CWE-78

5,964 CVEs • Abstraction: Base • Likelihood of Exploit: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.


CVEs (5,964)

Fields per entry: vendors (with count), products (with count), last updated, published, CVSS (v4, v3, v2), followed by the CVE description.

Vendor (1): Jupyterhub
Products (1): Nbgitpuller
Updated: Nov 21, 2024 | Published: Aug 25, 2021
CVSS: v4 N/A; v3 8.8 HIGH; v2 6.8 MEDIUM
nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No workaround exists for users who cannot upgrade.

Vendor (1): Lg
Products (1): N1t1 Firmware
Updated: Nov 21, 2024 | Published: Aug 24, 2021
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 10.0 HIGH
Network Attached Storage on LG N1T1*** 10124 devices allows an unauthenticated attacker to gain root access via OS command injection in the en/ajp/plugins/access.ssh/checkInstall.php destServer parameter.

Vendor (1): Apache
Products (1): Nifi Minifi C++
Updated: Nov 21, 2024 | Published: Aug 24, 2021
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 7.5 HIGH
From Apache NiFi MiNiFi C++ version 0.5.0 the c2 protocol implements an "agent-update" command which was designed to patch the application binary. This "patching" command defaults to calling a trusted binary, but might be modified to an arbitrary value through a "c2-update" command. Said command is then executed using the same privileges as the application binary. This was addressed in version 0.10.0.

Vendor (1): Altus
Products (15): Hadron Xtorm Hx3040 Firmware, Nexto Nx3003 Firmware, Nexto Nx3004 Firmware, +12 more
Updated: Nov 21, 2024 | Published: Aug 23, 2021
CVSS: v4 N/A; v3 8.8 HIGH; v2 9.0 HIGH
Authenticated Semi-Blind Command Injection (via Parameter Injection) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via the getlogs.cgi tcpdump feature. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0.

Vendor (1): Adobe
Products (1): Illustrator
Updated: Nov 21, 2024 | Published: Aug 20, 2021
CVSS: v4 N/A; v3 7.8 HIGH; v2 9.3 HIGH
Adobe Illustrator version 25.2.3 (and earlier) is affected by a potential Command injection vulnerability when chained with a development and debugging tool for JavaScript scripts. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor (1): Adobe
Products (2): Acrobat Dc, Acrobat Reader Dc
Updated: Nov 21, 2024 | Published: Aug 20, 2021
CVSS: v4 N/A; v3 8.2 HIGH; v2 8.5 HIGH
Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by an Improper Neutralization of Special Elements used in an OS Command. An authenticated attacker could leverage this vulnerability to achieve arbitrary code execution on the host machine in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Vendor (1): Centreon
Products (1): Centreon
Updated: Nov 21, 2024 | Published: Aug 18, 2021
CVSS: v4 N/A; v3 8.8 HIGH; v2 9.0 HIGH
/graphStatus/displayServiceStatus.php in Centreon 19.10.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the RRDdatabase_path parameter.

Vendor (1): Haikuforteams
Products (1): Diez
Updated: Nov 21, 2024 | Published: Aug 17, 2021
CVSS: v4 N/A; v3 7.0 HIGH; v2 6.8 MEDIUM
The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. All versions of this package are vulnerable as of the writing of this CVE.

Vendor (1): Lenovo
Products (3): Smart Camera C2e Firmware, Smart Camera X3 Firmware, Smart Camera X5 Firmware
Updated: Nov 21, 2024 | Published: Aug 17, 2021
CVSS: v4 N/A; v3 7.2 HIGH; v2 6.5 MEDIUM
A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow command injection by setting a specially crafted network configuration. This vulnerability is the same as CNVD-2020-68652.

Vendor (1): Motorola
Products (1): Mm1000 Firmware
Updated: Nov 21, 2024 | Published: Aug 17, 2021
CVSS: v4 N/A; v3 6.8 MEDIUM; v2 7.2 HIGH
A privilege escalation vulnerability was reported in the MM1000 device configuration web server, which could allow privileged shell access and/or arbitrary privileged commands to be executed on the adapter.

Vendor (1): Dell
Products (1): Emc Powerscale Onefs
Updated: Nov 21, 2024 | Published: Aug 16, 2021
CVSS: v4 N/A; v3 6.7 MEDIUM; v2 4.6 MEDIUM
Dell EMC PowerScale OneFS versions 8.2.x - 9.2.1.x contain an OS command injection vulnerability. This may allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to escalate privileges and escape the compliance guarantees. This only impacts Smartlock WORM compliance mode clusters as a critical vulnerability, and Dell recommends updating/upgrading at the earliest opportunity.

Vendor (1): Proxyee Down Project
Products (1): Proxyee Down
Updated: Nov 21, 2024 | Published: Aug 16, 2021
CVSS: v4 N/A; v3 8.1 HIGH; v2 9.3 HIGH
Proxyee-Down is open source proxy software. An attacker being able to provide an extension script (e.g., through a MiTM attack or by hosting a malicious extension) may be able to run arbitrary commands on the system running Proxyee-Down. For more details including a PoC see the referenced GHSL-2021-053. As of the writing of this CVE there is currently no patched version.

Vendor (1): Shopware
Products (1): Shopware
Updated: Nov 21, 2024 | Published: Aug 16, 2021
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 7.5 HIGH
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

Vendor (1): Realtek
Products (1): Rtl819x Jungle Software Development Kit
Updated: Nov 7, 2025 | Published: Aug 16, 2021
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 10.0 HIGH
Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.

Vendor (1): Bikeshed Project
Products (1): Bikeshed
Updated: Nov 21, 2024 | Published: Aug 16, 2021
CVSS: v4 N/A; v3 7.8 HIGH; v2 6.8 MEDIUM
This affects the package bikeshed before 3.0.0. This can occur when an untrusted source file containing Inline Tag Command metadata is processed. When an arbitrary OS command is executed, the command output would be included in the HTML output.

Vendor (1): Dlink
Products (1): Dsl 2750u Firmware
Updated: Nov 21, 2024 | Published: Aug 16, 2021
CVSS: v4 N/A; v3 7.8 HIGH; v2 7.2 HIGH
D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to OS command injection. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3707, to execute any OS commands on the vulnerable device.

Vendor (1): Huawei
Products (1): Hg8045q Firmware
Updated: Nov 21, 2024 | Published: Aug 13, 2021
CVSS: v4 N/A; v3 6.7 MEDIUM; v2 6.9 MEDIUM
There is a command injection vulnerability in the HG8045Q product. When the command-line interface is enabled, which is disabled by default, attackers with administrator privilege could execute part of commands.

Vendor (1): Sunhillo
Products (1): Sureline
Updated: Nov 5, 2025 | Published: Aug 13, 2021
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 10.0 HIGH
Sunhillo SureLine before 8.7.0.1.1 allows Unauthenticated OS Command Injection via shell metacharacters in ipAddr or dnsAddr /cgi/networkDiag.cgi.

Vendor (1): Nagios
Products (1): Nagios Xi Watchguard Wizard
Updated: Nov 21, 2024 | Published: Aug 13, 2021
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 7.5 HIGH
Nagios XI WatchGuard Wizard before version 1.4.8 is vulnerable to remote code execution through improper neutralisation of special elements used in an OS Command (OS Command injection).

Vendor (1): Nagios
Products (1): Nagios Xi Switch Wizard
Updated: Nov 21, 2024 | Published: Aug 13, 2021
CVSS: v4 N/A; v3 9.8 CRITICAL; v2 7.5 HIGH
Nagios XI Switch Wizard before version 2.5.7 is vulnerable to remote code execution through improper neutralisation of special elements used in an OS Command (OS Command injection).