Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,955)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-23330 1Bitovi 1Launchpad Nov 21, 2024 Feb 1, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 All versions of package launchpad are vulnerable to Command Injection via stop.
CVE-2020-5626 1Infoscience 2Elc Analytics Logstorage Nov 21, 2024 Jan 28, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Logstorage version 8.0.0 and earlier, and ELC Analytics version 3.0.0 and earlier allow remote attackers to execute arbitrary OS commands via a specially crafted log file.
CVE-2021-3317 1Klogserver 1Klog Server Nov 21, 2024 Jan 26, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
CVE-2013-2512 1Ftpd Project 1Ftpd Nov 21, 2024 Jan 26, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitrary OS commands via shell metacharacters in a LIST or NLST command argument within FTP protocol traffic.
CVE-2021-3291 1Zen Cart 1Zen Cart Nov 21, 2024 Jan 26, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.
CVE-2021-3190 1Async Git Project 1Async Git Nov 21, 2024 Jan 26, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.
CVE-2020-36199 1Kaspersky 1Tinycheck Nov 21, 2024 Jan 26, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 TinyCheck before commits 9fd360d and ea53de8 was vulnerable to command injection due to insufficient checks of input parameters in several places.
CVE-2020-35576 1Tp Link 1Tl Wr841n Firmware Nov 21, 2024 Jan 26, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A Command Injection issue in the traceroute feature on TP-Link TL-WR841N V13 (JP) with firmware versions prior to 201216 allows authenticated users to execute arbitrary code as root via shell metacharacters, a different...Show more A Command Injection issue in the traceroute feature on TP-Link TL-WR841N V13 (JP) with firmware versions prior to 201216 allows authenticated users to execute arbitrary code as root via shell metacharacters, a different vulnerability than CVE-2018-12577.Show less
CVE-2020-27542 1Company 1Cs C2shw Firmware Nov 21, 2024 Jan 26, 2021 N/A· v4 6.8 MEDIUM· v3 4.6 MEDIUM· v2 Rostelecom CS-C2SHW 5.0.082.1 is affected by: Bash command injection. The camera reads configuration from QR code (including network settings). The static IP configuration from QR code is copied to the file /config/ip-st...Show more Rostelecom CS-C2SHW 5.0.082.1 is affected by: Bash command injection. The camera reads configuration from QR code (including network settings). The static IP configuration from QR code is copied to the file /config/ip-static and after reboot data from this file is inserted into bash command (without any escaping). So bash injection is possible. Camera doesn't parse QR codes if it's already successfully configured. Camera is always rebooted after successful configuration via QR code.Show less
CVE-2020-27298 1Philips 5Coronary Tools Dynamic Coronary RoadmapInterventional Workspot+2 more Jun 4, 2025 Jan 26, 2021 N/A· v4 6.5 MEDIUM· v3 3.3 LOW· v2 Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an...Show more Philips Interventional Workspot (Release 1.3.2, 1.4.0, 1.4.1, 1.4.3, 1.4.5), Coronary Tools/Dynamic Coronary Roadmap/Stentboost Live (Release 1.0), ViewForum (Release 6.3V1L10). The software constructs all or part of an OS command using externally influenced input from an upstream component but does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when sent to a downstream component.Show less
CVE-2020-23826 1Assaabloy 1Yale Wipc 303w Firmware Nov 21, 2024 Jan 26, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The Yale WIPC-303W 2.21 through 2.31 camera is vulnerable to remote command execution (RCE) through command injection via the HTTP API. NOTE: This may be a duplicate of CVE-2020-10176
CVE-2020-12513 1Pepperl Fuchs 12Io Link Master 4 Eip Firmware Io Link Master 4 Pnio FirmwareIo Link Master 8 Eip L Firmware+9 more Nov 21, 2024 Jan 22, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2021-1142 1Cisco 1Smart Software Manager Satellite Nov 21, 2024 Jan 20, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information abou...Show more Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information about these vulnerabilities, see the Details section of this advisory.Show less
CVE-2021-1141 1Cisco 1Smart Software Manager Satellite Nov 21, 2024 Jan 20, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information abou...Show more Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information about these vulnerabilities, see the Details section of this advisory.Show less
CVE-2021-1140 1Cisco 1Smart Software Manager Satellite Nov 21, 2024 Jan 20, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information abou...Show more Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information about these vulnerabilities, see the Details section of this advisory.Show less
CVE-2021-1139 1Cisco 1Smart Software Manager Satellite Nov 21, 2024 Jan 20, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information abou...Show more Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information about these vulnerabilities, see the Details section of this advisory.Show less
CVE-2021-1138 1Cisco 1Smart Software Manager Satellite Nov 21, 2024 Jan 20, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information abou...Show more Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. For more information about these vulnerabilities, see the Details section of this advisory.Show less
CVE-2021-1264 1Cisco 1Catalyst Center Jul 23, 2025 Jan 20, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A vulnerability in the Command Runner tool of Cisco DNA Center could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient input validation by the Command...Show more A vulnerability in the Command Runner tool of Cisco DNA Center could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to insufficient input validation by the Command Runner tool. An attacker could exploit this vulnerability by providing crafted input during command execution or via a crafted command runner API call. A successful exploit could allow the attacker to execute arbitrary CLI commands on devices managed by Cisco DNA Center.Show less
CVE-2021-23326 1The Guild 1Graphql Tools Nov 21, 2024 Jan 20, 2021 N/A· v4 8.8 HIGH· v3 7.5 HIGH· v2 This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection.
CVE-2021-0219 1Juniper 1Junos Nov 21, 2024 Jan 15, 2021 N/A· v4 6.7 MEDIUM· v3 7.2 HIGH· v2 A command injection vulnerability in install package validation subsystem of Juniper Networks Junos OS that may allow a locally authenticated attacker with privileges to execute commands with root privilege. To validate...Show more A command injection vulnerability in install package validation subsystem of Juniper Networks Junos OS that may allow a locally authenticated attacker with privileges to execute commands with root privilege. To validate a package in Junos before installation, an administrator executes the command 'request system software add validate-on-host' via the CLI. An attacker with access to this CLI command may be able to exploit this vulnerability. This issue affects Juniper Networks Junos OS: all versions prior to 17.3R3-S10; 17.4 versions prior to 17.4R2-S12, 17.4R3-S3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R2-S8, 18.2R3-S6; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R1-S8, 18.4R2-S7, 18.4R3-S6; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3-S3; 19.2 versions prior to 19.2R3-S1; 19.3 versions prior to 19.3R2-S5, 19.3R3-S1; 19.4 versions prior to 19.4R2-S2, 19.4R3-S1; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R1-S2, 20.2R2; 20.3 versions prior to 20.3R1-S1, 20.3R2.Show less

Previous 1...213214215...298 Next