CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-15 · CAPEC-43 · CAPEC-6 · CAPEC-88
CVEs mapped to this weakness (2,292)
page 106 of 115

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-7631 | — | | 0.00 | — | 0.04 | | Apr 6, 2020 | diskusage-ng through 0.2.4 is vulnerable to Command Injection. It allows execution of arbitrary commands via the path argument. |
| CVE-2020-7630 | — | | 0.00 | — | 0.04 | | Apr 2, 2020 | git-add-remote through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the name argument. |
| CVE-2020-7629 | — | | 0.00 | — | 0.04 | | Apr 2, 2020 | install-package through 0.4.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument. |
| CVE-2020-7628 | — | | 0.00 | — | 0.02 | | Apr 2, 2020 | umount through 1.1.6 is vulnerable to Command Injection. The argument device can be controlled by users without any sanitization. |
| CVE-2020-7627 | — | | 0.00 | — | 0.04 | | Apr 2, 2020 | node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute()' function. |
| CVE-2020-7626 | — | | 0.00 | — | 0.04 | | Apr 2, 2020 | karma-mojo through 1.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the config argument. |
| CVE-2020-7625 | — | | 0.00 | — | 0.04 | | Apr 2, 2020 | op-browser through 1.0.6 is vulnerable to Command Injection. It allows execution of arbitrary commands via the url function. |
| CVE-2020-7624 | — | | 0.00 | — | 0.04 | | Apr 2, 2020 | effect through 1.0.4 is vulnerable to Command Injection. It allows execution of arbitrary command via the options argument. |
| CVE-2020-7623 | — | | 0.00 | — | 0.04 | | Apr 2, 2020 | jscover through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary command via the source argument. |
| CVE-2020-7621 | — | | 0.00 | — | 0.03 | | Apr 2, 2020 | strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. It allows execution of arbitrary command as part of the '_nginxCmd()' function. |
| CVE-2020-7619 | — | | 0.00 | — | 0.02 | | Apr 2, 2020 | get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data. |
| CVE-2020-7620 | — | | 0.00 | — | 0.02 | | Apr 2, 2020 | pomelo-monitor through 0.3.7 is vulnerable to Command Injection. It allows injection of arbitrary commands as part of 'pomelo-monitor' params. |
| CVE-2020-7603 | | | 0.00 | — | 0.03 | | Mar 15, 2020 | closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization. |
| CVE-2020-7607 | — | | 0.00 | — | 0.03 | | Mar 15, 2020 | gulp-styledocco through 0.0.3 allows execution of arbitrary commands. The argument 'options' of the exports function in 'index.js' can be controlled by users without any sanitization. |
| CVE-2020-7605 | — | | 0.00 | — | 0.03 | | Mar 15, 2020 | gulp-tape through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands as part of 'gulp-tape' options. |
| CVE-2020-7606 | — | | 0.00 | — | 0.03 | | Mar 15, 2020 | docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization. |
| CVE-2020-7604 | | | 0.00 | — | 0.03 | | Mar 15, 2020 | pulverizr through 0.7.0 allows execution of arbitrary commands. Within "lib/job.js", the variable "filename" can be controlled by the attacker. This function uses the variable "filename" to construct the argument of the exec call without any sanitization. In order to… |
| CVE-2020-7602 | | | 0.00 | — | 0.03 | | Mar 15, 2020 | node-prompt-here through 1.0.1 allows execution of arbitrary commands. The "runCommand()" is called by "getDevices()" function in file "linux/manager.js", which is required by the "index. process.env.NM_CLI" in the file "linux/manager.js". This function is used to construct the… |
| CVE-2020-7601 | — | | 0.00 | — | 0.03 | | Mar 15, 2020 | gulp-scss-lint through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands to the "exec" function located in "src/command.js" via the provided options. |
| CVE-2019-10807 | — | | 0.00 | — | 0.02 | | Mar 10, 2020 | Blamer versions prior to 1.0.1 allows execution of arbitrary commands. It is possible to inject arbitrary commands as part of the arguments provided to blamer. |