CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76
CVEs mapped to this weakness (1,552)
page 68 of 78

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-26127 | | | 0.00 | — | 0.01 | | May 27, 2023 | All versions of the package n158 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code… |
| CVE-2023-26128 | | — | 0.00 | — | 0.01 | | May 27, 2023 | All versions of the package keep-module-latest are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the installModule function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the… |
| CVE-2023-26129 | | | 0.00 | — | 0.01 | | May 27, 2023 | All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to… |
| CVE-2015-20108 | | — | 0.00 | — | 0.01 | | May 27, 2023 | xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used. |
| CVE-2023-32073 | | | 0.00 | — | 0.06 | | May 12, 2023 | WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854, which affects… |
| CVE-2023-26125 | | — | 0.00 | — | 0.01 | | May 4, 2023 | Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. **Note:** Although this issue does not… |
| CVE-2023-30623 | | | 0.00 | — | 0.04 | | Apr 24, 2023 | `embano1/wip` is a GitHub Action written in Bash. Prior to version 2, the `embano1/wip` action uses the `github.event.pull_request.title` parameter in an insecure way. The title parameter is used in a run statement - resulting in a command injection vulnerability due to string… |
| CVE-2023-29566 | | — | 0.00 | — | 0.02 | | Apr 24, 2023 | huedawn-tesseract 0.3.3 and dawnsparks-node-tesseract 0.4.0 to 0.4.1 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function. |
| CVE-2023-30535 | | | 0.00 | — | 0.02 | | Apr 14, 2023 | Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java program to connect to Snowflake. Users of the Snowflake JDBC driver were vulnerable to a command injection vulnerability. An attacker could set up a malicious, publicly accessible server… |
| CVE-2023-1877 | | | 0.00 | — | 0.02 | | Apr 5, 2023 | Command Injection in GitHub repository microweber/microweber prior to 1.3.3. |
| CVE-2023-28935 | | | 0.00 | — | 0.03 | | Mar 30, 2023 | ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache UIMA DUCC. When using the "Distributed UIMA Cluster Computing" (DUCC) module of Apache UIMA, an authenticated… |
| CVE-2018-25083 | | — | 0.00 | — | 0.03 | | Mar 27, 2023 | The pullit package before 1.4.0 for Node.js allows OS Command Injection because eval is used on an attacker-supplied Git branch name. |
| CVE-2023-28677 | | | 0.00 | — | 0.01 | | Mar 23, 2023 | Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to… |
| CVE-2023-27581 | | — | 0.00 | — | 0.02 | | Mar 13, 2023 | github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one's GitHub workflow. Starting in version 4.0.0 and prior to version 4.4.1, this action uses the `github.head_ref` parameter in an insecure way. This vulnerability can be… |
| CVE-2021-33360 | | — | 0.00 | — | 0.01 | | Mar 10, 2023 | An issue found in Stoqey gnuplot v.0.0.3 and earlier allows attackers to execute arbitrary code via the src/index.ts, plotCallack, child_process, and/or filePath parameter(s). |
| CVE-2021-4329 | | — | 0.00 | — | 0.02 | | Mar 5, 2023 | A vulnerability, which was classified as critical, has been found in json-logic-js 2.0.0. Affected by this issue is some unknown functionality of the file logic.js. The manipulation leads to command injection. Upgrading to version 2.0.1 is able to address this issue. The patch… |
| CVE-2021-4326 | | — | 0.00 | — | 0.00 | | Feb 22, 2023 | A vulnerability in Imperative framework which allows already-privileged local actors to execute arbitrary shell commands via plugin install/update commands, or maliciously formed environment variables. Impacts Zowe CLI. |
| CVE-2023-25805 | | — | 0.00 | — | 0.02 | | Feb 20, 2023 | versionn, software for changing version information across multiple files, has a command injection vulnerability in all versions prior to version 1.1.0. This issue is patched in version 1.1.0. |
| CVE-2023-0789 | | — | 0.00 | — | 0.02 | | Feb 12, 2023 | Command Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
| CVE-2022-31249 | | | 0.00 | — | 0.04 | | Feb 7, 2023 | A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher… |