CWE-78

5,949 CVEs • Abstraction: Base • Likelihood of Exploit: High

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.


CVEs (5,949)

Vendors (3): Canonical, Debian, Sa Exim Project
Products (3): Debian Linux, Sa Exim, Ubuntu Linux
Updated: Nov 21, 2024 · Published: Dec 22, 2019
CVSS: N/A (v4) · 8.8 HIGH (v3) · 9.0 HIGH (v2)
sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805.

Vendors (1): Treekill Project
Products (1): Treekill
Updated: Nov 21, 2024 · Published: Dec 18, 2019
CVSS: N/A (v4) · 9.8 CRITICAL (v3) · 7.5 HIGH (v2)
A Code Injection exists in treekill on Windows which allows a remote code execution when an attacker is able to control the input into the command.

Vendors (1): Apple
Products (1): Mac Os X
Updated: Nov 21, 2024 · Published: Dec 18, 2019
CVSS: N/A (v4) · 7.8 HIGH (v3) · 7.2 HIGH (v2)
This issue was addressed with improved checks. This issue is fixed in macOS Mojave 10.14.4. A local user may be able to execute arbitrary shell commands.

Vendors (1): Trendnet
Products (3): Tew 651br Firmware, Tew 652brp Firmware, Tew 652bru Firmware
Updated: Nov 21, 2024 · Published: Dec 18, 2019
CVSS: N/A (v4) · 9.8 CRITICAL (v3) · 10.0 HIGH (v2)
An issue was discovered on TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12 devices. OS command injection occurs through the get_set.ccp lanHostCfg_HostName_1.1.1.0.0 parameter.

Vendors (1): Barco
Products (3): Clickshare Cs 100 Firmware, Clickshare Cse 200 Firmware, Clickshare Cse 800 Firmware
Updated: Nov 21, 2024 · Published: Dec 16, 2019
CVSS: N/A (v4) · 9.8 CRITICAL (v3) · 10.0 HIGH (v2)
Barco ClickShare Button R9861500D01 devices before 1.9.0 allow OS Command Injection. The embedded 'dongle_bridge' program used to expose the functionalities of the ClickShare Button to a USB host, is vulnerable to OS command injection vulnerabilities. These vulnerabilities could lead to code execution on the ClickShare Button with the privileges of the user 'nobody'.

Vendors (2): Petwant, Skymee
Products (2): Petalk Ai Firmware, Pf 103 Firmware
Updated: Nov 21, 2024 · Published: Dec 13, 2019
CVSS: N/A (v4) · 9.8 CRITICAL (v3) · 10.0 HIGH (v2)
The processCommandUploadLog() function of libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user.

Vendors (2): Petwant, Skymee
Products (2): Petalk Ai Firmware, Pf 103 Firmware
Updated: Nov 21, 2024 · Published: Dec 13, 2019
CVSS: N/A (v4) · 9.8 CRITICAL (v3) · 10.0 HIGH (v2)
The processCommandSetMac() function of libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user.

Vendors (2): Petwant, Skymee
Products (2): Petalk Ai Firmware, Pf 103 Firmware
Updated: Nov 21, 2024 · Published: Dec 13, 2019
CVSS: N/A (v4) · 9.8 CRITICAL (v3) · 10.0 HIGH (v2)
processCommandSetUid() in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user.

Vendors (2): Petwant, Skymee
Products (2): Petalk Ai Firmware, Pf 103 Firmware
Updated: Nov 21, 2024 · Published: Dec 13, 2019
CVSS: N/A (v4) · 9.8 CRITICAL (v3) · 10.0 HIGH (v2)
processCommandUpgrade() in libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user.

Vendors (2): Apache, Debian
Products (2): Debian Linux, Spamassassin
Updated: Nov 21, 2024 · Published: Dec 12, 2019
CVSS: N/A (v4) · 6.7 MEDIUM (v3) · 7.2 HIGH (v2)
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places.

Vendors (1): Amazon
Products (1): Blink Xt2 Sync Module Firmware
Updated: Nov 21, 2024 · Published: Dec 11, 2019
CVSS: N/A (v4) · 9.8 CRITICAL (v3) · 9.3 HIGH (v2)
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when retrieving internal network configuration data.

Vendors (1): Amazon
Products (1): Blink Xt2 Sync Module Firmware
Updated: Nov 21, 2024 · Published: Dec 11, 2019
CVSS: N/A (v4) · 8.8 HIGH (v3) · 8.3 HIGH (v2)
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the devices wifi configuration via the bssid parameter.

Vendors (1): Amazon
Products (1): Blink Xt2 Sync Module Firmware
Updated: Nov 21, 2024 · Published: Dec 11, 2019
CVSS: N/A (v4) · 8.8 HIGH (v3) · 8.3 HIGH (v2)
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the devices wifi configuration via the key parameter.

Vendors (1): Amazon
Products (1): Blink Xt2 Sync Module Firmware
Updated: Nov 21, 2024 · Published: Dec 11, 2019
CVSS: N/A (v4) · 8.8 HIGH (v3) · 8.3 HIGH (v2)
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the devices wifi configuration via the encryption parameter.

Vendors (1): Amazon
Products (1): Blink Xt2 Sync Module Firmware
Updated: Nov 21, 2024 · Published: Dec 11, 2019
CVSS: N/A (v4) · 8.8 HIGH (v3) · 8.3 HIGH (v2)
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the devices wifi configuration via the ssid parameter.

Vendors (1): Redhat
Products (1): Openshift
Updated: Nov 21, 2024 · Published: Dec 11, 2019
CVSS: N/A (v4) · 8.8 HIGH (v3) · 9.0 HIGH (v2)
Openshift has shell command injection flaws due to unsanitized data being passed into shell commands.

Vendors (1): Ibm
Products (1): Spectrum Scale
Updated: Nov 21, 2024 · Published: Dec 11, 2019
CVSS: N/A (v4) · 8.8 HIGH (v3) · 9.0 HIGH (v2)
IBM Spectrum Scale 4.2 and 5.0 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 172093.

Vendors (4): Debian, Fedoraproject, Git Scm, +1 more
Products (4): Debian Linux, Fedora, Git, +1 more
Updated: Nov 21, 2024 · Published: Dec 11, 2019
CVSS: N/A (v4) · 7.8 HIGH (v3) · 9.3 HIGH (v2)
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.

Vendors (6): Canonical, Debian, Fedoraproject, +3 more
Products (6): Debian Linux, Fedora, Leap, +3 more
Updated: Nov 21, 2024 · Published: Dec 10, 2019
CVSS: N/A (v4) · 8.8 HIGH (v3) · 9.3 HIGH (v2)
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.

Vendors (1): Yachtcontrol
Products (1): Yachtcontrol
Updated: Nov 21, 2024 · Published: Dec 10, 2019
CVSS: N/A (v4) · 9.8 CRITICAL (v3) · 10.0 HIGH (v2)
Yachtcontrol through 2019-10-06: It's possible to perform direct Operating System commands as an unauthenticated user via the "/pages/systemcall.php?command={COMMAND}" page and parameter, where {COMMAND} will be executed and returning the results to the client. Affects Yachtcontrol webservers disclosed via Dutch GPRS/4G mobile IP-ranges. IP addresses vary due to DHCP client leasing of telco's.