Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-30187 2Codesys Wago 28750 8202 Firmware 750 8203 Firmware750 8204 Firmware+25 more Aug 15, 2025 May 25, 2021 N/A· v4 5.3 MEDIUM· v3 4.6 MEDIUM· v2 CODESYS V2 runtime system SP before 2.4.7.55 has Improper Neutralization of Special Elements used in an OS Command.
CVE-2021-33525 1Eyesofnetwork 1Eyesofnetwork Nov 21, 2024 May 24, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 EyesOfNetwork eonweb through 5.3-11 allows Remote Command Execution (by authenticated users) via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl...Show more EyesOfNetwork eonweb through 5.3-11 allows Remote Command Execution (by authenticated users) via shell metacharacters in the nagios_path parameter to lilac/export.php, as demonstrated by %26%26+curl to insert an "&& curl" substring for the shell.Show less
CVE-2021-29300 1Ronomon 1Opened Nov 21, 2024 May 24, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The @ronomon/opened library before 1.5.2 is vulnerable to a command injection vulnerability which would allow a remote attacker to execute commands on the system if the library was used with untrusted input.
CVE-2021-20557 1Ibm 1Security Guardium Nov 21, 2024 May 24, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 IBM Security Guardium 11.2 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 199184.
CVE-2021-1560 1Cisco 1Dna Spaces\ Nov 21, 2024 May 22, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, remote attacker to perform a command injection attack on an affected device. These vulnerabilities are due to insufficient input saniti...Show more Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, remote attacker to perform a command injection attack on an affected device. These vulnerabilities are due to insufficient input sanitization when executing affected commands. A high-privileged attacker could exploit these vulnerabilities on a Cisco DNA Spaces Connector by injecting crafted input during command execution. A successful exploit could allow the attacker to execute arbitrary commands as root within the Connector docker container.Show less
CVE-2021-1559 1Cisco 1Dna Spaces\ Nov 21, 2024 May 22, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, remote attacker to perform a command injection attack on an affected device. These vulnerabilities are due to insufficient input saniti...Show more Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, remote attacker to perform a command injection attack on an affected device. These vulnerabilities are due to insufficient input sanitization when executing affected commands. A high-privileged attacker could exploit these vulnerabilities on a Cisco DNA Spaces Connector by injecting crafted input during command execution. A successful exploit could allow the attacker to execute arbitrary commands as root within the Connector docker container.Show less
CVE-2021-1558 1Cisco 1Dna Spaces\ Nov 21, 2024 May 22, 2021 N/A· v4 6.7 MEDIUM· v3 7.2 HIGH· v2 Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. These vulnerabilities a...Show more Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. These vulnerabilities are due to insufficient restrictions during the execution of affected CLI commands. An attacker could exploit these vulnerabilities by leveraging the insufficient restrictions during execution of these commands. A successful exploit could allow the attacker to elevate privileges from dnasadmin and execute arbitrary commands on the underlying operating system as root.Show less
CVE-2021-1557 1Cisco 1Dna Spaces\ Nov 21, 2024 May 22, 2021 N/A· v4 6.7 MEDIUM· v3 7.2 HIGH· v2 Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. These vulnerabilities a...Show more Multiple vulnerabilities in Cisco DNA Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. These vulnerabilities are due to insufficient restrictions during the execution of affected CLI commands. An attacker could exploit these vulnerabilities by leveraging the insufficient restrictions during execution of these commands. A successful exploit could allow the attacker to elevate privileges from dnasadmin and execute arbitrary commands on the underlying operating system as root.Show less
CVE-2021-1487 1Cisco 2Evolved Programmable Network Manager Prime Infrastructure Nov 21, 2024 May 22, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary commands on an affecte...Show more A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Evolved Programmable Network (EPN) Manager could allow an authenticated, remote attacker to execute arbitrary commands on an affected system. The vulnerability is due to insufficient validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the interface. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system (OS) with the permissions of a special non-root user. In this way, an attacker could take control of the affected system, which would allow them to obtain and alter sensitive data. The attacker could also affect the devices that are managed by the affected system by pushing arbitrary configuration files, retrieving device credentials and confidential information, and ultimately undermining the stability of the devices, causing a denial of service (DoS) condition.Show less
CVE-2021-33514 1Netgear 17Gc108p Firmware Gc108pp FirmwareGs108t Firmware+14 more Nov 21, 2024 May 21, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Certain NETGEAR devices are affected by command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application, as demonstrated by setup.cgi?token=';$HTTP_USER_AGENT...Show more Certain NETGEAR devices are affected by command injection by an unauthenticated attacker via the vulnerable /sqfs/lib/libsal.so.0.0 library used by a CGI application, as demonstrated by setup.cgi?token=';$HTTP_USER_AGENT;' with an OS command in the User-Agent field. This affects GC108P before 1.0.7.3, GC108PP before 1.0.7.3, GS108Tv3 before 7.0.6.3, GS110TPPv1 before 7.0.6.3, GS110TPv3 before 7.0.6.3, GS110TUPv1 before 1.0.4.3, GS710TUPv1 before 1.0.4.3, GS716TP before 1.0.2.3, GS716TPP before 1.0.2.3, GS724TPPv1 before 2.0.4.3, GS724TPv2 before 2.0.4.3, GS728TPPv2 before 6.0.6.3, GS728TPv2 before 6.0.6.3, GS752TPPv1 before 6.0.6.3, GS752TPv2 before 6.0.6.3, MS510TXM before 1.0.2.3, and MS510TXUP before 1.0.2.3.Show less
CVE-2021-20719 1Nippon Antenna 1Rfntps Firmware Nov 21, 2024 May 20, 2021 N/A· v4 6.8 MEDIUM· v3 7.7 HIGH· v2 RFNTPS firmware versions System_01000004 and earlier, and Web_01000004 and earlier allow an attacker on the same network segment to execute arbitrary OS commands with a root privilege via unspecified vectors.
CVE-2021-31324 1Control Webpanel 1Webpanel Nov 21, 2024 May 18, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution.
CVE-2021-32305 1Websvn 1Websvn Nov 21, 2024 May 18, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
CVE-2020-36198 1Qnap 1Malware Remover Nov 21, 2024 May 13, 2021 N/A· v4 6.7 MEDIUM· v3 7.2 HIGH· v2 A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems...Show more A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP Systems Inc. Malware Remover 3.x.Show less
CVE-2021-32605 1Zzzcms 1Zzzphp Nov 21, 2024 May 11, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 zzzcms zzzphp before 2.0.4 allows remote attackers to execute arbitrary OS commands by placing them in the keys parameter of a ?location=search URI, as demonstrated by an OS command within an "if" "end if" block.
CVE-2021-31915 1Jetbrains 1Teamcity Nov 21, 2024 May 11, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In JetBrains TeamCity before 2020.2.4, OS command injection leading to remote code execution was possible.
CVE-2021-23012 1F5 14Big Ip Access Policy Manager Big Ip Advanced Firewall ManagerBig Ip Advanced Web Application Firewall+11 more Nov 21, 2024 May 10, 2021 N/A· v4 8.2 HIGH· v3 7.2 HIGH· v2 On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either...Show more On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.Show less
CVE-2021-32090 1Localstack 1Localstack Nov 21, 2024 May 7, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The dashboard component of StackLift LocalStack 0.12.6 allows attackers to inject arbitrary shell commands via the functionName parameter.
CVE-2021-28151 1Hongdian 1H8922 Firmware Nov 21, 2024 May 6, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest.
CVE-2021-26543 1Wayfair 1Git Parse Nov 21, 2024 May 6, 2021 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The "gitDiff" function in Wayfair git-parse <=1.0.4 has a command injection vulnerability. Clients of the git-parse library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerabi...Show more The "gitDiff" function in Wayfair git-parse <=1.0.4 has a command injection vulnerability. Clients of the git-parse library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. The issue has been resolved in version 1.0.5.Show less

Previous 1...204205206...299 Next