Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,963)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-27575 1Maxum 1Rumpus Nov 21, 2024 Mar 8, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability. The web administration contains functionality in which administrators are able to manage users. The edit users form contains a parameter vu...Show more Maxum Rumpus 8.2.13 and 8.2.14 is affected by a command injection vulnerability. The web administration contains functionality in which administrators are able to manage users. The edit users form contains a parameter vulnerable to command injection due to insufficient validation.Show less
CVE-2021-27256 1Netgear 43Br200 Firmware Br500 FirmwareD7800 Firmware+40 more Nov 21, 2024 Mar 5, 2021 N/A· v4 8.8 HIGH· v3 8.3 HIGH· v2 This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Although authentication is required to exploit this vulnerability, the...Show more This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of the rc_service parameter provided to apply_save.cgi. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-12355.Show less
CVE-2021-26970 1Arubanetworks 1Airwave Nov 21, 2024 Mar 5, 2021 N/A· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 A remote authenticated arbitrary command execution vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Vulnerabilities in the AirWave web-base management interface could allow...Show more A remote authenticated arbitrary command execution vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Vulnerabilities in the AirWave web-base management interface could allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as a lower privileged user on the underlying operating system leading to partial system compromise.Show less
CVE-2021-26962 1Arubanetworks 1Airwave Nov 21, 2024 Mar 5, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 A remote authenticated arbitrary command execution vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Vulnerabilities in the AirWave CLI could allow remote authenticated user...Show more A remote authenticated arbitrary command execution vulnerability was discovered in Aruba AirWave Management Platform version(s): Prior to 8.2.12.0. Vulnerabilities in the AirWave CLI could allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to full system compromise.Show less
CVE-2021-27886 1Docker Dashboard Project 1Docker Dashboard Nov 21, 2024 Mar 2, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product.
CVE-2021-3342 1Eprints 1Eprints Nov 21, 2024 Mar 1, 2021 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted LaTeX input to a cgi/latex2png?latex= URI.
CVE-2021-26704 1Eprints 1Eprints Nov 21, 2024 Mar 1, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 EPrints 3.4.2 allows remote attackers to execute arbitrary commands via crafted input to the verb parameter in a cgi/toolbox/toolbox URI.
CVE-2021-26476 1Eprints 1Eprints Nov 21, 2024 Mar 1, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 EPrints 3.4.2 allows remote attackers to execute OS commands via crafted LaTeX input to a cgi/cal?year= URI.
CVE-2019-25022 1Scytl 1Secure Vote Nov 21, 2024 Feb 27, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in Scytl sVote 2.1. An attacker can inject code that gets executed by creating an election-event and injecting a payload over an event alias, because the application calls Runtime.getRuntime().exe...Show more An issue was discovered in Scytl sVote 2.1. An attacker can inject code that gets executed by creating an election-event and injecting a payload over an event alias, because the application calls Runtime.getRuntime().exec() without validation.Show less
CVE-2021-21302 1Prestashop 1Prestashop Nov 21, 2024 Feb 26, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed i...Show more PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2Show less
CVE-2021-20658 1Contec 1Sv Cpt Mc310 Firmware Nov 21, 2024 Feb 24, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 SolarView Compact SV-CPT-MC310 prior to Ver.6.5 allows an attacker to execute arbitrary OS commands with the web server privilege via unspecified vectors.
CVE-2021-26680 1Arubanetworks 1Clearpass Policy Manager Nov 21, 2024 Feb 23, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface a...Show more A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.Show less
CVE-2021-26679 1Arubanetworks 1Clearpass Policy Manager Nov 21, 2024 Feb 23, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface a...Show more A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.Show less
CVE-2021-26684 1Arubanetworks 1Clearpass Policy Manager Nov 21, 2024 Feb 23, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface a...Show more A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.Show less
CVE-2021-26683 1Arubanetworks 1Clearpass Policy Manager Nov 21, 2024 Feb 23, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface a...Show more A remote authenticated command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.Show less
CVE-2021-26681 1Arubanetworks 1Clearpass Policy Manager Nov 21, 2024 Feb 23, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 A remote authenticated command Injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass CLI could allow remote authentic...Show more A remote authenticated command Injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the ClearPass CLI could allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.Show less
CVE-2020-28432 - - Nov 7, 2023 Feb 23, 2021 N/A· v4 N/A· v3 N/A· v2 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none
CVE-2020-28431 - - Nov 7, 2023 Feb 23, 2021 N/A· v4 N/A· v3 N/A· v2 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none
CVE-2020-28429 1Geojson2kml Project 1Geojson2kml Nov 21, 2024 Feb 23, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 All versions of package geojson2kml are vulnerable to Command Injection via the index.js file. PoC: var a =require("geojson2kml"); a("./","& touch JHU",function(){})
CVE-2021-26724 1Nozominetworks 2Central Management Control Guardian Nov 21, 2024 Feb 22, 2021 8.6 HIGH· v4 7.2 HIGH· v3 9.0 HIGH· v2 OS Command Injection vulnerability when changing date settings or hostname using web GUI of Nozomi Networks Guardian and CMC allows authenticated administrators to perform remote code execution. This issue affects: Nozom...Show more OS Command Injection vulnerability when changing date settings or hostname using web GUI of Nozomi Networks Guardian and CMC allows authenticated administrators to perform remote code execution. This issue affects: Nozomi Networks Guardian 20.0.7.3 version 20.0.7.3 and prior versions. Nozomi Networks CMC 20.0.7.3 version 20.0.7.3 and prior versions.Show less

Previous 1...210211212...299 Next