VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

ClassDraftLikelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 17 of 78
  • CVE-2024-48440HigOct 24, 2024
    risk 0.57cvss 8.8epss 0.02

    Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 was discovered to contain a command injection vulnerability via the component at_command.asp.

  • CVE-2024-44413HigOct 11, 2024
    risk 0.57cvss 8.8epss 0.03

    A vulnerability was discovered in DI_8200-16.07.26A1, which has been classified as critical. This issue affects the upgrade_filter_asp function in the upgrade_filter.asp file. Manipulation of the path parameter can lead to command injection.

  • CVE-2024-44335HigSep 9, 2024
    risk 0.57cvss 8.8epss 0.12

    D-Link DI-7003G v19.12.24A1, DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.04.18D1, DI-7100GV2 v24.04.18D1, DI-7200GV2 v24.04.18E1, DI-7300G+V2 v24.04.18D1, and DI-7400G+V2 v24.04.18D1 are vulnerable to Remote Command Execution (RCE) via version_upgrade.asp.

  • CVE-2024-44334HigSep 9, 2024
    risk 0.57cvss 8.8epss 0.32

    D-Link DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.04.18D1, DI-7100GV2 v24.04.18D1, DI-7200GV2 v24.04.18E1, DI-7300G+V2 v24.04.18D1, and DI-7400G+V2 v24.04.18D1 are vulnerable to Remote Command Execution due to insufficient parameter filtering in the CGI handling function of…

  • CVE-2024-4078CriMay 16, 2024
    risk 0.57cvss 9.8epss 0.01

    A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the…

  • CVE-2023-6999HigApr 9, 2024
    risk 0.57cvss 8.8epss 0.01

    The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Remote Code Exxecution via shortcode in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This makes it possible for authenticated attackers, with…

  • CVE-2024-28041HigMar 25, 2024
    risk 0.57cvss 8.8epss 0.01

    HGW BL1500HM Ver 002.001.013 and earlier allows a network-adjacent unauthenticated attacker to execute an arbitrary command.

  • CVE-2018-0454HigOct 5, 2018
    risk 0.57cvss 8.8epss 0.02

    A vulnerability in the web-based management interface of Cisco Cloud Services Platform 2100 could allow an authenticated, remote attacker to perform command injection. The vulnerability is due to insufficient input validation of command input. An attacker could exploit this…

  • CVE-2018-15356HigAug 17, 2018
    risk 0.57cvss 8.8epss 0.03

    An authenticated attacker can execute arbitrary code using command ejection in Eltex ESP-200 firmware version 1.2.0.

  • CVE-2018-3772CriJul 30, 2018
    risk 0.57cvss 9.8epss 0.03

    Concatenating unsanitized user input in the `whereis` npm module < 0.4.1 allowed an attacker to execute arbitrary commands. The `whereis` module is deprecated and it is recommended to use the `which` npm module instead.

  • CVE-2018-0350HigJul 18, 2018
    risk 0.57cvss 8.8epss 0.03

    A vulnerability in the VPN subsystem configuration in the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit…

  • CVE-2018-1244HigJul 2, 2018
    risk 0.57cvss 8.8epss 0.03

    Dell EMC iDRAC7/iDRAC8, versions prior to 2.60.60.60, and iDRAC9 versions prior to 3.21.21.21 contain a command injection vulnerability in the SNMP agent. A remote authenticated malicious iDRAC user with configuration privileges could potentially exploit this vulnerability to…

  • CVE-2018-5428HigJun 20, 2018
    risk 0.57cvss 8.8epss 0.03

    The version control adapters component of TIBCO Data Virtualization (formerly known as Cisco Information Server) contains vulnerabilities that may allow for arbitrary command execution. Affected releases are TIBCO Data Virtualization: 7.0.5; 7.0.6.

  • CVE-2017-16100CriJun 7, 2018
    risk 0.57cvss 9.8epss 0.05

    dns-sync is a sync/blocking dns resolver. If untrusted user input is allowed into the resolve() method then command injection is possible.

  • CVE-2018-3746CriJun 1, 2018
    risk 0.57cvss 9.8epss 0.05

    The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine.

  • CVE-2017-7161HigApr 3, 2018
    risk 0.57cvss 8.8epss 0.02

    An issue was discovered in certain Apple products. Safari before 11.0.2 is affected. The issue involves the "WebKit Web Inspector" component. It allows remote attackers to execute arbitrary code via special characters that trigger command injection.

  • CVE-2016-0324HigJan 12, 2018
    risk 0.57cvss 8.8epss 0.04

    IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.0 before 7.0.1-ISS-SIM-FP0001 allows remote authenticated users to execute arbitrary code with administrator privileges via unspecified vectors. IBM X-Force ID: 111640.

  • CVE-2017-8135HigNov 22, 2017
    risk 0.57cvss 8.8epss 0.01

    The FusionSphere OpenStack with software V100R006C00 and V100R006C10 has a command injection vulnerability due to the insufficient input validation on four TCP listening ports. An unauthenticated attacker can exploit the vulnerabilities to gain root privileges by sending some…

  • CVE-2017-8134HigNov 22, 2017
    risk 0.57cvss 8.8epss 0.01

    The FusionSphere OpenStack with software V100R006C00 and V100R006C10 has a command injection vulnerability due to the insufficient input validation on four TCP listening ports. An unauthenticated attacker can exploit the vulnerabilities to gain root privileges by sending some…

  • CVE-2017-8133HigNov 22, 2017
    risk 0.57cvss 8.8epss 0.02

    Huawei iManager NetEco with software V600R008C00 and V600R008C10 has a command injection vulnerability. An authenticated, remote attacker could exploit this vulnerability to send malicious packets to a target device. Successful exploit could enable a low privileged user to…