VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

ClassDraftLikelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 13 of 78
  • CVE-2024-33439CriNov 20, 2024
    risk 0.59cvss 9.1epss 0.01

    An issue in Kasda LinkSmart Router KW5515 v1.7 and before allows an authenticated remote attacker to execute arbitrary OS commands via cgi parameters.

  • CVE-2024-29292CriNov 20, 2024
    risk 0.59cvss 9.1epss 0.01

    Multiple OS Command Injection vulnerabilities affecting Kasda LinkSmart Router KW6512 <= v1.3 enable an authenticated remote attacker to execute arbitrary OS commands via various cgi parameters.

  • CVE-2024-47460CriNov 5, 2024
    risk 0.59cvss 9.0epss 0.01

    Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability…

  • CVE-2024-48145CriOct 24, 2024
    risk 0.59cvss 9.1epss 0.01

    A prompt injection vulnerability in the chatbox of Netangular Technologies ChatNet AI Version v1.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message.

  • CVE-2024-48144CriOct 24, 2024
    risk 0.59cvss 9.1epss 0.01

    A prompt injection vulnerability in the chatbox of Fusion Chat Chat AI Assistant Ask Me Anything v1.2.4.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message.

  • CVE-2017-16034criSep 1, 2020
    risk 0.59cvss epss 0.00

    Affected versions of `pidusage` pass unsanitized input to `child_process.exec()`, resulting in arbitrary code execution in the `ps` method. This package is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable. ## Proof of Concept…

  • CVE-2015-4130criAug 31, 2020
    risk 0.59cvss epss 0.01

    Versions of `ungit` prior to 0.9.0 are affected by a command injection vulnerability in the `url` parameter. ## Recommendation Update version 0.9.0 or later.

  • CVE-2018-1111HigMay 17, 2018
    risk 0.59cvss 7.5epss 0.94

    DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses,…

  • CVE-2017-14081HigSep 22, 2017
    risk 0.59cvss 8.8epss 0.17

    Proxy command injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations.

  • CVE-2024-30213HigJul 12, 2024
    risk 0.58cvss 8.8epss 0.01

    StoneFly Storage Concentrator (SC and SCVM) before 8.0.4.26 allows remote authenticated users to achieve Command Injection via a Ping URL, leading to remote code execution.

  • CVE-2024-5035HigMay 27, 2024
    risk 0.58cvss epss 0.03

    The affected device expose a network service called "rftest" that is vulnerable to unauthenticated command injection on ports TCP/8888, TCP/8889, and TCP/8890. By successfully exploiting this flaw, remote unauthenticated attacker can gain arbitrary command execution on the…

  • CVE-2021-3855HigMar 1, 2023
    risk 0.58cvss 8.8epss 0.02

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Liman Central Management System Liman MYS (HTTP/Controllers, CronMail, Jobs modules) allows Command Injection. This issue affects Liman Central Management System: from 1.7.0…

  • CVE-2018-14649CriOct 9, 2018
    risk 0.58cvss 9.8epss 0.12

    It was found that ceph-isci-cli package as shipped by Red Hat Ceph Storage 2 and 3 is using python-werkzeug in debug shell mode. This is done by setting debug=True in file /usr/bin/rbd-target-api provided by ceph-isci-cli package. This allows unauthenticated attackers to access…

  • CVE-2018-0431HigOct 5, 2018
    risk 0.58cvss 8.8epss 0.04

    A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device. The vulnerability is due to…

  • CVE-2018-0430HigOct 5, 2018
    risk 0.58cvss 8.8epss 0.04

    A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an authenticated, remote attacker to inject and execute arbitrary commands with root privileges on an affected device. The vulnerability is due to…

  • CVE-2018-0424HigOct 5, 2018
    risk 0.58cvss 8.8epss 0.04

    A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an authenticated, remote attacker to execute arbitrary commands. The…

  • CVE-2016-9044HigSep 7, 2018
    risk 0.58cvss 8.8epss 0.04

    An exploitable command execution vulnerability exists in Information Builders WebFOCUS Business Intelligence Portal 8.1 . A specially crafted web parameter can cause a command injection. An authenticated attacker can send a crafted web request to trigger this vulnerability.

  • CVE-2018-3786CriAug 24, 2018
    risk 0.58cvss 9.8epss 0.12

    A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument.

  • CVE-2018-0427HigAug 15, 2018
    risk 0.58cvss 8.8epss 0.06

    A vulnerability in the CronJob scheduler API of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to perform a command injection attack. The vulnerability is due to incorrect input validation of user-supplied data. An attacker could…

  • CVE-2018-0341HigJul 16, 2018
    risk 0.58cvss 8.8epss 0.06

    A vulnerability in the web-based UI of Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware before 11.2(1) could allow an authenticated, remote attacker to perform a command injection and execute commands with the privileges of the web server. The vulnerability…