CWE-78

High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

6,057 vulnerabilities with CWE-78
CVE-2017-6360 CRITICAL
QNAP QTS < 4.2.4 - OS Command Injection
CVSS 9.8
CVE-2017-6359 CRITICAL
QNAP QTS < 4.2.4 - OS Command Injection
CVSS 9.8
CVE-2017-6970 HIGH
AlienVault USM/OSSIM <5.3.7/NfSen <1.3.8 - Command Injection
CVSS 8.4
CVE-2017-6398 HIGH
Trend Micro InterScan Messaging Security Virtual Appliance 9.1-1600 - OS Command Injection via saveCert.imss
CVSS 8.8
CVE-2017-6334 HIGH KEV
NETGEAR DGN2200 Series Firmware <= 10.0.0.50 - Authenticated OS Command Injection via dnslookup.cgi host_name Parameter
CVSS 8.8
CVE-2017-6077 CRITICAL KEV
NETGEAR DGN2200 Firmware < 10.0.0.50 - Authenticated OS Command Injection via ping_IPAddr Parameter
CVSS 9.8
CVE-2017-3806 MEDIUM
Cisco Firepower - Command Injection
CVSS 5.3
CVE-2017-3796 HIGH
Cisco WebEx Meetings Server - Command Injection
CVSS 7.2
CVE-2016-15048 CRITICAL
AMTT Hotel Broadband Operation System - Command Injection
CVSS 9.8
CVE-2016-15047 HIGH
AVTECH IP Camera, NVR, and DVR Devices - Authenticated OS Command Injection via CloudSetup.cgi exefile Parameter
CVE-2016-20016 CRITICAL
MVPower TV-7104HE and TV7108HE Firmware - Unauthenticated Remote Code Execution via Web Shell
CVSS 9.8
CVE-2016-11061 CRITICAL
Xerox WorkCentre Multiple Models < 073.xxx.086.15410 - Unauthenticated OS Command Injection
CVSS 9.8
CVE-2016-11054 HIGH
NETGEAR DGN2200v4 Firmware < 2017-01-06 - OS Command Injection and FTP Insecure Root Directory
CVSS 7.2
CVE-2016-11022 HIGH
NETGEAR Prosafe WC9500 5.1.0.17, WC7600 5.1.0.17, and WC7520 2.5.0.35 - Remote Code Execution via reqMethod Parameter
CVSS 7.2
CVE-2016-11021 HIGH KEV
D-Link DCS-930L Firmware < 2.12 - Remote Code Execution via SystemCommand Parameter
CVSS 7.2
CVE-2016-11017 CRITICAL
AKIPS Network Monitor 15.37-16.5 - Unauthenticated OS Command Injection via Username Parameter
CVSS 9.8
CVE-2016-10541 CRITICAL
shell-quote < 1.6.1 - OS Command Injection via Redirection Operator Escape Bypass
CVSS 9.8
CVE-2016-0291 HIGH
IBM BigFix Platform <9.1.8, <9.2.8 - Command Injection
CVSS 8.8
CVE-2016-10709 HIGH
pfSense < 2.2.6 - Authenticated OS Command Injection via Graph Parameter
CVSS 8.8
CVE-2016-1253 CRITICAL
Most package <5.0.0a-2.2-5.0.0a-3 - RCE
CVSS 9.8
CVE-2016-0634 HIGH
bash 4.3 - Authenticated Remote Code Execution via Prompt String Hostname Expansion
CVSS 7.5
CVE-2016-7844 MEDIUM
GigaCC OFFICE < 2.3 - Remote Code Execution via Mail Template
CVSS 5.5
CVE-2016-7819 HIGH
I-O DATA TS-WRLP and TS-WRLA <= 1.01.02 - Authenticated OS Command Injection
CVSS 7.2
CVE-2016-7806 CRITICAL
I-O DATA WFS-SR01 Firmware <= 1.10 - OS Command Injection
CVSS 9.8
CVE-2016-8721 CRITICAL
Moxa AWK-3131A <1.1 - Command Injection
CVSS 9.1