VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

ClassDraftLikelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 74 of 78
  • CVE-2021-32661Jun 3, 2021
    risk 0.00cvss epss 0.01

    Backstage is an open platform for building developer portals. In versions of Backstage's Techdocs Plugin (`@backstage/plugin-techdocs`) prior to 0.9.5, a malicious internal actor can potentially upload documentation content with malicious scripts by embedding the script within…

  • CVE-2021-32660Jun 3, 2021
    risk 0.00cvss epss 0.01

    Backstage is an open platform for building developer portals, and techdocs-common contains common functionalities for Backstage's TechDocs. In versions of `@backstage/tehdocs-common` prior to 0.6.4, a malicious internal actor is able to upload documentation content with…

  • CVE-2021-29300May 24, 2021
    risk 0.00cvss epss 0.05

    The @ronomon/opened library before 1.5.2 is vulnerable to a command injection vulnerability which would allow a remote attacker to execute commands on the system if the library was used with untrusted input.

  • CVE-2021-32090May 7, 2021
    risk 0.00cvss epss 0.02

    The dashboard component of StackLift LocalStack 0.12.6 allows attackers to inject arbitrary shell commands via the functionName parameter.

  • CVE-2020-13664May 5, 2021
    risk 0.00cvss epss 0.03

    Arbitrary PHP code execution vulnerability in Drupal Core under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker…

  • CVE-2021-29369May 3, 2021
    risk 0.00cvss epss 0.02

    The gnuplot package prior to version 0.1.0 for Node.js allows code execution via shell metacharacters in Gnuplot commands.

  • CVE-2021-21388Apr 29, 2021
    risk 0.00cvss epss 0.02

    systeminformation is an open source system and OS information library for node.js. A command injection vulnerability has been discovered in versions of systeminformation prior to 5.6.4. The issue has been fixed with a parameter check on user input. Please upgrade to version >=…

  • CVE-2021-31607Apr 23, 2021
    risk 0.00cvss epss 0.04

    In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the…

  • CVE-2021-23379Apr 18, 2021
    risk 0.00cvss epss 0.01

    This affects all versions of package portkiller. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2021-23380Apr 18, 2021
    risk 0.00cvss epss 0.01

    This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function…

  • CVE-2021-23381Apr 18, 2021
    risk 0.00cvss epss 0.01

    This affects all versions of package killing. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2021-23374Apr 18, 2021
    risk 0.00cvss epss 0.01

    This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2021-23375Apr 18, 2021
    risk 0.00cvss epss 0.01

    This affects all versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2021-23376Apr 18, 2021
    risk 0.00cvss epss 0.02

    This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2021-23377Apr 18, 2021
    risk 0.00cvss epss 0.03

    This affects all versions of package onion-oled-js. If attacker-controlled user input is given to the scroll function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2021-23378Apr 18, 2021
    risk 0.00cvss epss 0.02

    This affects all versions of package picotts. If attacker-controlled user input is given to the say function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2021-23348Mar 31, 2021
    risk 0.00cvss epss 0.02

    This affects the package portprocesses before 1.0.5. If (attacker-controlled) user input is given to the killProcess function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2021-23363Mar 30, 2021
    risk 0.00cvss epss 0.02

    This affects the package kill-by-port before 0.0.2. If (attacker-controlled) user input is given to the killByPort function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.

  • CVE-2021-23360Mar 21, 2021
    risk 0.00cvss epss 0.02

    This affects the package killport before 1.0.2. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. Running this PoC will cause the command…

  • CVE-2021-23359Mar 18, 2021
    risk 0.00cvss epss 0.02

    This affects all versions of package port-killer. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization. Running this PoC will cause the command…