Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,951)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-4180 1Ibm 1Security Guardium Nov 21, 2024 Jun 3, 2020 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 IBM Security Guardium 11.1 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrar...Show more IBM Security Guardium 11.1 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 174735.Show less
CVE-2020-2200 1Jenkins 1Play Framework Nov 21, 2024 Jun 3, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the path to the `play` command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by us...Show more Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the path to the `play` command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master.Show less
CVE-2014-8945 1Piwigo 1Lexiglot Nov 21, 2024 Jun 1, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 admin.php?page=projects in Lexiglot through 2014-11-20 allows command injection via username and password fields.
CVE-2014-7173 1Farsite 1Farlinx X25 Gateway Firmware Nov 21, 2024 Jun 1, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 FarLinX X25 Gateway through 2014-09-25 allows command injection via shell metacharacters to sysSaveMonitorData.php, fsx25MonProxy.php, syseditdate.php, iframeupload.php, or sysRestoreX25Cplt.php.
CVE-2020-13694 1Quickbox 1Quickbox Nov 21, 2024 Jun 1, 2020 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the m...Show more In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user can execute sudo mysql without a password, which means that the www-data user can execute arbitrary OS commands via the mysql -e option.Show less
CVE-2020-13448 1Quickbox 1Quickbox Nov 21, 2024 Jun 1, 2020 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 allows an authenticated remote attacker to execute code on the server via command injection in the servicestart parameter.
CVE-2020-8816 1Pi Hole 1Pi Hole Nov 10, 2025 May 29, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
CVE-2019-20807 6Apple CanonicalDebian+3 more 7Command Center Debian LinuxLeap+4 more Nov 21, 2024 May 28, 2020 N/A· v4 5.3 MEDIUM· v3 4.6 MEDIUM· v2 In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).
CVE-2020-11950 1Vivotek 200Cc8160(hs) Firmware Cc8160 FirmwareCc8370 Hv Firmware+197 more Nov 21, 2024 May 28, 2020 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 VIVOTEK Network Cameras before XXXXX-VVTK-2.2002.xx.01x (and before XXXXX-VVTK-0XXXX_Beta2) allows an authenticated user to upload and execute a script (with resultant execution of OS commands). For example, this affects...Show more VIVOTEK Network Cameras before XXXXX-VVTK-2.2002.xx.01x (and before XXXXX-VVTK-0XXXX_Beta2) allows an authenticated user to upload and execute a script (with resultant execution of OS commands). For example, this affects IT9388-HT devices.Show less
CVE-2020-8605 1Trendmicro 1Interscan Web Security Virtual Appliance Nov 21, 2024 May 27, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this vulnerability.
CVE-2020-12393 1Mozilla 3Firefox Firefox EsrThunderbird Nov 21, 2024 May 26, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a te...Show more The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. Note: this issue only affects Firefox on Windows operating systems.. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.Show less
CVE-2020-8171 1Ui 1Airos Nov 21, 2024 May 26, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:Th...Show more We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:There are certain end-points containing functionalities that are vulnerable to command injection. It is possible to craft an input string that passes the filter check but still contains commands, resulting in remote code execution.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page.Show less
CVE-2020-13388 1Python 1Jw.util Nov 21, 2024 May 22, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary...Show more An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used.Show less
CVE-2020-1956 1Apache 1Kylin Oct 23, 2025 May 22, 2020 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or v...Show more Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.Show less
CVE-2020-13252 1Centreon 1Centreon Nov 21, 2024 May 21, 2020 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphSt...Show more Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page.Show less
CVE-2020-13167 1Netsweeper 1Netsweeper Nov 21, 2024 May 19, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of s...Show more Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.Show less
CVE-2020-11766 2Avantfax Ifax 2Avantfax Hylafax Nov 21, 2024 May 19, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 sendfax.php in iFAX AvantFAX before 3.3.6 and HylaFAX Enterprise Web Interface before 0.2.5 allows authenticated Command Injection.
CVE-2020-2014 1Paloaltonetworks 1Pan Os Nov 21, 2024 May 13, 2020 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An OS Command Injection vulnerability in PAN-OS management server allows authenticated users to inject and execute arbitrary shell commands with root privileges. This issue affects: All versions of PAN-OS 7.1 and 8.0; PA...Show more An OS Command Injection vulnerability in PAN-OS management server allows authenticated users to inject and execute arbitrary shell commands with root privileges. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.7.Show less
CVE-2020-2010 1Paloaltonetworks 1Pan Os Nov 21, 2024 May 13, 2020 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 An OS command injection vulnerability in PAN-OS management interface allows an authenticated administrator to execute arbitrary OS commands with root privileges. This issue affects: All versions of PAN-OS 7.1 and 8.0; PA...Show more An OS command injection vulnerability in PAN-OS management interface allows an authenticated administrator to execute arbitrary OS commands with root privileges. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.7.Show less
CVE-2020-2008 1Paloaltonetworks 1Pan Os Nov 21, 2024 May 13, 2020 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 An OS command injection and external control of filename vulnerability in Palo Alto Networks PAN-OS allows authenticated administrators to execute code with root privileges or delete arbitrary system files and impact the...Show more An OS command injection and external control of filename vulnerability in Palo Alto Networks PAN-OS allows authenticated administrators to execute code with root privileges or delete arbitrary system files and impact the system's integrity or cause a denial of service condition. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14.Show less

Previous 1...227228229...298 Next