US-CT-T 1.3, TAP-323-JP-CT-T 1.3, WDR-3124A-EU 2.3, WDR-3124A-EU-T 2.3, WDR-3124A-US 2.3, and WDR-3124A-US-T 2.3.

Vendor: Adobe
Products (2): Adobe Commerce, Magento Open Source
Updated: Nov 21, 2024 · Published: Sep 1, 2021
CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution.

Vendor: Adobe
Products (2): Adobe Commerce, Magento Open Source
Updated: Nov 21, 2024 · Published: Sep 1, 2021
CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.

Vendor: Easycorp
Products (1): Zentao
Updated: Nov 21, 2024 · Published: Aug 31, 2021
CVSS: v4 N/A · v3 7.2 HIGH · v2 9.0 HIGH
The Cron job tab in EasyCorp ZenTao 12.5.3 allows remote attackers (who have admin access) to execute arbitrary code by setting the type parameter to System.

Vendor: Testzentrum Odw
Products (1): Testerfassung
Updated: Nov 21, 2024 · Published: Aug 30, 2021
CVSS: v4 N/A · v3 8.1 HIGH · v2 9.3 HIGH
A Shell Metacharacter Injection vulnerability in result.php in DRK Odenwaldkreis Testerfassung March-2021 allows an attacker with a valid token of a COVID-19 test result to execute shell commands with the permissions of the web server.

Vendor: Zohocorp
Products (1): Manageengine Adselfservice Plus
Updated: Nov 21, 2024 · Published: Aug 30, 2021
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 10.0 HIGH
Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.

Vendor: Vizio
Products (2): E50x E1 Firmware, P65 F1 Firmware
Updated: Nov 21, 2024 · Published: Aug 26, 2021
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 10.0 HIGH
Several high privileged APIs on the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs do not enforce access controls, allowing an unauthenticated threat actor to access privileged functionality, leading to OS command execution. The specific attack methodology is a file upload.

Vendor: Cisco
Products (1): Nx Os
Updated: Nov 21, 2024 · Published: Aug 25, 2021
CVSS: v4 N/A · v3 6.7 MEDIUM · v2 7.2 HIGH
A vulnerability in Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an authenticated, local attacker to elevate privileges on an affected device. This vulnerability is due to insufficient restrictions during the execution of a specific CLI command. An attacker with administrative privileges could exploit this vulnerability by performing a command injection attack on the vulnerable command. A successful exploit could allow the attacker to access the underlying operating system as root.

Vendor: Jupyter
Products (1): Binderhub
Updated: Nov 21, 2024 · Published: Aug 25, 2021
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
BinderHub is a kubernetes-based cloud service that allows users to share reproducible interactive computing environments from code repositories. In affected versions a remote code execution vulnerability has been identified in BinderHub, where providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user created pods in the deployment, with the potential to escalate to the host depending on the underlying kubernetes configuration. Users are advised to update to version 0.2.0-n653. If users are unable to update they may disable the git repo provider by specifying the `BinderHub.repo_providers` as a workaround.