Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,947)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-12313 1Asustor 1Data Master Nov 21, 2024 Dec 4, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 OS command injection in snmp.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands without authentication via the "rocommunity" URL parameter.
CVE-2018-12312 1Asustor 1Data Master Nov 21, 2024 Dec 4, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "secret_key" URL parameter.
CVE-2018-12307 1Asustor 1Data Master Nov 21, 2024 Dec 4, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 OS command injection in user.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands as root via the "name" POST parameter.
CVE-2018-4021 1Netgate 1Pfsense Nov 21, 2024 Dec 3, 2018 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitra...Show more An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_battery_mode` POST parameter.Show less
CVE-2018-4020 1Netgate 1Pfsense Nov 21, 2024 Dec 3, 2018 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitra...Show more An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_ac_mode` POST parameter parameter.Show less
CVE-2018-4019 1Netgate 1Pfsense Nov 21, 2024 Dec 3, 2018 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitra...Show more An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_normal_mode` parameter.Show less
CVE-2018-14706 1Drobo 15n2 Firmware Nov 21, 2024 Dec 3, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request.
CVE-2018-14701 1Drobo 15n2 Firmware Nov 21, 2024 Dec 3, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
CVE-2018-14699 1Drobo 15n2 Firmware Nov 21, 2024 Dec 3, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
CVE-2018-16863 2Artifex Redhat 7Enterprise Linux Desktop Enterprise Linux ServerEnterprise Linux Server Aus+4 more Nov 21, 2024 Dec 3, 2018 N/A· v4 7.8 HIGH· v3 9.3 HIGH· v2 It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An attacker could possibly exploit another variant of the flaw and bypass the -dSAFER protection to, for example, execute arbitrary shell commands via a...Show more It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An attacker could possibly exploit another variant of the flaw and bypass the -dSAFER protection to, for example, execute arbitrary shell commands via a specially crafted PostScript document. This only affects ghostscript 9.07 as shipped with Red Hat Enterprise Linux 7.Show less
CVE-2018-15716 1Nuuo 1Nvrmini2 Firmware Nov 21, 2024 Nov 30, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 NUUO NVRMini2 version 3.9.1 is vulnerable to authenticated remote command injection. An attacker can send crafted requests to upgrade_handle.php to execute OS commands as root.
CVE-2018-19290 1Budabot 1Budabot Nov 21, 2024 Nov 30, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation allows remote attackers to perform a command injection attack against the PHP daemon with a crafted command, resulting in a denial of service or...Show more In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation allows remote attackers to perform a command injection attack against the PHP daemon with a crafted command, resulting in a denial of service or possibly unspecified other impact, as demonstrated by the "!calc 5 x 5" command. In versions before 3.0, modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above, modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code.Show less
CVE-2018-19646 1Imperva 1Securesphere Nov 21, 2024 Nov 28, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The Python CGI scripts in PWS in Imperva SecureSphere 13.0.10, 13.1.10, and 13.2.10 allow remote attackers to execute arbitrary OS commands because command-line arguments are mishandled.
CVE-2018-13418 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter.
CVE-2018-13358 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter.
CVE-2018-13354 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event" parameter.
CVE-2018-13353 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter.
CVE-2018-13338 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation.
CVE-2018-13336 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation.
CVE-2018-13330 1Terra Master 1Terramaster Operating System Nov 21, 2024 Nov 27, 2018 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter.

Previous 1...262263264...298 Next