CWE-78

High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

6,026 vulnerabilities with CWE-78
CVE-2020-7605 CRITICAL
gulp-tape < 1.0.0 - OS Command Injection via Options Parameter
CVSS 9.8
CVE-2020-7604 CRITICAL
pulverizr < 0.7.0 - OS Command Injection via Unsanitized Filename in lib/job.js
CVSS 9.8
CVE-2020-7603 CRITICAL
closure-compiler-stream < 0.1.15 - OS Command Injection via Unsanitized Options Argument
CVSS 9.8
CVE-2020-7602 CRITICAL
node-prompt-here <= 1.0.1 - OS Command Injection via getDevices Function
CVSS 9.8
CVE-2020-7601 CRITICAL
gulp-scss-lint < 1.0.0 - OS Command Injection via Options Parameter
CVSS 9.8
CVE-2020-9436 HIGH
PHOENIX CONTACT TC Router and TC Cloud Client - Authenticated OS Command Injection
CVSS 8.8
CVE-2020-10390 HIGH
Chadha PHPKB Standard Multi-Language 9 - Authenticated OS Command Injection via wkhtmltopdf Path Parameter
CVSS 7.2
CVE-2020-1980 HIGH
PAN-OS 8.1.0-8.1.12 - Authenticated OS Command Injection via CLI
CVSS 7.8
CVE-2020-10250 CRITICAL
BWA DiREX-Pro 1.2181 - OS Command Injection via PKG Parameter
CVSS 9.8
CVE-2020-2159 HIGH
Jenkins CryptoMove Plugin < 0.1.33 - Authenticated OS Command Injection
CVSS 8.8
CVE-2020-10235 HIGH
Froxlor < 0.10.14 - Remote Code Execution via Database Configuration Options
CVSS 8.8
CVE-2020-10221 HIGH KEV
rconfig < 3.9.4 - Authenticated Remote Code Execution via fileName POST Parameter
CVSS 8.8
CVE-2020-10216 HIGH
D-Link DIR-825 Rev.B 2.10 and TRENDnet TEW-632BRP 1.010B32 - OS Command Injection via Date Parameter
CVSS 8.8
CVE-2020-10215 HIGH
D-Link DIR-825 Rev.B 2.10 and TRENDnet TEW-632BRP 1.010B32 - OS Command Injection via dns_query_name Parameter
CVSS 8.8
CVE-2020-10213 HIGH
D-Link DIR-825 Rev.B 2.10 and TRENDnet TEW-632BRP 1.010B32 - OS Command Injection via wps_sta_enrollee_pin Parameter
CVSS 8.8
CVE-2020-10173 HIGH
Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvI042j1.d26m - OS Command Injection via ping.cgi
CVSS 8.8
CVE-2020-9054 CRITICAL KEV
ZyXEL NAS326/520/540/542 < 5.21 - Unauthenticated RCE via Weblogin.cgi
CVSS 9.8
CVE-2020-3176 MEDIUM
Cisco Remote PHY Device Software - Command Injection
CVSS 6.7
CVE-2020-5535 HIGH
OpenBlocks IoT VX2 < 4.0.0 - Command Injection
CVSS 8.8
CVE-2020-1734 HIGH
Ansible Engine < 2.7.16 and Ansible Tower < 3.3.4 - OS Command Injection via Pipe Lookup Plugin
CVSS 7.4
CVE-2020-9463 HIGH
Centreon 19.10 - Authenticated OS Command Injection via server_ip Field
CVSS 8.8
CVE-2020-3173 HIGH
Cisco UCS Manager Software - Command Injection
CVSS 7.8
CVE-2020-3171 HIGH
Cisco UCS Manager and FXOS - Authenticated OS Command Injection via Local Management CLI
CVSS 7.8
CVE-2020-3169 MEDIUM
Cisco FXOS Software - Privilege Escalation
CVSS 6.7
CVE-2020-3167 HIGH
Cisco FXOS/Cisco UCS Manager - Command Injection
CVSS 7.8