VYPR

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-15 · CAPEC-43 · CAPEC-6 · CAPEC-88

CVEs mapped to this weakness (2,292)

page 106 of 115
  • CVE-2020-7631 · Apr 6, 2020
    risk 0.00 · cvss n/a · epss 0.04

    diskusage-ng through 0.2.4 is vulnerable to Command Injection. It allows execution of arbitrary commands via the path argument.

  • CVE-2020-7630 · Apr 2, 2020
    risk 0.00 · cvss n/a · epss 0.04

    git-add-remote through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the name argument.

  • CVE-2020-7629 · Apr 2, 2020
    risk 0.00 · cvss n/a · epss 0.04

    install-package through 0.4.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.

  • CVE-2020-7628 · Apr 2, 2020
    risk 0.00 · cvss n/a · epss 0.02

    umount through 1.1.6 is vulnerable to Command Injection. The argument device can be controlled by users without any sanitization.

  • CVE-2020-7627 · Apr 2, 2020
    risk 0.00 · cvss n/a · epss 0.04

    node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute()' function.

  • CVE-2020-7626 · Apr 2, 2020
    risk 0.00 · cvss n/a · epss 0.04

    karma-mojo through 1.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the config argument.

  • CVE-2020-7625 · Apr 2, 2020
    risk 0.00 · cvss n/a · epss 0.04

    op-browser through 1.0.6 is vulnerable to Command Injection. It allows execution of arbitrary commands via the url function.

  • CVE-2020-7624 · Apr 2, 2020
    risk 0.00 · cvss n/a · epss 0.04

    effect through 1.0.4 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.

  • CVE-2020-7623 · Apr 2, 2020
    risk 0.00 · cvss n/a · epss 0.04

    jscover through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the source argument.

  • CVE-2020-7621 · Apr 2, 2020
    risk 0.00 · cvss n/a · epss 0.03

    strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. It allows execution of arbitrary commands as part of the '_nginxCmd()' function.

  • CVE-2020-7619 · Apr 2, 2020
    risk 0.00 · cvss n/a · epss 0.02

    get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data.

  • CVE-2020-7620 · Apr 2, 2020
    risk 0.00 · cvss n/a · epss 0.02

    pomelo-monitor through 0.3.7 is vulnerable to Command Injection. It allows injection of arbitrary commands as part of 'pomelo-monitor' params.

  • CVE-2020-7603 · Mar 15, 2020
    risk 0.00 · cvss n/a · epss 0.03

    closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization.

  • CVE-2020-7607 · Mar 15, 2020
    risk 0.00 · cvss n/a · epss 0.03

    gulp-styledocco through 0.0.3 allows execution of arbitrary commands. The argument 'options' of the exports function in 'index.js' can be controlled by users without any sanitization.

  • CVE-2020-7605 · Mar 15, 2020
    risk 0.00 · cvss n/a · epss 0.03

    gulp-tape through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands as part of 'gulp-tape' options.

  • CVE-2020-7606 · Mar 15, 2020
    risk 0.00 · cvss n/a · epss 0.03

    docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.

  • CVE-2020-7604 · Mar 15, 2020
    risk 0.00 · cvss n/a · epss 0.03

    pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to…

  • CVE-2020-7602 · Mar 15, 2020
    risk 0.00 · cvss n/a · epss 0.03

    node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand()" is called by "getDevices()" function in file "linux/manager.js", which is required by the "index. process.env.NM_CLI" in the file "linux/manager.js". This function is used to construct the…

  • CVE-2020-7601 · Mar 15, 2020
    risk 0.00 · cvss n/a · epss 0.03

    gulp-scss-lint through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands to the "exec" function located in "src/command.js" via the provided options.

  • CVE-2019-10807 · Mar 10, 2020
    risk 0.00 · cvss n/a · epss 0.02

    Blamer versions prior to 1.0.1 allow execution of arbitrary commands. It is possible to inject arbitrary commands as part of the arguments provided to blamer.