Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,883)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2014-2507 1Emc 1Documentum Content Server May 6, 2026 Jun 8, 2014 N/A· v4 N/A· v3 8.5 HIGH· v2 EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05 allows remote authenticated users to execute arbitrary commands via shell metacharacters in arguments to unspecifie...Show more EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05 allows remote authenticated users to execute arbitrary commands via shell metacharacters in arguments to unspecified methods.Show less
CVE-2014-2959 2Dell Quantum 4Powervault Ml6000 Powervault Ml6000 FirmwareScalar I500+1 more May 6, 2026 Jun 2, 2014 N/A· v4 N/A· v3 9.0 HIGH· v2 logViewer.htm on the Dell ML6000 tape backup system with firmware before i8.2.0.2 (641G.GS103) and the Quantum Scalar i500 tape backup system with firmware before i8.2.2.1 (646G.GS002) allows remote attackers to execute...Show more logViewer.htm on the Dell ML6000 tape backup system with firmware before i8.2.0.2 (641G.GS103) and the Quantum Scalar i500 tape backup system with firmware before i8.2.2.1 (646G.GS002) allows remote attackers to execute arbitrary commands via shell metacharacters in a pathname parameter.Show less
CVE-2013-2090 1Uplawski 1Creme Fraiche May 6, 2026 May 27, 2014 N/A· v4 N/A· v3 9.3 HIGH· v2 The set_meta_data function in lib/cremefraiche.rb in the Creme Fraiche gem before 0.6.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the file name of an email attachment. NO...Show more The set_meta_data function in lib/cremefraiche.rb in the Creme Fraiche gem before 0.6.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the file name of an email attachment. NOTE: some of these details are obtained from third party information.Show less
CVE-2013-1668 1Coscms 1Coscms May 6, 2026 May 23, 2014 N/A· v4 N/A· v3 8.5 HIGH· v2 The uploadFile function in upload/index.php in CosCMS before 1.822 allows remote administrators to execute arbitrary commands via shell metacharacters in the name of an uploaded file.
CVE-2012-1166 1Canonical 2Ltsp Display Manager Ubuntu Linux May 6, 2026 May 21, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 The default keybindings for wwm in LTSP Display Manager (ldm) 2.2.x before 2.2.7 allow remote attackers to execute arbitrary commands via the KP_RETURN keybinding, which launches a terminal window.
CVE-2014-3121 1Marc Lehmann 1Rxvt Unicode May 6, 2026 May 14, 2014 N/A· v4 N/A· v3 7.6 HIGH· v2 rxvt-unicode before 9.20 does not properly handle OSC escape sequences, which allows user-assisted remote attackers to manipulate arbitrary X window properties and execute arbitrary commands.
CVE-2014-2935 1Caldera 1Caldera May 6, 2026 May 8, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 costview3/xmlrpc_server/xmlrpc.php in CostView in Caldera 9.20 allows remote attackers to execute arbitrary commands via shell metacharacters in a methodCall element in a PHP XMLRPC request.
CVE-2014-2565 1Bluecoat 2Content Analysis System Content Analysis System Software May 6, 2026 Apr 30, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 The commandline interface in Blue Coat Content Analysis System (CAS) 1.1 before 1.1.4.2 allows remote administrators to execute arbitrary commands via unspecified vectors, related to "command injection."
CVE-2013-7259 1Neo4j 1Neo4j May 6, 2026 Apr 29, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Multiple cross-site request forgery (CSRF) vulnerabilities in Neo4J 1.9.2 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary code, as demonstrated by a request to (1...Show more Multiple cross-site request forgery (CSRF) vulnerabilities in Neo4J 1.9.2 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary code, as demonstrated by a request to (1) db/data/ext/GremlinPlugin/graphdb/execute_script or (2) db/manage/server/console/.Show less
CVE-2014-3008 1Unitrends 1Enterprise Backup May 6, 2026 Apr 28, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 Unitrends Enterprise Backup 7.3.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the comm parameter to recoveryconsole/bpl/snmpd.php.
CVE-2014-3007 2Python Pythonware 2Pillow Python Imaging Library May 6, 2026 Apr 27, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py...Show more Python Image Library (PIL) 1.1.7 and earlier and Pillow 2.3 might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.Show less
CVE-2013-5948 2Asus T Mobile 3Rt Ac68u Rt Ac68u FirmwareTm Ac1900 May 6, 2026 Apr 22, 2014 N/A· v4 N/A· v3 8.5 HIGH· v2 The Network Analysis tab (Main_Analysis_Content.asp) in the ASUS RT-AC68U and other RT series routers with firmware before 3.0.0.4.374.5047 allows remote authenticated users to execute arbitrary commands via shell metach...Show more The Network Analysis tab (Main_Analysis_Content.asp) in the ASUS RT-AC68U and other RT series routers with firmware before 3.0.0.4.374.5047 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the Target field (destIP parameter).Show less
CVE-2014-2707 1Linuxfoundation 1Cups Filters May 6, 2026 Apr 17, 2014 N/A· v4 N/A· v3 8.3 HIGH· v2 cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the (1) model or (2) PDL, related to "System V interface scripts generated for queues...Show more cups-browsed in cups-filters 1.0.41 before 1.0.51 allows remote IPP printers to execute arbitrary commands via shell metacharacters in the (1) model or (2) PDL, related to "System V interface scripts generated for queues."Show less
CVE-2014-2874 1Paperthin 1Commonspot Content Server May 6, 2026 Apr 15, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to execute arbitrary code via shell metacharacters in an unspecified context.
CVE-2014-0359 1Xangati 2Xangati Software Release Xangati Xnr May 6, 2026 Apr 15, 2014 N/A· v4 N/A· v3 9.0 HIGH· v2 Xangati XSR before 11 and XNR before 7 allows remote attackers to execute arbitrary commands via shell metacharacters in a gui_input_test.pl params parameter to servlet/Installer.
CVE-2014-0356 1Zyxel 2N300 Netusb Nbg 419n N300 Netusb Nbg 419n Firmware May 6, 2026 Apr 15, 2014 N/A· v4 N/A· v3 7.9 HIGH· v2 The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allows remote attackers to execute arbitrary code via shell metacharacters in input to the (1) detectWeather, (2) set_language, (3) SystemCommand...Show more The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allows remote attackers to execute arbitrary code via shell metacharacters in input to the (1) detectWeather, (2) set_language, (3) SystemCommand, or (4) NTPSyncWithHost function in management.c, or a (5) SET COUNTRY, (6) SET WLAN SSID, (7) SET WLAN CHANNEL, (8) SET WLAN STATUS, or (9) SET WLAN COUNTRY udps command.Show less
CVE-2014-2850 1Sophos 2Web Appliance Web Appliance Firmware May 6, 2026 Apr 11, 2014 N/A· v4 N/A· v3 8.5 HIGH· v2 The network interface configuration page (netinterface) in Sophos Web Appliance before 3.8.2 allows remote administrators to execute arbitrary commands via shell metacharacters in the address parameter.
CVE-2014-1982 1Alliedtelesis 8At Rg634a At Rg634a FirmwareImg616lh+5 more May 6, 2026 Mar 31, 2014 N/A· v4 N/A· v3 10.0 HIGH· v2 The administrative interface in Allied Telesis AT-RG634A ADSL Broadband router 3.3+, iMG624A firmware 3.5, iMG616LH firmware 2.4, and iMG646BD firmware 3.5 allows remote attackers to gain privileges and execute arbitrary...Show more The administrative interface in Allied Telesis AT-RG634A ADSL Broadband router 3.3+, iMG624A firmware 3.5, iMG616LH firmware 2.4, and iMG646BD firmware 3.5 allows remote attackers to gain privileges and execute arbitrary commands via a direct request to cli.html.Show less
CVE-2014-0887 1Ibm 1Lotus Protector For Mail Security May 6, 2026 Mar 25, 2014 N/A· v4 N/A· v3 7.1 HIGH· v2 The Admin Web UI in IBM Lotus Protector for Mail Security 2.8.x before 2.8.1-22905 allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors.
CVE-2014-0886 1Ibm 1Lotus Protector For Mail Security May 6, 2026 Mar 25, 2014 N/A· v4 N/A· v3 7.1 HIGH· v2 The Admin Web UI in IBM Lotus Protector for Mail Security 2.8.x before 2.8.1-22905 allows remote authenticated users to bypass intended access restrictions and execute arbitrary commands via unspecified vectors.

Previous 1...287288289...295 Next