CWE-78: OS Command Injection
5,525 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-78 (page 22 of 111)
- CVE-2019-5138 | CRITICAL | CVSS 9.9 | EG 9.9 | 2020-02-25
An exploitable command injection vulnerability exists in encrypted diagnostic script functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file can cause arbitrary busybox commands to be executed,…
- CVE-2019-5140 | HIGH | CVSS 8.8 | EG 8.8 | 2020-02-25
An exploitable command injection vulnerability exists in the iwwebs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file name can cause user input to be reflected in a subsequent iwsystem ca…
- CVE-2019-5141 | HIGH | CVSS 8.8 | EG 8.8 | 2020-02-25
An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, …
- CVE-2019-5142 | HIGH | CVSS 7.2 | EG 7.2 | 2020-02-25
An exploitable command injection vulnerability exists in the hostname functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted entry to network configuration information can cause execution of arbitrary system command…
- CVE-2019-5155 | HIGH | CVSS 7.2 | EG 7.2 | 2020-03-11
An exploitable command injection vulnerability exists in the cloud connectivity feature of WAGO PFC200. An attacker can inject operating system commands into any of the parameter values contained in the firmware update command. This affect…
- CVE-2019-5156 | HIGH | CVSS 7.2 | EG 7.2 | 2020-03-11
An exploitable command injection vulnerability exists in the cloud connectivity functionality of WAGO PFC200 versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). An attacker can inject operating system commands into the TimeoutPrepared p…
- CVE-2019-5157 | HIGH | CVSS 7.2 | EG 7.2 | 2020-03-11
An exploitable command injection vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200 Firmware versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). An attacker can inject OS commands into the TimeoutUnconfirmed par…
- CVE-2019-5167 | HIGH | CVSS 7.8 | EG 7.8 | 2020-03-11
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). At 0x1e3f0 the extracted dns value from the xml file is used as an argument to /etc/config-too…
- CVE-2019-5168 | HIGH | CVSS 7.8 | EG 7.8 | 2020-03-11
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). An attacker can send a specially crafted XML cache file At 0x1e8a8 the extracted domainname va…
- CVE-2019-5169 | HIGH | CVSS 7.8 | EG 7.8 | 2020-03-12
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can b…
- CVE-2019-5170 | HIGH | CVSS 7.8 | EG 7.8 | 2020-03-12
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can b…
- CVE-2019-5171 | HIGH | CVSS 7.8 | EG 7.8 | 2020-03-12
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send specially crafted packet at 0x1ea48 to the extracted hostname va…
- CVE-2019-5172 | HIGH | CVSS 7.8 | EG 7.8 | 2020-03-11
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache …
- CVE-2019-5173 | HIGH | CVSS 7.8 | EG 7.8 | 2020-03-11
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can b…
- CVE-2019-5174 | HIGH | CVSS 7.8 | EG 7.8 | 2020-03-11
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can be used to…
- CVE-2019-5175 | HIGH | CVSS 7.8 | EG 7.8 | 2020-03-11
An exploitable command injection vulnerability exists in the iocheckd service ‘I/O-Check’ function of the WAGO PFC 200 Firmware version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can b…
- CVE-2019-5315 | HIGH | CVSS 7.2 | EG 7.2 | 2019-09-13
A command injection vulnerability is present in the web management interface of ArubaOS that permits an authenticated user to execute arbitrary commands on the underlying operating system. A malicious administrator could use this ability t…
- CVE-2019-5414 | HIGH | CVSS 8.1 | EG 8.1 | 2019-03-21
If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in a third-party module kill-port < 1.3.2.
- CVE-2019-5424 | HIGH | CVSS 8.8 | EG 8.8 | 2019-04-10
In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, a privileged user can execute arbitrary shell commands over the SSH CLI interface. This allows shell commands to be executed as the root user.
- CVE-2019-5425 | HIGH | CVSS 8.8 | EG 8.8 | 2019-04-10
In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an authenticated user can execute arbitrary shell commands over the SSH interface, bypassing the CLI interface, which allows them to escalate privileges to root.
- CVE-2019-5475 | HIGH | CVSS 8.8 | EG 8.8 | 2019-09-03
The Nexus Yum Repository Plugin in v2 is vulnerable to Remote Code Execution when instances using CommandLineExecutor.java are supplied vulnerable data, such as the Yum Configuration Capability.
- CVE-2019-5477 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-08-16
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file`…
- CVE-2019-5485 | CRITICAL | CVSS 10.0 | EG 10.0 | 2019-09-13
NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name.
- CVE-2019-5623 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-04-29
Accellion File Transfer Appliance version FTA_8_0_540 suffers from an instance of CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection').
- CVE-2019-5736 | HIGH | CVSS 8.6 | EG 8.6 | 2019-02-11
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of t…
- CVE-2019-5819 | HIGH | CVSS 7.8 | EG 7.8 | 2019-06-27
Insufficient data validation in developer tools in Google Chrome on OS X prior to 74.0.3729.108 allowed a local attacker to execute arbitrary code via a crafted string copied to clipboard.
- CVE-2019-5987 | HIGH | CVSS 8.8 | EG 8.8 | 2020-01-06
Access analysis CGI An-Analyzer released in 2019 June 24 and earlier allows remote authenticated attackers to execute arbitrary OS commands via the Management Page.
- CVE-2019-6013 | MEDIUM | CVSS 6.6 | EG 6.6 | 2019-12-26
DBA-1510P firmware 1.70b009 and earlier allows authenticated attackers to execute arbitrary OS commands via Command Line Interface (CLI).
- CVE-2019-6014 | HIGH | CVSS 8.8 | EG 8.8 | 2019-12-26
DBA-1510P firmware 1.70b009 and earlier allows an attacker to execute arbitrary OS commands via Web User Interface.
- CVE-2019-6487 | HIGH | CVSS 8.8 | EG 8.8 | 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe city…
- CVE-2019-6552 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-04-05
Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple command injection vulnerabilities, caused by a lack of proper validation of user-supplied data, may allow remote code execution.
- CVE-2019-6620 | HIGH | CVSS 7.2 | EG 7.2 | 2019-07-02
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4 and BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection for an Administrator user.
- CVE-2019-6621 | HIGH | CVSS 7.2 | EG 7.2 | 2019-07-02
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection…
- CVE-2019-6736 | HIGH | CVSS 8.8 | EG 8.8 | 2019-06-03
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender SafePay 23.0.10.34. User interaction is required to exploit this vulnerability in that the target must visit a malicious page o…
- CVE-2019-6738 | HIGH | CVSS 8.8 | EG 8.8 | 2019-06-03
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender SafePay 23.0.10.34. User interaction is required to exploit this vulnerability in that the target must visit a malicious page o…
- CVE-2019-6739 | HIGH | CVSS 8.8 | EG 8.8 | 2019-06-03
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Malwarebytes Antimalware 3.6.1.2711. User interaction is required to exploit this vulnerability in that the target must visit a malicious w…
- CVE-2019-6962 | HIGH | CVSS 7.5 | EG 7.5 | 2019-06-20
A shell injection issue in cosa_wifi_apis.c in the RDK RDKB-20181217-1 CcspWifiAgent module allows attackers with login credentials to execute arbitrary shell commands under the CcspWifiSsp process (running as root) if the platform was com…
- CVE-2019-7198 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-12-10
This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 202010…
- CVE-2019-7256 | CRITICAL | CVSS 9.8 | EG 10.0 | ⚠ KEV | 2019-07-02
Linear eMerge E3-Series devices allow Command Injections.
- CVE-2019-7269 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-07-02
Linear eMerge 50P/5000P devices allow Authenticated Command Injection with root Code Execution.
- CVE-2019-7297 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-01-31
An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command injection vulnerability allows attackers to execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request. This occurs when th…
- CVE-2019-7298 | HIGH | CVSS 8.1 | EG 8.1 | 2019-02-01
An issue was discovered on D-Link DIR-823G devices with firmware through 1.02B03. A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 request. This occurs when any HNAP API function trig…
- CVE-2019-7301 | HIGH | CVSS 7.2 | EG 7.2 | 2019-02-01
Zen Load Balancer 3.10.1 allows remote authenticated admin users to execute arbitrary commands as root via shell metacharacters in the index.cgi?action=View_Cert certname parameter.
- CVE-2019-7383 | HIGH | CVSS 7.8 | EG 7.8 | 2019-03-21
An issue was discovered on Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W devices with firmware V1.1-R2.1_TRUNK-20181105.bin. A shell command injection occurs by editing the description of an ISP file. The file network/isp/isp_update_ed…
- CVE-2019-7384 | HIGH | CVSS 7.8 | EG 7.8 | 2019-03-21
An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below. The value of the fmgpo…
- CVE-2019-7385 | HIGH | CVSS 7.8 | EG 7.8 | 2019-03-21
An authenticated shell command injection issue has been discovered in Raisecom ISCOM HT803G-U, HT803G-W, HT803G-1GE, and HT803G GPON products with the firmware version ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 or below. The values of the newp…
- CVE-2019-7632 | HIGH | CVSS 8.8 | EG 8.8 | 2019-02-08
LifeSize Team, Room, Passport, and Networker 220 devices allow Authenticated Remote OS Command Injection, as demonstrated by shell metacharacters in the support/mtusize.php mtu_size parameter. The lifesize default password for the cli acco…
- CVE-2019-7670 | HIGH | CVSS 7.2 | EG 7.2 | 2019-07-01
Prima Systems FlexAir, Versions 2.3.38 and prior. The application incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component, which could allow attackers to execute commands…
- CVE-2019-8159 | HIGH | CVSS 8.8 | EG 8.8 | 2019-11-06
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute arbitrary code through arbitrary file deletion…
- CVE-2019-8312 | HIGH | CVSS 8.8 | EG 8.8 | 2019-02-13
An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1. This issue is a command injection allowing a remote attacker to execute arbitrary code and get a root shell. A command injection vulnerability allows attackers to exe…