VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Class · Draft · Likelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 40 of 78
  • CVE-2024-31485 · High · May 14, 2024
    risk 0.47 · cvss 7.2 · epss 0.02

    A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.30), SICORE Base system (All versions < V1.3.0). The web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could…

  • CVE-2024-34347 · High · May 8, 2024
    risk 0.47 · cvss 8.3 · epss 0.01

    @hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is…

  • CVE-2024-29949 · High · Apr 2, 2024
    risk 0.47 · cvss 7.2 · epss 0.01

    There is a command injection vulnerability in some Hikvision NVRs. This could allow an authenticated user with administrative rights to execute arbitrary commands.

  • CVE-2024-2947 · High · Mar 28, 2024
    risk 0.47 · cvss 7.3 · epss 0.01

    A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.

  • CVE-2023-49898 · High · Dec 15, 2023
    risk 0.47 · cvss 7.2 · epss 0.02

    In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the…

  • CVE-2023-26153 · High · Oct 6, 2023
    risk 0.47 · cvss 8.3 · epss 0.03

    Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie. This issue can be exploited remotely via a malicious cookie value. **Note:** An attacker can use this vulnerability to…

  • CVE-2022-26826 · High · Apr 15, 2022
    risk 0.47 · cvss 7.2 · epss 0.04

    Windows DNS Server Remote Code Execution Vulnerability

  • CVE-2021-41116 · High · Oct 5, 2021
    risk 0.47 · cvss 8.2 · epss 0.03

    Composer is an open source dependency manager for the PHP language. In affected versions, Windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their Composer version. Other OSs and WSL are not affected. The issue has…

  • CVE-2018-0348 · High · Jul 18, 2018
    risk 0.47 · cvss 7.2 · epss 0.03

    A vulnerability in the CLI of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by…

  • CVE-2018-0344 · High · Jul 18, 2018
    risk 0.47 · cvss 7.2 · epss 0.02

    A vulnerability in the vManage dashboard for the configuration and management service of the Cisco SD-WAN Solution could allow an authenticated, remote attacker to inject and execute arbitrary commands with vmanage user privileges on an affected system. The vulnerability is due…

  • CVE-2017-12078 · High · Jun 8, 2018
    risk 0.47 · cvss 7.2 · epss 0.02

    Command injection vulnerability in EZ-Internet in Synology Router Manager (SRM) before 1.1.6-6931 allows remote authenticated users to execute arbitrary commands via the username parameter.

  • CVE-2017-12075 · High · Jun 8, 2018
    risk 0.47 · cvss 7.2 · epss 0.02

    Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary commands via the username parameter.

  • CVE-2017-2832 · High · Apr 24, 2018
    risk 0.47 · cvss 7.2 · epss 0.06

    An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during a password…

  • CVE-2017-8197 · High · Nov 22, 2017
    risk 0.47 · cvss 7.2 · epss 0.02

    FusionSphere V100R006C00SPC102(NFV) has a command injection vulnerability. An authenticated, remote attacker could craft packets with malicious strings and send them to a target device. Successful exploit could allow the attacker to launch a command injection attack and execute…

  • CVE-2017-8188 · High · Nov 22, 2017
    risk 0.47 · cvss 7.2 · epss 0.02

    FusionSphere OpenStack V100R006C00SPC102(NFV) has a command injection vulnerability. Due to lack of validation, an attacker with high privilege may inject malicious code into some module of the affected products, causing code execution.

  • CVE-2017-2736 · High · Nov 22, 2017
    risk 0.47 · cvss 7.2 · epss 0.01

    VCM5010 with software versions before V100R002C50SPC100 has a command injection vulnerability. This is due to insufficient validation of user input. An authenticated attacker could launch a command injection attack.

  • CVE-2017-12756 · High · Aug 9, 2017
    risk 0.47 · cvss 7.2 · epss 0.01

    Command injection in transfer from another server in extplorer 2.1.9 and prior allows an attacker to inject commands via the userfile[0] parameter.

  • CVE-2015-4046 · High · May 23, 2017
    risk 0.47 · cvss 7.2 · epss 0.03

    The asset discovery scanner in AlienVault OSSIM before 5.0.1 allows remote authenticated users to execute arbitrary commands via the assets array parameter to netscan/do_scan.php.

  • CVE-2016-8801 · High · Apr 2, 2017
    risk 0.47 · cvss 7.2 · epss 0.01

    Huawei OceanStor 5600 V3 with V300R003C00C10 and earlier versions allows attackers with administrator privilege to inject a command into a specific command's parameters, and run this injected command with root privilege.

  • CVE-2017-6183 · High · Mar 30, 2017
    risk 0.47 · cvss 7.2 · epss 0.03

    In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's configuration utilities for adding (and detecting) Active Directory servers was vulnerable to remote command injection, aka NSWA-1314.