CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-136 · CAPEC-15 · CAPEC-183 · CAPEC-248 · CAPEC-40 · CAPEC-43 · CAPEC-75 · CAPEC-76
CVEs mapped to this weakness (1,552)
Page 9 of 78

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-37782 | | Cri | 0.64 | 9.8 | 0.01 | | Nov 22, 2024 | An LDAP injection vulnerability in the login page of Gladinet CentreStack v13.12.9934.54690 allows attackers to access sensitive data or execute arbitrary commands via a crafted payload injected into the username field. |
| CVE-2024-25255 | | Cri | 0.64 | 9.8 | 0.01 | | Nov 11, 2024 | Sublime Text 4 was discovered to contain a command injection vulnerability via the New Build System module. NOTE: multiple third parties report that this is intended behavior. |
| CVE-2024-48746 | | Cri | 0.64 | 9.8 | 0.01 | | Nov 5, 2024 | An issue in Lens Visual integration with Power BI v.4.0.0.3 allows a remote attacker to execute arbitrary code via the Natural language processing component. |
| CVE-2024-42509 | | Cri | 0.64 | 9.8 | 0.02 | | Nov 5, 2024 | Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability… |
| CVE-2024-10035 | | Cri | 0.64 | 9.8 | 0.01 | | Nov 4, 2024 | Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in BG-TEK Informatics Security… |
| CVE-2024-42507 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 25, 2024 | Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these… |
| CVE-2024-42506 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 25, 2024 | Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these… |
| CVE-2024-42505 | | Cri | 0.64 | 9.8 | 0.01 | | Sep 25, 2024 | Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these… |
| CVE-2024-42905 | | Cri | 0.64 | 9.8 | 0.15 | | Aug 28, 2024 | Beijing Digital China Cloud Technology Co., Ltd. DCME-320 v.7.4.12.60 has a command execution vulnerability, which can be exploited to obtain device administrator privileges via the getVar function in the code/function/system/tool/ping.php file. |
| CVE-2024-3871 | | Cri | 0.64 | 9.8 | 0.02 | | Apr 16, 2024 | The Delta Electronics DVW-W02W2-E2 devices expose a web administration interface to users. This interface implements multiple features that are affected by command injection and stack overflow vulnerabilities. Successful exploitation of these flaws would allow remote… |
| CVE-2024-27981 | | Cri | 0.64 | 9.8 | 0.01 | | Apr 4, 2024 | A Command Injection vulnerability found in Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.0.28 and earlier) allows a malicious actor with UniFi Network Application Administrator credentials to escalate privileges to root on the host… |
| CVE-2024-29640 | | Cri | 0.64 | 9.8 | 0.01 | | Mar 29, 2024 | An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component. |
| CVE-2024-28125 | | Cri | 0.64 | 9.8 | 0.01 | | Mar 18, 2024 | FitNesse, all releases, allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification and this is currently under further investigation. |
| CVE-2014-10075 | | Cri | 0.64 | 9.8 | 0.04 | | Oct 5, 2018 | The karo gem 2.3.8 for Ruby allows remote command injection via the host field. |
| CVE-2018-0718 | | Cri | 0.64 | 9.8 | 0.02 | | Sep 14, 2018 | Command injection vulnerability in Music Station 5.1.2 and earlier versions in QNAP QTS 4.3.3 and 4.3.4 could allow remote attackers to run arbitrary commands in the compromised application. |
| CVE-2018-16460 | | Cri | 0.64 | 9.8 | 0.03 | | Sep 7, 2018 | A command injection in ps package versions <1.0.0 for Node.js allowed arbitrary commands to be executed when the attacker controls the PID. |
| CVE-2018-0714 | | Cri | 0.64 | 9.8 | 0.02 | | Aug 13, 2018 | Command injection vulnerability in Helpdesk versions 1.1.21 and earlier in QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 build 20180528, QTS 4.3.4 build 20180528 and their earlier versions could allow remote attackers to run arbitrary commands in the compromised application. |
| CVE-2018-3779 | | Cri | 0.64 | 9.8 | 0.06 | | Aug 10, 2018 | active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system. |
| CVE-2016-6558 | | Cri | 0.64 | 9.8 | 0.04 | | Jul 13, 2018 | A command injection vulnerability exists in apply.cgi on the ASUS RP-AC52 access point, firmware version 1.0.1.1s and possibly earlier, web interface, specifically in the action_script parameter. The action_script parameter specifies a script to be executed if the action_mode… |
| CVE-2018-7785 | | Cri | 0.64 | 9.8 | 0.03 | | Jul 3, 2018 | In Schneider Electric U.motion Builder software versions prior to v1.3.4, a remote command injection allows authentication bypass. |