CWE-78

High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

6,017 vulnerabilities with CWE-78
CVE-2020-35789 HIGH
NETGEAR NMS300 Firmware < 1.6.0.27 - Authenticated OS Command Injection
CVSS 8.8
CVE-2020-10209 HIGH
Amino AK45x AK5xx AK65x Aria6xx Aria7xx Kami7B Firmware - OS Command Injection via CWMP Registration
CVSS 8.1
CVE-2020-10208 CRITICAL
Amino AK45x AK5xx AK65x Aria6xx Aria7xx Kami7B Firmware - Authenticated OS Command Injection in EntoneWebEngine
CVSS 9.9
CVE-2020-25847 HIGH
QNAP QTS < 4.5.1.1495 and QuTS hero < h4.5.1.1491 - OS Command Injection
CVSS 8.8
CVE-2020-35729 CRITICAL
klog_server 2.4.1 - OS Command Injection via User Parameter
CVSS 9.8
CVE-2020-35715 HIGH
Linksys RE6500 Firmware < 1.0.012.001 - Authenticated OS Command Injection via upload_settings.cgi Filename
CVSS 8.8
CVE-2020-35714 HIGH
Linksys RE6500 Firmware < 1.0.011.001 - Authenticated Remote Code Execution via systemCommand Parameter
CVSS 8.8
CVE-2020-35713 CRITICAL
Linksys RE6500 Firmware < 1.0.012.001 - Unauthenticated Remote Code Execution via goform/setSysAdm
CVSS 9.8
CVE-2020-28188 CRITICAL
TerraMaster TOS <= 4.2.06 - Unauthenticated Remote Code Execution via Event Parameter
CVSS 9.8
CVE-2020-35665 CRITICAL
TerraMaster Operating System <= 4.2.06 - Unauthenticated Remote Code Execution via Event Parameter in makecvs.php
CVSS 9.8
CVE-2020-29552 CRITICAL
URVE Build 24.03.2020 - Command Injection
CVSS 9.8
CVE-2020-24581 HIGH
D-Link DSL-2888A < AU_2.31_V1.1.47ae55 - Command Injection
CVSS 8.0
CVE-2020-26284 HIGH
Hugo < 0.79.1 - OS Command Injection via Malicious Executable in Current Working Directory
CVSS 7.7
CVE-2020-35606 HIGH
Webmin <= 1.962 - Authenticated Remote Command Execution via Package Updates Module
CVSS 8.8
CVE-2020-25494 CRITICAL
Xinuos OpenServer 5-6 - OS Command Injection via printbook cgi-bin Parameters
CVSS 9.8
CVE-2020-12522 CRITICAL
WAGO PFC 100, PFC 200, Touch Panel 600 Standard/Advanced/Marine < FW10 - Remote Code Execution
CVSS 10.0
CVE-2020-8466 CRITICAL
Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 - Unauthenticated OS Command Injection
CVSS 9.8
CVE-2020-25094 CRITICAL
LogRhythm Platform Manager 7.4.9 - OS Command Injection via WebSocket
CVSS 9.8
CVE-2020-26274 MEDIUM
systeminformation < 4.31.1 - Command Injection
CVSS 6.4
CVE-2020-7781 CRITICAL
Package connection-tester < 0.2.1 - Code Injection
CVSS 9.8
CVE-2020-25618 HIGH
SolarWinds N-Central 12.3.0.670 - OS Command Injection via Sudo Misconfiguration
CVSS 8.8
CVE-2020-35476 CRITICAL
OpenTSDB 2.4.0 - Unauthenticated Command Injection
CVSS 9.8
CVE-2020-26259 MEDIUM
XStream < 1.4.15 - File Deletion
CVSS 6.8
CVE-2020-25759 HIGH
D-Link DSR Unified Services Router Firmware < 3.17 - Authenticated OS Command Injection via Multipart HTTP POST Request
CVSS 8.8
CVE-2020-25757 HIGH
D-Link DSR VPN Routers < 3.17 - Unauthenticated OS Command Injection via Lua CGI
CVSS 8.8