Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,885)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-2846 1Foscam 1C1 Indoor Hd Camera Firmware May 13, 2026 Jun 29, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configu...Show more In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.Show less
CVE-2017-2845 1Foscam 1C1 Indoor Hd Camera Firmware May 13, 2026 Jun 29, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user t...Show more An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during the SMTP configuration tests resulting in command executionShow less
CVE-2017-2844 1Foscam 1C1 Indoor Hd Camera Firmware May 13, 2026 Jun 29, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resul...Show more In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resulting in command execution. An attacker can simply send an HTTP request to the device to trigger this vulnerability.Show less
CVE-2017-2843 1Foscam 1C1 Indoor Hd Camera Firmware May 13, 2026 Jun 27, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In the web management interface in Foscam C1 Indoor HD Camera running application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file res...Show more In the web management interface in Foscam C1 Indoor HD Camera running application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resulting in command execution. An attacker can simply send an HTTP request to the device to trigger this vulnerability.Show less
CVE-2017-2842 1Foscam 1C1 Indoor Hd Camera Firmware May 13, 2026 Jun 27, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In the web management interface in Foscam C1 Indoor HD Camera running application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file res...Show more In the web management interface in Foscam C1 Indoor HD Camera running application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resulting in command execution. An attacker can simply send an HTTP request to the device to trigger this vulnerability.Show less
CVE-2017-2841 1Foscam 1C1 Indoor Hd Camera Firmware May 13, 2026 Jun 27, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user t...Show more An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary data in the "msmtprc" configuration file resulting in command execution. An attacker can simply send an HTTP request to the device to trigger this vulnerability.Show less
CVE-2017-9828 1Vivotek 3Network Camera Fd8164 Firmware Network Camera Fd816ba FirmwareNetwork Camera Ib8369 Firmware May 13, 2026 Jun 23, 2017 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 '/cgi-bin/admin/testserver.cgi' of the web service in most of the VIVOTEK Network Cameras is vulnerable to shell command injection, which allows remote attackers to execute any shell command as root via a crafted HTTP re...Show more '/cgi-bin/admin/testserver.cgi' of the web service in most of the VIVOTEK Network Cameras is vulnerable to shell command injection, which allows remote attackers to execute any shell command as root via a crafted HTTP request. This vulnerability is already verified on VIVOTEK Network Camera IB8369/FD8164/FD816BA; most others have similar firmware that may be affected. An attack uses shell metacharacters in the senderemail parameter.Show less
CVE-2017-2828 1Foscam 1C1 Indoor Hd Camera Firmware May 13, 2026 Jun 21, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user t...Show more An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during account creation resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.Show less
CVE-2017-2827 1Foscam 1C1 Indoor Hd Camera Firmware May 13, 2026 Jun 21, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user t...Show more An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during account creation resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.Show less
CVE-2017-9757 1Ipfire 1Ipfire May 13, 2026 Jun 19, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi via the OINKCODE parameter, which is mishandled by a shell. This can be exploited directly by authenticated users, or through CSRF.
CVE-2017-9736 1Spip 1Spip May 13, 2026 Jun 17, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.
CVE-2017-6683 1Cisco 1Elastic Services Controller May 13, 2026 Jun 13, 2017 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A vulnerability in the esc_listener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected system, aka an Authenticat...Show more A vulnerability in the esc_listener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected system, aka an Authentication Request Processing Arbitrary Command Execution Vulnerability. More Information: CSCvc76642. Known Affected Releases: 2.2(9.76).Show less
CVE-2017-6682 1Cisco 1Elastic Services Controller May 13, 2026 Jun 13, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to run arbitrary commands as the Linux tomcat user on an affected system. More Information: CSCvc76620....Show more A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to run arbitrary commands as the Linux tomcat user on an affected system. More Information: CSCvc76620. Known Affected Releases: 2.2(9.76).Show less
CVE-2016-7819 1Iodata 2Ts Wrla Firmware Ts Wrlp Firmware May 13, 2026 Jun 9, 2017 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 I-O DATA DEVICE TS-WRLP firmware version 1.01.02 and earlier and TS-WRLA firmware version 1.01.02 and earlier allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.
CVE-2016-7806 1Iodata 1Wfs Sr01 Firmware May 13, 2026 Jun 9, 2017 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 I-O DATA DEVICE WFS-SR01 firmware version 1.10 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
CVE-2017-2824 1Zabbix 1Zabbix May 13, 2026 May 24, 2017 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An atta...Show more An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.Show less
CVE-2017-5173 1Geutebrueck 1Ip Camera G Cam Efd 2250 Firmware May 13, 2026 May 19, 2017 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 An Improper Neutralization of Special Elements (in an OS command) issue was discovered in Geutebruck IP Camera G-Cam/EFD-2250 Version 1.11.0.12. An improper neutralization of special elements vulnerability has been ident...Show more An Improper Neutralization of Special Elements (in an OS command) issue was discovered in Geutebruck IP Camera G-Cam/EFD-2250 Version 1.11.0.12. An improper neutralization of special elements vulnerability has been identified. If special elements are not properly neutralized, an attacker can call multiple parameters that can allow access to the root level operating system which could allow remote code execution.Show less
CVE-2017-8799 1Irods 1Irods May 13, 2026 May 5, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Untrusted input execution via igetwild in all iRODS versions before 4.1.11 and 4.2.1 allows other iRODS users (potentially anonymous) to execute remote shell commands via iRODS virtual pathnames. To exploit this vulnerab...Show more Untrusted input execution via igetwild in all iRODS versions before 4.1.11 and 4.2.1 allows other iRODS users (potentially anonymous) to execute remote shell commands via iRODS virtual pathnames. To exploit this vulnerability, a virtual iRODS pathname that includes a semicolon would be retrieved via igetwild. Because igetwild is a Bash script, the part of the pathname following the semicolon would be executed in the user's shell.Show less
CVE-2017-8768 1Atlassian 1Sourcetree May 13, 2026 May 4, 2017 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme. It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or...Show more Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme. It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command. The Atlassian ID number is SRCTREE-4632.Show less
CVE-2017-7981 2Enalean Phpwiki Project 2Phpwiki Tuleap May 13, 2026 Apr 29, 2017 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 SyntaxHighlighter plugin. This occurs in the Project Wiki component because the proc_open PHP function is used within PhpWiki before 1.5.5 with a syntax v...Show more Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 SyntaxHighlighter plugin. This occurs in the Project Wiki component because the proc_open PHP function is used within PhpWiki before 1.5.5 with a syntax value in its first argument, and an authenticated Tuleap user can control this value, even with shell metacharacters, as demonstrated by a '<?plugin SyntaxHighlighter syntax="c;id"' line to execute the id command.Show less

Previous 1...280281282...295 Next