CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76
CVEs mapped to this weakness (1,552)
page 75 of 78| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-23355 | — | 0.00 | — | 0.01 | Mar 15, 2021 | This affects all versions of package ps-kill. If (attacker-controlled) user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file.… | ||
| CVE-2021-23356 | — | 0.00 | — | 0.01 | Mar 15, 2021 | This affects all versions of package kill-process-by-name. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file. | ||
| CVE-2021-23352 | — | 0.00 | — | 0.02 | Mar 9, 2021 | This affects the package madge before 4.0.1. It is possible to specify a custom Graphviz path via the graphVizPath option parameter which when the .image(), .svg() or .dot() functions are called, is executed by the childprocess.exec function. | ||
| CVE-2020-8298 | — | 0.00 | — | 0.11 | Mar 4, 2021 | fs-path node module before 0.0.25 is vulnerable to command injection by way of user-supplied inputs via the `copy`, `copySync`, `remove`, and `removeSync` methods. | ||
| CVE-2020-28243 | — | 0.00 | — | 0.04 | Feb 27, 2021 | An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory. | ||
| CVE-2021-23337 | — | 0.00 | — | 0.22 | Feb 15, 2021 | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. | ||
| CVE-2021-27185 | — | 0.00 | — | 0.05 | Feb 10, 2021 | The samba-client package before 4.0.0 for Node.js allows command injection because of the use of process.exec. | ||
| CVE-2021-21479 | — | 0.00 | — | 0.10 | Feb 9, 2021 | In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system. | ||
| CVE-2021-26541 | — | 0.00 | — | 0.05 | Feb 8, 2021 | The gitlog function in src/index.ts in gitlog before 4.0.4 has a command injection vulnerability. | ||
| CVE-2021-23330 | — | 0.00 | — | 0.05 | Feb 1, 2021 | All versions of package launchpad are vulnerable to Command Injection via stop. | ||
| CVE-2021-23326 | — | 0.00 | — | 0.03 | Jan 20, 2021 | This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection. | ||
| CVE-2020-7784 | — | 0.00 | — | 0.01 | Jan 8, 2021 | This affects all versions of package ts-process-promises. The injection point is located in line 45 in main entry of package in lib/process-promises.js. The vulnerability is demonstrated with the following PoC: | ||
| CVE-2020-7794 | — | 0.00 | — | 0.02 | Jan 8, 2021 | This affects all versions of package buns. The injection point is located in line 678 in index file lib/index.js in the exported function install(requestedModule). | ||
| CVE-2020-35136 | 0.00 | — | 0.06 | Dec 23, 2020 | Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php. | |||
| CVE-2020-28247 | — | 0.00 | — | 0.01 | Nov 12, 2020 | The lettre library through 0.10.0-alpha for Rust allows arbitrary sendmail option injection via transport/sendmail/mod.rs. | ||
| CVE-2020-15228 | 0.00 | — | 0.01 | Oct 1, 2020 | In the `@actions/core` npm module before version 1.2.6,`addPath` and `exportVariable` functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the… | |||
| CVE-2020-7697 | — | 0.00 | — | 0.02 | Jul 29, 2020 | This affects all versions of package mock2easy. a malicious user could inject commands through the _data variable: Affected Area require('../server/getJsonByCurl')(mock2easy, function (error, stdout) { if (error) { return res.json(500, error); } res.json(JSON.parse(stdout)); },… | ||
| CVE-2020-8186 | — | 0.00 | — | 0.03 | Jul 10, 2020 | A command injection vulnerability in the `devcert` module may lead to remote code execution when users of the module pass untrusted input to the `certificateFor` function. | ||
| CVE-2020-4059 | 0.00 | — | 0.03 | Jun 18, 2020 | In mversion before 2.0.0, there is a command injection vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This vulnerability is patched by version 2.0.0. Previous releases are deprecated in… | |||
| CVE-2020-5299 | 0.00 | — | 0.01 | Jun 3, 2020 | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the `ImportExportController` could potentially introduce a CSV injection into the data to… |
- CVE-2021-23355Mar 15, 2021risk 0.00cvss —epss 0.01
This affects all versions of package ps-kill. If (attacker-controlled) user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file.…
- CVE-2021-23356Mar 15, 2021risk 0.00cvss —epss 0.01
This affects all versions of package kill-process-by-name. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization in the index.js file.
- CVE-2021-23352Mar 9, 2021risk 0.00cvss —epss 0.02
This affects the package madge before 4.0.1. It is possible to specify a custom Graphviz path via the graphVizPath option parameter which when the .image(), .svg() or .dot() functions are called, is executed by the childprocess.exec function.
- CVE-2020-8298Mar 4, 2021risk 0.00cvss —epss 0.11
fs-path node module before 0.0.25 is vulnerable to command injection by way of user-supplied inputs via the `copy`, `copySync`, `remove`, and `removeSync` methods.
- CVE-2020-28243Feb 27, 2021risk 0.00cvss —epss 0.04
An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create a files on the minion in a non-blacklisted directory.
- CVE-2021-23337Feb 15, 2021risk 0.00cvss —epss 0.22
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
- CVE-2021-27185Feb 10, 2021risk 0.00cvss —epss 0.05
The samba-client package before 4.0.0 for Node.js allows command injection because of the use of process.exec.
- CVE-2021-21479Feb 9, 2021risk 0.00cvss —epss 0.10
In SCIMono before 0.0.19, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system.
- CVE-2021-26541Feb 8, 2021risk 0.00cvss —epss 0.05
The gitlog function in src/index.ts in gitlog before 4.0.4 has a command injection vulnerability.
- CVE-2021-23330Feb 1, 2021risk 0.00cvss —epss 0.05
All versions of package launchpad are vulnerable to Command Injection via stop.
- CVE-2021-23326Jan 20, 2021risk 0.00cvss —epss 0.03
This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection.
- CVE-2020-7784Jan 8, 2021risk 0.00cvss —epss 0.01
This affects all versions of package ts-process-promises. The injection point is located in line 45 in main entry of package in lib/process-promises.js. The vulnerability is demonstrated with the following PoC:
- CVE-2020-7794Jan 8, 2021risk 0.00cvss —epss 0.02
This affects all versions of package buns. The injection point is located in line 678 in index file lib/index.js in the exported function install(requestedModule).
- CVE-2020-35136Dec 23, 2020risk 0.00cvss —epss 0.06
Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.
- CVE-2020-28247Nov 12, 2020risk 0.00cvss —epss 0.01
The lettre library through 0.10.0-alpha for Rust allows arbitrary sendmail option injection via transport/sendmail/mod.rs.
- CVE-2020-15228Oct 1, 2020risk 0.00cvss —epss 0.01
In the `@actions/core` npm module before version 1.2.6,`addPath` and `exportVariable` functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the…
- CVE-2020-7697Jul 29, 2020risk 0.00cvss —epss 0.02
This affects all versions of package mock2easy. a malicious user could inject commands through the _data variable: Affected Area require('../server/getJsonByCurl')(mock2easy, function (error, stdout) { if (error) { return res.json(500, error); } res.json(JSON.parse(stdout)); },…
- CVE-2020-8186Jul 10, 2020risk 0.00cvss —epss 0.03
A command injection vulnerability in the `devcert` module may lead to remote code execution when users of the module pass untrusted input to the `certificateFor` function.
- CVE-2020-4059Jun 18, 2020risk 0.00cvss —epss 0.03
In mversion before 2.0.0, there is a command injection vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This vulnerability is patched by version 2.0.0. Previous releases are deprecated in…
- CVE-2020-5299Jun 3, 2020risk 0.00cvss —epss 0.01
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the `ImportExportController` could potentially introduce a CSV injection into the data to…