CWE-78

High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

6,017 vulnerabilities with CWE-78
CVE-2022-2234 CRITICAL
mySCADA myPRO < 8.26.0 - Authenticated OS Command Injection
CVSS 9.9
CVE-2022-36633 HIGH
Teleport < 10.1.2 and < 8.3.17 - Unauthenticated Remote Code Execution via SSH Agent Installation Link
CVSS 8.8
CVE-2022-38132 HIGH
Linksys MR8300 Router - Command Injection
CVSS 8.2
CVE-2022-1513 HIGH
Lenovo PCManager < 5.0.10.4191 - Remote Code Execution via Specially Crafted Website
CVSS 7.3
CVE-2022-32572 HIGH
WWBN AVideo 11.6 and dev master commit 3f7c0364 - OS Command Injection via aVideoEncoder wget Functionality
CVSS 8.8
CVE-2022-30534 HIGH
WWBN AVideo 11.6 and dev master commit 3f7c0364 - OS Command Injection via aVideoEncoder Chunkfile Functionality
CVSS 8.8
CVE-2022-35976 MEDIUM
GitOps Tools Extension for VSCode - RCE
CVSS 5.2
CVE-2022-37061 CRITICAL
FLIR AX8 Firmware <= 1.46.16 - Remote Command Injection via res.php id Parameter
CVSS 9.8
CVE-2022-35975 CRITICAL
GitOps Tools Extension for VSCode - RCE
CVSS 9.0
CVE-2022-1410 HIGH
Device42 CMDB < 18.01.00 - Authenticated OS Command Injection in db_optimize Component
CVSS 8.0
CVE-2022-36273 CRITICAL
Tenda AC9 V15.03.2.21_cn - Command Injection
CVSS 9.8
CVE-2022-36381 HIGH
Nintendo Wi-Fi Network Adaptor WAP-001 - Command Injection
CVSS 7.2
CVE-2022-36309 HIGH
Airspan AirVelocity < 15.18.00.2511 - Command Injection
CVSS 8.8
CVE-2022-2314 CRITICAL
VR Calendar < 2.3.2 - Unauthenticated Remote Code Execution via Arbitrary PHP Function Execution
CVSS 9.8
CVE-2022-35555 CRITICAL
Tenda W6 V1.0.0.9(4122) - OS Command Injection via cmdinput Parameter
CVSS 9.8
CVE-2022-20827 CRITICAL
Cisco RV160, RV260, RV340, and RV345 Series Routers - Unauthenticated Remote Code Execution
CVSS 9.0
CVE-2022-22140 CRITICAL
TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14 - Command Injection
CVSS 9.8
CVE-2022-21178 CRITICAL
TCL LinkHub Mesh Wifi MS1G_00_01.00_14 - OS Command Injection via confsrv ucloud_add_new_node
CVSS 9.8
CVE-2022-34769 MEDIUM
rashim michlol < 187.4392 - Authenticated Insecure Direct Object Reference via ptMsl Parameter
CVSS 6.3
CVE-2022-25168 CRITICAL
Apache Hadoop 2.0.0-2.10.1 and 2.10.2-3.3.3 - OS Command Injection via FileUtil.unTar
CVSS 9.8
CVE-2022-27616 HIGH
Synology DiskStation Manager 6.2-6.2.4-25556-5 - Authenticated OS Command Injection in WebAPI Component
CVSS 7.2
CVE-2022-33955 MEDIUM
IBM CICS TX 11.1 - OS Command Injection via Back and Refresh Attack
CVSS 6.8
CVE-2022-34527 HIGH
D-Link DSL-3782 <= v1.03 - OS Command Injection via byte_4C0160 Function
CVSS 8.8
CVE-2022-22684 HIGH
Synology DiskStation Manager < 6.2.4-25553 - Authenticated OS Command Injection in Task Management Component
CVSS 7.2
CVE-2022-2550 HIGH
GitHub hestiacp/hestiacp < 1.6.5 - Command Injection
CVSS 8.8