CWE-78

High likelihood

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Parent: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

5,974 vulnerabilities with CWE-78
CVE-2024-23061 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 - OS Command Injection via setScheduleCfg Minute Parameter
CVSS 9.8
CVE-2024-23060 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 - OS Command Injection via setDmzCfg ip Parameter
CVSS 9.8
CVE-2024-23059 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 - OS Command Injection via setDdnsCfg Username Parameter
CVSS 9.8
CVE-2024-23058 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 - OS Command Injection via setTr069Cfg Pass Parameter
CVSS 9.8
CVE-2024-23057 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 - OS Command Injection via setNtpCfg tz Parameter
CVSS 9.8
CVE-2024-22942 CRITICAL
TOTOLINK A3300R V17.0.0cu.557_B20221024 - Command Injection
CVSS 9.8
CVE-2024-21833 HIGH
TP-LINK Archer AX3000/AX5400/AXE75/Deco X50/XE200 Firmware - Unauthenticated OS Command Injection
CVSS 8.8
CVE-2024-21821 HIGH
TP-LINK Archer AX3000/AX5400/AXE75 Firmware < 1.1.2/1.1.9 - Authenticated OS Command Injection
CVSS 8.0
CVE-2024-21773 HIGH
TP-LINK Archer AX3000, AX5400, Deco X50, XE200 - Unauthenticated OS Command Injection
CVSS 8.8
CVE-2024-0299 HIGH
Totolink N200RE 9.3.5u.6139_B20201216 - OS Command Injection via setTracerouteCfg Command Parameter
CVSS 7.3
CVE-2024-0298 HIGH
Totolink N200RE 9.3.5u.6139_B20201216 - OS Command Injection via setDiagnosisCfg ip Parameter
CVSS 7.3
CVE-2024-0297 HIGH
Totolink N200RE 9.3.5u.6139_B20201216 - OS Command Injection via UploadFirmwareFile FileName Parameter
CVSS 7.3
CVE-2024-0296 HIGH
Totolink N200RE 9.3.5u.6139_B20201216 - OS Command Injection via NTPSyncWithHost host_time Parameter
CVSS 7.3
CVE-2024-0295 HIGH
Totolink LR1200GB 9.1.0u.6619_B20230130 - OS Command Injection via hostName Parameter
CVSS 7.3
CVE-2024-0294 HIGH
Totolink LR1200GB 9.1.0u.6619_B20230130 - OS Command Injection via setUssd Function
CVSS 7.3
CVE-2024-0293 MEDIUM
Totolink LR1200GB 9.1.0u.6619_B20230130 - OS Command Injection via setUploadSetting FileName Parameter
CVSS 6.3
CVE-2024-0292 MEDIUM
Totolink LR1200GB 9.1.0u.6619_B20230130 - OS Command Injection via hostName Parameter
CVSS 6.3
CVE-2023-7338 HIGH
Ruckus Unleashed Authenticated RCE in Gateway Mode
CVSS 7.5
CVE-2023-54339 CRITICAL
webgrind < 1.1 - Unauthenticated Remote Command Execution via dataFile Parameter
CVSS 9.8
CVE-2023-53981 HIGH
PhotoShow 3.0 - Authenticated Remote Code Execution via Exiftran Path Injection
CVSS 7.2
CVE-2023-53963 CRITICAL
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x - Command Injection
CVSS 9.8
CVE-2023-53948 CRITICAL
Lilac-Reloaded for Nagios 2.0.8 - RCE
CVSS 9.8
CVE-2023-53945 HIGH
BrainyCP 1.0 - Authenticated Remote Code Execution via Crontab Configuration Injection
CVSS 8.8
CVE-2023-53941 CRITICAL
EasyPHP Webserver 14.1 - Command Injection
CVSS 9.8
CVE-2023-53872 CRITICAL
Wp2Fac 1.0 - OS Command Injection via send.php numara Parameter