VYPR

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

ClassDraftLikelihood: High

Description

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76

CVEs mapped to this weakness (1,552)

page 9 of 78
  • CVE-2024-37782CriNov 22, 2024
    risk 0.64cvss 9.8epss 0.01

    An LDAP injection vulnerability in the login page of Gladinet CentreStack v13.12.9934.54690 allows attackers to access sensitive data or execute arbitrary commands via a crafted payload injected into the username field.

  • CVE-2024-25255CriNov 11, 2024
    risk 0.64cvss 9.8epss 0.01

    Sublime Text 4 was discovered to contain a command injection vulnerability via the New Build System module. NOTE: multiple third parties report that this is intended behavior.

  • CVE-2024-48746CriNov 5, 2024
    risk 0.64cvss 9.8epss 0.01

    An issue in Lens Visual integration with Power BI v.4.0.0.3 allows a remote attacker to execute arbitrary code via the Natural language processing component

  • CVE-2024-42509CriNov 5, 2024
    risk 0.64cvss 9.8epss 0.02

    Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability…

  • CVE-2024-10035CriNov 4, 2024
    risk 0.64cvss 9.8epss 0.01

    Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in BG-TEK Informatics Security…

  • CVE-2024-42507CriSep 25, 2024
    risk 0.64cvss 9.8epss 0.01

    Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these…

  • CVE-2024-42506CriSep 25, 2024
    risk 0.64cvss 9.8epss 0.01

    Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these…

  • CVE-2024-42505CriSep 25, 2024
    risk 0.64cvss 9.8epss 0.01

    Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these…

  • CVE-2024-42905CriAug 28, 2024
    risk 0.64cvss 9.8epss 0.15

    Beijing Digital China Cloud Technology Co., Ltd. DCME-320 v.7.4.12.60 has a command execution vulnerability, which can be exploited to obtain device administrator privileges via the getVar function in the code/function/system/tool/ping.php file.

  • CVE-2024-3871CriApr 16, 2024
    risk 0.64cvss 9.8epss 0.02

    The Delta Electronics DVW-W02W2-E2 devices expose a web administration interface to users. This interface implements multiple features that are affected by command injections and stack overflows vulnerabilities. Successful exploitation of these flaws would allow remote…

  • CVE-2024-27981CriApr 4, 2024
    risk 0.64cvss 9.8epss 0.01

    A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.0.28 and earlier) allows a malicious actor with UniFi Network Application Administrator credentials to escalate privileges to root on the host…

  • CVE-2024-29640CriMar 29, 2024
    risk 0.64cvss 9.8epss 0.01

    An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component.

  • CVE-2024-28125CriMar 18, 2024
    risk 0.64cvss 9.8epss 0.01

    FitNesse all releases allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification and this is currently under further investigation.

  • CVE-2014-10075CriOct 5, 2018
    risk 0.64cvss 9.8epss 0.04

    The karo gem 2.3.8 for Ruby allows Remote command injection via the host field.

  • CVE-2018-0718CriSep 14, 2018
    risk 0.64cvss 9.8epss 0.02

    Command injection vulnerability in Music Station 5.1.2 and earlier versions in QNAP QTS 4.3.3 and 4.3.4 could allow remote attackers to run arbitrary commands in the compromised application.

  • CVE-2018-16460CriSep 7, 2018
    risk 0.64cvss 9.8epss 0.03

    A command Injection in ps package versions <1.0.0 for Node.js allowed arbitrary commands to be executed when attacker controls the PID.

  • CVE-2018-0714CriAug 13, 2018
    risk 0.64cvss 9.8epss 0.02

    Command injection vulnerability in Helpdesk versions 1.1.21 and earlier in QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 build 20180528, QTS 4.3.4 build 20180528 and their earlier versions could allow remote attackers to run arbitrary commands in the compromised application.

  • CVE-2018-3779CriAug 10, 2018
    risk 0.64cvss 9.8epss 0.06

    active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system.

  • CVE-2016-6558CriJul 13, 2018
    risk 0.64cvss 9.8epss 0.04

    A command injection vulnerability exists in apply.cgi on the ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, web interface specifically in the action_script parameter. The action_script parameter specifies a script to be executed if the action_mode…

  • CVE-2018-7785CriJul 3, 2018
    risk 0.64cvss 9.8epss 0.03

    In Schneider Electric U.motion Builder software versions prior to v1.3.4, a remote command injection allows authentication bypass.