VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

ClassDraftLikelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 69 of 78
  • CVE-2022-43758Feb 7, 2023
    risk 0.00cvss epss 0.01

    A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SUSE Rancher allows code execution for user with the ability to add an untrusted Helm catalog or modifying the URL configuration used to download KDM (only admin users…

  • CVE-2022-25853Feb 6, 2023
    risk 0.00cvss epss 0.01

    All versions of the package semver-tags are vulnerable to Command Injection via the getGitTagsRemote function due to improper input sanitization.

  • CVE-2022-25855Feb 6, 2023
    risk 0.00cvss epss 0.01

    All versions of the package create-choo-app3 are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.

  • CVE-2022-25916Feb 1, 2023
    risk 0.00cvss epss 0.01

    Versions of the package mt7688-wiscan before 0.8.3 are vulnerable to Command Injection due to improper input sanitization in the 'wiscan.scan' function.

  • CVE-2022-21129Jan 31, 2023
    risk 0.00cvss epss 0.03

    Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function. **Note:** In order to exploit this vulnerability appium-running 0.1.3 has to be installed as one of nemo-appium…

  • CVE-2021-41231Jan 27, 2023
    risk 0.00cvss epss 0.01

    OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, an administrator with the permissions to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. Versions 19.4.22 and 20.0.19 contain a patch for…

  • CVE-2021-41144Jan 27, 2023
    risk 0.00cvss epss 0.01

    OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, a layout block was able to bypass the block blacklist to execute remote code. Versions 19.4.22 and 20.0.19 contain a patch for this issue.

  • CVE-2021-41143Jan 27, 2023
    risk 0.00cvss epss 0.01

    OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Magento admin users with access to the customer media could execute code on the server. Versions 19.4.22 and 20.0.19 contain a patch for this issue.

  • CVE-2021-39217Jan 27, 2023
    risk 0.00cvss epss 0.01

    OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Custom Layout enabled admin users to execute arbitrary commands via block methods. Versions 19.4.22 and 20.0.19 contain patches for this issue.

  • CVE-2022-25962Jan 25, 2023
    risk 0.00cvss epss 0.01

    All versions of the package vagrant.js are vulnerable to Command Injection via the boxAdd function due to improper input sanitization.

  • CVE-2022-21810Jan 25, 2023
    risk 0.00cvss epss 0.01

    All versions of the package smartctl are vulnerable to Command Injection via the info method due to improper input sanitization.

  • CVE-2022-25908Jan 24, 2023
    risk 0.00cvss epss 0.02

    All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.

  • CVE-2022-25350Jan 24, 2023
    risk 0.00cvss epss 0.01

    All versions of the package puppet-facter are vulnerable to Command Injection via the getFact function due to improper input sanitization.

  • CVE-2023-22884Jan 21, 2023
    risk 0.00cvss epss 0.11

    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider.This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL…

  • CVE-2022-21191Jan 13, 2023
    risk 0.00cvss epss 0.01

    Versions of the package global-modules-path before 3.0.0 are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the getPath function.

  • CVE-2020-36650Jan 11, 2023
    risk 0.00cvss epss 0.02

    A vulnerability, which was classified as critical, was found in IonicaBizau node-gry up to 5.x. This affects an unknown part. The manipulation leads to command injection. Upgrading to version 6.0.0 is able to address this issue. The patch is named…

  • CVE-2022-25890Jan 9, 2023
    risk 0.00cvss epss 0.01

    All versions of the package wifey are vulnerable to Command Injection via the connect() function due to improper input sanitization.

  • CVE-2022-25923Jan 6, 2023
    risk 0.00cvss epss 0.03

    Versions of the package exec-local-bin before 1.2.0 are vulnerable to Command Injection via the theProcess() functionality due to improper user-input sanitization.

  • CVE-2022-25926Jan 4, 2023
    risk 0.00cvss epss 0.01

    Versions of the package window-control before 1.4.5 are vulnerable to Command Injection via the sendKeys function, due to improper input sanitization.

  • CVE-2022-44621Dec 30, 2022
    risk 0.00cvss epss 0.03

    Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request.