CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-15 · CAPEC-43 · CAPEC-6 · CAPEC-88
CVEs mapped to this weakness (2,016)
page 83 of 101

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-26127 | | | 0.00 | — | 0.00 | | May 27, 2023 | All versions of the package n158 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code… |
| CVE-2023-26128 | | — | 0.00 | — | 0.00 | | May 27, 2023 | All versions of the package keep-module-latest are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the installModule function. **Note:** To execute the code snippet and potentially exploit the vulnerability, the… |
| CVE-2023-26129 | | | 0.00 | — | 0.01 | | May 27, 2023 | All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. **Note:** To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to… |
| CVE-2023-2479 | | | 0.00 | — | 0.93 | | May 2, 2023 | OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4. |
| CVE-2023-30854 | | | 0.00 | — | 0.32 | | Apr 28, 2023 | AVideo is an open source video platform. Prior to version 12.4, an OS Command Injection vulnerability in an authenticated endpoint `/plugin/CloneSite/cloneClient.json.php` allows attackers to achieve Remote Code Execution. This issue is fixed in version 12.4. |
| CVE-2023-28102 | | — | 0.00 | — | 0.01 | | Mar 27, 2023 | discordrb is an implementation of the Discord API using Ruby. In discordrb before commit `91e13043ffa` the `encoder.rb` file unsafely constructs a shell string using the file parameter, which can potentially leave clients of discordrb vulnerable to command injection. The library… |
| CVE-2023-25617 | | | 0.00 | — | 0.02 | | Mar 14, 2023 | SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom… |
| CVE-2022-2024 | | | 0.00 | — | 0.44 | | Feb 25, 2023 | OS Command Injection in GitHub repository gogs/gogs prior to 0.12.11. |
| CVE-2022-36231 | | — | 0.00 | — | 0.23 | | Feb 23, 2023 | pdf_info 0.5.3 is vulnerable to Command Execution because the Ruby code uses backticks instead of Open3. |
| CVE-2023-24816 | | | 0.00 | — | 0.00 | | Feb 10, 2023 | IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This… |
| CVE-2022-31249 | | | 0.00 | — | 0.01 | | Feb 7, 2023 | A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher… |
| CVE-2022-43758 | | | 0.00 | — | 0.01 | | Feb 7, 2023 | A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SUSE Rancher allows code execution for user with the ability to add an untrusted Helm catalog or modifying the URL configuration used to download KDM (only admin users… |
| CVE-2022-25853 | | — | 0.00 | — | 0.00 | | Feb 6, 2023 | All versions of the package semver-tags are vulnerable to Command Injection via the getGitTagsRemote function due to improper input sanitization. |
| CVE-2022-25855 | | — | 0.00 | — | 0.00 | | Feb 6, 2023 | All versions of the package create-choo-app3 are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization. |
| CVE-2022-25906 | | — | 0.00 | — | 0.00 | | Feb 1, 2023 | All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function. |
| CVE-2022-25916 | | — | 0.00 | — | 0.00 | | Feb 1, 2023 | Versions of the package mt7688-wiscan before 0.8.3 are vulnerable to Command Injection due to improper input sanitization in the 'wiscan.scan' function. |
| CVE-2022-21129 | | — | 0.00 | — | 0.01 | | Jan 31, 2023 | Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function. **Note:** In order to exploit this vulnerability appium-running 0.1.3 has to be installed as one of nemo-appium… |
| CVE-2022-25962 | | — | 0.00 | — | 0.01 | | Jan 25, 2023 | All versions of the package vagrant.js are vulnerable to Command Injection via the boxAdd function due to improper input sanitization. |
| CVE-2022-21810 | | — | 0.00 | — | 0.00 | | Jan 25, 2023 | All versions of the package smartctl are vulnerable to Command Injection via the info method due to improper input sanitization. |
| CVE-2022-25860 | | — | 0.00 | — | 0.35 | | Jan 24, 2023 | Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of… |