CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

BaseStableLikelihood: High

Description

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Hierarchy (View 1000)

Parents

CWE-77

Children

none

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-15 · CAPEC-43 · CAPEC-6 · CAPEC-88

CVEs mapped to this weakness (1,367)

page 14 of 69

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2024-45251	Cri	0.64	9.8	0.01	Oct 6, 2024	Elsight – CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-45798	Cri	0.64	9.9	0.00	Sep 17, 2024	arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow (`GHSL-2024-169`) and environment Variable injection (`GHSL-2024-170`). These issue have been addressed but users are advised to verify the contents of the downloaded artifacts.
CVE-2024-42757	Cri	0.64	9.8	0.04	Aug 15, 2024	Command injection vulnerability in Asus RT-N15U 3.0.0.4.376_3754 allows a remote attacker to execute arbitrary code via the netstat function page.
CVE-2024-6048	Cri	0.64	9.8	0.01	Jun 17, 2024	Openfind's MailGates and MailAudit fail to properly filter user input when analyzing email attachments. An unauthenticated remote attacker can exploit this vulnerability to inject system commands and execute them on the remote server.
CVE-2024-36360	Cri	0.64	9.8	0.02	Jun 11, 2024	OS command injection vulnerability exists in awkblog v0.0.1 (commit hash:7b761b192d0e0dc3eef0f30630e00ece01c8d552) and earlier. If a remote unauthenticated attacker sends a specially crafted HTTP request, an arbitrary OS command may be executed with the privileges of the affected product on the machine running the product.
CVE-2024-32850	Cri	0.64	9.8	0.02	May 31, 2024	Improper neutralization of special elements used in a command ('Command Injection') exists in SkyBridge MB-A100/MB-A110 firmware Ver. 4.2.2 and earlier and SkyBridge BASIC MB-A130 firmware Ver. 1.5.5 and earlier. If the remote monitoring and control function is enabled on the product, an attacker with access to the product may execute an arbitrary command or login to the product with the administrator privilege.
CVE-2024-31705	Cri	0.64	9.8	0.06	Apr 29, 2024	An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input.
CVE-2024-29640	Cri	0.64	9.8	0.02	Mar 29, 2024	An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component.
CVE-2023-6437	Cri	0.64	9.8	0.01	Mar 28, 2024	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TP-Link TP-Link EX20v AX1800, Tp-Link Archer C5v AC1200, Tp-Link TD-W9970, Tp-Link TD-W9970v3, TP-Link VX220-G2u, TP-Link VN020-G2u allows authenticated OS Command Injection.This issue affects TP-Link EX20v AX1800, Tp-Link Archer C5v AC1200, Tp-Link TD-W9970, Tp-Link TD-W9970v3 : through 20240328. Also the vulnerability continues in the TP-Link VX220-G2u and TP-Link VN020-G2u models due to the products not being produced and supported.
CVE-2024-28048	Cri	0.64	9.8	0.01	Mar 26, 2024	OS command injection vulnerability exists in ffBull ver.4.11, which may allow a remote unauthenticated attacker to execute an arbitrary OS command with the privilege of the running web server. Note that the developer was unreachable, therefore, users should consider stop using ffBull ver.4.11.
CVE-2024-28125	Cri	0.64	9.8	0.01	Mar 18, 2024	FitNesse all releases allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification and this is currently under further investigation.
CVE-2017-10904	Cri	0.64	9.8	0.01	Dec 16, 2017	Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVE-2017-10902	Cri	0.64	9.8	0.02	Dec 1, 2017	PTW-WMS1 firmware version 2.000.012 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVE-2017-1000214	Cri	0.64	9.8	0.07	Nov 27, 2017	GitPHP by xiphux is vulnerable to OS Command Injections
CVE-2017-16926	Cri	0.64	9.8	0.06	Nov 22, 2017	Ohcount 3.0.0 is prone to a command injection via specially crafted filenames containing shell metacharacters, which can be exploited by an attacker (providing a source tree for Ohcount processing) to execute arbitrary code as the user running Ohcount.
CVE-2017-1000215	Cri	0.64	9.8	0.07	Nov 17, 2017	ROOT xrootd version 4.6.0 and below is vulnerable to an unauthenticated shell command injection resulting in remote code execution
CVE-2017-3761	Cri	0.64	9.8	0.05	Oct 17, 2017	The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution.
CVE-2017-15226	Cri	0.64	9.8	0.08	Oct 10, 2017	Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex are used directly in a popen call.
CVE-2017-1000116	Cri	0.64	9.8	0.06	Oct 5, 2017	Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
CVE-2015-3431	Cri	0.64	9.8	0.06	Sep 19, 2017	Pydio (formerly AjaXplorer) before 6.0.7 allows remote attackers to execute arbitrary commands via unspecified vectors, aka "Pydio OS Command Injection Vulnerabilities."

CVE-2024-45251CriOct 6, 2024
risk 0.64cvss 9.8epss 0.01
Elsight – CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-45798CriSep 17, 2024
risk 0.64cvss 9.9epss 0.00
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow (`GHSL-2024-169`) and environment Variable injection (`GHSL-2024-170`). These issue have been addressed but users are advised to verify the contents of the downloaded artifacts.
CVE-2024-42757CriAug 15, 2024
risk 0.64cvss 9.8epss 0.04
Command injection vulnerability in Asus RT-N15U 3.0.0.4.376_3754 allows a remote attacker to execute arbitrary code via the netstat function page.
CVE-2024-6048CriJun 17, 2024
risk 0.64cvss 9.8epss 0.01
Openfind's MailGates and MailAudit fail to properly filter user input when analyzing email attachments. An unauthenticated remote attacker can exploit this vulnerability to inject system commands and execute them on the remote server.
CVE-2024-36360CriJun 11, 2024
risk 0.64cvss 9.8epss 0.02
OS command injection vulnerability exists in awkblog v0.0.1 (commit hash:7b761b192d0e0dc3eef0f30630e00ece01c8d552) and earlier. If a remote unauthenticated attacker sends a specially crafted HTTP request, an arbitrary OS command may be executed with the privileges of the affected product on the machine running the product.
CVE-2024-32850CriMay 31, 2024
risk 0.64cvss 9.8epss 0.02
Improper neutralization of special elements used in a command ('Command Injection') exists in SkyBridge MB-A100/MB-A110 firmware Ver. 4.2.2 and earlier and SkyBridge BASIC MB-A130 firmware Ver. 1.5.5 and earlier. If the remote monitoring and control function is enabled on the product, an attacker with access to the product may execute an arbitrary command or login to the product with the administrator privilege.
CVE-2024-31705CriApr 29, 2024
risk 0.64cvss 9.8epss 0.06
An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input.
CVE-2024-29640CriMar 29, 2024
risk 0.64cvss 9.8epss 0.02
An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component.
CVE-2023-6437CriMar 28, 2024
risk 0.64cvss 9.8epss 0.01
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TP-Link TP-Link EX20v AX1800, Tp-Link Archer C5v AC1200, Tp-Link TD-W9970, Tp-Link TD-W9970v3, TP-Link VX220-G2u, TP-Link VN020-G2u allows authenticated OS Command Injection.This issue affects TP-Link EX20v AX1800, Tp-Link Archer C5v AC1200, Tp-Link TD-W9970, Tp-Link TD-W9970v3 : through 20240328. Also the vulnerability continues in the TP-Link VX220-G2u and TP-Link VN020-G2u models due to the products not being produced and supported.
CVE-2024-28048CriMar 26, 2024
risk 0.64cvss 9.8epss 0.01
OS command injection vulnerability exists in ffBull ver.4.11, which may allow a remote unauthenticated attacker to execute an arbitrary OS command with the privilege of the running web server. Note that the developer was unreachable, therefore, users should consider stop using ffBull ver.4.11.
CVE-2024-28125CriMar 18, 2024
risk 0.64cvss 9.8epss 0.01
FitNesse all releases allows a remote authenticated attacker to execute arbitrary OS commands. Note: A contributor of FitNesse has claimed that this is not a vulnerability but a product specification and this is currently under further investigation.
CVE-2017-10904CriDec 16, 2017
risk 0.64cvss 9.8epss 0.01
Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVE-2017-10902CriDec 1, 2017
risk 0.64cvss 9.8epss 0.02
PTW-WMS1 firmware version 2.000.012 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
CVE-2017-1000214CriNov 27, 2017
risk 0.64cvss 9.8epss 0.07
GitPHP by xiphux is vulnerable to OS Command Injections
CVE-2017-16926CriNov 22, 2017
risk 0.64cvss 9.8epss 0.06
Ohcount 3.0.0 is prone to a command injection via specially crafted filenames containing shell metacharacters, which can be exploited by an attacker (providing a source tree for Ohcount processing) to execute arbitrary code as the user running Ohcount.
CVE-2017-1000215CriNov 17, 2017
risk 0.64cvss 9.8epss 0.07
ROOT xrootd version 4.6.0 and below is vulnerable to an unauthenticated shell command injection resulting in remote code execution
CVE-2017-3761CriOct 17, 2017
risk 0.64cvss 9.8epss 0.05
The Lenovo Service Framework Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection which, in turn, could lead to remote code execution.
CVE-2017-15226CriOct 10, 2017
risk 0.64cvss 9.8epss 0.08
Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex are used directly in a popen call.
CVE-2017-1000116CriOct 5, 2017
risk 0.64cvss 9.8epss 0.06
Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
CVE-2015-3431CriSep 19, 2017
risk 0.64cvss 9.8epss 0.06
Pydio (formerly AjaXplorer) before 6.0.7 allows remote attackers to execute arbitrary commands via unspecified vectors, aka "Pydio OS Command Injection Vulnerabilities."