VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Class · Draft · Likelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 76 of 78
  • CVE-2020-11079 (May 28, 2020)
    risk 0.00 · cvss n/a · epss 0.03

    node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1.

  • CVE-2019-15609 (Feb 28, 2020)
    risk 0.00 · cvss n/a · epss 0.04

    The kill-port-process package, versions < 2.2.0, is vulnerable to command injection.

  • CVE-2019-7537 (Mar 21, 2019)
    risk 0.00 · cvss n/a · epss 0.03

    An issue was discovered in Donfig 0.3.0. There is a vulnerability in the collect_yaml method in config_obj.py. It can execute arbitrary Python commands, resulting in command execution.

  • CVE-2019-5414 (Mar 17, 2019)
    risk 0.00 · cvss n/a · epss 0.02

    If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in a third-party module kill-port < 1.3.2.

  • CVE-2013-2516 (Feb 15, 2019)
    risk 0.00 · cvss n/a · epss 0.03

    Command injection vulnerability in the Ruby gem FileUtils (fileutils) v0.7 and earlier (<= v0.7): a user-supplied url variable is passed to the shell.

  • CVE-2019-6986 (Jan 28, 2019)
    risk 0.00 · cvss n/a · epss 0.03

    SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to execute arbitrary SPARQL via the uri parameter, leading to a regular expression denial of service (ReDoS), as demonstrated by crafted use of FILTER%20regex in a /individual?uri= request.

  • CVE-2018-16462 (Oct 30, 2018)
    risk 0.00 · cvss n/a · epss 0.07

    A command injection vulnerability in the apex-publish-static-files npm module, versions <2.0.1, allows arbitrary shell command execution through a maliciously crafted argument.

  • CVE-2018-16461 (Oct 30, 2018)
    risk 0.00 · cvss n/a · epss 0.04

    A command injection vulnerability in the libnmapp package, versions <0.4.16, allows arbitrary commands to be executed via arguments to the range options.

  • CVE-2018-9866 (Critical) (Aug 3, 2018)
    risk 0.00 · cvss 9.8 · epss 0.04

    A lack of validation of user-supplied parameters passed to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances allows a remote user to execute arbitrary code. This vulnerability affected GMS version 8.1 and earlier.

  • CVE-2015-6613 (Nov 3, 2015)
    risk 0.00 · cvss n/a · epss 0.01

    Bluetooth in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows attackers to send commands to a debugging port, and consequently gain privileges, via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 24371736.

  • CVE-2015-5011 (Oct 26, 2015)
    risk 0.00 · cvss n/a · epss 0.00

    IBM WebSphere Message Broker 8 before 8.0.0.6 and Integration Bus 9 before 9.0.0.4 do not check authorization for MQSISTARTMSGFLOW and MQSISTOPMSGFLOW commands, which allows local users to bypass intended access restrictions, and start or stop a service, by issuing a command.

  • CVE-2015-4974 (Oct 26, 2015)
    risk 0.00 · cvss n/a · epss 0.01

    IBM General Parallel File System (GPFS) 3.5.x before 3.5.0.27 and 4.1.x before 4.1.1.2 and Spectrum Scale 4.1.1.x before 4.1.1.2 allow local users to obtain root privileges for command execution via unspecified vectors.

  • CVE-2015-4930 (Oct 4, 2015)
    risk 0.00 · cvss n/a · epss 0.02

    IBM QRadar SIEM 7.1 MR2 before Patch 11 IF02 and 7.2.x before 7.2.5 Patch 4 allows remote authenticated users to execute arbitrary commands with root privileges by leveraging admin access.

  • CVE-2015-2011 (Oct 4, 2015)
    risk 0.00 · cvss n/a · epss 0.02

    The xmlrpc.cgi Webmin script in IBM QRadar SIEM 7.1 MR2 before Patch 11 IF02 and 7.2.x before 7.2.5 Patch 4 allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors.

  • CVE-2015-6547 (Sep 20, 2015)
    risk 0.00 · cvss n/a · epss 0.04

    The management console on Symantec Web Gateway (SWG) appliances with software before 5.2.2 DB 5.0.0.1277 allows remote authenticated users to execute arbitrary commands at boot time via unspecified vectors.

  • CVE-2015-5274 (Sep 18, 2015)
    risk 0.00 · cvss n/a · epss 0.02

    rubygem-openshift-origin-console in Red Hat OpenShift 2.2 allows remote authenticated users to execute arbitrary commands via a crafted request to the Broker.

  • CVE-2015-5190 (Sep 3, 2015)
    risk 0.00 · cvss n/a · epss 0.03

    The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via "escape characters" in a URL.

  • CVE-2015-5474 (Aug 13, 2015)
    risk 0.00 · cvss n/a · epss 0.04

    BitTorrent and uTorrent allow remote attackers to inject command line parameters and execute arbitrary commands via a crafted URL using the (1) bittorrent or (2) magnet protocol.

  • CVE-2015-5080 (Jul 16, 2015)
    risk 0.00 · cvss n/a · epss 0.04

    The Management Interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.1 before 10.1.132.8, 10.5 before Build 56.15, and 10.5.e before Build 56.1505.e allows remote authenticated users to execute arbitrary shell commands via shell…

  • CVE-2015-1561 (Jul 14, 2015)
    risk 0.00 · cvss n/a · epss 0.09

    The escape_command function in include/Administration/corePerformance/getStats.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands…