CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76
CVEs mapped to this weakness (1,552)
page 61 of 78

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-5082 | | | 0.09 | — | 0.70 | | Sep 28, 2015 | Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi. |
| CVE-2014-8517 | | | 0.09 | — | 0.69 | | Nov 17, 2014 | The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a \| (pipe) character at the end of an HTTP redirect. |
| CVE-2019-15954 | | — | 0.08 | — | 0.79 | | Sep 5, 2019 | An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget with a special tag containing JavaScript code that will be evaluated server side.… |
| CVE-2016-1000282 | | | 0.08 | — | 0.13 | | Feb 5, 2019 | Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection. |
| CVE-2015-5453 | | | 0.08 | — | 0.57 | | Jul 8, 2015 | Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the id parameter to ADMIN/mailqueue.spl. |
| CVE-2015-2208 | | | 0.08 | — | 0.62 | | Mar 12, 2015 | The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the object parameter. |
| CVE-2023-33831 | | | 0.07 | — | 0.14 | | Sep 18, 2023 | A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request. |
| CVE-2023-32007 | | — | 0.07 | — | 0.76 | | May 2, 2023 | ** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a… |
| CVE-2022-24697 | | — | 0.07 | — | 0.85 | | Oct 13, 2022 | Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system… |
| CVE-2020-28429 | | — | 0.07 | — | 0.63 | | Feb 23, 2021 | All versions of package geojson2kml are vulnerable to Command Injection via the index.js file. PoC: var a =require("geojson2kml"); a("./","& touch JHU",function(){}) |
| CVE-2019-19609 | | — | 0.07 | — | 0.54 | | Dec 5, 2019 | The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa… |
| CVE-2014-7285 | | | 0.07 | — | 0.50 | | Dec 17, 2014 | The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts. |
| CVE-2022-26265 | | — | 0.06 | — | 0.30 | | Mar 18, 2022 | Contao Managed Edition v1.5.0 was discovered to contain a remote command execution (RCE) vulnerability via the component php_cli parameter. |
| CVE-2021-32849 | | | 0.06 | — | 0.08 | | Jan 26, 2022 | Gerapy is a distributed crawler management framework. Prior to version 0.9.9, an authenticated user could execute arbitrary commands. This issue is fixed in version 0.9.9. There are no known workarounds. |
| CVE-2016-15057 | | | 0.05 | — | 0.04 | | Jan 26, 2026 | ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum. This issue affects Apache Continuum: all versions. Attackers with access to the installations REST API can use this to invoke… |
| CVE-2015-2746 | | | 0.05 | — | 0.26 | | Mar 26, 2015 | The network diagnostics tool (CommandLineServlet) in the Appliance Manager command line utility (CLU) in Websense TRITON 7.8.3 and V-Series appliances before 7.8.4 Hotfix 02 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the "second"… |
| CVE-2022-39986 | | — | 0.04 | — | 0.99 | | Aug 1, 2023 | A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php. |
| CVE-2023-0315 | | | 0.04 | — | 0.98 | | Jan 16, 2023 | Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8. |
| CVE-2015-6912 | | | 0.04 | — | 0.12 | | Sep 11, 2015 | Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharacters in the subtitle_codepage parameter to subtitle.cgi. |
| CVE-2015-1815 | | | 0.04 | — | 0.16 | | Mar 30, 2015 | The get_rpm_nvr_by_file_path_temporary function in util.py in setroubleshoot before 3.2.22 allows remote attackers to execute arbitrary commands via shell metacharacters in a file name. |