VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Abstraction: Class · Status: Draft · Likelihood of Exploit: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 68 of 78
  • CVE-2023-26127 · May 27, 2023
    risk 0.00 · cvss · epss 0.01

    All versions of the package n158 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code…

  • CVE-2023-26128 · May 27, 2023
    risk 0.00 · cvss · epss 0.01

    All versions of the package keep-module-latest are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the installModule function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the…

  • CVE-2023-26129 · May 27, 2023
    risk 0.00 · cvss · epss 0.01

    All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to…

  • CVE-2015-20108 · May 27, 2023
    risk 0.00 · cvss · epss 0.01

    xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.

  • CVE-2023-32073 · May 12, 2023
    risk 0.00 · cvss · epss 0.06

    WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you use the CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854, which affects…

  • CVE-2023-26125 · May 4, 2023
    risk 0.00 · cvss · epss 0.01

    Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. **Note:** Although this issue does not…

  • CVE-2023-30623 · Apr 24, 2023
    risk 0.00 · cvss · epss 0.04

    `embano1/wip` is a GitHub Action written in Bash. Prior to version 2, the `embano1/wip` action uses the `github.event.pull_request.title` parameter in an insecure way. The title parameter is used in a run statement - resulting in a command injection vulnerability due to string…

  • CVE-2023-29566 · Apr 24, 2023
    risk 0.00 · cvss · epss 0.02

    huedawn-tesseract 0.3.3 and dawnsparks-node-tesseract 0.4.0 to 0.4.1 were discovered to contain a remote code execution (RCE) vulnerability via the child_process function.

  • CVE-2023-30535 · Apr 14, 2023
    risk 0.00 · cvss · epss 0.02

    Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing a Java program to connect to Snowflake. Users of the Snowflake JDBC driver were vulnerable to a command injection vulnerability. An attacker could set up a malicious, publicly accessible server…

  • CVE-2023-1877 · Apr 5, 2023
    risk 0.00 · cvss · epss 0.02

    Command Injection in GitHub repository microweber/microweber prior to 1.3.3.

  • CVE-2023-28935 · Mar 30, 2023
    risk 0.00 · cvss · epss 0.03

    ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache UIMA DUCC. When using the "Distributed UIMA Cluster Computing" (DUCC) module of Apache UIMA, an authenticated…

  • CVE-2018-25083 · Mar 27, 2023
    risk 0.00 · cvss · epss 0.03

    The pullit package before 1.4.0 for Node.js allows OS Command Injection because eval is used on an attacker-supplied Git branch name.

  • CVE-2023-28677 · Mar 23, 2023
    risk 0.00 · cvss · epss 0.01

    Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to…

  • CVE-2023-27581 · Mar 13, 2023
    risk 0.00 · cvss · epss 0.02

    github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one's GitHub workflow. Starting in version 4.0.0 and prior to version 4.4.1, this action uses the `github.head_ref` parameter in an insecure way. This vulnerability can be…

  • CVE-2021-33360 · Mar 10, 2023
    risk 0.00 · cvss · epss 0.01

    An issue found in Stoqey gnuplot v.0.0.3 and earlier allows attackers to execute arbitrary code via the src/index.ts, plotCallack, child_process, and/or filePath parameter(s).

  • CVE-2021-4329 · Mar 5, 2023
    risk 0.00 · cvss · epss 0.02

    A vulnerability, which was classified as critical, has been found in json-logic-js 2.0.0. Affected by this issue is some unknown functionality of the file logic.js. The manipulation leads to command injection. Upgrading to version 2.0.1 is able to address this issue. The patch…

  • CVE-2021-4326 · Feb 22, 2023
    risk 0.00 · cvss · epss 0.00

    A vulnerability in Imperative framework which allows already-privileged local actors to execute arbitrary shell commands via plugin install/update commands, or maliciously formed environment variables. Impacts Zowe CLI.

  • CVE-2023-25805 · Feb 20, 2023
    risk 0.00 · cvss · epss 0.02

    versionn, software for changing version information across multiple files, has a command injection vulnerability in all versions prior to version 1.1.0. This issue is patched in version 1.1.0.

  • CVE-2023-0789 · Feb 12, 2023
    risk 0.00 · cvss · epss 0.02

    Command Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11.

  • CVE-2022-31249 · Feb 7, 2023
    risk 0.00 · cvss · epss 0.04

    An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher…