CWE-77 — Command Injection
3,740 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-77 (page 11 of 75)
- CVE-2020-36379 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-10-31
An issue was discovered in the remove function in shenzhim aaptjs 1.3.1, which allows attackers to execute arbitrary code via the filePath parameters.
- CVE-2020-36380 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-10-31
An issue was discovered in the crunch function in shenzhim aaptjs 1.3.1, which allows attackers to execute arbitrary code via the filePath parameters.
- CVE-2020-36381 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-10-31
An issue was discovered in the singleCrunch function in shenzhim aaptjs 1.3.1, which allows attackers to execute arbitrary code via the filePath parameters.
- CVE-2020-36448 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-08
An issue was discovered in the cache crate through 2020-11-24 for Rust. There are unconditional implementations of Send and Sync for Cache<K>.
- CVE-2020-36449 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-08
An issue was discovered in the kekbit crate before 0.3.4 for Rust. For ShmWriter<H>, Send is implemented without requiring H: Send.
- CVE-2020-36450 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-08
An issue was discovered in the bunch crate through 2020-11-12 for Rust. There are unconditional implementations of Send and Sync for Bunch<T>.
- CVE-2020-36451 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-08
An issue was discovered in the rcu_cell crate through 2020-11-14 for Rust. There are unconditional implementations of Send and Sync for RcuCell<T>.
- CVE-2020-36455 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-08
An issue was discovered in the slock crate through 2020-11-17 for Rust. Slock<T> unconditionally implements Send and Sync.
- CVE-2020-36456 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-08
An issue was discovered in the toolshed crate through 2020-11-15 for Rust. In CopyCell<T>, the Send trait lacks bounds on the contained type.
- CVE-2020-36457 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-08
An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox<T> implements the Send and Sync traits for all types T.
- CVE-2020-36458 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-08
An issue was discovered in the lexer crate through 2020-11-10 for Rust. For ReaderResult<T, E>, there is an implementation of Sync with a trait bound of T: Send, E: Send.
- CVE-2020-36459 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-08
An issue was discovered in the dces crate through 2020-12-09 for Rust. The World type is marked as Send but lacks bounds on its EntityStore and ComponentStore.
- CVE-2020-36461 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-08
An issue was discovered in the noise_search crate through 2020-12-10 for Rust. There are unconditional implementations of Send and Sync for MvccRwLock.
- CVE-2020-36462 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-08
An issue was discovered in the syncpool crate before 0.1.6 for Rust. There is an unconditional implementation of Send for Bucket2.
- CVE-2020-36463 | HIGH | CVSS 8.1 | EG 8.1 | 2021-08-08
An issue was discovered in the multiqueue crate through 2020-12-25 for Rust. There are unconditional implementations of Send for InnerSend<RW, T>, InnerRecv<RW, T>, FutInnerSend<RW, T>, and FutInnerRecv<RW, T>.
- CVE-2020-36529 | HIGH | CVSS 8.8 | EG 8.8 | 2022-06-07
A vulnerability classified as critical has been found in SevOne Network Management System up to 5.7.2.22. This affects the file traceroute.php of the Traceroute Handler. The manipulation leads to privilege escalation with a command injecti…
- CVE-2020-36642 | MEDIUM | CVSS 5.5 | EG 9.8 | 2023-01-06
A vulnerability was found in trampgeek jobe up to 1.6.x and classified as critical. This issue affects the function run_in_sandbox of the file application/libraries/LanguageTask.php. The manipulation leads to command injection. Upgrading t…
- CVE-2020-36650 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-01-11
A vulnerability, which was classified as critical, was found in IonicaBizau node-gry up to 5.x. This affects an unknown part. The manipulation leads to command injection. Upgrading to version 6.0.0 is able to address this issue. The patch …
- CVE-2020-3760 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-13
Adobe Digital Editions versions 4.5.10 and below have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2020-3924 | MEDIUM | CVSS 6.4 | EG 6.4 | 2020-02-27
DVR firmware in the TAT-76 and TAT-77 series of products, provided by TONNET, does not properly verify patch files. Attackers can inject a specific command into a patch file and gain access to the system.
- CVE-2020-4006 | CRITICAL | CVSS 9.1 | EG 9.1 | ⚠ KEV | 2020-11-23
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.
- CVE-2020-4059 | HIGH | CVSS 7.3 | EG 7.3 | 2020-06-18
In mversion before 2.0.0, there is a command injection vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This vulnerability is patched by version 2.0.0.…
- CVE-2020-4432 | HIGH | CVSS 7.5 | EG 7.5 | 2020-06-10
Certain IBM Aspera applications are vulnerable to command injection after valid authentication, which could allow an attacker with intimate knowledge of the system to execute commands in a SOAP API. IBM X-Force ID: 180810.
- CVE-2020-4636 | HIGH | CVSS 7.2 | EG 7.2 | 2020-10-16
IBM Resilient OnPrem 38.2 could allow a privileged user to inject malicious commands through Python3 scripting. IBM X-Force ID: 185503.
- CVE-2020-4688 | HIGH | CVSS 7.8 | EG 7.8 | 2021-01-20
IBM Security Guardium 10.6 and 11.2 could allow a local attacker to execute arbitrary commands on the system as an unprivileged user, caused by a command injection vulnerability. IBM X-Force ID: 186700.
- CVE-2020-4979 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-05-05
IBM QRadar SIEM 7.3 and 7.4 is vulnerable to insecure inter-deployment communication. An attacker that is able to compromise or spoof traffic between hosts may be able to execute arbitrary commands. IBM X-Force ID: 192538.
- CVE-2020-4983 | HIGH | CVSS 7.8 | EG 7.8 | 2021-01-20
IBM Spectrum LSF 10.1 and IBM Spectrum LSF Suite 10.2 could allow a user on the local network who has privileges to submit LSF jobs to execute arbitrary commands. IBM X-Force ID: 192586.
- CVE-2020-5299 | MEDIUM | CVSS 4.0 | EG 4.0 | 2020-06-03
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the `ImportExportController` could potentially in…
- CVE-2020-5601 | HIGH | CVSS 8.8 | EG 8.8 | 2020-06-30
Chrome Extension for e-Tax Reception System Ver1.0.0.0 allows remote attackers to execute an arbitrary command via unspecified vectors.
- CVE-2020-5792 | HIGH | CVSS 7.2 | EG 7.2 | 2020-10-20
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.
- CVE-2020-6811 | HIGH | CVSS 8.8 | EG 8.8 | 2020-03-25
The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it could ha…
- CVE-2020-7034 | HIGH | CVSS 7.2 | EG 8.8 | 2021-04-23
A command injection vulnerability in Avaya Session Border Controller for Enterprise could allow an authenticated, remote attacker to send specially crafted messages and execute arbitrary commands with the affected system privileges. Affect…
- CVE-2020-7128 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-11-04
A remote unauthenticated arbitrary code execution vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
- CVE-2020-7129 | HIGH | CVSS 7.2 | EG 7.2 | 2020-11-04
A remote execution of arbitrary commands vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
- CVE-2020-7373 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-10-30
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2…
- CVE-2020-7384 | HIGH | CVSS 7.0 | EG 7.0 | 2020-10-29
Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.
- CVE-2020-7697 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-07-29
This affects all versions of package mock2easy. A malicious user could inject commands through the _data variable. Affected area: require('../server/getJsonByCurl')(mock2easy, function (error, stdout) { if (error) { return res.json(500, err…
- CVE-2020-7784 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-01-08
This affects all versions of package ts-process-promises. The injection point is located in line 45 in the main entry of the package in lib/process-promises.js. The vulnerability is demonstrated with the following PoC:
- CVE-2020-7794 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-01-08
This affects all versions of package buns. The injection point is located in line 678 in the index file lib/index.js in the exported function install(requestedModule).
- CVE-2020-7795 | HIGH | CVSS 7.3 | EG 7.3 | 2022-08-02
The package get-npm-package-version before 1.0.7 is vulnerable to Command Injection via the main function in index.js.
- CVE-2020-7848 | HIGH | CVSS 8.0 | EG 8.0 | 2021-02-17
The EFM ipTIME C200 IP Camera is affected by a Command Injection vulnerability in the /login.cgi?logout=1 script. To exploit this vulnerability, an attacker can send a GET request that executes arbitrary OS commands via a cookie value.
- CVE-2020-8101 | MEDIUM | CVSS 6.9 | EG 6.9 | 2021-02-02
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the HTTP interface of ADT LifeShield DIY HD Video Doorbell allows an attacker on the same network to execute commands on the device. This issu…
- CVE-2020-8171 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-05-26
We have recently released a new version of AirMax AirOS firmware, v6.3.0, for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior for TI, XW and XM boards, according to the description below: There are certain end…
- CVE-2020-8186 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-07-10
A command injection vulnerability in the `devcert` module may lead to remote code execution when users of the module pass untrusted input to the `certificateFor` function.
- CVE-2020-8188 | HIGH | CVSS 8.8 | EG 8.8 | 2020-07-02
We have recently released new versions of UniFi Protect firmware, v1.13.3 and v1.14.10, for UniFi Cloud Key Gen2 Plus and UniFi Dream Machine Pro/UNVR respectively, that fix vulnerabilities found on Protect firmware v1.13.2, v1.14.9 and prio…
- CVE-2020-8211 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-08-17
Improper input validation in Citrix XenMobile Server 10.12 before RP3, Citrix XenMobile Server 10.11 before RP6, Citrix XenMobile Server 10.10 RP6 and Citrix XenMobile Server before 10.9 RP5 allows SQL Injection.
- CVE-2020-8233 | HIGH | CVSS 8.8 | EG 8.8 | 2020-08-17
A command injection vulnerability exists in EdgeSwitch firmware <v1.9.0 that allowed an authenticated read-only user to execute arbitrary shell commands over the HTTP interface, allowing them to escalate privileges.
- CVE-2020-8298 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-03-04
The fs-path node module before 0.0.25 is vulnerable to command injection by way of user-supplied inputs via the `copy`, `copySync`, `remove`, and `removeSync` methods.
- CVE-2020-8466 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-12-17
A command injection vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2, with the improved password hashing method enabled, could allow an unauthenticated attacker to execute certain commands by providing a manipu…
- CVE-2020-9115 | HIGH | CVSS 7.2 | EG 7.2 | 2020-12-01
ManageOne versions 6.5.1.1.B010, 6.5.1.1.B020, 6.5.1.1.B030, 6.5.1.1.B040, 6.5.1.1.B050, 8.0.0 and 8.0.1 have a command injection vulnerability. An attacker with high privileges may exploit this vulnerability through some operations on th…