Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,956)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-7785 1Node Ps Project 1Node Ps Nov 21, 2024 Feb 8, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 This affects all versions of package node-ps. The injection point is located in line 72 in lib/index.js.
CVE-2020-7782 1Spritesheet Js Project 1Spritesheet Js Nov 21, 2024 Feb 8, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 This affects all versions of package spritesheet-js. It depends on a vulnerable package platform-command. The injection point is located in line 32 in lib/generator.js, which is triggered by main entry of the package.
CVE-2021-26541 1Gitlog Project 1Gitlog Nov 21, 2024 Feb 8, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The gitlog function in src/index.ts in gitlog before 4.0.4 has a command injection vulnerability.
CVE-2020-11920 1Svakom 1Siime Eye Firmware Nov 21, 2024 Feb 8, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 An issue was discovered in Svakom Siime Eye 14.1.00000001.3.330.0.0.3.14. A command injection vulnerability resides in the HOST/IP section of the NFS settings menu in the webserver running on the device. By injecting Bas...Show more An issue was discovered in Svakom Siime Eye 14.1.00000001.3.330.0.0.3.14. A command injection vulnerability resides in the HOST/IP section of the NFS settings menu in the webserver running on the device. By injecting Bash commands via shell metacharacters here, the device executes arbitrary code with root privileges (all of the device's services are running as root).Show less
CVE-2021-3122 1Ncr 1Command Center Agent Nov 21, 2024 Feb 7, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbi...Show more CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."Show less
CVE-2020-36243 1Open Emr 1Openemr Nov 21, 2024 Feb 7, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 The Patient Portal of OpenEMR 5.0.2.1 is affected by a Command Injection vulnerability in /interface/main/backup.php. To exploit the vulnerability, an authenticated attacker can send a POST request that executes arbitrar...Show more The Patient Portal of OpenEMR 5.0.2.1 is affected by a Command Injection vulnerability in /interface/main/backup.php. To exploit the vulnerability, an authenticated attacker can send a POST request that executes arbitrary OS commands via shell metacharacters.Show less
CVE-2021-1370 1Cisco 1Ios Xr Nov 21, 2024 Feb 4, 2021 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability in a CLI command of Cisco IOS XR Software for the Cisco 8000 Series Routers and Network Convergence System 540 Series Routers running NCS540L software images could allow an authenticated, local attacker t...Show more A vulnerability in a CLI command of Cisco IOS XR Software for the Cisco 8000 Series Routers and Network Convergence System 540 Series Routers running NCS540L software images could allow an authenticated, local attacker to elevate their privilege to root. To exploit this vulnerability, an attacker would need to have a valid account on an affected device. The vulnerability is due to insufficient validation of command line arguments. An attacker could exploit this vulnerability by authenticating to the device and entering a crafted command at the prompt. A successful exploit could allow an attacker with low-level privileges to escalate their privilege level to root.Show less
CVE-2021-1318 1Cisco 6Rv016 Multi Wan Vpn Router Firmware Rv042 Dual Wan Vpn Router FirmwareRv042g Dual Gigabit Wan Vpn Router Firmware+3 more Nov 21, 2024 Feb 4, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that...Show more Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device.Show less
CVE-2021-1317 1Cisco 6Rv016 Multi Wan Vpn Router Firmware Rv042 Dual Wan Vpn Router FirmwareRv042g Dual Gigabit Wan Vpn Router Firmware+3 more Nov 21, 2024 Feb 4, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that...Show more Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device.Show less
CVE-2021-1316 1Cisco 6Rv016 Multi Wan Vpn Router Firmware Rv042 Dual Wan Vpn Router FirmwareRv042g Dual Gigabit Wan Vpn Router Firmware+3 more Nov 21, 2024 Feb 4, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that...Show more Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device.Show less
CVE-2021-1315 1Cisco 6Rv016 Multi Wan Vpn Router Firmware Rv042 Dual Wan Vpn Router FirmwareRv042g Dual Gigabit Wan Vpn Router Firmware+3 more Nov 21, 2024 Feb 4, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that...Show more Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device.Show less
CVE-2021-1314 1Cisco 6Rv016 Multi Wan Vpn Router Firmware Rv042 Dual Wan Vpn Router FirmwareRv042g Dual Gigabit Wan Vpn Router Firmware+3 more Nov 21, 2024 Feb 4, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that...Show more Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on an affected device.Show less
CVE-2020-2507 1Qnap 1Helpdesk Nov 21, 2024 Feb 3, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Hel...Show more The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.Show less
CVE-2021-21289 3Debian FedoraprojectMechanize Project 3Debian Linux FedoraMechanize Nov 21, 2024 Feb 2, 2021 N/A· v4 8.3 HIGH· v3 7.6 HIGH· v2 Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allo...Show more Mechanize is an open-source ruby library that makes automated web interaction easy. In Mechanize from version 2.0.0 and before version 2.7.7 there is a command injection vulnerability. Affected versions of mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: Mechanize::CookieJar#load, Mechanize::CookieJar#save_as, Mechanize#download, Mechanize::Download#save, Mechanize::File#save, and Mechanize::FileResponse#read_body. This is fixed in version 2.7.7.Show less
CVE-2020-7775 1Freediskspace Project 1Freediskproject Nov 21, 2024 Feb 2, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 This affects all versions of package freediskspace. The vulnerability arises out of improper neutralization of arguments in line 71 of freediskspace.js.
CVE-2021-25310 1Belkin 1Linksys Wrt160nl Firmware Nov 21, 2024 Feb 2, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 The administration web interface on Belkin Linksys WRT160NL 1.0.04.002_US_20130619 devices allows remote authenticated attackers to execute system commands with root privileges via shell metacharacters in the ui_language...Show more The administration web interface on Belkin Linksys WRT160NL 1.0.04.002_US_20130619 devices allows remote authenticated attackers to execute system commands with root privileges via shell metacharacters in the ui_language POST parameter to the apply.cgi form endpoint. This occurs in do_upgrade_post in mini_httpd. NOTE: This vulnerability only affects products that are no longer supported by the maintaineShow less
CVE-2020-18568 1Dlink 2Dsr 1000n Firmware Dsr 250 Firmware Nov 21, 2024 Feb 2, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The D-Link DSR-250 (3.14) DSR-1000N (2.11B201) UPnP service contains a command injection vulnerability, which can cause remote command execution.
CVE-2020-25506 1Dlink 1Dns 320 Firmware Nov 7, 2025 Feb 2, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.
CVE-2020-28494 1Totaljs 1Total.js Nov 21, 2024 Feb 2, 2021 N/A· v4 8.6 HIGH· v3 7.5 HIGH· v2 This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue oc...Show more This affects the package total.js before 3.4.7. The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized.Show less
CVE-2020-25036 1Ucopia 1Ucopia Wireless Appliance Nov 21, 2024 Feb 2, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 UCOPIA Wi-Fi appliances 6.0.5 allow authenticated remote attackers to escape the restricted administration shell CLI, and access a shell with admin user rights, via an unprotected less command.

Previous 1...212213214...298 Next