Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,947)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-14494 1Vivotek 1Fd8136 Firmware Nov 21, 2024 Jul 10, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Vivotek FD8136 devices allow Remote Command Injection, related to BusyBox and wget. NOTE: the vendor sent a clarification on 2019-09-17 explaining that, although this CVE was first populated in July 2019, it is a histori...Show more Vivotek FD8136 devices allow Remote Command Injection, related to BusyBox and wget. NOTE: the vendor sent a clarification on 2019-09-17 explaining that, although this CVE was first populated in July 2019, it is a historical vulnerability that does not apply to any current or recent Vivotek hardware or firmwareShow less
CVE-2019-13398 1Fortinet 1Fcm Mb40 Firmware Nov 21, 2024 Jul 8, 2019 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrl_save_profile.cgi (save parameter) and...Show more Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrl_save_profile.cgi (save parameter) and cgi-bin/ddns.cgi.Show less
CVE-2019-1893 1Cisco 1Enterprise Nfv Infrastructure Software Nov 21, 2024 Jul 6, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device as root. Th...Show more A vulnerability in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device as root. The vulnerability is due to insufficient input validation of a configuration file that is accessible to a local shell user. An attacker could exploit this vulnerability by including malicious input during the execution of this file. A successful exploit could allow the attacker to execute arbitrary commands on the underlying OS as root.Show less
CVE-2018-14860 1Odoo 1Odoo Nov 21, 2024 Jul 3, 2019 N/A· v4 9.1 CRITICAL· v3 9.0 HIGH· v2 Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute ar...Show more Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system.Show less
CVE-2018-11215 1Cloudera 1Data Science Workbench Nov 21, 2024 Jul 3, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Remote code execution is possible in Cloudera Data Science Workbench version 1.3.0 and prior releases via unspecified attack vectors.
CVE-2019-6621 1F5 14Big Ip Access Policy Manager Big Ip Advanced Firewall ManagerBig Ip Analytics+11 more Nov 21, 2024 Jul 2, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable t...Show more On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection by an admin/resource admin user. This issue impacts both iControl REST and tmsh implementations.Show less
CVE-2019-6620 1F5 14Big Ip Access Policy Manager Big Ip Advanced Firewall ManagerBig Ip Analytics+11 more Nov 21, 2024 Jul 2, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4 and BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, an undisclosed iControl REST worker vulnerable to command injection for an Administr...Show more On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4 and BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, an undisclosed iControl REST worker vulnerable to command injection for an Administrator user.Show less
CVE-2019-7256 1Nortekcontrol 2Linear Emerge Elite Firmware Linear Emerge Essential Firmware Nov 6, 2025 Jul 2, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Linear eMerge E3-Series devices allow Command Injections.
CVE-2019-7269 1Nortekcontrol 2Linear Emerge 5000p Firmware Linear Emerge 50p Firmware Nov 21, 2024 Jul 2, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Linear eMerge 50P/5000P devices allow Authenticated Command Injection with root Code Execution.
CVE-2019-13155 1Trendnet 1Tew 827dru Firmware Nov 21, 2024 Jul 2, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. There is a command injection in apply.cgi (exploitable with authentication) via the IP Address in Add Virtual Server.
CVE-2019-13154 1Trendnet 1Tew 827dru Firmware Nov 21, 2024 Jul 2, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. There is a command injection in apply.cgi (exploitable with authentication) via the TCP Ports To Open in Add Gaming Rule.
CVE-2019-13153 1Trendnet 1Tew 827dru Firmware Nov 21, 2024 Jul 2, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. There is a command injection in apply.cgi (exploitable with authentication) via the Private Port in Add Virtual Server.
CVE-2019-13151 1Trendnet 1Tew 827dru Firmware Nov 21, 2024 Jul 2, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. There is a command injection in apply.cgi (exploitable with authentication) via the action set_sta_enrollee_pin_5g and the key wps_sta_enrollee_pin.
CVE-2019-13149 1Trendnet 1Tew 827dru Firmware Nov 21, 2024 Jul 2, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11. There is a command injection in apply.cgi (exploitable with authentication) via the key passwd in Routing RIP Settings.
CVE-2019-7670 1Primasystems 1Flexair Nov 21, 2024 Jul 1, 2019 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Prima Systems FlexAir, Versions 2.3.38 and prior. The application incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component, which could allow attackers...Show more Prima Systems FlexAir, Versions 2.3.38 and prior. The application incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component, which could allow attackers to execute commands directly on the operating system.Show less
CVE-2019-13128 1Dlink 1Dir 823g Firmware Nov 21, 2024 Jul 1, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the IPAddress or Gateway field to SetStaticRou...Show more An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. There is a command injection in HNAP1 (exploitable with Authentication) via shell metacharacters in the IPAddress or Gateway field to SetStaticRouteSettings.Show less
CVE-2019-11829 1Synology 1Calendar Nov 21, 2024 Jun 30, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via the crafted 'X-Real-IP' header.
CVE-2019-12997 1Icon 1Loopchain Nov 21, 2024 Jun 28, 2019 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 In Loopchain through 2.2.1.3, an attacker can escalate privileges from a low-privilege shell by changing the environment (aka injection in the DEFAULT_SCORE_HOST environment variable).
CVE-2019-3631 1Mcafee 1Enterprise Security Manager Nov 21, 2024 Jun 27, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Command Injection vulnerability in McAfee Enterprise Security Manager (ESM) prior to 11.2.0 and prior to 10.4.0 allows authenticated user to execute arbitrary code via specially crafted parameters.
CVE-2019-3630 1Mcafee 1Enterprise Security Manager Nov 21, 2024 Jun 27, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Command Injection vulnerability in McAfee Enterprise Security Manager (ESM) prior to 11.2.0 and prior to 10.4.0 allows authenticated user to execute arbitrary code via specially crafted parameters.

Previous 1...251252253...298 Next