Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,947)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-13640 1Qbittorrent 1Qbittorrent Nov 21, 2024 Jul 17, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as...Show more In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.Show less
CVE-2019-12992 1Citrix 2Netscaler Sd Wan Sd Wan Nov 21, 2024 Jul 16, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 6 of 6).
CVE-2019-12991 1Citrix 2Netscaler Sd Wan Sd Wan Nov 6, 2025 Jul 16, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).
CVE-2019-12988 1Citrix 2Netscaler Sd Wan Sd Wan Nov 21, 2024 Jul 16, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 4 of 6).
CVE-2019-12987 1Citrix 2Netscaler Sd Wan Sd Wan Nov 21, 2024 Jul 16, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 3 of 6).
CVE-2019-12986 1Citrix 2Netscaler Sd Wan Sd Wan Nov 21, 2024 Jul 16, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 2 of 6).
CVE-2019-12985 1Citrix 2Netscaler Sd Wan Sd Wan Nov 21, 2024 Jul 16, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 1 of 6).
CVE-2019-1576 1Paloaltonetworks 1Pan Os Nov 21, 2024 Jul 16, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Command injection in PAN-0S 9.0.2 and earlier may allow an authenticated attacker to gain access to a remote shell in PAN-OS, and potentially run with the escalated user’s permissions.
CVE-2019-13598 1Getvera 1Vera Edge Firmware Nov 21, 2024 Jul 14, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 LuaUPnP in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via the code parameter to /port_3480/data_request because the "No unsafe lua allowed" code block is skipp...Show more LuaUPnP in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via the code parameter to /port_3480/data_request because the "No unsafe lua allowed" code block is skipped.Show less
CVE-2019-13597 1Sahipro 1Sahi Pro Nov 21, 2024 Jul 14, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 _s_/sprm/_s_/dyn/Player_setScriptFile in Sahi Pro 8.0.0 allows command execution. It allows one to run ".sah" scripts via Sahi Launcher. Also, one can create a new script with an editor. It is possible to execute command...Show more _s_/sprm/_s_/dyn/Player_setScriptFile in Sahi Pro 8.0.0 allows command execution. It allows one to run ".sah" scripts via Sahi Launcher. Also, one can create a new script with an editor. It is possible to execute commands on the server using the _execute() function.Show less
CVE-2019-13567 1Zoom 1Zoom Nov 21, 2024 Jul 12, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The Zoom Client before 4.4.53932.0709 on macOS allows remote code execution, a different vulnerability than CVE-2019-13450. If the ZoomOpener daemon (aka the hidden web server) is running, but the Zoom Client is not inst...Show more The Zoom Client before 4.4.53932.0709 on macOS allows remote code execution, a different vulnerability than CVE-2019-13450. If the ZoomOpener daemon (aka the hidden web server) is running, but the Zoom Client is not installed or can't be opened, an attacker can remotely execute code with a maliciously crafted launch URL. NOTE: ZoomOpener is removed by the Apple Malware Removal Tool (MRT) if this tool is enabled and has the 2019-07-10 MRTConfigData.Show less
CVE-2019-13574 2Debian Minimagick Project 2Debian Linux Minimagick Nov 21, 2024 Jul 12, 2019 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '\|' character follo...Show more In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '\|' character followed by a command.Show less
CVE-2019-12579 1Londontrustmedia 1Private Internet Access Vpn Client Nov 21, 2024 Jul 11, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The PIA Linux/macOS...Show more A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux and macOS could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The PIA Linux/macOS binary openvpn_launcher.64 binary is setuid root. This binary accepts several parameters to update the system configuration. These parameters are passed to operating system commands using a "here" document. The parameters are not sanitized, which allow for arbitrary commands to be injected using shell metacharacters. A local unprivileged user can pass special crafted parameters that will be interpolated by the operating system calls.Show less
CVE-2019-11062 1Sun.net 1Wmpro Nov 21, 2024 Jul 11, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The SUNNET WMPro v5.0 and v5.1 for eLearning system has OS Command Injection via "/teach/course/doajaxfileupload.php". The target server can be exploited without authentication.
CVE-2019-13561 1Dlink 1Dir 655 Firmware Nov 21, 2024 Jul 11, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to execute arbitrary commands via shell metacharacters in the online_firmware_check.cgi check_fw_url parameter.
CVE-2019-13482 1Dlink 1Dir 818l(w) Firmware Nov 21, 2024 Jul 10, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered on D-Link DIR-818LW devices with firmware 2.06betab01. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the Type field to SetWanSettings.
CVE-2019-13481 1Dlink 1Dir 818l(w) Firmware Nov 21, 2024 Jul 10, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered on D-Link DIR-818LW devices with firmware 2.06betab01. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the MTU field to SetWanSettings.
CVE-2019-0328 1Sap 1Netweaver Process Integration Nov 21, 2024 Jul 10, 2019 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 ABAP Tests Modules (SAP Basis, versions 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) of SAP NetWeaver Process Integration enables an attacker the execution of OS commands with privileged rights. An attacker could thereby impact the in...Show more ABAP Tests Modules (SAP Basis, versions 7.0, 7.1, 7.3, 7.31, 7.4, 7.5) of SAP NetWeaver Process Integration enables an attacker the execution of OS commands with privileged rights. An attacker could thereby impact the integrity and availability of the system.Show less
CVE-2019-13278 1Trendnet 1Tew 827dru Firmware Nov 21, 2024 Jul 10, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains multiple command injections when processing user input for the setup wizard, allowing an unauthenticated user to run arbitrary commands on the device...Show more TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains multiple command injections when processing user input for the setup wizard, allowing an unauthenticated user to run arbitrary commands on the device. The vulnerability can be exercised on the local intranet or remotely if remote administration is enabled.Show less
CVE-2018-14495 1Vivotek 1Fd8136 Firmware Nov 21, 2024 Jul 10, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Vivotek FD8136 devices allow Remote Command Injection, aka "another command injection vulnerability in our target device," a different issue than CVE-2018-14494. NOTE: The vendor has disputed this as a vulnerability and...Show more Vivotek FD8136 devices allow Remote Command Injection, aka "another command injection vulnerability in our target device," a different issue than CVE-2018-14494. NOTE: The vendor has disputed this as a vulnerability and states that the issue does not cause a web server crash or have any other affect on it's performanceShow less

Previous 1...250251252...298 Next